Windows Analysis Report
YyIDUCFWC1.exe

Overview

General Information

Sample name: YyIDUCFWC1.exe
(renamed because the original name is a hash value)
Original sample name: 6d59b75f2b8bf7590c144cd4b3d24516.exe
Analysis ID: 1427891
MD5: 6d59b75f2b8bf7590c144cd4b3d24516
SHA1: 6325d9ea89692248cf599493743f637b7fefe726
SHA256: 50ccd3682708ff0e7a6bfe46730937d469ca29e0ae405f3607b70fb15ad2e5c0
Tags: exe, zgRAT

Detection

PureLog Stealer, Vidar, zgRAT
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected AntiVM3
Yara detected PureLog Stealer
Yara detected Vidar
Yara detected Vidar stealer
Yara detected zgRAT
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Searches for specific processes (likely to inject)
Sigma detected: Silenttrinity Stager Msbuild Activity
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to record screenshots
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Extensive use of GetProcAddress (often used to hide API calls)
Found dropped PE file which has not been started or loaded
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE / OLE file has an invalid certificate
Queries information about the installed CPU (vendor, model number etc)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses the keyboard layout for branch decision (may execute only for specific keyboard layouts)
Yara detected Credential Stealer
Yara signature match
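The signatures above describe one chain: YyIDUCFWC1.exe starts MSBuild.exe suspended, writes a PE into it, and MSBuild.exe then talks to the C2 and drops DLLs under C:\ProgramData (this is also what the Sigma hit "Silenttrinity Stager Msbuild Activity" keys on). The following Python is an added example, not part of the Joe Sandbox report, showing how to correlate that chain from Sysmon-style endpoint events. The events are constructed to mirror the signatures (the PIDs, the devenv.exe parent of the benign build and the C:\ProgramData\nss3.dll drop path are invented); the field names follow Sysmon's schema.

```python
"""Correlate endpoint telemetry for the MSBuild.exe injection chain this report describes."""
from collections import defaultdict
from ipaddress import ip_address

MSBUILD = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
DROPPER = r"C:\Users\user\Desktop\YyIDUCFWC1.exe"

# Access rights that let a caller write code into another process and start it there.
PROCESS_CREATE_THREAD = 0x0002
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_WRITE = 0x0020
INJECT_MASK = PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_WRITE

BUILD_INPUT_EXT = (".proj", ".csproj", ".vbproj", ".sln", ".targets", ".xml")
DEV_PARENTS = ("devenv.exe", "dotnet.exe", "msbuild.exe", "nuget.exe")

# Constructed Sysmon-style events (assumed, not from the analysis run): PIDs 4512/7788 and
# the ProgramData drop path are invented; everything else mirrors the report's signatures.
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessId": 4512, "Image": MSBUILD, "CommandLine": f'"{MSBUILD}"',
     "ParentImage": DROPPER},
    {"EventID": 10, "SourceImage": DROPPER, "TargetImage": MSBUILD, "TargetProcessId": 4512,
     "GrantedAccess": "0x1FFFFF"},
    {"EventID": 3, "ProcessId": 4512, "Image": MSBUILD,
     "DestinationIp": "65.109.242.73", "DestinationPort": 80},
    {"EventID": 11, "ProcessId": 4512, "Image": MSBUILD,
     "TargetFilename": r"C:\ProgramData\nss3.dll"},
    # A legitimate build for contrast: project file on the command line, developer parent.
    {"EventID": 1, "ProcessId": 7788, "Image": MSBUILD,
     "CommandLine": f'"{MSBUILD}" C:\\src\\app\\app.csproj /t:Build',
     "ParentImage": r"C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\devenv.exe"},
    {"EventID": 3, "ProcessId": 7788, "Image": MSBUILD,
     "DestinationIp": "10.0.0.5", "DestinationPort": 443},
]


def is_msbuild(path: str) -> bool:
    return path.lower().endswith("\\msbuild.exe")


def correlate(events):
    """Return one finding per MSBuild.exe process that behaves like an injection host."""
    by_pid = defaultdict(set)
    for ev in events:
        eid = ev["EventID"]
        if eid == 1 and is_msbuild(ev["Image"]):
            # MSBuild with nothing to build, or started by something that is not a dev tool.
            cmd = ev.get("CommandLine", "").lower()
            if not any(ext in cmd for ext in BUILD_INPUT_EXT):
                by_pid[ev["ProcessId"]].add("no_project_file")
            parent = ev.get("ParentImage", "").lower().rsplit("\\", 1)[-1]
            if parent not in DEV_PARENTS:
                by_pid[ev["ProcessId"]].add("non_dev_parent")
        elif eid == 10 and is_msbuild(ev["TargetImage"]):
            # Another process opened MSBuild with write/thread rights (WriteProcessMemory etc.).
            if int(ev["GrantedAccess"], 16) & INJECT_MASK:
                by_pid[ev["TargetProcessId"]].add("injection_rights_granted")
        elif eid == 3 and is_msbuild(ev["Image"]):
            if ip_address(ev["DestinationIp"]).is_global:
                by_pid[ev["ProcessId"]].add("external_network")
        elif eid == 11 and is_msbuild(ev["Image"]):
            if ev["TargetFilename"].lower().endswith((".dll", ".exe")):
                by_pid[ev["ProcessId"]].add("drops_pe")
    findings = []
    for pid, inds in sorted(by_pid.items()):
        # Require the two strongest signals together to keep build servers out of the alert.
        if {"injection_rights_granted", "external_network"} <= inds:
            findings.append({"pid": pid, "indicators": sorted(inds)})
    return findings


if __name__ == "__main__":
    for f in correlate(SAMPLE_EVENTS):
        print(f"MSBuild.exe pid {f['pid']}: {', '.join(f['indicators'])}")
```

The weak signals (no project file, unusual parent, PE drops) are kept as context rather than triggers; a CI agent that shells out to MSBuild.exe will hit one or two of them, but not a remote-memory write from its parent followed by a connection to a public IP.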

Classification

Name: Vidar
Description: Vidar is a forked malware based on Arkei. It seems this stealer is one of the first that is grabbing information on 2FA Software and Tor Browser.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.vidar

Name: zgRAT
Description: zgRAT is a Remote Access Trojan which sometimes drops other malware such as AgentTesla. zgRAT has an infostealer component which targets browser information and crypto wallets. It usually spreads by USB or by phishing emails with .zip/.lnk/.bat/.xlsx attachments and so on.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.zgrat

AV Detection

Source: 00000000.00000002.1701548677.0000000003DA5000.00000004.00000800.00020000.00000000.sdmp Malware Configuration Extractor: Vidar {"C2 url": ["https://steamcommunity.com/profiles/76561199673019888"]}
Source: YyIDUCFWC1.exe ReversingLabs: Detection: 26%
Source: YyIDUCFWC1.exe Virustotal: Detection: 26%
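The extracted configuration points at a Steam profile rather than at the real C2: the profile is a dead drop, and the traffic section shows the sample fetching it and then talking to 65.109.242.73. The Python below is an added example (not part of the report) of resolving such a drop offline. It assumes the C2 address is carried in the profile's display name inside the `actual_persona_name` span, and the sample HTML is constructed for the example; the report only shows the Steam GET followed by traffic to that IP, not the profile contents.

```python
"""Resolve a Steam-profile dead drop of the kind in this sample's configuration."""
import re
from html import unescape
from typing import List, Optional
from urllib.parse import urlparse

# Constructed fragment of a profile page (assumption: the C2 sits in the display name,
# here followed by an HTML-encoded '|' delimiter). Not captured from steamcommunity.com.
SAMPLE_PROFILE_HTML = """
<div class="profile_header_centered_persona">
  <div class="persona_name" style="font-size: 24px;">
    <span class="actual_persona_name">http://65.109.242.73&#124;</span>
  </div>
</div>
"""

STEAM_PROFILE_RE = re.compile(r"^https://steamcommunity\.com/profiles/(\d{17})$")
PERSONA_RE = re.compile(r'<span class="actual_persona_name">(.*?)</span>', re.S)
URL_RE = re.compile(r'https?://[0-9A-Za-z.\-]+(?::\d+)?(?:/[^\s|<"]*)?')


def steam_profile_id(config_url: str) -> Optional[str]:
    """Pull the 17-digit SteamID64 out of the extractor's C2 URL, or None if it is not one."""
    m = STEAM_PROFILE_RE.match(config_url)
    return m.group(1) if m else None


def resolve_dead_drop(profile_html: str) -> List[str]:
    """Return candidate C2 URLs hidden in the profile display name (may be empty)."""
    m = PERSONA_RE.search(profile_html)
    if not m:
        return []
    name = unescape(m.group(1))          # entities such as &#124; become the raw delimiter
    return URL_RE.findall(name)


def c2_hosts(urls: List[str]) -> List[str]:
    """Hostnames/IPs to block or hunt for, one per candidate URL."""
    return [urlparse(u).hostname for u in urls]


if __name__ == "__main__":
    cfg = "https://steamcommunity.com/profiles/76561199673019888"
    print("profile id:", steam_profile_id(cfg))
    urls = resolve_dead_drop(SAMPLE_PROFILE_HTML)
    print("dead-drop C2:", urls, "->", c2_hosts(urls))
```

Blocking the Steam URL alone does little, since the operator rotates the display name; the hosts returned by c2_hosts are the indicator worth alerting on, and the Steam GET without a User-Agent (see the Networking section) is the behaviour to detect.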
Source: C:\Users\user\Desktop\YyIDUCFWC1.exe Code function: 0_2_6CF2DD20 CryptReleaseContext, 0_2_6CF2DD20
Source: C:\Users\user\Desktop\YyIDUCFWC1.exe Code function: 0_2_6CF2DEE0 CryptReleaseContext, 0_2_6CF2DEE0
Source: C:\Users\user\Desktop\YyIDUCFWC1.exe Code function: 0_2_6CF2DE00 CryptGenRandom,__CxxThrowException@8, 0_2_6CF2DE00
Source: C:\Users\user\Desktop\YyIDUCFWC1.exe Code function: 0_2_6CF2D9D0 CryptAcquireContextA,GetLastError, 0_2_6CF2D9D0
Source: C:\Users\user\Desktop\YyIDUCFWC1.exe Code function: 0_2_6CF2DBB0 CryptAcquireContextA,CryptAcquireContextA,GetLastError,CryptAcquireContextA,CryptAcquireContextA,SetLastError,__CxxThrowException@8, 0_2_6CF2DBB0
Source: C:\Users\user\Desktop\YyIDUCFWC1.exe Code function: 0_2_6CF535E0 CryptReleaseContext, 0_2_6CF535E0
Source: C:\Users\user\Desktop\YyIDUCFWC1.exe Code function: 0_2_6CF2D7F0 CryptReleaseContext, 0_2_6CF2D7F0
Source: C:\Users\user\Desktop\YyIDUCFWC1.exe Code function: 0_2_6CF2D7D3 CryptReleaseContext, 0_2_6CF2D7D3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_00406FD0 CryptUnprotectData,LocalAlloc,LocalFree, 1_2_00406FD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_00409230 memset,lstrlen,CryptStringToBinaryA,PK11_GetInternalKeySlot,PK11_Authenticate,PK11SDR_Decrypt,memcpy,PK11_FreeSlot,lstrcat,PK11_FreeSlot,lstrcat, 1_2_00409230
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_00411720 CryptBinaryToStringA,GetProcessHeap,HeapAlloc,CryptBinaryToStringA, 1_2_00411720
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_00406F50 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree, 1_2_00406F50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_6CB5A9A0 PK11SDR_Decrypt,PORT_NewArena_Util,SEC_QuickDERDecodeItem_Util,PORT_FreeArena_Util,SECITEM_ZfreeItem_Util,PK11_GetInternalKeySlot,PK11_Authenticate,PORT_FreeArena_Util,PK11_ListFixedKeysInSlot,SECITEM_ZfreeItem_Util,PK11_FreeSymKey,PK11_FreeSymKey,PORT_FreeArena_Util,PK11_FreeSymKey,SECITEM_ZfreeItem_Util, 1_2_6CB5A9A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_6CB544C0 PK11_PubEncrypt, 1_2_6CB544C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_6CB24420 SECKEY_DestroyEncryptedPrivateKeyInfo,memset,PORT_FreeArena_Util,SECITEM_ZfreeItem_Util,SECITEM_ZfreeItem_Util,SECITEM_ZfreeItem_Util,free, 1_2_6CB24420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_6CB54440 PK11_PrivDecrypt, 1_2_6CB54440
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_6CBA25B0 PK11_Encrypt,memcpy,PR_SetError,PK11_Encrypt, 1_2_6CBA25B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_6CB3E6E0 PK11_AEADOp,TlsGetValue,EnterCriticalSection,PORT_Alloc_Util,PK11_Encrypt,PORT_Alloc_Util,memcpy,memcpy,PR_SetError,PR_SetError,PR_Unlock,PR_SetError,PR_Unlock,PK11_Decrypt,PR_GetCurrentThread,PK11_Decrypt,PK11_Encrypt,memcpy,memcpy,PR_SetError,free, 1_2_6CB3E6E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_6CB38670 PK11_ExportEncryptedPrivKeyInfo, 1_2_6CB38670
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_6CB5A650 PK11SDR_Encrypt,PORT_NewArena_Util,PK11_GetInternalKeySlot,PK11_Authenticate,SECITEM_ZfreeItem_Util,TlsGetValue,EnterCriticalSection,PR_Unlock,PK11_CreateContextBySymKey,PK11_GetBlockSize,PORT_Alloc_Util,memcpy,SECITEM_ZfreeItem_Util,PORT_FreeArena_Util,SECITEM_ZfreeItem_Util,PK11_FreeSymKey,PORT_ArenaAlloc_Util,PK11_CipherOp,SEC_ASN1EncodeItem_Util,SECITEM_ZfreeItem_Util,PORT_FreeArena_Util,PK11_DestroyContext, 1_2_6CB5A650
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_6CB7A730 SEC_PKCS12AddCertAndKey,PORT_ArenaMark_Util,PORT_ArenaMark_Util,PK11_FindKeyByAnyCert,SECKEY_DestroyPrivateKey,PORT_ArenaAlloc_Util,PR_SetError,PR_SetError,PK11_GetInternalKeySlot,PK11_FindKeyByAnyCert,SECKEY_DestroyPrivateKey,PORT_ArenaAlloc_Util,SECKEY_DestroyEncryptedPrivateKeyInfo,strlen,PR_SetError,PORT_FreeArena_Util,PORT_FreeArena_Util,PORT_ArenaAlloc_Util,PR_SetError, 1_2_6CB7A730
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_6CB80180 SECMIME_DecryptionAllowed,SECOID_GetAlgorithmTag_Util, 1_2_6CB80180
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_6CB543B0 PK11_PubEncryptPKCS1,PR_SetError, 1_2_6CB543B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_6CB77C00 SEC_PKCS12DecoderImportBags,PR_SetError,NSS_OptionGet,CERT_DestroyCertificate,SECITEM_ZfreeItem_Util,PR_SetError,SECKEY_DestroyPublicKey,SECITEM_ZfreeItem_Util,PR_SetError,SECKEY_DestroyPublicKey,SECITEM_ZfreeItem_Util,PR_SetError,SECOID_FindOID_Util,SECITEM_ZfreeItem_Util,SECKEY_DestroyPublicKey,SECOID_GetAlgorithmTag_Util,SECITEM_CopyItem_Util,PK11_ImportEncryptedPrivateKeyInfoAndReturnKey,SECITEM_ZfreeItem_Util,SECKEY_DestroyPublicKey,PK11_ImportPublicKey,SECOID_FindOID_Util, 1_2_6CB77C00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_6CB7BD30 SEC_PKCS12IsEncryptionAllowed,NSS_GetAlgorithmPolicy,NSS_GetAlgorithmPolicy,NSS_GetAlgorithmPolicy,NSS_GetAlgorithmPolicy,NSS_GetAlgorithmPolicy,NSS_GetAlgorithmPolicy,NSS_GetAlgorithmPolicy,NSS_GetAlgorithmPolicy,NSS_GetAlgorithmPolicy, 1_2_6CB7BD30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_6CB37D60 PK11_ImportEncryptedPrivateKeyInfoAndReturnKey,SECOID_FindOID_Util,SECOID_FindOIDByTag_Util,PK11_PBEKeyGen,PK11_GetPadMechanism,PK11_UnwrapPrivKey,PK11_FreeSymKey,SECITEM_ZfreeItem_Util,PK11_PBEKeyGen,SECITEM_ZfreeItem_Util,PK11_FreeSymKey,PK11_ImportPublicKey,SECKEY_DestroyPublicKey, 1_2_6CB37D60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_6CB79EC0 SEC_PKCS12CreateUnencryptedSafe,PORT_ArenaMark_Util,PORT_ArenaAlloc_Util,PR_SetError,PR_SetError,SEC_PKCS7DestroyContentInfo, 1_2_6CB79EC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_6CB53FF0 PK11_PrivDecryptPKCS1, 1_2_6CB53FF0
Source: YyIDUCFWC1.exe Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: unknown HTTPS traffic detected: 23.4.32.216:443 -> 192.168.2.4:49732 version: TLS 1.2
Source: unknown HTTPS traffic detected: 65.109.242.73:443 -> 192.168.2.4:49733 version: TLS 1.2
Source: YyIDUCFWC1.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: mozglue.pdbP source: MSBuild.exe, 00000001.00000002.2111715611.000000006CF6D000.00000002.00000001.01000000.0000000B.sdmp, mozglue.dll.1.dr, mozglue[1].dll.1.dr
Source: Binary string: freebl3.pdb source: freebl3.dll.1.dr, freebl3[1].dll.1.dr
Source: Binary string: freebl3.pdbp source: freebl3.dll.1.dr, freebl3[1].dll.1.dr
Source: Binary string: nss3.pdb@ source: MSBuild.exe, 00000001.00000002.2110913060.000000006CC2F000.00000002.00000001.01000000.0000000A.sdmp, nss3.dll.1.dr, nss3[1].dll.1.dr
Source: Binary string: c:\MyProjects\gitlab\ILProtector\ILProtector\Output2010\Win32\Release\Protect32.pdb source: YyIDUCFWC1.exe, 00000000.00000002.1701548677.000000000449D000.00000004.00000800.00020000.00000000.sdmp, YyIDUCFWC1.exe, 00000000.00000002.1701548677.0000000004312000.00000004.00000800.00020000.00000000.sdmp, YyIDUCFWC1.exe, 00000000.00000002.1708250819.00000000056C0000.00000004.08000000.00040000.00000000.sdmp, YyIDUCFWC1.exe, 00000000.00000002.1710476616.000000006CF54000.00000002.00000001.01000000.00000007.sdmp, Protect544cd51a.dll.0.dr
Source: Binary string: C:\dev\sqlite\dotnet-private\obj\2015\System.Data.SQLite.2015\Release\System.Data.SQLite.pdb source: YyIDUCFWC1.exe
Source: Binary string: C:\Users\sc-client\Jenkins\workspace\WindowsBuild\SecureConnectClient\ACVC.Core\obj\WinRelease\netstandard2.0\AWSVPNClient.Core.pdbSHA256 source: YyIDUCFWC1.exe
Source: Binary string: C:\dev\sqlite\dotnet-private\obj\2015\System.Data.SQLite.2015\Release\System.Data.SQLite.pdb\ source: YyIDUCFWC1.exe
Source: Binary string: softokn3.pdb@ source: softokn3[1].dll.1.dr, softokn3.dll.1.dr
Source: Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: vcruntime140[1].dll.1.dr, vcruntime140.dll.1.dr
Source: Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdb source: msvcp140.dll.1.dr, msvcp140[1].dll.1.dr
Source: Binary string: C:\Users\sc-client\Jenkins\workspace\WindowsBuild\SecureConnectClient\ACVC.Core\obj\WinRelease\netstandard2.0\AWSVPNClient.Core.pdb source: YyIDUCFWC1.exe
Source: Binary string: nss3.pdb source: MSBuild.exe, 00000001.00000002.2110913060.000000006CC2F000.00000002.00000001.01000000.0000000A.sdmp, nss3.dll.1.dr, nss3[1].dll.1.dr
Source: Binary string: C:\Users\Dan\Desktop\work\sqlite\tmp\sqlite_bld_dir\2\sqlite3.pdb source: MSBuild.exe, 00000001.00000002.2105558542.0000000019808000.00000002.00001000.00020000.00000000.sdmp, MSBuild.exe, 00000001.00000002.2099739476.0000000013898000.00000004.00000020.00020000.00000000.sdmp, sqln[1].dll.1.dr
Source: Binary string: mozglue.pdb source: MSBuild.exe, 00000001.00000002.2111715611.000000006CF6D000.00000002.00000001.01000000.0000000B.sdmp, mozglue.dll.1.dr, mozglue[1].dll.1.dr
Source: Binary string: softokn3.pdb source: softokn3[1].dll.1.dr, softokn3.dll.1.dr
Source: Binary string: c:\MyProjects\gitlab\ILProtector\ILProtector\Output2010\x64\Release\Protect64.pdb source: YyIDUCFWC1.exe, 00000000.00000002.1708250819.000000000577A000.00000004.08000000.00040000.00000000.sdmp, YyIDUCFWC1.exe, 00000000.00000002.1701548677.00000000043CE000.00000004.00000800.00020000.00000000.sdmp, YyIDUCFWC1.exe, 00000000.00000002.1701548677.0000000004243000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: c:\Temp\Json\Working\Newtonsoft.Json\Src\Newtonsoft.Json\obj\Release\Newtonsoft.Json.pdb source: YyIDUCFWC1.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_0040B030 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA, 1_2_0040B030
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_004011E0 FindFirstFileA,StrCmpCA,StrCmpCA,FindFirstFileA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 1_2_004011E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_0040D320 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 1_2_0040D320
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_004164A0 wsprintfA,FindFirstFileA,memset,memset,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,memset,lstrcat,strtok_s,strtok_s,memset,lstrcat,strtok_s,PathMatchSpecA,wsprintfA,DeleteFileA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,strtok_s,DeleteFileA,FindNextFileA,FindClose, 1_2_004164A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_00417550 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 1_2_00417550
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_0040A530 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose, 1_2_0040A530
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_00416CF0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose, 1_2_00416CF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_00417140 GetProcessHeap,HeapAlloc,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen, 1_2_00417140
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_0040A980 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 1_2_0040A980
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_004168E0 GetLogicalDriveStringsA,memset,GetDriveTypeA,lstrcpy,lstrcpy,lstrcpy,lstrlen, 1_2_004168E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\
Source: C:\Users\user\Desktop\YyIDUCFWC1.exe Code function: 4x nop then mov dword ptr [ebp-14h], 40000003h 0_2_05323AD8
Source: C:\Users\user\Desktop\YyIDUCFWC1.exe Code function: 4x nop then jmp 0532BD0Ah 0_2_0532BC50
Source: C:\Users\user\Desktop\YyIDUCFWC1.exe Code function: 4x nop then jmp 0532BD0Ah 0_2_0532BC58
Source: C:\Users\user\Desktop\YyIDUCFWC1.exe Code function: 4x nop then mov dword ptr [ebp-14h], 40000003h 0_2_05323CF1
Source: C:\Users\user\Desktop\YyIDUCFWC1.exe Code function: 4x nop then mov dword ptr [ebp-14h], 40000003h 0_2_05323CF8
Source: C:\Users\user\Desktop\YyIDUCFWC1.exe Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h 0_2_053207B4
Source: C:\Users\user\Desktop\YyIDUCFWC1.exe Code function: 4x nop then mov dword ptr [ebp-14h], 40000003h 0_2_05323E00
Source: C:\Users\user\Desktop\YyIDUCFWC1.exe Code function: 4x nop then mov dword ptr [ebp-14h], 40000003h 0_2_05323E08
Source: C:\Users\user\Desktop\YyIDUCFWC1.exe Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h 0_2_053226EC
Source: C:\Users\user\Desktop\YyIDUCFWC1.exe Code function: 4x nop then cmp dword ptr [ebp-20h], 00000000h 0_2_0532C120
Source: C:\Users\user\Desktop\YyIDUCFWC1.exe Code function: 4x nop then cmp dword ptr [ebp-20h], 00000000h 0_2_0532C119
Source: C:\Users\user\Desktop\YyIDUCFWC1.exe Code function: 4x nop then mov dword ptr [ebp-14h], 40000003h 0_2_05323BE0
Source: C:\Users\user\Desktop\YyIDUCFWC1.exe Code function: 4x nop then mov dword ptr [ebp-14h], 40000003h 0_2_05323BE8
Source: C:\Users\user\Desktop\YyIDUCFWC1.exe Code function: 4x nop then mov dword ptr [ebp-14h], 40000003h 0_2_05323AD2

Networking

Source: Malware configuration extractor URLs: https://steamcommunity.com/profiles/76561199673019888
Source: global traffic HTTP traffic detected: GET /profiles/76561199673019888 HTTP/1.1 | Host: steamcommunity.com | Connection: Keep-Alive | Cache-Control: no-cache
Source: Joe Sandbox View IP Address: 23.4.32.216
Source: Joe Sandbox View JA3 fingerprint: 51c64c77e60f3980eea90869b68c58a8
Source: Joe Sandbox View JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: global traffic HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0 | Host: 65.109.242.73 | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1 | Content-Type: multipart/form-data; boundary=----IIDHJKFBGIIJJKFIJDBG | User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0 | Host: 65.109.242.73 | Content-Length: 279 | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1 | Content-Type: multipart/form-data; boundary=----AKKKFBGDHJKFHJJJJDGC | User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0 | Host: 65.109.242.73 | Content-Length: 331 | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1 | Content-Type: multipart/form-data; boundary=----EHDAFIJJECFHJJKFCAKJ | User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0 | Host: 65.109.242.73 | Content-Length: 331 | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1 | Content-Type: multipart/form-data; boundary=----AFHJJEHIEBKKFIDHDGHJ | User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0 | Host: 65.109.242.73 | Content-Length: 6973 | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /sqln.dll HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0 | Host: 65.109.242.73 | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1 | Content-Type: multipart/form-data; boundary=----GIDBKKKKKFBGDGDHIDBG | User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0 | Host: 65.109.242.73 | Content-Length: 4677 | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1 | Content-Type: multipart/form-data; boundary=----DHIDHIEGIIIECAKEBFBA | User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0 | Host: 65.109.242.73 | Content-Length: 1529 | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1 | Content-Type: multipart/form-data; boundary=----KFIEHIIIJDAAAAAAKECB | User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0 | Host: 65.109.242.73 | Content-Length: 437 | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1 | Content-Type: multipart/form-data; boundary=----HJJJDAEGIDHCBFHJJJEG | User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0 | Host: 65.109.242.73 | Content-Length: 437 | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /freebl3.dll HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0 | Host: 65.109.242.73 | Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /mozglue.dll HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0 | Host: 65.109.242.73 | Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /msvcp140.dll HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0 | Host: 65.109.242.73 | Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /nss3.dll HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0 | Host: 65.109.242.73 | Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /softokn3.dll HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0 | Host: 65.109.242.73 | Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /vcruntime140.dll HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0 | Host: 65.109.242.73 | Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1 | Content-Type: multipart/form-data; boundary=----HJDAKFBFBFBAAAAAEBKJ | User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0 | Host: 65.109.242.73 | Content-Length: 1145 | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1 | Content-Type: multipart/form-data; boundary=----GHIJJJEGDBFHDHJJDBAK | User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0 | Host: 65.109.242.73 | Content-Length: 331 | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1 | Content-Type: multipart/form-data; boundary=----CFCGIIEHIEGDGDGCAEBG | User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0 | Host: 65.109.242.73 | Content-Length: 331 | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1 | Content-Type: multipart/form-data; boundary=----DAKJDHIEBFIIDGDGDBAE | User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0 | Host: 65.109.242.73 | Content-Length: 453 | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1 | Content-Type: multipart/form-data; boundary=----JDGHIIJKEBGIDHIDBKJD | User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0 | Host: 65.109.242.73 | Content-Length: 100429 | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1 | Content-Type: multipart/form-data; boundary=----KEHCAFHIJECGCAKFCGDB | User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0 | Host: 65.109.242.73 | Content-Length: 331 | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST / HTTP/1.1 | Content-Type: multipart/form-data; boundary=----DHDHCGHDHIDHCBGCBGCA | User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0 | Host: 65.109.242.73 | Content-Length: 331 | Connection: Keep-Alive | Cache-Control: no-cache
Source: unknown TCP traffic detected without corresponding DNS query: 173.222.162.32 (2 occurrences)
Source: unknown TCP traffic detected without corresponding DNS query: 65.109.242.73 (48 occurrences)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_00404500 InternetOpenA,StrCmpCA,InternetConnectA,HttpOpenRequestA,InternetSetOptionA,lstrlen,lstrlen,HttpSendRequestA,InternetReadFile,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle, 1_2_00404500
Source: unknown DNS traffic detected: queries for: steamcommunity.com
Source: unknown HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----IIDHJKFBGIIJJKFIJDBGUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0Host: 65.109.242.73Content-Length: 279Connection: Keep-AliveCache-Control: no-cache
Source: YyIDUCFWC1.exe String found in binary or memory: http://127.0.0.1:
Source: YyIDUCFWC1.exe String found in binary or memory: http://ACVC.WPF.Service.Wcf/IOvpnProcessRunner/IsAliveResponse
Source: YyIDUCFWC1.exe String found in binary or memory: http://ACVC.WPF.Service.Wcf/IOvpnProcessRunner/IsAliveT
Source: YyIDUCFWC1.exe String found in binary or memory: http://ACVC.WPF.Service.Wcf/IOvpnProcessRunner/StartResponse
Source: YyIDUCFWC1.exe String found in binary or memory: http://ACVC.WPF.Service.Wcf/IOvpnProcessRunner/StartT
Source: YyIDUCFWC1.exe String found in binary or memory: http://ACVC.WPF.Service.Wcf/IOvpnProcessRunner/StopResponseR
Source: YyIDUCFWC1.exe String found in binary or memory: http://ACVC.WPF.Service.Wcf/IOvpnProcessRunner/StopT
Source: YyIDUCFWC1.exe String found in binary or memory: http://ACVC.WPF.Service.WcfT
Source: YyIDUCFWC1.exe, nss3.dll.1.dr, mozglue.dll.1.dr, freebl3.dll.1.dr, mozglue[1].dll.1.dr, nss3[1].dll.1.dr, freebl3[1].dll.1.dr, softokn3[1].dll.1.dr, softokn3.dll.1.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: YyIDUCFWC1.exe, nss3.dll.1.dr, mozglue.dll.1.dr, freebl3.dll.1.dr, mozglue[1].dll.1.dr, nss3[1].dll.1.dr, freebl3[1].dll.1.dr, softokn3[1].dll.1.dr, softokn3.dll.1.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: YyIDUCFWC1.exe String found in binary or memory: http://cacerts.digicert.com/DigiCertEVCodeSigningCA-SHA2.crt0
Source: YyIDUCFWC1.exe String found in binary or memory: http://cacerts.digicert.com/DigiCertHighAssuranceEVRootCA.crt0
Source: nss3.dll.1.dr, mozglue.dll.1.dr, freebl3.dll.1.dr, mozglue[1].dll.1.dr, nss3[1].dll.1.dr, freebl3[1].dll.1.dr, softokn3[1].dll.1.dr, softokn3.dll.1.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: YyIDUCFWC1.exe String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: YyIDUCFWC1.exe String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: YyIDUCFWC1.exe, nss3.dll.1.dr, mozglue.dll.1.dr, freebl3.dll.1.dr, mozglue[1].dll.1.dr, nss3[1].dll.1.dr, freebl3[1].dll.1.dr, softokn3[1].dll.1.dr, softokn3.dll.1.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: YyIDUCFWC1.exe, nss3.dll.1.dr, mozglue.dll.1.dr, freebl3.dll.1.dr, mozglue[1].dll.1.dr, nss3[1].dll.1.dr, freebl3[1].dll.1.dr, softokn3[1].dll.1.dr, softokn3.dll.1.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: YyIDUCFWC1.exe String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
Source: YyIDUCFWC1.exe, nss3.dll.1.dr, mozglue.dll.1.dr, freebl3.dll.1.dr, mozglue[1].dll.1.dr, nss3[1].dll.1.dr, freebl3[1].dll.1.dr, softokn3[1].dll.1.dr, softokn3.dll.1.dr String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: nss3.dll.1.dr, mozglue.dll.1.dr, freebl3.dll.1.dr, mozglue[1].dll.1.dr, nss3[1].dll.1.dr, freebl3[1].dll.1.dr, softokn3[1].dll.1.dr, softokn3.dll.1.dr String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: YyIDUCFWC1.exe String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: nss3.dll.1.dr, mozglue.dll.1.dr, freebl3.dll.1.dr, mozglue[1].dll.1.dr, nss3[1].dll.1.dr, freebl3[1].dll.1.dr, softokn3[1].dll.1.dr, softokn3.dll.1.dr String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: YyIDUCFWC1.exe String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: YyIDUCFWC1.exe String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: YyIDUCFWC1.exe, nss3.dll.1.dr, mozglue.dll.1.dr, freebl3.dll.1.dr, mozglue[1].dll.1.dr, nss3[1].dll.1.dr, freebl3[1].dll.1.dr, softokn3[1].dll.1.dr, softokn3.dll.1.dr String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: YyIDUCFWC1.exe, nss3.dll.1.dr, mozglue.dll.1.dr, freebl3.dll.1.dr, mozglue[1].dll.1.dr, nss3[1].dll.1.dr, freebl3[1].dll.1.dr, softokn3[1].dll.1.dr, softokn3.dll.1.dr String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: YyIDUCFWC1.exe String found in binary or memory: http://crl3.digicert.com/EVCodeSigningSHA2-g1.crl07
Source: nss3.dll.1.dr, mozglue.dll.1.dr, freebl3.dll.1.dr, mozglue[1].dll.1.dr, nss3[1].dll.1.dr, freebl3[1].dll.1.dr, softokn3[1].dll.1.dr, softokn3.dll.1.dr String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: YyIDUCFWC1.exe String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: YyIDUCFWC1.exe, nss3.dll.1.dr, mozglue.dll.1.dr, freebl3.dll.1.dr, mozglue[1].dll.1.dr, nss3[1].dll.1.dr, freebl3[1].dll.1.dr, softokn3[1].dll.1.dr, softokn3.dll.1.dr String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: nss3.dll.1.dr, mozglue.dll.1.dr, freebl3.dll.1.dr, mozglue[1].dll.1.dr, nss3[1].dll.1.dr, freebl3[1].dll.1.dr, softokn3[1].dll.1.dr, softokn3.dll.1.dr String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl07
Source: YyIDUCFWC1.exe String found in binary or memory: http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: YyIDUCFWC1.exe String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: YyIDUCFWC1.exe String found in binary or memory: http://crl4.digicert.com/EVCodeSigningSHA2-g1.crl0K
Source: nss3.dll.1.dr, mozglue.dll.1.dr, freebl3.dll.1.dr, mozglue[1].dll.1.dr, nss3[1].dll.1.dr, freebl3[1].dll.1.dr, softokn3[1].dll.1.dr, softokn3.dll.1.dr String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0K
Source: YyIDUCFWC1.exe String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: YyIDUCFWC1.exe String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
Source: YyIDUCFWC1.exe String found in binary or memory: http://james.newtonking.com/projects/json
Source: YyIDUCFWC1.exe, nss3.dll.1.dr, mozglue.dll.1.dr, freebl3.dll.1.dr, mozglue[1].dll.1.dr, nss3[1].dll.1.dr, freebl3[1].dll.1.dr, softokn3[1].dll.1.dr, softokn3.dll.1.dr String found in binary or memory: http://ocsp.digicert.com0
Source: YyIDUCFWC1.exe, nss3.dll.1.dr, mozglue.dll.1.dr, freebl3.dll.1.dr, mozglue[1].dll.1.dr, nss3[1].dll.1.dr, freebl3[1].dll.1.dr, softokn3[1].dll.1.dr, softokn3.dll.1.dr String found in binary or memory: http://ocsp.digicert.com0A
Source: YyIDUCFWC1.exe, nss3.dll.1.dr, mozglue.dll.1.dr, freebl3.dll.1.dr, mozglue[1].dll.1.dr, nss3[1].dll.1.dr, freebl3[1].dll.1.dr, softokn3[1].dll.1.dr, softokn3.dll.1.dr String found in binary or memory: http://ocsp.digicert.com0C
Source: YyIDUCFWC1.exe String found in binary or memory: http://ocsp.digicert.com0H
Source: YyIDUCFWC1.exe String found in binary or memory: http://ocsp.digicert.com0I
Source: nss3.dll.1.dr, mozglue.dll.1.dr, freebl3.dll.1.dr, mozglue[1].dll.1.dr, nss3[1].dll.1.dr, freebl3[1].dll.1.dr, softokn3[1].dll.1.dr, softokn3.dll.1.dr String found in binary or memory: http://ocsp.digicert.com0N
Source: YyIDUCFWC1.exe String found in binary or memory: http://ocsp.digicert.com0O
Source: YyIDUCFWC1.exe, nss3.dll.1.dr, mozglue.dll.1.dr, freebl3.dll.1.dr, mozglue[1].dll.1.dr, nss3[1].dll.1.dr, freebl3[1].dll.1.dr, softokn3[1].dll.1.dr, softokn3.dll.1.dr String found in binary or memory: http://ocsp.digicert.com0X
Source: YyIDUCFWC1.exe String found in binary or memory: http://ocsp.sectigo.com0
Source: MSBuild.exe, 00000001.00000002.2097165559.0000000000FD3000.00000004.00000020.00020000.00000000.sdmp, 76561199673019888[1].htm.1.dr String found in binary or memory: http://store.steampowered.com/account/cookiepreferences/
Source: MSBuild.exe, 00000001.00000002.2097165559.0000000000FD3000.00000004.00000020.00020000.00000000.sdmp, 76561199673019888[1].htm.1.dr String found in binary or memory: http://store.steampowered.com/privacy_agreement/
Source: MSBuild.exe, 00000001.00000002.2097165559.0000000000FD3000.00000004.00000020.00020000.00000000.sdmp, 76561199673019888[1].htm.1.dr String found in binary or memory: http://store.steampowered.com/subscriber_agreement/
Source: YyIDUCFWC1.exe, 00000000.00000002.1701132649.0000000002DA1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/AccessLevelDetailSet.xsd
Source: YyIDUCFWC1.exe, 00000000.00000002.1701132649.0000000002DA1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/AccessLevelsSet.xsd
Source: YyIDUCFWC1.exe, 00000000.00000002.1701132649.0000000002DA1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/CameraAuthenticationsSet.xsd
Source: YyIDUCFWC1.exe, 00000000.00000002.1701132649.0000000002DA1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/CamerasSet.xsd
Source: YyIDUCFWC1.exe, 00000000.00000002.1701132649.0000000002DA1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/CardTemplateSet.xsd
Source: YyIDUCFWC1.exe, 00000000.00000002.1701132649.0000000002DA1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/CardTypesSet.xsd
Source: YyIDUCFWC1.exe, 00000000.00000002.1701132649.0000000002DA1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/CardsSet.xsd
Source: YyIDUCFWC1.exe, 00000000.00000002.1701132649.0000000002DA1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/DepartmentsSet.xsd
Source: YyIDUCFWC1.exe, 00000000.00000002.1701132649.0000000002DA1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/DoorsSet.xsd
Source: YyIDUCFWC1.exe, 00000000.00000002.1701132649.0000000002DA1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/EventsSet.xsd
Source: YyIDUCFWC1.exe, 00000000.00000002.1701132649.0000000002DA1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/IndividualAccessLevelsSet.xsd$SelectedTimezoneID
Source: YyIDUCFWC1.exe, 00000000.00000002.1701132649.0000000002DA1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/IoBoardInputsSet.xsd
Source: YyIDUCFWC1.exe, 00000000.00000002.1701132649.0000000002DA1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/IoBoardOutputsSet.xsd
Source: YyIDUCFWC1.exe, 00000000.00000002.1701132649.0000000002DA1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/IoBoardsSet.xsd
Source: YyIDUCFWC1.exe, 00000000.00000002.1701132649.0000000002DA1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/OperatorSet.xsd
Source: YyIDUCFWC1.exe, 00000000.00000002.1701132649.0000000002DA1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/RawEvent.xsd$StaffCategoriesSetRhttp://tempuri.org/StaffCategoriesSet.xsd
Source: YyIDUCFWC1.exe, 00000000.00000002.1701132649.0000000002DA1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/TimesheetCategoriesSet.xsd
Source: YyIDUCFWC1.exe, 00000000.00000002.1701132649.0000000002DA1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/TimesheetDetailsSet.xsd
Source: YyIDUCFWC1.exe, 00000000.00000002.1701132649.0000000002DA1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/TimesheetEventLogsSet.xsd
Source: YyIDUCFWC1.exe, 00000000.00000002.1701132649.0000000002DA1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/TimesheetSummarySet.xsd
Source: YyIDUCFWC1.exe, 00000000.00000002.1701132649.0000000002DA1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/TimesheetUsersDetailSet.xsd4HolidayAdjustmentPriorYear2HolidayAdjustmentThisYear2
Source: YyIDUCFWC1.exe, 00000000.00000002.1701132649.0000000002DA1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/TimezonesSet.xsd
Source: YyIDUCFWC1.exe, 00000000.00000002.1701132649.0000000002DA1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/UsersSet.xsd
Source: YyIDUCFWC1.exe, nss3.dll.1.dr, mozglue.dll.1.dr, freebl3.dll.1.dr, mozglue[1].dll.1.dr, nss3[1].dll.1.dr, freebl3[1].dll.1.dr, softokn3[1].dll.1.dr, softokn3.dll.1.dr String found in binary or memory: http://www.digicert.com/CPS0
Source: YyIDUCFWC1.exe String found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
Source: MSBuild.exe, MSBuild.exe, 00000001.00000002.2111715611.000000006CF6D000.00000002.00000001.01000000.0000000B.sdmp, mozglue.dll.1.dr, mozglue[1].dll.1.dr String found in binary or memory: http://www.mozilla.com/en-US/blocklist/
Source: MSBuild.exe, 00000001.00000002.2105752036.000000001983D000.00000002.00001000.00020000.00000000.sdmp, MSBuild.exe, 00000001.00000002.2099739476.0000000013898000.00000004.00000020.00020000.00000000.sdmp, sqln[1].dll.1.dr String found in binary or memory: http://www.sqlite.org/copyright.html.
Source: MSBuild.exe, 00000001.00000002.2097165559.0000000000FD3000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000001.00000002.2095584347.0000000000434000.00000040.00000400.00020000.00000000.sdmp, 76561199673019888[1].htm.1.dr String found in binary or memory: http://www.valvesoftware.com/legal.htm
Source: 76561199673019888[1].htm.1.dr String found in binary or memory: https://65.109.242.73
Source: MSBuild.exe, 00000001.00000002.2097165559.000000000107E000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000001.00000002.2097165559.0000000000FD3000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000001.00000002.2097165559.0000000000F68000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000001.00000002.2097165559.0000000001074000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://65.109.242.73/
Source: MSBuild.exe, 00000001.00000002.2097165559.000000000107E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://65.109.242.73/$
Source: MSBuild.exe, 00000001.00000002.2097165559.0000000000F68000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://65.109.242.73/09.242.73/Local
Source: MSBuild.exe, 00000001.00000002.2097165559.000000000107E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://65.109.242.73/2
Source: MSBuild.exe, 00000001.00000002.2097165559.0000000000F68000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://65.109.242.73/B
Source: MSBuild.exe, 00000001.00000002.2097165559.0000000000FD3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://65.109.242.73/X
Source: MSBuild.exe, 00000001.00000002.2097165559.0000000000F68000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://65.109.242.73/XR
Source: MSBuild.exe, 00000001.00000002.2097165559.0000000000F68000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://65.109.242.73/amData
Source: MSBuild.exe, 00000001.00000002.2097165559.0000000000FD3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://65.109.242.73/c
Source: MSBuild.exe, 00000001.00000002.2097165559.0000000000F68000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://65.109.242.73/es
Source: MSBuild.exe, 00000001.00000002.2097165559.0000000000F68000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://65.109.242.73/f
Source: MSBuild.exe, 00000001.00000002.2097165559.0000000000FD3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://65.109.242.73/freebl3.dll
Source: MSBuild.exe, 00000001.00000002.2097165559.0000000000FD3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://65.109.242.73/h
Source: MSBuild.exe, 00000001.00000002.2097165559.0000000000FD3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://65.109.242.73/mozglue.dll
Source: MSBuild.exe, 00000001.00000002.2097165559.0000000000FD3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://65.109.242.73/msvcp140.dll
Source: MSBuild.exe, 00000001.00000002.2097165559.0000000001093000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://65.109.242.73/nss3.dll
Source: MSBuild.exe, 00000001.00000002.2097165559.0000000001093000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://65.109.242.73/nss3.dllE
Source: MSBuild.exe, 00000001.00000002.2097165559.0000000000FD3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://65.109.242.73/softokn3.dllX
Source: MSBuild.exe, 00000001.00000002.2095584347.0000000000514000.00000040.00000400.00020000.00000000.sdmp, MSBuild.exe, 00000001.00000002.2097165559.0000000000FD3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://65.109.242.73/sqln.dll
Source: MSBuild.exe, 00000001.00000002.2097165559.0000000000F68000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://65.109.242.73/ss3.dllPb
Source: MSBuild.exe, 00000001.00000002.2097165559.0000000000FD3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://65.109.242.73/vcruntime140.dll
Source: MSBuild.exe, 00000001.00000002.2097165559.0000000000FD3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://65.109.242.73/vcruntime140.dllc
Source: MSBuild.exe, 00000001.00000002.2095584347.0000000000434000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://65.109.242.73BKJD
Source: MSBuild.exe, 00000001.00000002.2095584347.000000000051A000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://65.109.242.73T
Source: FBFCGIDA.1.dr String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: 76561199673019888[1].htm.1.dr String found in binary or memory: https://avatars.akamai.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpg
Source: FBFCGIDA.1.dr String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: FBFCGIDA.1.dr String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: FBFCGIDA.1.dr String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: MSBuild.exe, 00000001.00000002.2095584347.0000000000434000.00000040.00000400.00020000.00000000.sdmp, 76561199673019888[1].htm.1.dr String found in binary or memory: https://community.akamai.steamstatic.com/public/css/applications/community/main.css?v=96N66CvLHly8&a
Source: MSBuild.exe, 00000001.00000002.2097165559.0000000000FD3000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000001.00000002.2095584347.0000000000434000.00000040.00000400.00020000.00000000.sdmp, 76561199673019888[1].htm.1.dr String found in binary or memory: https://community.akamai.steamstatic.com/public/css/globalv2.css?v=PAcV2zMBzzSV&l=english
Source: MSBuild.exe, 00000001.00000002.2097165559.0000000000FD3000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000001.00000002.2095584347.0000000000434000.00000040.00000400.00020000.00000000.sdmp, 76561199673019888[1].htm.1.dr String found in binary or memory: https://community.akamai.steamstatic.com/public/css/promo/summer2017/stickers.css?v=HA2Yr5oy3FFG&amp
Source: MSBuild.exe, 00000001.00000002.2097165559.0000000000FD3000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000001.00000002.2095584347.0000000000434000.00000040.00000400.00020000.00000000.sdmp, 76561199673019888[1].htm.1.dr String found in binary or memory: https://community.akamai.steamstatic.com/public/css/skin_1/header.css?v=NFoCa4OkAxRb&l=english
Source: MSBuild.exe, 00000001.00000002.2097165559.0000000000FD3000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000001.00000002.2095584347.0000000000434000.00000040.00000400.00020000.00000000.sdmp, 76561199673019888[1].htm.1.dr String found in binary or memory: https://community.akamai.steamstatic.com/public/css/skin_1/modalContent.css?v=.TP5s6TzX6LLh
Source: MSBuild.exe, 00000001.00000002.2097165559.0000000000FD3000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000001.00000002.2095584347.0000000000434000.00000040.00000400.00020000.00000000.sdmp, 76561199673019888[1].htm.1.dr String found in binary or memory: https://community.akamai.steamstatic.com/public/css/skin_1/profilev2.css?v=M_qL4gO2sKII&l=englis
Source: MSBuild.exe, 00000001.00000002.2097165559.0000000000FD3000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000001.00000002.2095584347.0000000000434000.00000040.00000400.00020000.00000000.sdmp, 76561199673019888[1].htm.1.dr String found in binary or memory: https://community.akamai.steamstatic.com/public/images/skin_1/arrowDn9x5.gif
Source: MSBuild.exe, 00000001.00000002.2097165559.0000000000FD3000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000001.00000002.2095584347.0000000000434000.00000040.00000400.00020000.00000000.sdmp, 76561199673019888[1].htm.1.dr String found in binary or memory: https://community.akamai.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1
Source: MSBuild.exe, 00000001.00000002.2097165559.0000000000FD3000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000001.00000002.2095584347.0000000000434000.00000040.00000400.00020000.00000000.sdmp, 76561199673019888[1].htm.1.dr String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6
Source: MSBuild.exe, 00000001.00000002.2097165559.0000000000FD3000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000001.00000002.2095584347.0000000000434000.00000040.00000400.00020000.00000000.sdmp, 76561199673019888[1].htm.1.dr String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/main.js?v=Kg_v7CMM
Source: MSBuild.exe, 00000001.00000002.2097165559.0000000000FD3000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000001.00000002.2095584347.0000000000434000.00000040.00000400.00020000.00000000.sdmp, 76561199673019888[1].htm.1.dr String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/manifest.js?v=N0D1
Source: MSBuild.exe, 00000001.00000002.2097165559.0000000000FD3000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000001.00000002.2095584347.0000000000434000.00000040.00000400.00020000.00000000.sdmp, 76561199673019888[1].htm.1.dr String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/global.js?v=B7Vsdo1okyaC&l=english
Source: MSBuild.exe, 00000001.00000002.2097165559.0000000000FD3000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000001.00000002.2095584347.0000000000434000.00000040.00000400.00020000.00000000.sdmp, 76561199673019888[1].htm.1.dr String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=.isFTSRckeNhC
Source: MSBuild.exe, 00000001.00000002.2097165559.0000000000FD3000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000001.00000002.2095584347.0000000000434000.00000040.00000400.00020000.00000000.sdmp, 76561199673019888[1].htm.1.dr String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/modalContent.js?v=L35TrLJDfqtD&l=engl
Source: MSBuild.exe, 00000001.00000002.2097165559.0000000000FD3000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000001.00000002.2095584347.0000000000434000.00000040.00000400.00020000.00000000.sdmp, 76561199673019888[1].htm.1.dr String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/modalv2.js?v=dfMhuy-Lrpyo&l=english
Source: MSBuild.exe, 00000001.00000002.2097165559.0000000000FD3000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000001.00000002.2095584347.0000000000434000.00000040.00000400.00020000.00000000.sdmp, 76561199673019888[1].htm.1.dr String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/profile.js?v=Iy1ies1ROjUT&l=english
Source: MSBuild.exe, 00000001.00000002.2097165559.0000000000FD3000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000001.00000002.2095584347.0000000000434000.00000040.00000400.00020000.00000000.sdmp, 76561199673019888[1].htm.1.dr String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/promo/stickers.js?v=upl9NJ5D2xkP&l=en
Source: MSBuild.exe, 00000001.00000002.2097165559.0000000000FD3000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000001.00000002.2095584347.0000000000434000.00000040.00000400.00020000.00000000.sdmp, 76561199673019888[1].htm.1.dr String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/prototype-1.7.js?v=.55t44gwuwgvw
Source: MSBuild.exe, 00000001.00000002.2097165559.0000000000FD3000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000001.00000002.2095584347.0000000000434000.00000040.00000400.00020000.00000000.sdmp, 76561199673019888[1].htm.1.dr String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/reportedcontent.js?v=dAtjbcZMWhSe&l=e
Source: MSBuild.exe, 00000001.00000002.2095584347.0000000000434000.00000040.00000400.00020000.00000000.sdmp, 76561199673019888[1].htm.1.dr String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=OeNIgrpEF8tL
Source: MSBuild.exe, 00000001.00000002.2097165559.0000000000FD3000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000001.00000002.2095584347.0000000000434000.00000040.00000400.00020000.00000000.sdmp, 76561199673019888[1].htm.1.dr String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/webui/clientcom.js?v=jU8h8CqVh6FY&l=e
Source: MSBuild.exe, 00000001.00000002.2097165559.0000000000FD3000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000001.00000002.2095584347.0000000000434000.00000040.00000400.00020000.00000000.sdmp, 76561199673019888[1].htm.1.dr String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/buttons.css?v=PUJIfhtcQn7W&l=english
Source: 76561199673019888[1].htm.1.dr String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/motiva_sans.css?v=-DH0xTYpnVe2&l=engl
Source: MSBuild.exe, 00000001.00000002.2097165559.0000000000FD3000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000001.00000002.2095584347.0000000000434000.00000040.00000400.00020000.00000000.sdmp, 76561199673019888[1].htm.1.dr String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/shared_global.css?v=SPpMitTYp6ku&l=en
Source: MSBuild.exe, 00000001.00000002.2097165559.0000000000FD3000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000001.00000002.2095584347.0000000000434000.00000040.00000400.00020000.00000000.sdmp, 76561199673019888[1].htm.1.dr String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/shared_responsive.css?v=BMF068jICwP9&
Source: MSBuild.exe, 00000001.00000002.2097165559.0000000000FD3000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000001.00000002.2095584347.0000000000434000.00000040.00000400.00020000.00000000.sdmp, 76561199673019888[1].htm.1.dr String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016
Source: MSBuild.exe, 00000001.00000002.2097165559.0000000000FD3000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000001.00000002.2095584347.0000000000434000.00000040.00000400.00020000.00000000.sdmp, 76561199673019888[1].htm.1.dr String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/responsive/header_logo.png
Source: MSBuild.exe, 00000001.00000002.2097165559.0000000000FD3000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000001.00000002.2095584347.0000000000434000.00000040.00000400.00020000.00000000.sdmp, 76561199673019888[1].htm.1.dr String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png
Source: MSBuild.exe, 00000001.00000002.2097165559.0000000000FD3000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000001.00000002.2095584347.0000000000434000.00000040.00000400.00020000.00000000.sdmp, 76561199673019888[1].htm.1.dr String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png
Source: MSBuild.exe, 00000001.00000002.2095584347.0000000000434000.00000040.00000400.00020000.00000000.sdmp, 76561199673019888[1].htm.1.dr String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/shared_global.js?v=1_BxDGVvfXwv&am
Source: MSBuild.exe, 00000001.00000002.2097165559.0000000000FD3000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000001.00000002.2095584347.0000000000434000.00000040.00000400.00020000.00000000.sdmp, 76561199673019888[1].htm.1.dr String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=pSv
Source: MSBuild.exe, 00000001.00000002.2097165559.0000000000FD3000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000001.00000002.2095584347.0000000000434000.00000040.00000400.00020000.00000000.sdmp, 76561199673019888[1].htm.1.dr String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/tooltip.js?v=.zYHOpI1L3Rt0
Source: FBFCGIDA.1.dr String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: FBFCGIDA.1.dr String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: FBFCGIDA.1.dr String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: MSBuild.exe, 00000001.00000002.2097165559.0000000000FD3000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000001.00000002.2095584347.0000000000434000.00000040.00000400.00020000.00000000.sdmp, 76561199673019888[1].htm.1.dr String found in binary or memory: https://help.steampowered.com/en/
Source: nss3.dll.1.dr, mozglue.dll.1.dr, freebl3.dll.1.dr, mozglue[1].dll.1.dr, nss3[1].dll.1.dr, freebl3[1].dll.1.dr, softokn3[1].dll.1.dr, softokn3.dll.1.dr String found in binary or memory: https://mozilla.org0/
Source: YyIDUCFWC1.exe String found in binary or memory: https://sectigo.com/CPS0
Source: 76561199673019888[1].htm.1.dr String found in binary or memory: https://steamcommunity.com/
Source: MSBuild.exe, 00000001.00000002.2095584347.0000000000434000.00000040.00000400.00020000.00000000.sdmp, 76561199673019888[1].htm.1.dr String found in binary or memory: https://steamcommunity.com/?subsection=broadcasts
Source: MSBuild.exe, 00000001.00000002.2097165559.0000000000FD3000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000001.00000002.2095584347.0000000000434000.00000040.00000400.00020000.00000000.sdmp, 76561199673019888[1].htm.1.dr String found in binary or memory: https://steamcommunity.com/discussions/
Source: MSBuild.exe, 00000001.00000002.2097165559.0000000000FD3000.00000004.00000020.00020000.00000000.sdmp, 76561199673019888[1].htm.1.dr String found in binary or memory: https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org
Source: 76561199673019888[1].htm.1.dr String found in binary or memory: https://steamcommunity.com/login/home/?goto=profiles%2F76561199673019888
Source: MSBuild.exe, 00000001.00000002.2097165559.0000000000FD3000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000001.00000002.2095584347.0000000000434000.00000040.00000400.00020000.00000000.sdmp, 76561199673019888[1].htm.1.dr String found in binary or memory: https://steamcommunity.com/market/
Source: MSBuild.exe, 00000001.00000002.2097165559.0000000000FD3000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000001.00000002.2095584347.0000000000434000.00000040.00000400.00020000.00000000.sdmp, 76561199673019888[1].htm.1.dr String found in binary or memory: https://steamcommunity.com/my/wishlist/
Source: YyIDUCFWC1.exe, 00000000.00000002.1701548677.0000000003DA5000.00000004.00000800.00020000.00000000.sdmp, YyIDUCFWC1.exe, 00000000.00000002.1701132649.0000000002E75000.00000004.00000800.00020000.00000000.sdmp, YyIDUCFWC1.exe, 00000000.00000002.1701548677.0000000003E3F000.00000004.00000800.00020000.00000000.sdmp, YyIDUCFWC1.exe, 00000000.00000002.1709833273.0000000005CC0000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, MSBuild.exe, 00000001.00000002.2097165559.0000000000FA8000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000001.00000002.2095584347.0000000000400000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/profiles/76561199673019888
Source: MSBuild.exe, 00000001.00000002.2097165559.0000000000FD3000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000001.00000002.2095584347.0000000000434000.00000040.00000400.00020000.00000000.sdmp, 76561199673019888[1].htm.1.dr String found in binary or memory: https://steamcommunity.com/profiles/76561199673019888/badges
Source: MSBuild.exe, 00000001.00000002.2097165559.0000000000FD3000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000001.00000002.2095584347.0000000000434000.00000040.00000400.00020000.00000000.sdmp, 76561199673019888[1].htm.1.dr String found in binary or memory: https://steamcommunity.com/profiles/76561199673019888/inventory/
Source: MSBuild.exe, 00000001.00000002.2097165559.0000000000FA8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/profiles/76561199673019888;
Source: YyIDUCFWC1.exe, 00000000.00000002.1701548677.0000000003DA5000.00000004.00000800.00020000.00000000.sdmp, YyIDUCFWC1.exe, 00000000.00000002.1701132649.0000000002E75000.00000004.00000800.00020000.00000000.sdmp, YyIDUCFWC1.exe, 00000000.00000002.1701548677.0000000003E3F000.00000004.00000800.00020000.00000000.sdmp, YyIDUCFWC1.exe, 00000000.00000002.1709833273.0000000005CC0000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000001.00000002.2095584347.0000000000400000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/profiles/76561199673019888ve74rMozilla/5.0
Source: MSBuild.exe, 00000001.00000002.2097165559.0000000000F68000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/s
Source: MSBuild.exe, 00000001.00000002.2097165559.0000000000FD3000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000001.00000002.2095584347.0000000000434000.00000040.00000400.00020000.00000000.sdmp, 76561199673019888[1].htm.1.dr String found in binary or memory: https://steamcommunity.com/workshop/
Source: 76561199673019888[1].htm.1.dr String found in binary or memory: https://store.steampowered.com/
Source: 76561199673019888[1].htm.1.dr String found in binary or memory: https://store.steampowered.com/about/
Source: MSBuild.exe, 00000001.00000002.2095584347.0000000000434000.00000040.00000400.00020000.00000000.sdmp, 76561199673019888[1].htm.1.dr String found in binary or memory: https://store.steampowered.com/explore/
Source: MSBuild.exe, 00000001.00000002.2097165559.0000000000FD3000.00000004.00000020.00020000.00000000.sdmp, 76561199673019888[1].htm.1.dr String found in binary or memory: https://store.steampowered.com/legal/
Source: MSBuild.exe, 00000001.00000002.2097165559.0000000000FD3000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000001.00000002.2095584347.0000000000434000.00000040.00000400.00020000.00000000.sdmp, 76561199673019888[1].htm.1.dr String found in binary or memory: https://store.steampowered.com/mobile
Source: MSBuild.exe, 00000001.00000002.2097165559.0000000000FD3000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000001.00000002.2095584347.0000000000434000.00000040.00000400.00020000.00000000.sdmp, 76561199673019888[1].htm.1.dr String found in binary or memory: https://store.steampowered.com/news/
Source: MSBuild.exe, 00000001.00000002.2097165559.0000000000FD3000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000001.00000002.2095584347.0000000000434000.00000040.00000400.00020000.00000000.sdmp, 76561199673019888[1].htm.1.dr String found in binary or memory: https://store.steampowered.com/points/shop/
Source: MSBuild.exe, 00000001.00000002.2097165559.0000000000FD3000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000001.00000002.2095584347.0000000000434000.00000040.00000400.00020000.00000000.sdmp, 76561199673019888[1].htm.1.dr String found in binary or memory: https://store.steampowered.com/privacy_agreement/
Source: MSBuild.exe, 00000001.00000002.2097165559.0000000000FD3000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000001.00000002.2095584347.0000000000434000.00000040.00000400.00020000.00000000.sdmp, 76561199673019888[1].htm.1.dr String found in binary or memory: https://store.steampowered.com/stats/
Source: MSBuild.exe, 00000001.00000002.2097165559.0000000000FD3000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000001.00000002.2095584347.0000000000434000.00000040.00000400.00020000.00000000.sdmp, 76561199673019888[1].htm.1.dr String found in binary or memory: https://store.steampowered.com/steam_refunds/
Source: MSBuild.exe, 00000001.00000002.2097165559.0000000000FD3000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000001.00000002.2095584347.0000000000434000.00000040.00000400.00020000.00000000.sdmp, 76561199673019888[1].htm.1.dr String found in binary or memory: https://store.steampowered.com/subscriber_agreement/
Source: KEHCAFHIJECGCAKFCGDBKEGIDH.1.dr String found in binary or memory: https://support.mozilla.org
Source: KEHCAFHIJECGCAKFCGDBKEGIDH.1.dr String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: KEHCAFHIJECGCAKFCGDBKEGIDH.1.dr String found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.zvXrErQ5GYDF
Source: MSBuild.exe, 00000001.00000002.2095584347.0000000000558000.00000040.00000400.00020000.00000000.sdmp, GCBGIIEC.1.dr String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016
Source: GCBGIIEC.1.dr String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples
Source: MSBuild.exe, 00000001.00000002.2095584347.0000000000558000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016ost.exe
Source: MSBuild.exe, 00000001.00000002.2095584347.0000000000558000.00000040.00000400.00020000.00000000.sdmp, GCBGIIEC.1.dr String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17
Source: MSBuild.exe, 00000001.00000002.2095584347.0000000000558000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17.exe
Source: MSBuild.exe, 00000001.00000002.2095584347.0000000000558000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e1730.exe
Source: GCBGIIEC.1.dr String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install
Source: YyIDUCFWC1.exe String found in binary or memory: https://system.data.sqlite.org/
Source: YyIDUCFWC1.exe String found in binary or memory: https://system.data.sqlite.org/X
Source: YyIDUCFWC1.exe, 00000000.00000002.1701548677.0000000003DA5000.00000004.00000800.00020000.00000000.sdmp, YyIDUCFWC1.exe, 00000000.00000002.1701132649.0000000002E75000.00000004.00000800.00020000.00000000.sdmp, YyIDUCFWC1.exe, 00000000.00000002.1701548677.0000000003E3F000.00000004.00000800.00020000.00000000.sdmp, YyIDUCFWC1.exe, 00000000.00000002.1709833273.0000000005CC0000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, MSBuild.exe, 00000001.00000002.2095584347.0000000000400000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://t.me/irfail
Source: YyIDUCFWC1.exe, 00000000.00000002.1701548677.0000000003DA5000.00000004.00000800.00020000.00000000.sdmp, YyIDUCFWC1.exe, 00000000.00000002.1701132649.0000000002E75000.00000004.00000800.00020000.00000000.sdmp, YyIDUCFWC1.exe, 00000000.00000002.1701548677.0000000003E3F000.00000004.00000800.00020000.00000000.sdmp, YyIDUCFWC1.exe, 00000000.00000002.1709833273.0000000005CC0000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000001.00000002.2095584347.0000000000400000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://t.me/irfailAt
Source: YyIDUCFWC1.exe String found in binary or memory: https://urn.to/r/sds_see
Source: YyIDUCFWC1.exe String found in binary or memory: https://urn.to/r/sds_see=isolation
Source: YyIDUCFWC1.exe, nss3.dll.1.dr, mozglue.dll.1.dr, freebl3.dll.1.dr, mozglue[1].dll.1.dr, nss3[1].dll.1.dr, freebl3[1].dll.1.dr, softokn3[1].dll.1.dr, softokn3.dll.1.dr String found in binary or memory: https://www.digicert.com/CPS0
Source: FBFCGIDA.1.dr String found in binary or memory: https://www.ecosia.org/newtab/
Source: FBFCGIDA.1.dr String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: KEHCAFHIJECGCAKFCGDBKEGIDH.1.dr String found in binary or memory: https://www.mozilla.org
Source: MSBuild.exe, 00000001.00000002.2095584347.0000000000558000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/about/
Source: MSBuild.exe, 00000001.00000002.2095584347.0000000000558000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/about/:
Source: KEHCAFHIJECGCAKFCGDBKEGIDH.1.dr String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.VsJpOAWrHqB2
Source: MSBuild.exe, 00000001.00000002.2095584347.0000000000558000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/contribute/
Source: MSBuild.exe, 00000001.00000002.2095584347.0000000000558000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/contribute/HCBFHJJJEG
Source: KEHCAFHIJECGCAKFCGDBKEGIDH.1.dr String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.n0g9CLHwD9nR
Source: MSBuild.exe, 00000001.00000002.2095584347.0000000000558000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/
Source: KEHCAFHIJECGCAKFCGDBKEGIDH.1.dr String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: KEHCAFHIJECGCAKFCGDBKEGIDH.1.dr String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: MSBuild.exe, 00000001.00000002.2095584347.0000000000558000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/
Source: MSBuild.exe, 00000001.00000002.2095584347.0000000000558000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/d=enterpk2016&ui=en-us&rs=en-us&ad=us
Source: KEHCAFHIJECGCAKFCGDBKEGIDH.1.dr String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
Source: YyIDUCFWC1.exe String found in binary or memory: https://www.security.us.panasonic.com
Source: MSBuild.exe, 00000001.00000002.2097165559.0000000000FD3000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000001.00000002.2095584347.0000000000434000.00000040.00000400.00020000.00000000.sdmp, 76561199673019888[1].htm.1.dr String found in binary or memory: https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback
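The URL strings above are dominated by noise: Steam CDN assets pulled when the profile page was fetched, certificate-policy URLs from code-signing chains, and default search-engine URLs copied out of stolen browser profiles. The two that matter are the Steam profile and the Telegram handle, which Vidar-family stealers use as dead-drop resolvers (the C2 address is read from the public page rather than embedded in the binary). The script below, an added example that is not part of the sandbox report or the Joe Sandbox tooling, parses "String found in binary or memory" lines, normalises resolver URLs (a Steam64 ID is exactly 17 digits, so bytes glued on after it such as "ve74rMozilla/5.0" are adjacent memory, not part of the URL), and separates them from expected noise. The NOISE_DOMAINS list and the prefix heuristic that merges "irfailAt" into "irfail" are this example's own assumptions; the sample lines are copied from the section above.

```python
import re
from typing import Dict, List, NamedTuple, Set
from urllib.parse import urlsplit

# Constructed sample: a handful of report lines copied from the section above.
SAMPLE_LINES = [
    "Source: MSBuild.exe, 00000001.00000002.2097165559.0000000000FD3000.00000004.00000020.00020000.00000000.sdmp, 76561199673019888[1].htm.1.dr String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png",
    "Source: YyIDUCFWC1.exe String found in binary or memory: https://sectigo.com/CPS0",
    "Source: YyIDUCFWC1.exe, 00000000.00000002.1701548677.0000000003DA5000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe String found in binary or memory: https://steamcommunity.com/profiles/76561199673019888",
    "Source: MSBuild.exe, 00000001.00000002.2095584347.0000000000400000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/profiles/76561199673019888ve74rMozilla/5.0",
    "Source: 76561199673019888[1].htm.1.dr String found in binary or memory: https://steamcommunity.com/profiles/76561199673019888/badges",
    "Source: YyIDUCFWC1.exe, MSBuild.exe String found in binary or memory: https://t.me/irfail",
    "Source: YyIDUCFWC1.exe, MSBuild.exe String found in binary or memory: https://t.me/irfailAt",
    "Source: FBFCGIDA.1.dr String found in binary or memory: https://duckduckgo.com/ac/?q=",
]

LINE_RE = re.compile(
    r"^Source: (?P<sources>.+?) String found in binary or memory: (?P<url>\S+)$"
)
# Steam64 IDs are 17 digits; the negative lookahead stops a glued digit run.
STEAM_PROFILE_RE = re.compile(r"https://steamcommunity\.com/profiles/(\d{17})(?!\d)")
TELEGRAM_RE = re.compile(r"https://t\.me/([A-Za-z0-9_]+)")

# Assumption for this example: hosts that are expected background noise here
# (CDN assets, CA policy URLs, browser search defaults lifted from profiles).
NOISE_DOMAINS = (
    "steamstatic.com", "steampowered.com", "valvesoftware.com",
    "sectigo.com", "digicert.com", "mozilla.org", "support.office.com",
    "duckduckgo.com", "ecosia.org", "google.com",
)


class Hit(NamedTuple):
    url: str
    sources: List[str]


def parse_lines(lines: List[str]) -> List[Hit]:
    """Split each report line into the URL and the list of sources it was seen in."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            sources = [s.strip() for s in m.group("sources").split(",")]
            hits.append(Hit(m.group("url"), sources))
    return hits


def _collapse_glued(handles: Dict[str, Set[str]]) -> Dict[str, Set[str]]:
    """Heuristic: string extraction glues adjacent memory onto a URL, so a handle
    that extends a shorter extracted handle is folded into the shorter one."""
    merged: Dict[str, Set[str]] = {}
    for h in sorted(handles, key=len):
        base = next((k for k in merged if h.startswith(k)), None)
        merged.setdefault(base or h, set()).update(handles[h])
    return merged


def triage(lines: List[str]) -> Dict[str, object]:
    """Classify URL strings into dead-drop resolvers, known noise and the rest.

    Resolver entries map the identifier to the set of sources it appeared in, so
    an analyst can tell a reference embedded in the sample from the fetched page.
    """
    steam: Dict[str, Set[str]] = {}
    telegram: Dict[str, Set[str]] = {}
    noise: Set[str] = set()
    other: Set[str] = set()
    for hit in parse_lines(lines):
        m = STEAM_PROFILE_RE.match(hit.url)
        if m:
            steam.setdefault(m.group(1), set()).update(hit.sources)
            continue
        m = TELEGRAM_RE.match(hit.url)
        if m:
            telegram.setdefault(m.group(1), set()).update(hit.sources)
            continue
        host = urlsplit(hit.url).hostname or ""
        (noise if host.endswith(NOISE_DOMAINS) else other).add(hit.url)
    return {
        "steam_profile_ids": steam,
        "telegram_handles": _collapse_glued(telegram),
        "noise": noise,
        "other": other,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LINES).items():
        print(key, value)
```

Anything left in "other" after this pass is what deserves a manual look; the resolver identifiers are the IOCs worth pivoting on, and the source sets show that the Steam profile ID appears in the submitted sample's own memory, not only in the downloaded profile page.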
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown Network traffic detected: HTTP traffic on port 49759 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49753 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49752 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49739 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49756 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49758 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49760
Source: unknown Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49760 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49751 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49759
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49758
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49757
Source: unknown Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49755 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49756
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49755
Source: unknown Network traffic detected: HTTP traffic on port 49757 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49754
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49753
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49752
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49751
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49750 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49754 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown HTTPS traffic detected: 23.4.32.216:443 -> 192.168.2.4:49732 version: TLS 1.2
Source: unknown HTTPS traffic detected: 65.109.242.73:443 -> 192.168.2.4:49733 version: TLS 1.2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_00411D10 memset,GetDesktopWindow,GetWindowRect,GetDC,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,GlobalFix,GlobalSize,SelectObject,DeleteObject,DeleteObject,ReleaseDC,CloseWindow, 1_2_00411D10
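The call chain listed for 1_2_00411D10 (GetDesktopWindow, GetDC, CreateCompatibleDC, CreateCompatibleBitmap, BitBlt, then cleanup) is the standard GDI screen-capture sequence: grab the desktop DC, create a compatible bitmap and blit the screen into it. Most "Code function" lines in this report carry no resolved API names, so the ones that do are worth mapping to capabilities automatically. The script below is an added example, not part of the sandbox report or its tooling: it parses "Code function" lines and flags functions whose resolved imports cover a capability signature. The two signatures are the screen-capture chain from the line above and the IsDebuggerPresent check named in the report's signature list; the grouping into named capabilities is this example's own assumption, and the sample lines are copied from the section.

```python
import re
from typing import Dict, List, NamedTuple, Optional, Set

# Constructed sample: "Code function" lines copied from the section above.
# Raw strings keep the backslashes in the Windows path intact.
SAMPLE_LINES = [
    r"Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_00411D10 memset,GetDesktopWindow,GetWindowRect,GetDC,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,GlobalFix,GlobalSize,SelectObject,DeleteObject,DeleteObject,ReleaseDC,CloseWindow, 1_2_00411D10",
    r"Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_6CC262C0 PR_dtoa,PR_GetCurrentThread,strlen,NtFlushVirtualMemory,PR_GetCurrentThread,memcpy,memcpy, 1_2_6CC262C0",
    r"Source: C:\Users\user\Desktop\YyIDUCFWC1.exe Code function: 0_2_6CEFB6B0 0_2_6CEFB6B0",
]

CODE_FUNCTION_RE = re.compile(r"^Source: (?P<process>\S+) Code function: (?P<rest>.+)$")

# Capability signatures (assumption for this example): a function is tagged
# when every API in the set appears among its resolved calls.
CAPABILITIES: Dict[str, Set[str]] = {
    "screen_capture": {
        "GetDesktopWindow", "GetDC", "CreateCompatibleDC",
        "CreateCompatibleBitmap", "BitBlt",
    },
    "anti_debug": {"IsDebuggerPresent"},
}


class CodeFunction(NamedTuple):
    process: str
    func_id: str
    apis: List[str]


def parse_code_function(line: str) -> Optional[CodeFunction]:
    """Parse '<id> <api,api,...,> <id>' or the bare '<id> <id>' form."""
    m = CODE_FUNCTION_RE.match(line.strip())
    if not m:
        return None
    tokens = m.group("rest").split()
    func_id = tokens[0]
    # With three tokens the middle one is the comma-joined API list (trailing comma).
    apis = tokens[1].rstrip(",").split(",") if len(tokens) >= 3 else []
    return CodeFunction(m.group("process"), func_id, [a for a in apis if a])


def capabilities_of(apis: List[str]) -> Set[str]:
    """Return every capability whose full signature is present in the call list."""
    present = set(apis)
    return {name for name, sig in CAPABILITIES.items() if sig <= present}


def scan(lines: List[str]) -> Dict[str, Set[str]]:
    """Map function IDs to matched capabilities, skipping functions with no match."""
    found: Dict[str, Set[str]] = {}
    for line in lines:
        cf = parse_code_function(line)
        if cf is None:
            continue
        caps = capabilities_of(cf.apis)
        if caps:
            found[cf.func_id] = caps
    return found


if __name__ == "__main__":
    for func_id, caps in scan(SAMPLE_LINES).items():
        print(func_id, sorted(caps))
```

Requiring the whole signature rather than any single API keeps GetDC-only UI code from being tagged; a screenshot routine needs the compatible bitmap and the BitBlt copy as well, which is exactly what 1_2_00411D10 shows.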

System Summary

Source: YyIDUCFWC1.exe, type: SAMPLE Matched rule: Detects zgRAT Author: ditekSHen
Source: 0.0.YyIDUCFWC1.exe.680000.0.unpack, type: UNPACKEDPE Matched rule: Detects zgRAT Author: ditekSHen
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_6CC262C0 PR_dtoa,PR_GetCurrentThread,strlen,NtFlushVirtualMemory,PR_GetCurrentThread,memcpy,memcpy, 1_2_6CC262C0
Source: C:\Users\user\Desktop\YyIDUCFWC1.exe Code function: 0_2_6CEFB6B0 0_2_6CEFB6B0
Source: C:\Users\user\Desktop\YyIDUCFWC1.exe Code function: 0_2_6CF4AC29 0_2_6CF4AC29
Source: C:\Users\user\Desktop\YyIDUCFWC1.exe Code function: 0_2_6CEF2D70 0_2_6CEF2D70
Source: C:\Users\user\Desktop\YyIDUCFWC1.exe Code function: 0_2_6CF24EE0 0_2_6CF24EE0
Source: C:\Users\user\Desktop\YyIDUCFWC1.exe Code function: 0_2_6CF14970 0_2_6CF14970
Source: C:\Users\user\Desktop\YyIDUCFWC1.exe Code function: 0_2_6CF14AC0 0_2_6CF14AC0
Source: C:\Users\user\Desktop\YyIDUCFWC1.exe Code function: 0_2_6CF40B89 0_2_6CF40B89
Source: C:\Users\user\Desktop\YyIDUCFWC1.exe Code function: 0_2_6CED8B30 0_2_6CED8B30
Source: C:\Users\user\Desktop\YyIDUCFWC1.exe Code function: 0_2_6CF14550 0_2_6CF14550
Source: C:\Users\user\Desktop\YyIDUCFWC1.exe Code function: 0_2_6CF4A54D 0_2_6CF4A54D
Source: C:\Users\user\Desktop\YyIDUCFWC1.exe Code function: 0_2_6CED6650 0_2_6CED6650
Source: C:\Users\user\Desktop\YyIDUCFWC1.exe Code function: 0_2_6CEDA7E0 0_2_6CEDA7E0
Source: C:\Users\user\Desktop\YyIDUCFWC1.exe Code function: 0_2_6CEDC7B0 0_2_6CEDC7B0
Source: C:\Users\user\Desktop\YyIDUCFWC1.exe Code function: 0_2_6CEEA0C0 0_2_6CEEA0C0
Source: C:\Users\user\Desktop\YyIDUCFWC1.exe Code function: 0_2_6CF263B0 0_2_6CF263B0
Source: C:\Users\user\Desktop\YyIDUCFWC1.exe Code function: 0_2_6CF32310 0_2_6CF32310
Source: C:\Users\user\Desktop\YyIDUCFWC1.exe Code function: 0_2_6CF31CA0 0_2_6CF31CA0
Source: C:\Users\user\Desktop\YyIDUCFWC1.exe Code function: 0_2_6CF13C90 0_2_6CF13C90
Source: C:\Users\user\Desktop\YyIDUCFWC1.exe Code function: 0_2_6CF25DD0 0_2_6CF25DD0
Source: C:\Users\user\Desktop\YyIDUCFWC1.exe Code function: 0_2_6CF45DD2 0_2_6CF45DD2
Source: C:\Users\user\Desktop\YyIDUCFWC1.exe Code function: 0_2_6CF25EB9 0_2_6CF25EB9
Source: C:\Users\user\Desktop\YyIDUCFWC1.exe Code function: 0_2_6CF13E50 0_2_6CF13E50
Source: C:\Users\user\Desktop\YyIDUCFWC1.exe Code function: 0_2_6CF4BFF1 0_2_6CF4BFF1
Source: C:\Users\user\Desktop\YyIDUCFWC1.exe Code function: 0_2_6CF49FFC 0_2_6CF49FFC
Source: C:\Users\user\Desktop\YyIDUCFWC1.exe Code function: 0_2_6CF258D7 0_2_6CF258D7
Source: C:\Users\user\Desktop\YyIDUCFWC1.exe Code function: 0_2_6CF258D5 0_2_6CF258D5
Source: C:\Users\user\Desktop\YyIDUCFWC1.exe Code function: 0_2_6CF25830 0_2_6CF25830
Source: C:\Users\user\Desktop\YyIDUCFWC1.exe Code function: 0_2_6CF4B964 0_2_6CF4B964
Source: C:\Users\user\Desktop\YyIDUCFWC1.exe Code function: 0_2_6CF49AAB 0_2_6CF49AAB
Source: C:\Users\user\Desktop\YyIDUCFWC1.exe Code function: 0_2_6CF13460 0_2_6CF13460
Source: C:\Users\user\Desktop\YyIDUCFWC1.exe Code function: 0_2_6CF25050 0_2_6CF25050
Source: C:\Users\user\Desktop\YyIDUCFWC1.exe Code function: 0_2_6CF25274 0_2_6CF25274
Source: C:\Users\user\Desktop\YyIDUCFWC1.exe Code function: 0_2_6CF13260 0_2_6CF13260
Source: C:\Users\user\Desktop\YyIDUCFWC1.exe Code function: 0_2_02D5C2D8 0_2_02D5C2D8
Source: C:\Users\user\Desktop\YyIDUCFWC1.exe Code function: 0_2_02D58EE8 0_2_02D58EE8
Source: C:\Users\user\Desktop\YyIDUCFWC1.exe Code function: 0_2_02D578E0 0_2_02D578E0
Source: C:\Users\user\Desktop\YyIDUCFWC1.exe Code function: 0_2_02D50D80 0_2_02D50D80
Source: C:\Users\user\Desktop\YyIDUCFWC1.exe Code function: 0_2_02D50D70 0_2_02D50D70
Source: C:\Users\user\Desktop\YyIDUCFWC1.exe Code function: 0_2_02D51521 0_2_02D51521
Source: C:\Users\user\Desktop\YyIDUCFWC1.exe Code function: 0_2_05320040 0_2_05320040
Source: C:\Users\user\Desktop\YyIDUCFWC1.exe Code function: 0_2_05320248 0_2_05320248
Source: C:\Users\user\Desktop\YyIDUCFWC1.exe Code function: 0_2_05B00EB3 0_2_05B00EB3
Source: C:\Users\user\Desktop\YyIDUCFWC1.exe Code function: 0_2_05B026F8 0_2_05B026F8
Source: C:\Users\user\Desktop\YyIDUCFWC1.exe Code function: 0_2_05B00930 0_2_05B00930
Source: C:\Users\user\Desktop\YyIDUCFWC1.exe Code function: 0_2_05B026DC 0_2_05B026DC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_0041D38A 1_2_0041D38A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_0041F4C0 1_2_0041F4C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_0041CE39 1_2_0041CE39
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_0041DFB7 1_2_0041DFB7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_6CA9ECC0 1_2_6CA9ECC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_6CAFECD0 1_2_6CAFECD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_6CB7AC30 1_2_6CB7AC30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_6CB66C00 1_2_6CB66C00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_6CAAAC60 1_2_6CAAAC60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_6CC2CDC0 1_2_6CC2CDC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_6CAA4DB0 1_2_6CAA4DB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_6CB36D90 1_2_6CB36D90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_6CB6ED70 1_2_6CB6ED70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_6CC28D20 1_2_6CC28D20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_6CBCAD50 1_2_6CBCAD50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_6CB26E90 1_2_6CB26E90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_6CAAAEC0 1_2_6CAAAEC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_6CB40EC0 1_2_6CB40EC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_6CB80E20 1_2_6CB80E20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_6CB3EE70 1_2_6CB3EE70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_6CBE8FB0 1_2_6CBE8FB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_6CAAEFB0 1_2_6CAAEFB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_6CB7EFF0 1_2_6CB7EFF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_6CAA0FE0 1_2_6CAA0FE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_6CBE0F20 1_2_6CBE0F20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_6CAA6F10 1_2_6CAA6F10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_6CB62F70 1_2_6CB62F70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_6CB0EF40 1_2_6CB0EF40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_6CBA68E0 1_2_6CBA68E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_6CAF0820 1_2_6CAF0820
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_6CB2A820 1_2_6CB2A820
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_6CB74840 1_2_6CB74840
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_6CB609B0 1_2_6CB609B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_6CB309A0 1_2_6CB309A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_6CB5A9A0 1_2_6CB5A9A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_6CBBC9E0 1_2_6CBBC9E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_6CAD49F0 1_2_6CAD49F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_6CAF6900 1_2_6CAF6900
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_6CAD8960 1_2_6CAD8960
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_6CB1EA80 1_2_6CB1EA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_6CB58A30 1_2_6CB58A30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_6CB4EA00 1_2_6CB4EA00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_6CB1CA70 1_2_6CB1CA70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_6CB40BA0 1_2_6CB40BA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_6CBA6BE0 1_2_6CBA6BE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_6CBCA480 1_2_6CBCA480
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_6CB3A4D0 1_2_6CB3A4D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_6CAE64D0 1_2_6CAE64D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_6CB2A430 1_2_6CB2A430
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_6CB04420 1_2_6CB04420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_6CAB8460 1_2_6CAB8460
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_6CA945B0 1_2_6CA945B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_6CB2E5F0 1_2_6CB2E5F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_6CB6A5E0 1_2_6CB6A5E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_6CB40570 1_2_6CB40570
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_6CB02560 1_2_6CB02560
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_6CBE8550 1_2_6CBE8550
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_6CAF8540 1_2_6CAF8540
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_6CBA4540 1_2_6CBA4540
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_6CAFE6E0 1_2_6CAFE6E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_6CB3E6E0 1_2_6CB3E6E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_6CAC46D0 1_2_6CAC46D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_6CAFC650 1_2_6CAFC650
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_6CACA7D0 1_2_6CACA7D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_6CB20700 1_2_6CB20700
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_6CB7C0B0 1_2_6CB7C0B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_6CAB00B0 1_2_6CAB00B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_6CA98090 1_2_6CA98090
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_6CB68010 1_2_6CB68010
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_6CB6C000 1_2_6CB6C000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_6CAEE070 1_2_6CAEE070
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_6CAA01E0 1_2_6CAA01E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_6CB16130 1_2_6CB16130
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_6CB84130 1_2_6CB84130
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_6CB08140 1_2_6CB08140
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_6CC262C0 1_2_6CC262C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_6CB6E2B0 1_2_6CB6E2B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_6CB722A0 1_2_6CB722A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_6CB78220 1_2_6CB78220
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_6CB6A210 1_2_6CB6A210
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_6CB28260 1_2_6CB28260
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_6CB38250 1_2_6CB38250
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_6CAD23A0 1_2_6CAD23A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_6CAFE3B0 1_2_6CAFE3B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_6CAF43E0 1_2_6CAF43E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_6CB12320 1_2_6CB12320
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_6CB36370 1_2_6CB36370
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_6CBE2370 1_2_6CBE2370
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_6CAA2370 1_2_6CAA2370
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_6CBBC360 1_2_6CBBC360
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_6CAA8340 1_2_6CAA8340
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_6CB3FC80 1_2_6CB3FC80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_6CB61CE0 1_2_6CB61CE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_6CBDDCD0 1_2_6CBDDCD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_6CAB1C30 1_2_6CAB1C30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_6CAA3C40 1_2_6CAA3C40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_6CBC9C40 1_2_6CBC9C40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_6CA93D80 1_2_6CA93D80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_6CBE9D90 1_2_6CBE9D90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_6CB71DC0 1_2_6CB71DC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_6CB03D00 1_2_6CB03D00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_6CAC3EC0 1_2_6CAC3EC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_6CC25E60 1_2_6CC25E60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_6CBADE10 1_2_6CBADE10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_6CBFBE70 1_2_6CBFBE70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_6CC23FC0 1_2_6CC23FC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_6CAC1F90 1_2_6CAC1F90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_6CB4BFF0 1_2_6CB4BFF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_6CBBDFC0 1_2_6CBBDFC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_6CAD5F20 1_2_6CAD5F20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_6CA95F30 1_2_6CA95F30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_6CBF7F20 1_2_6CBF7F20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_6CB7F8F0 1_2_6CB7F8F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_6CAAD8E0 1_2_6CAAD8E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_6CAD38E0 1_2_6CAD38E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_6CBFB8F0 1_2_6CBFB8F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_6CB3F8C0 1_2_6CB3F8C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: String function: 6CAC9B10 appears 76 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: String function: 6CC2DAE0 appears 60 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: String function: 6CAC3620 appears 74 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: String function: 6CC2D930 appears 49 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: String function: 6CBD9F30 appears 31 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: String function: 00402360 appears 286 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: String function: 6CC209D0 appears 268 times
Source: C:\Users\user\Desktop\YyIDUCFWC1.exe Code function: String function: 6CF390D8 appears 51 times
Source: C:\Users\user\Desktop\YyIDUCFWC1.exe Code function: String function: 6CF3D520 appears 31 times
Source: C:\Users\user\Desktop\YyIDUCFWC1.exe Code function: String function: 6CF39B35 appears 141 times
Source: YyIDUCFWC1.exe Static PE information: invalid certificate
Source: YyIDUCFWC1.exe, 00000000.00000002.1701548677.000000000449D000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameWindowsApp1.dll8 vs YyIDUCFWC1.exe
Source: YyIDUCFWC1.exe, 00000000.00000002.1709795517.0000000005B41000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameProtect.dll8 vs YyIDUCFWC1.exe
Source: YyIDUCFWC1.exe, 00000000.00000002.1701548677.0000000004312000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameWindowsApp1.dll8 vs YyIDUCFWC1.exe
Source: YyIDUCFWC1.exe, 00000000.00000002.1709599903.0000000005AD0000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameProtect.dll8 vs YyIDUCFWC1.exe
Source: YyIDUCFWC1.exe, 00000000.00000002.1699708698.0000000000F1E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs YyIDUCFWC1.exe
Source: YyIDUCFWC1.exe, 00000000.00000000.1691360547.0000000000682000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameNewtonsoft.Json.dll4 vs YyIDUCFWC1.exe
Source: YyIDUCFWC1.exe, 00000000.00000000.1691360547.0000000000682000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameAWSVPNClient.Core.dllD vs YyIDUCFWC1.exe
Source: YyIDUCFWC1.exe, 00000000.00000000.1691360547.0000000000682000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameSystem.Data.SQLite.dllF vs YyIDUCFWC1.exe
Source: YyIDUCFWC1.exe, 00000000.00000000.1691360547.0000000000682000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenamenewsmakeformula_city7.exeL, vs YyIDUCFWC1.exe
Source: YyIDUCFWC1.exe, 00000000.00000002.1708250819.0000000005848000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameWindowsApp1.dll8 vs YyIDUCFWC1.exe
Source: YyIDUCFWC1.exe, 00000000.00000002.1701132649.0000000002DA1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameProtect.dll8 vs YyIDUCFWC1.exe
Source: YyIDUCFWC1.exe Binary or memory string: OriginalFilenameNewtonsoft.Json.dll4 vs YyIDUCFWC1.exe
Source: YyIDUCFWC1.exe Binary or memory string: OriginalFilenameAWSVPNClient.Core.dllD vs YyIDUCFWC1.exe
Source: YyIDUCFWC1.exe Binary or memory string: OriginalFilenameSystem.Data.SQLite.dllF vs YyIDUCFWC1.exe
Source: YyIDUCFWC1.exe Binary or memory string: OriginalFilenamenewsmakeformula_city7.exeL, vs YyIDUCFWC1.exe
Source: YyIDUCFWC1.exe Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: YyIDUCFWC1.exe, type: SAMPLE Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 0.0.YyIDUCFWC1.exe.680000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: YyIDUCFWC1.exe, Module1.cs Cryptographic APIs: 'TransformFinalBlock'
Source: YyIDUCFWC1.exe, mEqmoE9UxRmX9ogcto.cs Cryptographic APIs: 'CreateDecryptor'
Source: YyIDUCFWC1.exe, mEqmoE9UxRmX9ogcto.cs Cryptographic APIs: 'CreateDecryptor'
Source: YyIDUCFWC1.exe, mEqmoE9UxRmX9ogcto.cs Cryptographic APIs: 'CreateDecryptor'
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@3/27@1/2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_6CB00300 MapViewOfFile,GetLastError,FormatMessageA,PR_LogPrint,GetLastError,PR_SetError, 1_2_6CB00300
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_00410AA0 CreateToolhelp32Snapshot,Process32First,Process32Next,Process32Next,CloseHandle, 1_2_00410AA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_00411020 CoInitializeEx,CoInitializeSecurity,CoCreateInstance,CoSetProxyBlanket,VariantInit,FileTimeToSystemTime,GetProcessHeap,HeapAlloc,wsprintfA,VariantClear, 1_2_00411020
Source: C:\Users\user\Desktop\YyIDUCFWC1.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\YyIDUCFWC1.exe.log
Source: C:\Users\user\Desktop\YyIDUCFWC1.exe Mutant created: NULL
Source: C:\Users\user\Desktop\YyIDUCFWC1.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\Protect544cd51a.dll
Source: C:\Users\user\Desktop\YyIDUCFWC1.exe File created: C:\Users\user\AppData\Local\Temp\Protect544cd51a.dll
Source: YyIDUCFWC1.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: YyIDUCFWC1.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.98%
Source: C:\Users\user\Desktop\YyIDUCFWC1.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: softokn3[1].dll.1.dr, softokn3.dll.1.dr Binary or memory string: CREATE TABLE metaData (id PRIMARY KEY UNIQUE ON CONFLICT REPLACE, item1, item2);
Source: nss3.dll.1.dr, nss3[1].dll.1.dr, sqln[1].dll.1.dr Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: softokn3[1].dll.1.dr, softokn3.dll.1.dr Binary or memory string: SELECT ALL * FROM %s LIMIT 0;
Source: nss3.dll.1.dr, nss3[1].dll.1.dr, sqln[1].dll.1.dr Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: nss3.dll.1.dr, nss3[1].dll.1.dr, sqln[1].dll.1.dr Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: nss3.dll.1.dr, nss3[1].dll.1.dr, sqln[1].dll.1.dr Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: softokn3[1].dll.1.dr, softokn3.dll.1.dr Binary or memory string: UPDATE %s SET %s WHERE id=$ID;
Source: sqln[1].dll.1.dr Binary or memory string: INSERT INTO "%w"."%w"("%w") VALUES('integrity-check');
Source: softokn3[1].dll.1.dr, softokn3.dll.1.dr Binary or memory string: SELECT ALL * FROM metaData WHERE id=$ID;
Source: softokn3[1].dll.1.dr, softokn3.dll.1.dr Binary or memory string: SELECT ALL id FROM %s WHERE %s;
Source: softokn3[1].dll.1.dr, softokn3.dll.1.dr Binary or memory string: INSERT INTO metaData (id,item1) VALUES($ID,$ITEM1);
Source: sqln[1].dll.1.dr Binary or memory string: CREATE TABLE IF NOT EXISTS %s.'rbu_tmp_%q' AS SELECT *%s FROM '%q' WHERE 0;
Source: softokn3[1].dll.1.dr, softokn3.dll.1.dr Binary or memory string: INSERT INTO %s (id%s) VALUES($ID%s);
Source: nss3.dll.1.dr, nss3[1].dll.1.dr, sqln[1].dll.1.dr Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: nss3.dll.1.dr, nss3[1].dll.1.dr, sqln[1].dll.1.dr Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: softokn3[1].dll.1.dr, softokn3.dll.1.dr Binary or memory string: INSERT INTO metaData (id,item1,item2) VALUES($ID,$ITEM1,$ITEM2);
Source: sqln[1].dll.1.dr Binary or memory string: CREATE TABLE x(addr INT,opcode TEXT,p1 INT,p2 INT,p3 INT,p4 TEXT,p5 INT,comment TEXT,subprog TEXT,nexec INT,ncycle INT,stmt HIDDEN);
Source: KFIEHIIIJDAAAAAAKECB.1.dr Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: sqln[1].dll.1.dr Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
Source: softokn3[1].dll.1.dr, softokn3.dll.1.dr Binary or memory string: SELECT ALL * FROM %s LIMIT 0;CREATE TEMPORARY TABLE %s AS SELECT * FROM %sD
Source: sqln[1].dll.1.dr Binary or memory string: CREATE TABLE x(type TEXT,schema TEXT,name TEXT,wr INT,subprog TEXT,stmt HIDDEN);
Source: softokn3[1].dll.1.dr, softokn3.dll.1.dr Binary or memory string: SELECT DISTINCT %s FROM %s where id=$ID LIMIT 1;
Source: YyIDUCFWC1.exe ReversingLabs: Detection: 26%
Source: YyIDUCFWC1.exe Virustotal: Detection: 26%
Source: YyIDUCFWC1.exe String found in binary or memory: --start
Source: YyIDUCFWC1.exe String found in binary or memory: AConnecting using command {0} {1}gThe start process did not return within the timeout7Helper app --start output:
Source: YyIDUCFWC1.exe String found in binary or memory: Action3http://ACVC.WPF.Service.Wcf/IOvpnProcessRunner/StopT
Source: YyIDUCFWC1.exe String found in binary or memory: Action3http://ACVC.WPF.Service.Wcf/IOvpnProcessRunner/StopT
Source: YyIDUCFWC1.exe String found in binary or memory: ReplyAction;http://ACVC.WPF.Service.Wcf/IOvpnProcessRunner/StopResponseR
Source: YyIDUCFWC1.exe String found in binary or memory: ReplyAction;http://ACVC.WPF.Service.Wcf/IOvpnProcessRunner/StopResponseR
Source: YyIDUCFWC1.exe String found in binary or memory: Download/Install
Source: YyIDUCFWC1.exe String found in binary or memory: U/configuration/appSettings/add[@key='{0}']
Source: unknown Process created: C:\Users\user\Desktop\YyIDUCFWC1.exe "C:\Users\user\Desktop\YyIDUCFWC1.exe"
Source: C:\Users\user\Desktop\YyIDUCFWC1.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
Source: C:\Users\user\Desktop\YyIDUCFWC1.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
Source: C:\Users\user\Desktop\YyIDUCFWC1.exe Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\YyIDUCFWC1.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\YyIDUCFWC1.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\YyIDUCFWC1.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\YyIDUCFWC1.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\YyIDUCFWC1.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\YyIDUCFWC1.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\YyIDUCFWC1.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\YyIDUCFWC1.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\YyIDUCFWC1.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\YyIDUCFWC1.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\YyIDUCFWC1.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\YyIDUCFWC1.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\YyIDUCFWC1.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\YyIDUCFWC1.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\YyIDUCFWC1.exe Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\YyIDUCFWC1.exe Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\YyIDUCFWC1.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\YyIDUCFWC1.exe Section loaded: winmm.dll
Source: C:\Users\user\Desktop\YyIDUCFWC1.exe Section loaded: sxs.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: sspicli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: wininet.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: rstrtmgr.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: ncrypt.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: ntasn1.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: dbghelp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: iertutil.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: windows.storage.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: wldp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: profapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: winhttp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: mswsock.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: iphlpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: winnsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: urlmon.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: srvcli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: netutils.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: dnsapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: rasadhlp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: schannel.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: mskeyprotect.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: msasn1.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: dpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: gpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: ncryptsslp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: wbemcomn.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: amsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: userenv.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: uxtheme.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: sxs.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: ntmarta.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: mozglue.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: wsock32.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: vcruntime140.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: msvcp140.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: vcruntime140.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\YyIDUCFWC1.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
Source: C:\Users\user\Desktop\YyIDUCFWC1.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: YyIDUCFWC1.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: YyIDUCFWC1.exe Static PE information: Virtual size of .text is bigger than: 0x100000
Source: YyIDUCFWC1.exe Static file information: File size 4479608 > 1048576
Source: YyIDUCFWC1.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0x431800
Source: YyIDUCFWC1.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: mozglue.pdbP source: MSBuild.exe, 00000001.00000002.2111715611.000000006CF6D000.00000002.00000001.01000000.0000000B.sdmp, mozglue.dll.1.dr, mozglue[1].dll.1.dr
Source: Binary string: freebl3.pdb source: freebl3.dll.1.dr, freebl3[1].dll.1.dr
Source: Binary string: freebl3.pdbp source: freebl3.dll.1.dr, freebl3[1].dll.1.dr
Source: Binary string: nss3.pdb@ source: MSBuild.exe, 00000001.00000002.2110913060.000000006CC2F000.00000002.00000001.01000000.0000000A.sdmp, nss3.dll.1.dr, nss3[1].dll.1.dr
Source: Binary string: c:\MyProjects\gitlab\ILProtector\ILProtector\Output2010\Win32\Release\Protect32.pdb source: YyIDUCFWC1.exe, 00000000.00000002.1701548677.000000000449D000.00000004.00000800.00020000.00000000.sdmp, YyIDUCFWC1.exe, 00000000.00000002.1701548677.0000000004312000.00000004.00000800.00020000.00000000.sdmp, YyIDUCFWC1.exe, 00000000.00000002.1708250819.00000000056C0000.00000004.08000000.00040000.00000000.sdmp, YyIDUCFWC1.exe, 00000000.00000002.1710476616.000000006CF54000.00000002.00000001.01000000.00000007.sdmp, Protect544cd51a.dll.0.dr
Source: Binary string: C:\dev\sqlite\dotnet-private\obj\2015\System.Data.SQLite.2015\Release\System.Data.SQLite.pdb source: YyIDUCFWC1.exe
Source: Binary string: C:\Users\sc-client\Jenkins\workspace\WindowsBuild\SecureConnectClient\ACVC.Core\obj\WinRelease\netstandard2.0\AWSVPNClient.Core.pdbSHA256 source: YyIDUCFWC1.exe
Source: Binary string: C:\dev\sqlite\dotnet-private\obj\2015\System.Data.SQLite.2015\Release\System.Data.SQLite.pdb\ source: YyIDUCFWC1.exe
Source: Binary string: softokn3.pdb@ source: softokn3[1].dll.1.dr, softokn3.dll.1.dr
Source: Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: vcruntime140[1].dll.1.dr, vcruntime140.dll.1.dr
Source: Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdb source: msvcp140.dll.1.dr, msvcp140[1].dll.1.dr
Source: Binary string: C:\Users\sc-client\Jenkins\workspace\WindowsBuild\SecureConnectClient\ACVC.Core\obj\WinRelease\netstandard2.0\AWSVPNClient.Core.pdb source: YyIDUCFWC1.exe
Source: Binary string: nss3.pdb source: MSBuild.exe, 00000001.00000002.2110913060.000000006CC2F000.00000002.00000001.01000000.0000000A.sdmp, nss3.dll.1.dr, nss3[1].dll.1.dr
Source: Binary string: C:\Users\Dan\Desktop\work\sqlite\tmp\sqlite_bld_dir\2\sqlite3.pdb source: MSBuild.exe, 00000001.00000002.2105558542.0000000019808000.00000002.00001000.00020000.00000000.sdmp, MSBuild.exe, 00000001.00000002.2099739476.0000000013898000.00000004.00000020.00020000.00000000.sdmp, sqln[1].dll.1.dr
Source: Binary string: mozglue.pdb source: MSBuild.exe, 00000001.00000002.2111715611.000000006CF6D000.00000002.00000001.01000000.0000000B.sdmp, mozglue.dll.1.dr, mozglue[1].dll.1.dr
Source: Binary string: softokn3.pdb source: softokn3[1].dll.1.dr, softokn3.dll.1.dr
Source: Binary string: c:\MyProjects\gitlab\ILProtector\ILProtector\Output2010\x64\Release\Protect64.pdb source: YyIDUCFWC1.exe, 00000000.00000002.1708250819.000000000577A000.00000004.08000000.00040000.00000000.sdmp, YyIDUCFWC1.exe, 00000000.00000002.1701548677.00000000043CE000.00000004.00000800.00020000.00000000.sdmp, YyIDUCFWC1.exe, 00000000.00000002.1701548677.0000000004243000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: c:\Temp\Json\Working\Newtonsoft.Json\Src\Newtonsoft.Json\obj\Release\Newtonsoft.Json.pdb source: YyIDUCFWC1.exe

Data Obfuscation

Source: YyIDUCFWC1.exe, mEqmoE9UxRmX9ogcto.cs .Net Code: Type.GetTypeFromHandle(CfGIXtTdcZLAtxDM4Z.zlLGFC8v8FsZ4(16777503)).GetMethod("GetDelegateForFunctionPointer", new Type[2]{Type.GetTypeFromHandle(CfGIXtTdcZLAtxDM4Z.zlLGFC8v8FsZ4(16777307)),Type.GetTypeFromHandle(CfGIXtTdcZLAtxDM4Z.zlLGFC8v8FsZ4(16777260))})
Source: YyIDUCFWC1.exe, hrwN54ssk66JhR0d65a.cs .Net Code: pkqf1sPLYHfD2WBJfKjH System.Reflection.Assembly.Load(byte[])
Source: YyIDUCFWC1.exe Static PE information: 0xAC500F2F [Wed Aug 10 19:31:59 2061 UTC]
Source: C:\Users\user\Desktop\YyIDUCFWC1.exe Code function: 0_2_6CEEB6C0 GetModuleHandleW,GetModuleHandleW,LoadLibraryW,GetProcAddress,__cftoe,GetModuleHandleW,GetProcAddress, 0_2_6CEEB6C0
Source: C:\Users\user\Desktop\YyIDUCFWC1.exe Code function: 0_2_6CF3CC2B push ecx; ret 0_2_6CF3CC3E
Source: C:\Users\user\Desktop\YyIDUCFWC1.exe Code function: 0_2_6CF3D565 push ecx; ret 0_2_6CF3D578
Source: C:\Users\user\Desktop\YyIDUCFWC1.exe Code function: 0_2_02D54743 push ds; iretd 0_2_02D54744
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_0041A4E5 push ecx; ret 1_2_0041A4F8
Source: YyIDUCFWC1.exe, hrwN54ssk66JhR0d65a.cs High entropy of concatenated method names: 'lLHifFIsCLsZtjvFfN0i', 'tsFkXCLB65', 'V2hk1qXaN6', 'VIcAsHPLk0x0qMOGDsUM', 'AlGEkNPLR6uMGdG1y6Fn', 'XbGKZJPLqpgb8KM4dYNO', 'TFKckiPLlTiYWYmTuprl', 'SxfBmKPLsova8eEhejPp', 'fws0jCPLoKnUFSdfYYPp', 'l99dCbPLVe4inAOWaG2i'
Source: YyIDUCFWC1.exe, Context.cs High entropy of concatenated method names: 'Add', 'ContainsKey', 'Remove', 'TryGetValue', 'Add', 'Clear', 'Contains', 'CopyTo', 'Remove', 'GetEnumerator'
Source: YyIDUCFWC1.exe, Form1.cs High entropy of concatenated method names: 'Dispose', 'InitializeComponent', 'kWr4EX5Gd857rgq7rv', 'Tnp50ng4OqUnov4Fxb', 'tCSbgiwQoAlj0QLZ36', 'cI0MyEaTG7OotqrxMs', 'OOC1K84P5qL9DRVtmF', 'OiNNB5hg5t7XaB8AG6', 'dxD2y4rqQoZEmsew5J'
Source: YyIDUCFWC1.exe, mEqmoE9UxRmX9ogcto.cs High entropy of concatenated method names: 'Q5MkM5QYd3', 'Tipv3tPTMYJ73eGHyD8t', 'zGgUq6PTckEu7BpQjCFR', 'sQrX3QPTZiBvbHfgVOBV', 'fHSkdAnkJf', 'k96k7mkjK6', 't26kG3LxyN', 'WBQk3NCaKd', 'AgYkLp4qOr', 'UPXIAdPTAdlLUbv9SeBu'
Source: YyIDUCFWC1.exe, TimesheetDetailView.cs High entropy of concatenated method names: 'nH2csNPoDkxv3xVMPkEc', 'tI5AITPozrBsvLDxmKkk', 'louZwoPVIx35aw75X1WY', 's3PYHsPVPkUkR6vqItE8', 'QfXCUmPV1Ne1wQ5C6Va5', 'mU6K5PPVtd4ryAqNpWI8', 'yauu6iPVnfvoi7tbbDpj', 'R1WkAMPV6BgQ0IlNt6MB', 'kAc54APoffcgC6emZXhR', 'Q72JRtPo3ltPjl20kZQQ'
Source: YyIDUCFWC1.exe, IoBoardsSet.cs High entropy of concatenated method names: 'AddIoBoardRow', 'AddIoBoardRow', 'Clone', 'CreateInstance', 'InitVars', 'InitClass', 'NewIoBoardRow', 'NewRowFromBuilder', 'GetRowType', 'OnRowChanged'
Source: YyIDUCFWC1.exe, DoorsSet.cs High entropy of concatenated method names: 'AddDoorRow', 'AddDoorRow', 'Clone', 'CreateInstance', 'InitVars', 'InitClass', 'NewDoorRow', 'NewRowFromBuilder', 'GetRowType', 'OnRowChanged'
Source: YyIDUCFWC1.exe, TimesheetUsersDetailView.cs High entropy of concatenated method names: 'wmbaswPYDXyNgv38BvAQ', 'PgPDXZPYzmwP9sje52Ee', 'gwMyRuPdIWxnLajCmGSs', 'PVJy9lPdPhVqL15VO2Bp', 'v2td2SPd1rhqvYRfFdud', 'WlUSX8Pdte2ZhoINriUj', 'Q8ABT6PdnkqMxRM7oKOK', 'feW1XXPd643ep26o9DDA', 'yENk1jPdWCOeNnHyeFD9', 'AoihPKPdJDiR1rpe792v'
Source: YyIDUCFWC1.exe, EventsSet.cs High entropy of concatenated method names: 'AddEventRow', 'AddEventRow', 'Clone', 'CreateInstance', 'InitVars', 'InitClass', 'NewEventRow', 'NewRowFromBuilder', 'GetRowType', 'OnRowChanged'
Source: YyIDUCFWC1.exe, IoBoardOutputsSet.cs High entropy of concatenated method names: 'AddIoBoardOutputRow', 'AddIoBoardOutputRow', 'Clone', 'CreateInstance', 'InitVars', 'InitClass', 'NewIoBoardOutputRow', 'NewRowFromBuilder', 'GetRowType', 'OnRowChanged'
Source: YyIDUCFWC1.exe, TimesheetSummaryView.cs High entropy of concatenated method names: 'hSqRhvP9mgWaYjvT2kDB', 'sjYSeJP9x1aOTX0lQkPX', 'cUt3XtP9vWCHiGkcUYD0', 'LVK7uyP9jQyeekgUG9bc', 'wILFROP9e1VryiymYFrO', 'V5PxZXP9fM1PfkKlVYol', 'q6KxrQP93XF02cxxaigD', 'j29Hd5P9DplPnRdCFEJ5', 'AyGNe8P9StklH3e5lMjc', 'oL01VVP9Xgkk5uaivu9v'
Source: YyIDUCFWC1.exe, IoBoardInputsSet.cs High entropy of concatenated method names: 'AddIoBoardInputRow', 'AddIoBoardInputRow', 'Clone', 'CreateInstance', 'InitVars', 'InitClass', 'NewIoBoardInputRow', 'NewRowFromBuilder', 'GetRowType', 'OnRowChanged'
Source: YyIDUCFWC1.exe, AccessLevelDetailSet.cs High entropy of concatenated method names: 'AddAccessLevelDetailRow', 'AddAccessLevelDetailRow', 'Clone', 'CreateInstance', 'InitVars', 'InitClass', 'NewAccessLevelDetailRow', 'NewRowFromBuilder', 'GetRowType', 'OnRowChanged'
Source: YyIDUCFWC1.exe, TimesheetUsersDetailSet.cs High entropy of concatenated method names: 'AddTimesheetUsersDetailRow', 'AddTimesheetUsersDetailRow', 'Clone', 'CreateInstance', 'InitVars', 'InitClass', 'NewTimesheetUsersDetailRow', 'NewRowFromBuilder', 'GetRowType', 'OnRowChanged'
Source: YyIDUCFWC1.exe, TimesheetCategoriesSet.cs High entropy of concatenated method names: 'AddTimesheetCategoryRow', 'AddTimesheetCategoryRow', 'Clone', 'CreateInstance', 'InitVars', 'InitClass', 'NewTimesheetCategoryRow', 'NewRowFromBuilder', 'GetRowType', 'OnRowChanged'
Source: YyIDUCFWC1.exe, TimesheetSummarySet.cs High entropy of concatenated method names: 'AddTimesheetSummaryRow', 'AddTimesheetSummaryRow', 'Clone', 'CreateInstance', 'InitVars', 'InitClass', 'NewTimesheetSummaryRow', 'NewRowFromBuilder', 'GetRowType', 'OnRowChanged'
Source: YyIDUCFWC1.exe, OemClient.cs High entropy of concatenated method names: 'Initialise', 'GetListOfOperators', 'GetOperatorLevel', 'GetOperatorLevel', 'AuthenticateUser', 'AuthenticateUser', 'AuthenticateUser', 'AuthenticateUser', 'ValidateOperator', 'CheckUserPermissionLevel'
Source: YyIDUCFWC1.exe, TimezonesSet.cs High entropy of concatenated method names: 'AddTimezonesRow', 'AddTimezonesRow', 'Clone', 'CreateInstance', 'InitVars', 'InitClass', 'NewTimezonesRow', 'NewRowFromBuilder', 'GetRowType', 'OnRowChanged'
Source: YyIDUCFWC1.exe, CardView.cs High entropy of concatenated method names: 'bjvf5H2abDegFgs1fxu', 'Me8Z0724J4Kn8R0QfhI', 'qyN8Uk2hHSSkwpRCVq1', 'xXW7U42rr8UNYmVWo5t', 'cinJtk2uf1OBbHj6MUk', 'qV0rv02NUaesGv8k8xr', 'RnOZbO2UGlVuxXILDX2', 'UUafni2pTG7LRa9a1q8'
Source: YyIDUCFWC1.exe, UsersSet.cs High entropy of concatenated method names: 'AddUserRow', 'AddUserRow', 'Clone', 'CreateInstance', 'InitVars', 'InitClass', 'NewUserRow', 'NewRowFromBuilder', 'GetRowType', 'OnRowChanged'
Source: YyIDUCFWC1.exe, UserView.cs High entropy of concatenated method names: 'qOCWirPOJ8NTP6oVysLn', 'N1lqtGPObLhnSMJaG8rG', 'QkUP2APOkj6prMtU4pXx', 'PQCc7cPORCZqCrUdpBBM', 'PD5PW2POq4LMvIxvrvBh', 'a182U5POluS17AlCURGD', 'wuoISIPOsr71qS0TwRTv', 'DaTfU5POonDkEGZltIAP', 'kOWhc0POVDKtXBXPOWxa', 'mTdN8FPOyN389U1yLthS'
Source: YyIDUCFWC1.exe, StaffCategoriesSet.cs High entropy of concatenated method names: 'AddStaffCategoryRow', 'AddStaffCategoryRow', 'Clone', 'CreateInstance', 'InitVars', 'InitClass', 'NewStaffCategoryRow', 'NewRowFromBuilder', 'GetRowType', 'OnRowChanged'
Source: YyIDUCFWC1.exe, CardsSet.cs High entropy of concatenated method names: 'AddCardRow', 'AddCardRow', 'GetEnumerator', 'Clone', 'CreateInstance', 'InitVars', 'InitClass', 'NewCardRow', 'NewRowFromBuilder', 'GetRowType'
Source: YyIDUCFWC1.exe, CameraAuthenticationsSet.cs High entropy of concatenated method names: 'AddCameraAuthenticationRow', 'AddCameraAuthenticationRow', 'Clone', 'CreateInstance', 'InitVars', 'InitClass', 'NewCameraAuthenticationRow', 'NewRowFromBuilder', 'GetRowType', 'OnRowChanged'
Source: YyIDUCFWC1.exe, DepartmentsSet.cs High entropy of concatenated method names: 'AddDepartmentRow', 'AddDepartmentRow', 'Clone', 'CreateInstance', 'InitVars', 'InitClass', 'NewDepartmentRow', 'NewRowFromBuilder', 'GetRowType', 'OnRowChanged'
Source: YyIDUCFWC1.exe, OperatorSet.cs High entropy of concatenated method names: 'AddOperatorRow', 'AddOperatorRow', 'Clone', 'CreateInstance', 'InitVars', 'InitClass', 'NewOperatorRow', 'NewRowFromBuilder', 'GetRowType', 'OnRowChanged'
Source: YyIDUCFWC1.exe, CardTemplateSet.cs High entropy of concatenated method names: 'AddCardTemplatesRow', 'AddCardTemplatesRow', 'FindByCardId', 'Clone', 'CreateInstance', 'InitVars', 'InitClass', 'NewCardTemplatesRow', 'NewRowFromBuilder', 'GetRowType'
Source: YyIDUCFWC1.exe, TimesheetEventLogsSet.cs High entropy of concatenated method names: 'AddTimesheetEventLogRow', 'AddTimesheetEventLogRow', 'Clone', 'CreateInstance', 'InitVars', 'InitClass', 'NewTimesheetEventLogRow', 'NewRowFromBuilder', 'GetRowType', 'OnRowChanged'
Source: YyIDUCFWC1.exe, CamerasSet.cs High entropy of concatenated method names: 'AddCameraRow', 'AddCameraRow', 'FindByID', 'Clone', 'CreateInstance', 'InitVars', 'InitClass', 'NewCameraRow', 'NewRowFromBuilder', 'GetRowType'
Source: YyIDUCFWC1.exe, CardTypesSet.cs High entropy of concatenated method names: 'AddCardTypeRow', 'AddCardTypeRow', 'Clone', 'CreateInstance', 'InitVars', 'InitClass', 'NewCardTypeRow', 'NewRowFromBuilder', 'GetRowType', 'OnRowChanged'
Source: YyIDUCFWC1.exe, IndividualReaderAreasSet.cs High entropy of concatenated method names: 'AddIndividualReaderAreasRow', 'AddIndividualReaderAreasRow', 'Clone', 'CreateInstance', 'InitVars', 'InitClass', 'NewIndividualReaderAreasRow', 'NewRowFromBuilder', 'GetRowType', 'OnRowChanged'
Source: YyIDUCFWC1.exe, RawEvent.cs High entropy of concatenated method names: 'AddEventRow', 'AddEventRow', 'Clone', 'CreateInstance', 'InitVars', 'InitClass', 'NewEventRow', 'NewRowFromBuilder', 'GetRowType', 'OnRowChanged'
Source: YyIDUCFWC1.exe, TimesheetDetailsSet.cs High entropy of concatenated method names: 'AddTimesheetDetailRow', 'AddTimesheetDetailRow', 'Clone', 'CreateInstance', 'InitVars', 'InitClass', 'NewTimesheetDetailRow', 'NewRowFromBuilder', 'GetRowType', 'OnRowChanged'
Source: YyIDUCFWC1.exe, ClientHeartBeat.cs High entropy of concatenated method names: '_003CRunHeartBeat_003Eb__2', '_003CRunHeartBeat_003Eb__5', '_003CChangeServerConnectionState_003Eb__18', '_003CGetNextClientInstance_003Eb__1c', '_003CUnregisterClient_003Eb__23', 'RunHeartBeat', 'RunClientChecks', 'CheckServerReconnection', 'ChangeServerConnectionState', 'GetNextClientInstance'
Source: YyIDUCFWC1.exe, AccessLevelsSet.cs High entropy of concatenated method names: 'AddAccessLevelRow', 'AddAccessLevelRow', 'Clone', 'CreateInstance', 'InitVars', 'InitClass', 'NewAccessLevelRow', 'NewRowFromBuilder', 'GetRowType', 'OnRowChanged'
Source: YyIDUCFWC1.exe, EventView.cs High entropy of concatenated method names: 'VaMcMrvcxjskXqJcyAu', 'VWedAqvZu0IinNUcmHM', 'mYUvsEvEXQwrXQZwd5c', 'xXs6euvi8x4jSIfmTxW', 'Mv1ZLDv8bNktrRIvW0s', 'gd91ChvQy6x9g6lVj8y', 'Q0w6UGvGZrXC2QO5H9L', 'D2YH2Wv2YqdPWVGxRVw', 'qiqwyavAaXPnHMuRpnB', 'mq2BjxvS08IURxeCXIp'
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\vcruntime140[1].dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File created: C:\ProgramData\nss3.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File created: C:\ProgramData\mozglue.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\nss3[1].dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\softokn3[1].dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\freebl3[1].dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\mozglue[1].dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File created: C:\ProgramData\msvcp140.dll
Source: C:\Users\user\Desktop\YyIDUCFWC1.exe File created: C:\Users\user\AppData\Local\Temp\Protect544cd51a.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File created: C:\ProgramData\freebl3.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\msvcp140[1].dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File created: C:\ProgramData\vcruntime140.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\sqln[1].dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File created: C:\ProgramData\softokn3.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_004185A0 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 1_2_004185A0
Source: C:\Users\user\Desktop\YyIDUCFWC1.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: Yara match File source: Process Memory Space: YyIDUCFWC1.exe PID: 5480, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: MSBuild.exe PID: 6360, type: MEMORYSTR
Source: MSBuild.exe Binary or memory string: DIR_WATCH.DLL
Source: MSBuild.exe Binary or memory string: SBIEDLL.DLL
Source: MSBuild.exe Binary or memory string: API_LOG.DLL
Source: MSBuild.exe, 00000001.00000002.2095584347.0000000000400000.00000040.00000400.00020000.00000000.sdmp Binary or memory string: AAVGHOOKX.DLLAVGHOOKA.DLLSNXHK.DLLSBIEDLL.DLLAPI_LOG.DLLDIR_WATCH.DLLPSTOREC.DLLVMCHECK.DLLWPESPY.DLLCMDVRT32.DLLCMDVRT64.DLL
Source: C:\Users\user\Desktop\YyIDUCFWC1.exe Memory allocated: 2C00000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\YyIDUCFWC1.exe Memory allocated: 2DA0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\YyIDUCFWC1.exe Memory allocated: 4DA0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\YyIDUCFWC1.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\vcruntime140[1].dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Dropped PE file which has not been started: C:\ProgramData\nss3.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\nss3[1].dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\softokn3[1].dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\freebl3[1].dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\mozglue[1].dll
Source: C:\Users\user\Desktop\YyIDUCFWC1.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Protect544cd51a.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Dropped PE file which has not been started: C:\ProgramData\freebl3.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\msvcp140[1].dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\sqln[1].dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Dropped PE file which has not been started: C:\ProgramData\softokn3.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe API coverage: 5.6 %
Source: C:\Users\user\Desktop\YyIDUCFWC1.exe TID: 6576 Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\Desktop\YyIDUCFWC1.exe TID: 6740 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_00410370 GetKeyboardLayoutList followed by cmp: cmp eax, ebx and CTI: jbe 004104A2h 1_2_00410370
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_0040B030 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA, 1_2_0040B030
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_004011E0 FindFirstFileA,StrCmpCA,StrCmpCA,FindFirstFileA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 1_2_004011E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_0040D320 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 1_2_0040D320
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_004164A0 wsprintfA,FindFirstFileA,memset,memset,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,memset,lstrcat,strtok_s,strtok_s,memset,lstrcat,strtok_s,PathMatchSpecA,wsprintfA,DeleteFileA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,strtok_s,DeleteFileA,FindNextFileA,FindClose, 1_2_004164A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_00417550 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 1_2_00417550
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_0040A530 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose, 1_2_0040A530
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_00416CF0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose, 1_2_00416CF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_00417140 GetProcessHeap,HeapAlloc,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen, 1_2_00417140
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_0040A980 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 1_2_0040A980
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_004168E0 GetLogicalDriveStringsA,memset,GetDriveTypeA,lstrcpy,lstrcpy,lstrcpy,lstrlen, 1_2_004168E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_00410540 GetSystemInfo,wsprintfA, 1_2_00410540
Source: C:\Users\user\Desktop\YyIDUCFWC1.exe Thread delayed: delay time: 30000
Source: C:\Users\user\Desktop\YyIDUCFWC1.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\
Source: MSBuild.exe, 00000001.00000002.2097165559.0000000000F68000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWp
Source: MSBuild.exe, 00000001.00000002.2097165559.0000000000FC5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: MSBuild.exe, 00000001.00000002.2097165559.0000000000F68000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMwareVMware
Source: MSBuild.exe, 00000001.00000002.2097165559.0000000000F68000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMwareVMware)g
Source: C:\Users\user\Desktop\YyIDUCFWC1.exe API call chain: ExitProcess graph end node
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe API call chain: ExitProcess graph end node
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\YyIDUCFWC1.exe Code function: 0_2_6CF3948B IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_6CF3948B
Source: C:\Users\user\Desktop\YyIDUCFWC1.exe Code function: 0_2_6CEEB6C0 GetModuleHandleW,GetModuleHandleW,LoadLibraryW,GetProcAddress,__cftoe,GetModuleHandleW,GetProcAddress, 0_2_6CEEB6C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_00411020 CoInitializeEx,CoInitializeSecurity,CoCreateInstance,CoSetProxyBlanket,VariantInit,FileTimeToSystemTime,GetProcessHeap,HeapAlloc,wsprintfA,VariantClear, 1_2_00411020
Source: C:\Users\user\Desktop\YyIDUCFWC1.exe Code function: 0_2_6CF3B144 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_6CF3B144
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_0041A68F memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 1_2_0041A68F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_0041F768 SetUnhandledExceptionFilter, 1_2_0041F768
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_0041BBB7 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 1_2_0041BBB7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_6CBDAC62 IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 1_2_6CBDAC62
Source: C:\Users\user\Desktop\YyIDUCFWC1.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\YyIDUCFWC1.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 protect: page execute and read and write
Source: C:\Users\user\Desktop\YyIDUCFWC1.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 value starts with: 4D5A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_00411BD0 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle, 1_2_00411BD0
Source: C:\Users\user\Desktop\YyIDUCFWC1.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000
Source: C:\Users\user\Desktop\YyIDUCFWC1.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 401000
Source: C:\Users\user\Desktop\YyIDUCFWC1.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 423000
Source: C:\Users\user\Desktop\YyIDUCFWC1.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 42E000
Source: C:\Users\user\Desktop\YyIDUCFWC1.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 641000
Source: C:\Users\user\Desktop\YyIDUCFWC1.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 642000
Source: C:\Users\user\Desktop\YyIDUCFWC1.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: ACB008
Source: C:\Users\user\Desktop\YyIDUCFWC1.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_6CC24760 malloc,InitializeSecurityDescriptor,SetSecurityDescriptorOwner,SetSecurityDescriptorGroup,GetLengthSid,GetLengthSid,GetLengthSid,malloc,InitializeAcl,AddAccessAllowedAce,AddAccessAllowedAce,AddAccessAllowedAce,SetSecurityDescriptorDacl,PR_SetError,GetLastError,free,GetLastError,GetLastError,free,free,free, 1_2_6CC24760
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_6CB01C30 GetCurrentProcess,OpenProcessToken,GetTokenInformation,GetLengthSid,malloc,CopySid,CopySid,GetTokenInformation,GetLengthSid,malloc,CopySid,CloseHandle,AllocateAndInitializeSid,GetLastError,PR_LogPrint, 1_2_6CB01C30
Source: C:\Users\user\Desktop\YyIDUCFWC1.exe Code function: 0_2_6CF384B0 cpuid 0_2_6CF384B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree, 1_2_00410370
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: GetLocaleInfoA,LocalFree, 1_2_004103E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\Desktop\YyIDUCFWC1.exe Queries volume information: C:\Users\user\Desktop\YyIDUCFWC1.exe VolumeInformation
Source: C:\Users\user\Desktop\YyIDUCFWC1.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\YyIDUCFWC1.exe Code function: 0_2_6CF3A25A GetSystemTimeAsFileTime,__aulldiv, 0_2_6CF3A25A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_00410220 GetProcessHeap,HeapAlloc,GetUserNameA, 1_2_00410220
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_00410300 GetProcessHeap,HeapAlloc,GetTimeZoneInformation,wsprintfA, 1_2_00410300
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_6CB28390 NSS_GetVersion, 1_2_6CB28390
Source: C:\Users\user\Desktop\YyIDUCFWC1.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * From AntiVirusProduct

Stealing of Sensitive Information

Source: Yara match File source: YyIDUCFWC1.exe, type: SAMPLE
Source: Yara match File source: 0.0.YyIDUCFWC1.exe.680000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000000.1691360547.0000000000682000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: sslproxydump.pcap, type: PCAP
Source: Yara match File source: 1.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.YyIDUCFWC1.exe.3e0c1e0.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.YyIDUCFWC1.exe.3e3f810.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.YyIDUCFWC1.exe.3e3f810.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.YyIDUCFWC1.exe.3e0c1e0.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.MSBuild.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.1701548677.0000000003DA5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1701132649.0000000002E75000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.2095584347.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1701548677.0000000003E3F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1709833273.0000000005CC0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.2097165559.0000000000FD3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: YyIDUCFWC1.exe PID: 5480, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: MSBuild.exe PID: 6360, type: MEMORYSTR
Source: Yara match File source: YyIDUCFWC1.exe, type: SAMPLE
Source: Yara match File source: 0.0.YyIDUCFWC1.exe.680000.0.unpack, type: UNPACKEDPE
Source: MSBuild.exe, 00000001.00000002.2097165559.0000000000F60000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Bitcoin Core|1|\Bitcoin\wallets\|wallet.dat|1|Bitcoin Core Old|1|\Bitcoin\|*wallet*.dat|0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus|1|\Exodus\exodus.wallet\|info.seco|0|Exodus|1|\Exodus\backups\|*.*|1|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|0|\Coinomi\Coinomi\wallets\|*.wallet|0|Coinomi|0|\Coinomi\Coinomi\wallets\|*.config|0|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Chia Wallet|2|\.chia\mainnet\config\|*.*|0|Chia Wallet|2|\.chia\mainnet\run\|*.*|0|Chia Wallet|2|\.chia\mainnet\wallet\|*.sqlite|0|Komodo Wallet (Atomic)\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet (Atomic)\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: MSBuild.exe, 00000001.00000002.2097165559.0000000000F60000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Bitcoin Core|1|\Bitcoin\wallets\|wallet.dat|1|Bitcoin Core Old|1|\Bitcoin\|*wallet*.dat|0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus|1|\Exodus\exodus.wallet\|info.seco|0|Exodus|1|\Exodus\backups\|*.*|1|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|0|\Coinomi\Coinomi\wallets\|*.wallet|0|Coinomi|0|\Coinomi\Coinomi\wallets\|*.config|0|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Chia Wallet|2|\.chia\mainnet\config\|*.*|0|Chia Wallet|2|\.chia\mainnet\run\|*.*|0|Chia Wallet|2|\.chia\mainnet\wallet\|*.sqlite|0|Komodo Wallet (Atomic)\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet (Atomic)\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: MSBuild.exe, 00000001.00000002.2097165559.0000000000FA8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: MetaMask|1|nkbihfbeogaeaoehlefnkodbefgpgknn|1|0|0|MetaMask|1|djclckkglechooblngghdinmeemkbgci|1|0|0|MetaMask|1|ejbalbakoplchlghecdalmeeeajnimhm|1|0|0|TronLink|1|ibnejdfjmmkpcnlpebklmnkoeoihofec|1|0|0|BinanceChainWallet|1|fhbohimaelbohpjbbldcngcnapndodjp|1|1|0|Yoroi|1|ffnbelfdoeiohenkjibnmadjiehjhajb|1|0|0|Coinbase|1|hnfanknocfeofbddgcijnmhnfnkdnaad|1|0|1|Guarda|1|hpglfhgfnhbgpjdenjgmdgoeiappafln|1|0|1|iWallet|1|kncchdigobghenbbaddojjnnaogfppfj|1|0|0|RoninWallet|1|fnjhmkhhmkbjkkabndcnnogagogbneec|1|0|0|NeoLine|1|cphhlgmgameodnhkjdmkpanlelnlohao|1|0|0|CloverWallet|1|nhnkbkgjikgcigadomkphalanndcapjk|1|0|0|LiqualityWallet|1|kpfopkelmapcoipemfendmdcghnegimn|1|0|0|Terra_Station|1|aiifbnbfobpmeekipheeijimdpnlpgpp|1|0|0|Keplr|1|dmkamcknogkgcdfhhbddcghachkejeap|1|0|0|AuroWallet|1|cnmamaachppnkjgnildpdmkaakejnhae|1|0|0|PolymeshWallet|1|jojhfeoedkpkglbfimdfabpdfjaoolaf|1|0|0|ICONex|1|flpiciilemghbmfalicajoolhkkenfel|1|0|0|Coin98|1|aeachknmefphepccionboohckonoeemg|1|0|0|EVER Wallet|1|cgeeodpfagjceefieflmdfphplkenlfk|1|0|0|KardiaChain|1|pdadjkfkgcafgbceimcpbkalnfnepbnk|1|0|0|Rabby|1|acmacodkjbdgmoleebolmdjonilkdbch|1|0|0|Phantom|1|bfnaelmomeimhlpmgjnjophhpkkoljpa|1|0|0|Oxygen (Atomic)|1|fhilaheimglignddkjgofkcbgekhenbh|1|0|0|PaliWallet|1|mgffkfbidihjpoaomajlbgchddlicgpn|1|0|0|NamiWallet|1|lpfcbjknijpeeillifnkikgncikgfhdo|1|0|0|Solflare|1|bhhhlbepdkbapadjdnnojkbgioiodbic|1|0|0|CyanoWallet|1|dkdedlpgdmmkkfjabffeganieamfklkm|1|0|0|KHC|1|hcflpincpppdclinealmandijcmnkbgn|1|0|0|TezBox|1|mnfifefkajgofkcjkemidiaecocnkjeh|1|0|0|Goby|1|jnkelfanjkeadonecabehalmbgpfodjm|1|0|0|RoninWalletEdge|1|kjmoohlgokccodicjjfebfomlbljgfhk|1|0|0|UniSat Wallet|1|ppbibelpcjmhbdihakflkdcoccbgbkpo|1|0|0|Authenticator|0|bhghoamapcdpbohphigoooaddinpkbai|1|1|0|GAuth Authenticator|0|ilgcnhelpchnceeipipijaljkblbcobl|1|1|1|Tronium|1|pnndplcbkakcplkjnolgbkdgjikjednm|1|0|0|Trust Wallet|1|egjidjbpglichdcondbcbdnbeeppgdph|1|0|0|Exodus Web3 Wallet|1|aholpfdialjgjfhomihkjbmgjidlcdno|1|0|0|Braavos|1|jnlgamecbpmbajjfhmmmlhejkemejdma|1|0|0|Enkrypt|1|kkpllkodjeloidieedojogacfhpaihoh|1|0|0|OKX Web3 Wallet|1|mcohilncbfahbmgdjkbpemcciiolgcge|1|0|0|Sender|1|epapihdplajcdnnkdeiahlgigofloibg|1|0|0|Hashpack|1|gjagmgiddbbciopjhllkdnddhcglnemk|1|0|0|GeroWallet|1|bgpipimickeadkjlklgciifhnalhdjhe|1|0|0|Pontem Wallet|1|phkbamefinggmakgklpkljjmgibohnba|1|0|0|Finnie|1|cjmkndjhnagcfbpiemnkdpomccnjblmj|1|0|0|Leap Terra|1|aijcbedoijmgnlmjeegjaglmepbmpkpi|1|0|0|Microsoft AutoFill|0|fiedbfgcleddlbcmgdigjgdfcggjcion|1|0|0|Bitwarden|0|nngceckbapebfimnlniiiahkandclblb|1|0|0|KeePass Tusk|0|fmhmiaejopepamlcjkncpgpdjichnecm|1|0|0|KeePassXC-Browser|0|oboonakemofpalcgghocfoadofidjkkk|1|0|0|Rise - Aptos Wallet|1|hbbgbephgojikajhfbomhlmmollphcad|1|0|0|Rainbow Wallet|1|opfgelmcmbiajamepnmloijbpoleiama|1|0|0|Nightly|1|fiikommddbeccaoicoejoniammnalkfa|1|0|0|Ecto Wallet|1|bgjogpoidejdemgoochpnkmdjpocgkha|1|0|0|Coinhub|1|jgaaimajipbpdogpdglhaphldakikgef|1|0|0|Leap Cosmos Wallet|1|fcfcfllfndlomdhbehjjcoimbgofdncg|1|0|0|MultiversX DeFi Wal
Source: YyIDUCFWC1.exe, 00000000.00000000.1691360547.0000000000682000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: set_UseMachineKeyStore
Source: MSBuild.exe, 00000001.00000002.2097165559.0000000001044000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Ledger Live\Local Storage\leveldb\*.*"~
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\monero-project\monero-core
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Configuration
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite-wal
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite-shm
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite-shm
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite-wal
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\Exodus\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\Exodus\backups\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\ElectronCash\wallets\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\MultiDoge\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\Binance\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live\Local Storage\leveldb\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live\Session Storage\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\atomic_qt\config\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\atomic_qt\exports\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Users\user\AppData\Roaming\Guarda\Local Storage\leveldb\
Source: Yara match File source: 00000001.00000002.2095584347.0000000000558000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: MSBuild.exe PID: 6360, type: MEMORYSTR

Remote Access Functionality

Source: Yara match File source: YyIDUCFWC1.exe, type: SAMPLE
Source: Yara match File source: 0.0.YyIDUCFWC1.exe.680000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000000.1691360547.0000000000682000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: sslproxydump.pcap, type: PCAP
Source: Yara match File source: 1.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.YyIDUCFWC1.exe.3e0c1e0.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.YyIDUCFWC1.exe.3e3f810.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.YyIDUCFWC1.exe.3e3f810.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.YyIDUCFWC1.exe.3e0c1e0.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.MSBuild.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.1701548677.0000000003DA5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1701132649.0000000002E75000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.2095584347.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1701548677.0000000003E3F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1709833273.0000000005CC0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.2097165559.0000000000FD3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: YyIDUCFWC1.exe PID: 5480, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: MSBuild.exe PID: 6360, type: MEMORYSTR
Source: Yara match File source: YyIDUCFWC1.exe, type: SAMPLE
Source: Yara match File source: 0.0.YyIDUCFWC1.exe.680000.0.unpack, type: UNPACKEDPE
Source: C:\Users\user\Desktop\YyIDUCFWC1.exe Code function: 0_2_6CEEA0C0 CorBindToRuntimeEx,GetModuleHandleW,GetModuleHandleW,__cftoe,GetModuleHandleW,GetProcAddress, 0_2_6CEEA0C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_6CBE0C40 sqlite3_bind_zeroblob, 1_2_6CBE0C40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_6CBE0D60 sqlite3_bind_parameter_name, 1_2_6CBE0D60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_6CB08EA0 sqlite3_clear_bindings, 1_2_6CB08EA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_6CBE0B40 sqlite3_bind_value,sqlite3_bind_int64,sqlite3_bind_double,sqlite3_bind_zeroblob, 1_2_6CBE0B40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_6CB06410 bind,WSAGetLastError, 1_2_6CB06410
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_6CB060B0 listen,WSAGetLastError, 1_2_6CB060B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_6CB0C030 sqlite3_bind_parameter_count, 1_2_6CB0C030
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_6CB06070 PR_Listen, 1_2_6CB06070
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_6CB0C050 sqlite3_bind_parameter_index,strlen,strncmp,strncmp, 1_2_6CB0C050
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_6CA922D0 sqlite3_bind_blob, 1_2_6CA922D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 1_2_6CB063C0 PR_Bind, 1_2_6CB063C0