Windows Analysis Report
Rd_client_w_a_s_d_patched.exe

Overview

General Information

Sample name: Rd_client_w_a_s_d_patched.exe
Analysis ID: 1663630
MD5: f5da593bdc36baaa12c0ef40151bbb63
SHA1: be3c4f36a218f260463da1c9b8ee7b98fc434556
SHA256: c9c02ecd68c213b37cda55c8506f71f4be4eea441a639f925634a76202f00467
Tags: de-pumped, exe, LummaStealer, user-aachum
Detection

LummaC Stealer
Score: 84
Range: 0 - 100
Confidence: 100%

Signatures

Multi AV Scanner detection for dropped file
Yara detected LummaC Stealer
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
AV process strings found (often used to terminate AV products)
Abnormal high CPU Usage
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Drops certificate files (DER)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Searches for user specific document files
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Direct Autorun Keys Modification
Sigma detected: Potential Persistence Attempt Via Run Keys Using Reg.EXE
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses reg.exe to modify the Windows registry

Classification

  • System is w10x64
  • Rd_client_w_a_s_d_patched.exe (PID: 8348 cmdline: "C:\Users\user\Desktop\Rd_client_w_a_s_d_patched.exe" MD5: F5DA593BDC36BAAA12C0EF40151BBB63)
    • K069N633L4KOJ1FJIGV7OZ.exe (PID: 8772 cmdline: "C:\Users\user\AppData\Local\Temp\K069N633L4KOJ1FJIGV7OZ.exe" MD5: 58DBF2DF74DD9B5F7538C649B494F9C4)
      • cmd.exe (PID: 8904 cmdline: cmd /c "reg add HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce /v afcdpsrv /t REG_SZ /d C:\ProgramData\afcdpsrv.exe /f" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • conhost.exe (PID: 8912 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • reg.exe (PID: 8952 cmdline: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce /v afcdpsrv /t REG_SZ /d C:\ProgramData\afcdpsrv.exe /f MD5: CDD462E86EC0F20DE2A1D781928B1B0C)
  • afcdpsrv.exe (PID: 9132 cmdline: "C:\ProgramData\afcdpsrv.exe" MD5: 58DBF2DF74DD9B5F7538C649B494F9C4)
  • afcdpsrv.exe (PID: 9208 cmdline: "C:\ProgramData\afcdpsrv.exe" MD5: 58DBF2DF74DD9B5F7538C649B494F9C4)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
sslproxydump.pcap | JoeSecurity_LummaCStealer_3 | Yara detected LummaC Stealer | Joe Security |
00000000.00000003.1607016935.000000000400A000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_LummaCStealer | Yara detected LummaC Stealer | Joe Security |
00000000.00000003.1606833529.0000000004004000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_LummaCStealer | Yara detected LummaC Stealer | Joe Security |
00000000.00000003.1563255145.0000000004015000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_LummaCStealer | Yara detected LummaC Stealer | Joe Security |
Process Memory Space: Rd_client_w_a_s_d_patched.exe PID: 8348 | JoeSecurity_LummaCStealer_3 | Yara detected LummaC Stealer | Joe Security |
Process Memory Space: Rd_client_w_a_s_d_patched.exe PID: 8348 | JoeSecurity_LummaCStealer | Yara detected LummaC Stealer | Joe Security |
Source: Registry Key set; Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split); Data: Details: C:\ProgramData\afcdpsrv.exe, EventID: 13, EventType: SetValue, Image: C:\Windows\SysWOW64\reg.exe, ProcessId: 8952, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\afcdpsrv
Source: Process started; Author: Victor Sergeev, Daniil Yugoslavskiy, oscd.community; Data: Command: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce /v afcdpsrv /t REG_SZ /d C:\ProgramData\afcdpsrv.exe /f, CommandLine: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce /v afcdpsrv /t REG_SZ /d C:\ProgramData\afcdpsrv.exe /f, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\reg.exe, NewProcessName: C:\Windows\SysWOW64\reg.exe, OriginalFileName: C:\Windows\SysWOW64\reg.exe, ParentCommandLine: cmd /c "reg add HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce /v afcdpsrv /t REG_SZ /d C:\ProgramData\afcdpsrv.exe /f", ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 8904, ParentProcessName: cmd.exe, ProcessCommandLine: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce /v afcdpsrv /t REG_SZ /d C:\ProgramData\afcdpsrv.exe /f, ProcessId: 8952, ProcessName: reg.exe
Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: cmd /c "reg add HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce /v afcdpsrv /t REG_SZ /d C:\ProgramData\afcdpsrv.exe /f", CommandLine: cmd /c "reg add HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce /v afcdpsrv /t REG_SZ /d C:\ProgramData\afcdpsrv.exe /f", CommandLine|base64offset|contains: rg, Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\K069N633L4KOJ1FJIGV7OZ.exe", ParentImage: C:\Users\user\AppData\Local\Temp\K069N633L4KOJ1FJIGV7OZ.exe, ParentProcessId: 8772, ParentProcessName: K069N633L4KOJ1FJIGV7OZ.exe, ProcessCommandLine: cmd /c "reg add HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce /v afcdpsrv /t REG_SZ /d C:\ProgramData\afcdpsrv.exe /f", ProcessId: 8904, ProcessName: cmd.exe
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-04-12T02:17:54.155929+0200 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49692 | 104.21.40.117 | 443 | TCP
2025-04-12T02:17:55.787632+0200 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49693 | 104.21.40.117 | 443 | TCP
2025-04-12T02:17:57.678562+0200 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49695 | 104.21.40.117 | 443 | TCP
2025-04-12T02:17:58.810698+0200 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49697 | 104.21.40.117 | 443 | TCP
2025-04-12T02:18:02.217597+0200 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49698 | 104.21.40.117 | 443 | TCP
2025-04-12T02:18:03.619271+0200 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49699 | 104.21.40.117 | 443 | TCP
2025-04-12T02:18:06.048330+0200 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49700 | 104.21.40.117 | 443 | TCP
2025-04-12T02:18:07.066738+0200 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49701 | 104.21.53.21 | 443 | TCP

              AV Detection

              Source: C:\ProgramData\afcdpsrv.exeReversingLabs: Detection: 45%
              Source: C:\Users\user\AppData\Local\Temp\K069N633L4KOJ1FJIGV7OZ.exeReversingLabs: Detection: 45%
              Source: Rd_client_w_a_s_d_patched.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
              Source: unknownHTTPS traffic detected: 104.21.40.117:443 -> 192.168.2.5:49692 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 104.21.40.117:443 -> 192.168.2.5:49693 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 104.21.40.117:443 -> 192.168.2.5:49695 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 104.21.40.117:443 -> 192.168.2.5:49697 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 104.21.40.117:443 -> 192.168.2.5:49698 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 104.21.40.117:443 -> 192.168.2.5:49699 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 104.21.40.117:443 -> 192.168.2.5:49700 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 104.21.53.21:443 -> 192.168.2.5:49701 version: TLS 1.2
              Source: Rd_client_w_a_s_d_patched.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
              Source: Binary string: @R:\rohos\Disk-Win\DiskAgent\Agent___Win32_Release_EN\Agent.pdb4 source: Rd_client_w_a_s_d_patched.exe
              Source: Binary string: R:\rohos\Disk-Win\DiskAgent\Agent___Win32_Release_EN\Agent.pdb source: Rd_client_w_a_s_d_patched.exe
              Source: Binary string: e.pDB.fu(nc13 source: K069N633L4KOJ1FJIGV7OZ.exe, 00000004.00000002.3209061327.0000000003166000.00000004.00000020.00020000.00000000.sdmp, afcdpsrv.exe, 00000008.00000003.2268729071.0000000003093000.00000004.00000020.00020000.00000000.sdmp, afcdpsrv.exe, 00000009.00000003.2365292449.00000000030AA000.00000004.00000020.00020000.00000000.sdmp
              Source: C:\Users\user\AppData\Local\Temp\K069N633L4KOJ1FJIGV7OZ.exeCode function: 4_2_00403648 FindFirstFileW,4_2_00403648
              Source: C:\Users\user\AppData\Local\Temp\K069N633L4KOJ1FJIGV7OZ.exeCode function: 4_2_00408C37 DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,4_2_00408C37
              Source: C:\Users\user\AppData\Local\Temp\K069N633L4KOJ1FJIGV7OZ.exeCode function: 4_2_00408B4B FindFirstFileW,FindClose,4_2_00408B4B
              Source: C:\ProgramData\afcdpsrv.exeCode function: 9_2_00403648 FindFirstFileW,9_2_00403648
              Source: C:\ProgramData\afcdpsrv.exeCode function: 9_2_00408C37 DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,9_2_00408C37
              Source: C:\ProgramData\afcdpsrv.exeCode function: 9_2_00408B4B FindFirstFileW,FindClose,9_2_00408B4B
              Source: C:\Users\user\AppData\Local\Temp\K069N633L4KOJ1FJIGV7OZ.exeCode function: 4x nop then mov dword ptr [esp+0Ch], eax4_2_03A22EB0
              Source: C:\ProgramData\afcdpsrv.exeCode function: 4x nop then mov dword ptr [esp+0Ch], eax8_3_03952EB0
              Source: C:\ProgramData\afcdpsrv.exeCode function: 4x nop then mov dword ptr [esp+0Ch], eax9_3_03962EB0
              Source: global trafficTCP traffic: 192.168.2.5:49703 -> 3.33.196.84:8545
              Source: global trafficTCP traffic: 192.168.2.5:49706 -> 62.60.234.80:1466
              Source: global trafficHTTP traffic detected: GET /PA.bin HTTP/1.1Connection: Keep-AliveHost: h1.passionwhenever.shop
              Source: Joe Sandbox ViewIP Address: 62.60.234.80 62.60.234.80
              Source: Joe Sandbox ViewIP Address: 3.33.196.84 3.33.196.84
              Source: Joe Sandbox ViewJA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
              Source: Network trafficSuricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49695 -> 104.21.40.117:443
              Source: Network trafficSuricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49700 -> 104.21.40.117:443
              Source: Network trafficSuricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49693 -> 104.21.40.117:443
              Source: Network trafficSuricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49697 -> 104.21.40.117:443
              Source: Network trafficSuricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49698 -> 104.21.40.117:443
              Source: Network trafficSuricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49699 -> 104.21.40.117:443
              Source: Network trafficSuricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49701 -> 104.21.53.21:443
              Source: Network trafficSuricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49692 -> 104.21.40.117:443
              Source: global trafficHTTP traffic detected: POST /thnb HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36Content-Length: 51Host: proenhann.digital
              Source: global trafficHTTP traffic detected: POST /thnb HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=KdSUOEW9x1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36Content-Length: 14883Host: proenhann.digital
              Source: global trafficHTTP traffic detected: POST /thnb HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=dWUbKIvtUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36Content-Length: 15022Host: proenhann.digital
              Source: global trafficHTTP traffic detected: POST /thnb HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=3ACM040U2C2d8User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36Content-Length: 20536Host: proenhann.digital
              Source: global trafficHTTP traffic detected: POST /thnb HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=O2Opt1b880ntIxQx24User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36Content-Length: 2671Host: proenhann.digital
              Source: global trafficHTTP traffic detected: POST /thnb HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=KzbfI7j84hbUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36Content-Length: 576974Host: proenhann.digital
              Source: global trafficHTTP traffic detected: POST /thnb HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36Content-Length: 89Host: proenhann.digital
              Source: unknownTCP traffic detected without corresponding DNS query: 62.60.234.80
              Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
              Source: global trafficHTTP traffic detected: GET /PA.bin HTTP/1.1Connection: Keep-AliveHost: h1.passionwhenever.shop
              Source: global trafficHTTP traffic detected: GET /x.cer HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Microsoft-CryptoAPI/10.0Host: x.ss2.us
              Source: global trafficDNS traffic detected: DNS query: c.pki.goog
              Source: global trafficDNS traffic detected: DNS query: proenhann.digital
              Source: global trafficDNS traffic detected: DNS query: h1.passionwhenever.shop
              Source: global trafficDNS traffic detected: DNS query: data-seed-prebsc-1-s1.binance.org
              Source: global trafficDNS traffic detected: DNS query: x.ss2.us
              Source: unknownHTTP traffic detected: POST /thnb HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36Content-Length: 51Host: proenhann.digital
              Source: K069N633L4KOJ1FJIGV7OZ.exe, 00000004.00000002.3212758977.0000000004910000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer
              Source: Rd_client_w_a_s_d_patched.exe, 00000000.00000003.1511100131.000000000411D000.00000004.00000800.00020000.00000000.sdmp, K069N633L4KOJ1FJIGV7OZ.exe, 00000004.00000002.3208409382.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, K069N633L4KOJ1FJIGV7OZ.exe, 00000004.00000002.3211041884.0000000004858000.00000004.00001000.00020000.00000000.sdmp, K069N633L4KOJ1FJIGV7OZ.exe, 00000004.00000002.3213042209.000000000499E000.00000004.00001000.00020000.00000000.sdmp, K069N633L4KOJ1FJIGV7OZ.exe, 00000004.00000002.3213042209.00000000049A4000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
              Source: K069N633L4KOJ1FJIGV7OZ.exe, 00000004.00000002.3212758977.0000000004910000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cerhttp://crl.rootca1.amazontrust.com/rootca1.crl
              Source: K069N633L4KOJ1FJIGV7OZ.exe, 00000004.00000002.3212758977.0000000004910000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://crt.rootg2.amazontrust.com/rootg2.cer
              Source: K069N633L4KOJ1FJIGV7OZ.exe, 00000004.00000002.3208409382.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, K069N633L4KOJ1FJIGV7OZ.exe, 00000004.00000002.3212758977.0000000004928000.00000004.00001000.00020000.00000000.sdmp, K069N633L4KOJ1FJIGV7OZ.exe, 00000004.00000002.3213042209.000000000499E000.00000004.00001000.00020000.00000000.sdmp, K069N633L4KOJ1FJIGV7OZ.exe, 00000004.00000002.3213042209.00000000049A4000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://crt.rootg2.amazontrust.com/rootg2.cer0=
              Source: K069N633L4KOJ1FJIGV7OZ.exe, 00000004.00000002.3212758977.0000000004910000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://crt.rootg2.amazontrust.com/rootg2.cerhttp://crl.rootg2.amazontrust.com/rootg2.crl
              Source: K069N633L4KOJ1FJIGV7OZ.exe, 00000004.00000003.2669230160.0000000000DB7000.00000004.00000020.00020000.00000000.sdmp, K069N633L4KOJ1FJIGV7OZ.exe, 00000004.00000002.3208480488.0000000000DB9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ctldl.windowsupdate.com/
              Source: K069N633L4KOJ1FJIGV7OZ.exe, 00000004.00000003.2669230160.0000000000DB7000.00000004.00000020.00020000.00000000.sdmp, K069N633L4KOJ1FJIGV7OZ.exe, 00000004.00000002.3208480488.0000000000DB9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ctldl.windowsupdate.com/I
              Source: K069N633L4KOJ1FJIGV7OZ.exe, 00000004.00000003.2668916730.0000000000E0C000.00000004.00000020.00020000.00000000.sdmp, K069N633L4KOJ1FJIGV7OZ.exe, 00000004.00000003.2070478248.0000000000E0C000.00000004.00000020.00020000.00000000.sdmp, K069N633L4KOJ1FJIGV7OZ.exe, 00000004.00000003.2064588587.0000000000E15000.00000004.00000020.00020000.00000000.sdmp, K069N633L4KOJ1FJIGV7OZ.exe, 00000004.00000003.2069099189.0000000000E10000.00000004.00000020.00020000.00000000.sdmp, K069N633L4KOJ1FJIGV7OZ.exe, 00000004.00000002.3208576278.0000000000E19000.00000004.00000020.00020000.00000000.sdmp, K069N633L4KOJ1FJIGV7OZ.exe, 00000004.00000003.2669145286.0000000000E18000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
              Source: K069N633L4KOJ1FJIGV7OZ.exe, 00000004.00000003.2668916730.0000000000E0C000.00000004.00000020.00020000.00000000.sdmp, K069N633L4KOJ1FJIGV7OZ.exe, 00000004.00000003.2070478248.0000000000E0C000.00000004.00000020.00020000.00000000.sdmp, K069N633L4KOJ1FJIGV7OZ.exe, 00000004.00000003.2069099189.0000000000E10000.00000004.00000020.00020000.00000000.sdmp, K069N633L4KOJ1FJIGV7OZ.exe, 00000004.00000002.3208555044.0000000000E0D000.00000004.00000020.00020000.00000000.sdmp, K069N633L4KOJ1FJIGV7OZ.exe, 00000004.00000003.2064588587.0000000000E0E000.00000004.00000020.00020000.00000000.sdmp, 77EC63BDA74BD0D0E0426DC8F8008506.4.drString found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
              Source: K069N633L4KOJ1FJIGV7OZ.exe, 00000004.00000003.2069980706.0000000025887000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://fedir.comsign.co.il/cacert/ComSignAdvancedSecurityCA.crt0
              Source: K069N633L4KOJ1FJIGV7OZ.exe, 00000004.00000003.2069980706.0000000025887000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://fedir.comsign.co.il/crl/ComSignAdvancedSecurityCA.crl0
              Source: K069N633L4KOJ1FJIGV7OZ.exe, 00000004.00000003.2070405451.0000000000E6F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://fedir.comsign.co.il/crl/ComSignCA.crl0
              Source: K069N633L4KOJ1FJIGV7OZ.exe, 00000004.00000003.2070650256.0000000000E6C000.00000004.00000020.00020000.00000000.sdmp, K069N633L4KOJ1FJIGV7OZ.exe, 00000004.00000003.2070478248.0000000000E24000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://fedir.comsign.co.il/crl/ComSignSecuredCA.crl0
              Source: K069N633L4KOJ1FJIGV7OZ.exe, 00000004.00000003.2070158138.0000000025863000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://fedir.comsign.co.il/crl/comsignglobalrootca.crl0;
              Source: K069N633L4KOJ1FJIGV7OZ.exe, 00000004.00000003.2070053411.0000000025878000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://http.fpki.gov/fcpca/caCertsIssuedByfcpca.p7c0
Source: Rd_client_w_a_s_d_patched.exe, 00000000.00000003.1606138626.000000000421E000.00000004.00000800.00020000.00000000.sdmp, Rd_client_w_a_s_d_patched.exe, 00000000.00000003.1609053148.00000000047D5000.00000004.00000800.00020000.00000000.sdmp, Rd_client_w_a_s_d_patched.exe, 00000000.00000003.1610085446.00000000048A9000.00000004.00000800.00020000.00000000.sdmp, Rd_client_w_a_s_d_patched.exe, 00000000.00000003.1609685503.0000000004727000.00000004.00000800.00020000.00000000.sdmp, Rd_client_w_a_s_d_patched.exe, 00000000.00000003.1606203783.000000000415E000.00000004.00000800.00020000.00000000.sdmp, Rd_client_w_a_s_d_patched.exe, 00000000.00000003.1607781777.00000000047BC000.00000004.00000800.00020000.00000000.sdmp, Rd_client_w_a_s_d_patched.exe, 00000000.00000003.1606049538.000000000415E000.00000004.00000800.00020000.00000000.sdmp, Rd_client_w_a_s_d_patched.exe, 00000000.00000003.1607719848.0000000004720000.00000004.00000800.00020000.00000000.sdmp, Rd_client_w_a_s_d_patched.exe, 00000000.00000003.1605986911.000000000420E000.00000004.00000800.00020000.00000000.sdmp, Rd_client_w_a_s_d_patched.exe, 00000000.00000003.1608403737.0000000004723000.00000004.00000800.00020000.00000000.sdmp, Rd_client_w_a_s_d_patched.exe, 00000000.00000003.1607652794.00000000047B5000.00000004.00000800.00020000.00000000.sdmp, Rd_client_w_a_s_d_patched.exe, 00000000.00000003.1607601783.0000000004729000.00000004.00000800.00020000.00000000.sdmp, Rd_client_w_a_s_d_patched.exe, 00000000.00000003.1610899408.00000000048CF000.00000004.00000800.00020000.00000000.sdmp, Rd_client_w_a_s_d_patched.exe, 00000000.00000003.1606472513.0000000004321000.00000004.00000800.00020000.00000000.sdmp, Rd_client_w_a_s_d_patched.exe, 00000000.00000003.1606788963.0000000004111000.00000004.00000800.00020000.00000000.sdmp, Rd_client_w_a_s_d_patched.exe, 00000000.00000003.1609451464.0000000004723000.00000004.00000800.00020000.00000000.sdmp, Rd_client_w_a_s_d_patched.exe, 00000000.00000003.1606361218.000000000415E000.00000004.00000800.00020000.00000000.sdmp, Rd_client_w_a_s_d_patched.exe, 00000000.00000003.1610368430.0000000004729000.00000004.00000800.00020000.00000000.sdmp, Rd_client_w_a_s_d_patched.exe, 00000000.00000003.1608942816.0000000004724000.00000004.00000800.00020000.00000000.sdmp, Rd_client_w_a_s_d_patched.exe, 00000000.00000003.1607987591.00000000047CE000.00000004.00000800.00020000.00000000.sdmp, Rd_client_w_a_s_d_patched.exe, 00000000.00000003.1606688262.000000000415E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
              Source: K069N633L4KOJ1FJIGV7OZ.exe, 00000004.00000002.3211041884.0000000004808000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://o.ss2.us/
              Source: K069N633L4KOJ1FJIGV7OZ.exe, 00000004.00000002.3208409382.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, K069N633L4KOJ1FJIGV7OZ.exe, 00000004.00000002.3211041884.0000000004858000.00000004.00001000.00020000.00000000.sdmp, K069N633L4KOJ1FJIGV7OZ.exe, 00000004.00000002.3213042209.000000000499E000.00000004.00001000.00020000.00000000.sdmp, K069N633L4KOJ1FJIGV7OZ.exe, 00000004.00000002.3213042209.00000000049A4000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://o.ss2.us/0
              Source: K069N633L4KOJ1FJIGV7OZ.exe, 00000004.00000003.2070119283.000000002586B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.accv.es0
              Source: Rd_client_w_a_s_d_patched.exe, 00000000.00000003.1511100131.000000000411D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0
              Source: K069N633L4KOJ1FJIGV7OZ.exe, 00000004.00000003.2070033136.0000000025884000.00000004.00000020.00020000.00000000.sdmp, K069N633L4KOJ1FJIGV7OZ.exe, 00000004.00000003.2070053411.0000000025885000.00000004.00000020.00020000.00000000.sdmp, K069N633L4KOJ1FJIGV7OZ.exe, 00000004.00000002.3217145517.0000000025885000.00000004.00000020.00020000.00000000.sdmp, K069N633L4KOJ1FJIGV7OZ.exe, 00000004.00000003.2070013453.000000002587C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.ncdc.gov.sa0
              Source: K069N633L4KOJ1FJIGV7OZ.exe, 00000004.00000003.2070119283.000000002586B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.pki.gva.es0
              Source: K069N633L4KOJ1FJIGV7OZ.exe, 00000004.00000002.3212758977.0000000004910000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://ocsp.r2m02.amazontrust.com
              Source: K069N633L4KOJ1FJIGV7OZ.exe, 00000004.00000002.3208409382.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, K069N633L4KOJ1FJIGV7OZ.exe, 00000004.00000002.3213042209.000000000673E000.00000004.00001000.00020000.00000000.sdmp, K069N633L4KOJ1FJIGV7OZ.exe, 00000004.00000002.3212758977.0000000004928000.00000004.00001000.00020000.00000000.sdmp, K069N633L4KOJ1FJIGV7OZ.exe, 00000004.00000002.3213042209.000000000499E000.00000004.00001000.00020000.00000000.sdmp, K069N633L4KOJ1FJIGV7OZ.exe, 00000004.00000002.3213042209.00000000049A4000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://ocsp.r2m02.amazontrust.com06
              Source: K069N633L4KOJ1FJIGV7OZ.exe, 00000004.00000002.3212758977.0000000004910000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://ocsp.rootca1.amazontrust.com
              Source: Rd_client_w_a_s_d_patched.exe, 00000000.00000003.1511100131.000000000411D000.00000004.00000800.00020000.00000000.sdmp, K069N633L4KOJ1FJIGV7OZ.exe, 00000004.00000002.3208409382.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, K069N633L4KOJ1FJIGV7OZ.exe, 00000004.00000002.3211041884.0000000004858000.00000004.00001000.00020000.00000000.sdmp, K069N633L4KOJ1FJIGV7OZ.exe, 00000004.00000002.3213042209.000000000499E000.00000004.00001000.00020000.00000000.sdmp, K069N633L4KOJ1FJIGV7OZ.exe, 00000004.00000002.3213042209.00000000049A4000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
              Source: K069N633L4KOJ1FJIGV7OZ.exe, 00000004.00000002.3212758977.0000000004910000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://ocsp.rootg2.amazontrust.com
              Source: K069N633L4KOJ1FJIGV7OZ.exe, 00000004.00000002.3208409382.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, K069N633L4KOJ1FJIGV7OZ.exe, 00000004.00000002.3212758977.0000000004928000.00000004.00001000.00020000.00000000.sdmp, K069N633L4KOJ1FJIGV7OZ.exe, 00000004.00000002.3213042209.000000000499E000.00000004.00001000.00020000.00000000.sdmp, K069N633L4KOJ1FJIGV7OZ.exe, 00000004.00000002.3213042209.00000000049A4000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://ocsp.rootg2.amazontrust.com08
              Source: K069N633L4KOJ1FJIGV7OZ.exe, 00000004.00000003.2668916730.0000000000E24000.00000004.00000020.00020000.00000000.sdmp, K069N633L4KOJ1FJIGV7OZ.exe, 00000004.00000003.2064588587.0000000000E24000.00000004.00000020.00020000.00000000.sdmp, K069N633L4KOJ1FJIGV7OZ.exe, 00000004.00000003.2070478248.0000000000E24000.00000004.00000020.00020000.00000000.sdmp, K069N633L4KOJ1FJIGV7OZ.exe, 00000004.00000003.2064696146.0000000000DF9000.00000004.00000020.00020000.00000000.sdmp, K069N633L4KOJ1FJIGV7OZ.exe, 00000004.00000003.2069099189.0000000000E24000.00000004.00000020.00020000.00000000.sdmp, K069N633L4KOJ1FJIGV7OZ.exe, 00000004.00000002.3208576278.0000000000E24000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.starfieldtech.com0J
              Source: K069N633L4KOJ1FJIGV7OZ.exe, 00000004.00000003.2070450539.0000000000E7B000.00000004.00000020.00020000.00000000.sdmp, K069N633L4KOJ1FJIGV7OZ.exe, 00000004.00000003.2069913577.00000000258B6000.00000004.00000020.00020000.00000000.sdmp, K069N633L4KOJ1FJIGV7OZ.exe, 00000004.00000003.2069770605.000000002589F000.00000004.00000020.00020000.00000000.sdmp, K069N633L4KOJ1FJIGV7OZ.exe, 00000004.00000003.2070405451.0000000000E6F000.00000004.00000020.00020000.00000000.sdmp, K069N633L4KOJ1FJIGV7OZ.exe, 00000004.00000002.3217238570.00000000258B6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.suscerte.gob.ve0
              Source: K069N633L4KOJ1FJIGV7OZ.exe, 00000004.00000003.2070405451.0000000000E6F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://pki.digidentity.eu/validatie0
              Source: K069N633L4KOJ1FJIGV7OZ.exe, 00000004.00000003.2069686004.00000000258C6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://pki.registradores.org/normativa/index.htm0
              Source: K069N633L4KOJ1FJIGV7OZ.exe, 00000004.00000003.2069980706.0000000025887000.00000004.00000020.00020000.00000000.sdmp, K069N633L4KOJ1FJIGV7OZ.exe, 00000004.00000003.2069770605.000000002589F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://policy.camerfirma.com0
              Source: K069N633L4KOJ1FJIGV7OZ.exe, 00000004.00000003.2070119283.000000002586B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://postsignum.ttc.cz/crl/psrootqca2.crl0
              Source: K069N633L4KOJ1FJIGV7OZ.exe, 00000004.00000003.2070250638.000000002584D000.00000004.00000020.00020000.00000000.sdmp, K069N633L4KOJ1FJIGV7OZ.exe, 00000004.00000003.2070119283.000000002586B000.00000004.00000020.00020000.00000000.sdmp, K069N633L4KOJ1FJIGV7OZ.exe, 00000004.00000003.2069770605.000000002589F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://repository.swisssign.com/0
              Source: Rd_client_w_a_s_d_patched.exeString found in binary or memory: http://rohos.com
              Source: Rd_client_w_a_s_d_patched.exeString found in binary or memory: http://rohos.com/order
              Source: Rd_client_w_a_s_d_patched.exeString found in binary or memory: http://rohos.com/products/rohos-disk-encryption/
              Source: Rd_client_w_a_s_d_patched.exeString found in binary or memory: http://rohos.com/products/rohos-logon-key/
              Source: Rd_client_w_a_s_d_patched.exeString found in binary or memory: http://rohos.comopenAboutelcome.exe
              Source: K069N633L4KOJ1FJIGV7OZ.exe, 00000004.00000002.3211041884.0000000004814000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://s.ss2.us/r.crl
              Source: K069N633L4KOJ1FJIGV7OZ.exe, 00000004.00000002.3208409382.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, K069N633L4KOJ1FJIGV7OZ.exe, 00000004.00000002.3211041884.0000000004858000.00000004.00001000.00020000.00000000.sdmp, K069N633L4KOJ1FJIGV7OZ.exe, 00000004.00000002.3213042209.000000000499E000.00000004.00001000.00020000.00000000.sdmp, K069N633L4KOJ1FJIGV7OZ.exe, 00000004.00000002.3213042209.00000000049A4000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://s.ss2.us/r.crl0
              Source: K069N633L4KOJ1FJIGV7OZ.exe, 00000004.00000003.2070250638.000000002584D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://sertifikati.ca.posta.rs/crl/PostaCARoot.crl0
              Source: K069N633L4KOJ1FJIGV7OZ.exe, 00000004.00000003.2070119283.000000002586B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://trustcenter-crl.certificat2.com/Keynectis/KEYNECTIS_ROOT_CA.crl0
              Source: K069N633L4KOJ1FJIGV7OZ.exe, 00000004.00000003.2070033136.0000000025884000.00000004.00000020.00020000.00000000.sdmp, K069N633L4KOJ1FJIGV7OZ.exe, 00000004.00000003.2070053411.0000000025885000.00000004.00000020.00020000.00000000.sdmp, K069N633L4KOJ1FJIGV7OZ.exe, 00000004.00000002.3217145517.0000000025885000.00000004.00000020.00020000.00000000.sdmp, K069N633L4KOJ1FJIGV7OZ.exe, 00000004.00000003.2070013453.000000002587C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://web.ncdc.gov.sa/crl/nrcacomb1.crl0
              Source: K069N633L4KOJ1FJIGV7OZ.exe, 00000004.00000003.2070033136.0000000025884000.00000004.00000020.00020000.00000000.sdmp, K069N633L4KOJ1FJIGV7OZ.exe, 00000004.00000003.2070053411.0000000025885000.00000004.00000020.00020000.00000000.sdmp, K069N633L4KOJ1FJIGV7OZ.exe, 00000004.00000002.3217145517.0000000025885000.00000004.00000020.00020000.00000000.sdmp, K069N633L4KOJ1FJIGV7OZ.exe, 00000004.00000003.2070013453.000000002587C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://web.ncdc.gov.sa/crl/nrcaparta1.crl
              Source: K069N633L4KOJ1FJIGV7OZ.exe, 00000004.00000003.2070250638.000000002584D000.00000004.00000020.00020000.00000000.sdmp, K069N633L4KOJ1FJIGV7OZ.exe, 00000004.00000003.2069980706.0000000025887000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.acabogacia.org/doc0
              Source: K069N633L4KOJ1FJIGV7OZ.exe, 00000004.00000003.2069980706.0000000025887000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.acabogacia.org0
              Source: K069N633L4KOJ1FJIGV7OZ.exe, 00000004.00000003.2070119283.000000002586B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.accv.es/fileadmin/Archivos/certificados/raizaccv1.crt0
              Source: K069N633L4KOJ1FJIGV7OZ.exe, 00000004.00000003.2070119283.000000002586B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.accv.es/fileadmin/Archivos/certificados/raizaccv1_der.crl0
              Source: K069N633L4KOJ1FJIGV7OZ.exe, 00000004.00000003.2070119283.000000002586B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.accv.es/legislacion_c.htm0U
              Source: K069N633L4KOJ1FJIGV7OZ.exe, 00000004.00000003.2070119283.000000002586B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.accv.es00
              Source: K069N633L4KOJ1FJIGV7OZ.exe, 00000004.00000003.2069980706.0000000025887000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.agesic.gub.uy/acrn/acrn.crl0)
              Source: K069N633L4KOJ1FJIGV7OZ.exe, 00000004.00000003.2069980706.0000000025887000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.agesic.gub.uy/acrn/cps_acrn.pdf0
              Source: K069N633L4KOJ1FJIGV7OZ.exe, 00000004.00000003.2069686004.00000000258C6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.ancert.com/cps0
              Source: K069N633L4KOJ1FJIGV7OZ.exe, 00000004.00000003.2069770605.000000002589F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.anf.es
              Source: K069N633L4KOJ1FJIGV7OZ.exe, 00000004.00000003.2070187229.0000000025852000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.anf.es/AC/RC/ocsp0c
              Source: K069N633L4KOJ1FJIGV7OZ.exe, 00000004.00000003.2069770605.000000002589F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.anf.es/es/address-direccion.html
              Source: K069N633L4KOJ1FJIGV7OZ.exe, 00000004.00000003.2070250638.000000002584D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.ca.posta.rs/dokumentacija0h
              Source: K069N633L4KOJ1FJIGV7OZ.exe, 00000004.00000003.2070187229.0000000025852000.00000004.00000020.00020000.00000000.sdmp, K069N633L4KOJ1FJIGV7OZ.exe, 00000004.00000003.2070405451.0000000000E6F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.cert.fnmt.es/dpcs/0
              Source: K069N633L4KOJ1FJIGV7OZ.exe, 00000004.00000003.2070478248.0000000000E0C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.certeurope.fr/reference/pc-root2.pdf0
              Source: K069N633L4KOJ1FJIGV7OZ.exe, 00000004.00000003.2070478248.0000000000E0C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.certeurope.fr/reference/root2.crl0
              Source: K069N633L4KOJ1FJIGV7OZ.exe, 00000004.00000003.2070187229.0000000025852000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.certicamara.com/dpc/0Z
              Source: K069N633L4KOJ1FJIGV7OZ.exe, 00000004.00000003.2069959524.0000000025891000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.certplus.com/CRL/class1.crl0
              Source: K069N633L4KOJ1FJIGV7OZ.exe, 00000004.00000003.2069959524.0000000025891000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.certplus.com/CRL/class2.crl0
              Source: K069N633L4KOJ1FJIGV7OZ.exe, 00000004.00000003.2070250638.000000002584D000.00000004.00000020.00020000.00000000.sdmp, K069N633L4KOJ1FJIGV7OZ.exe, 00000004.00000002.3217081032.0000000025850000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.certplus.com/CRL/class3.crl0
              Source: K069N633L4KOJ1FJIGV7OZ.exe, 00000004.00000003.2069686004.00000000258C6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.certplus.com/CRL/class3P.crl0
              Source: K069N633L4KOJ1FJIGV7OZ.exe, 00000004.00000003.2070650256.0000000000E6C000.00000004.00000020.00020000.00000000.sdmp, K069N633L4KOJ1FJIGV7OZ.exe, 00000004.00000002.3208668216.0000000000E6D000.00000004.00000020.00020000.00000000.sdmp, K069N633L4KOJ1FJIGV7OZ.exe, 00000004.00000003.2070478248.0000000000E24000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.certplus.com/CRL/class3TS.crl0
              Source: K069N633L4KOJ1FJIGV7OZ.exe, 00000004.00000003.2069849217.00000000258B9000.00000004.00000020.00020000.00000000.sdmp, K069N633L4KOJ1FJIGV7OZ.exe, 00000004.00000003.2069959524.0000000025891000.00000004.00000020.00020000.00000000.sdmp, K069N633L4KOJ1FJIGV7OZ.exe, 00000004.00000003.2069770605.000000002589F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.chambersign.org1
              Source: K069N633L4KOJ1FJIGV7OZ.exe, 00000004.00000003.2069980706.0000000025887000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.comsign.co.il/cps0
              Source: K069N633L4KOJ1FJIGV7OZ.exe, 00000004.00000003.2668916730.0000000000E0C000.00000004.00000020.00020000.00000000.sdmp, K069N633L4KOJ1FJIGV7OZ.exe, 00000004.00000003.2070478248.0000000000E0C000.00000004.00000020.00020000.00000000.sdmp, K069N633L4KOJ1FJIGV7OZ.exe, 00000004.00000002.3208555044.0000000000E0D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.correo.com.uy/correocert/cps.pdf0
              Source: K069N633L4KOJ1FJIGV7OZ.exe, 00000004.00000003.2069849217.00000000258B9000.00000004.00000020.00020000.00000000.sdmp, K069N633L4KOJ1FJIGV7OZ.exe, 00000004.00000003.2070250638.000000002584D000.00000004.00000020.00020000.00000000.sdmp, K069N633L4KOJ1FJIGV7OZ.exe, 00000004.00000003.2069770605.000000002589F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.datev.de/zertifikat-policy-bt0
              Source: K069N633L4KOJ1FJIGV7OZ.exe, 00000004.00000002.3217120566.0000000025875000.00000004.00000020.00020000.00000000.sdmp, K069N633L4KOJ1FJIGV7OZ.exe, 00000004.00000003.2070119283.000000002586B000.00000004.00000020.00020000.00000000.sdmp, K069N633L4KOJ1FJIGV7OZ.exe, 00000004.00000003.2069770605.000000002589F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.datev.de/zertifikat-policy-int0
              Source: K069N633L4KOJ1FJIGV7OZ.exe, 00000004.00000003.2070158138.0000000025863000.00000004.00000020.00020000.00000000.sdmp, K069N633L4KOJ1FJIGV7OZ.exe, 00000004.00000003.2069748931.00000000258D3000.00000004.00000020.00020000.00000000.sdmp, K069N633L4KOJ1FJIGV7OZ.exe, 00000004.00000003.2069686004.00000000258C6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.datev.de/zertifikat-policy-std0
              Source: K069N633L4KOJ1FJIGV7OZ.exe, 00000004.00000003.2070033136.0000000025884000.00000004.00000020.00020000.00000000.sdmp, K069N633L4KOJ1FJIGV7OZ.exe, 00000004.00000003.2070013453.000000002587C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.defence.gov.au/pki0
              Source: K069N633L4KOJ1FJIGV7OZ.exe, 00000004.00000002.3217265220.00000000258C1000.00000004.00000020.00020000.00000000.sdmp, K069N633L4KOJ1FJIGV7OZ.exe, 00000004.00000003.2069770605.00000000258C1000.00000004.00000020.00020000.00000000.sdmp, K069N633L4KOJ1FJIGV7OZ.exe, 00000004.00000003.2069708548.00000000258BD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.disig.sk/ca/crl/ca_disig.crl0
              Source: K069N633L4KOJ1FJIGV7OZ.exe, 00000004.00000002.3217265220.00000000258C1000.00000004.00000020.00020000.00000000.sdmp, K069N633L4KOJ1FJIGV7OZ.exe, 00000004.00000003.2069770605.00000000258C1000.00000004.00000020.00020000.00000000.sdmp, K069N633L4KOJ1FJIGV7OZ.exe, 00000004.00000003.2069708548.00000000258BD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.disig.sk/ca0f
Source: K069N633L4KOJ1FJIGV7OZ.exe, 00000004.00000003.2070158138.0000000025863000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.dnie.es/dpc0
Source: K069N633L4KOJ1FJIGV7OZ.exe, 00000004.00000003.2069663799.00000000258D7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.e-me.lv/repository0
Source: K069N633L4KOJ1FJIGV7OZ.exe, 00000004.00000003.2069686004.00000000258C6000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.e-szigno.hu/RootCA.crl
Source: K069N633L4KOJ1FJIGV7OZ.exe, 00000004.00000003.2069686004.00000000258C6000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.e-szigno.hu/RootCA.crt0
Source: K069N633L4KOJ1FJIGV7OZ.exe, 00000004.00000003.2069686004.00000000258C6000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.e-szigno.hu/SZSZ/0
Source: K069N633L4KOJ1FJIGV7OZ.exe, 00000004.00000003.2069959524.0000000025891000.00000004.00000020.00020000.00000000.sdmp, K069N633L4KOJ1FJIGV7OZ.exe, 00000004.00000003.2069663799.00000000258D7000.00000004.00000020.00020000.00000000.sdmp, K069N633L4KOJ1FJIGV7OZ.exe, 00000004.00000003.2070119283.000000002586B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.e-trust.be/CPS/QNcerts
Source: K069N633L4KOJ1FJIGV7OZ.exe, 00000004.00000003.2069849217.00000000258B9000.00000004.00000020.00020000.00000000.sdmp, K069N633L4KOJ1FJIGV7OZ.exe, 00000004.00000003.2069770605.000000002589F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.ecee.gov.pt/dpc0
Source: K069N633L4KOJ1FJIGV7OZ.exe, 00000004.00000003.2070187229.0000000025852000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.echoworx.com/ca/root2/cps.pdf0
Source: K069N633L4KOJ1FJIGV7OZ.exe, 00000004.00000003.2070187229.0000000025852000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.eme.lv/repository0
Source: K069N633L4KOJ1FJIGV7OZ.exe, 00000004.00000003.2070158138.0000000025863000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.firmaprofesional.com/cps0
Source: K069N633L4KOJ1FJIGV7OZ.exe, 00000004.00000003.2668916730.0000000000E0C000.00000004.00000020.00020000.00000000.sdmp, K069N633L4KOJ1FJIGV7OZ.exe, 00000004.00000003.2070478248.0000000000E0C000.00000004.00000020.00020000.00000000.sdmp, K069N633L4KOJ1FJIGV7OZ.exe, 00000004.00000002.3208576278.0000000000E19000.00000004.00000020.00020000.00000000.sdmp, K069N633L4KOJ1FJIGV7OZ.exe, 00000004.00000003.2669145286.0000000000E18000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.globaltrust.info0
Source: K069N633L4KOJ1FJIGV7OZ.exe, 00000004.00000003.2668916730.0000000000E0C000.00000004.00000020.00020000.00000000.sdmp, K069N633L4KOJ1FJIGV7OZ.exe, 00000004.00000003.2070478248.0000000000E0C000.00000004.00000020.00020000.00000000.sdmp, K069N633L4KOJ1FJIGV7OZ.exe, 00000004.00000002.3208576278.0000000000E19000.00000004.00000020.00020000.00000000.sdmp, K069N633L4KOJ1FJIGV7OZ.exe, 00000004.00000003.2669145286.0000000000E18000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.globaltrust.info0=
Source: K069N633L4KOJ1FJIGV7OZ.exe, 00000004.00000003.2069770605.000000002589F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.ica.co.il/repository/cps/PersonalID_Practice_Statement.pdf0
Source: K069N633L4KOJ1FJIGV7OZ.exe, 00000004.00000003.2069686004.00000000258C6000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.informatik.admin.ch/PKI/links/CPS_2_16_756_1_17_3_1_0.pdf0
Source: K069N633L4KOJ1FJIGV7OZ.exe, 00000004.00000003.2069770605.000000002589F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.oaticerts.com/repository.
Source: K069N633L4KOJ1FJIGV7OZ.exe, 00000004.00000003.2070119283.000000002586B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.pki.admin.ch/cps/CPS_2_16_756_1_17_3_1_0.pdf09
Source: K069N633L4KOJ1FJIGV7OZ.exe, 00000004.00000003.2070187229.0000000025852000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.pki.admin.ch/cps/CPS_2_16_756_1_17_3_21_1.pdf0:
Source: K069N633L4KOJ1FJIGV7OZ.exe, 00000004.00000003.2069959524.0000000025891000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.pki.admin.ch/policy/CPS_2_16_756_1_17_3_21_1.pdf0
Source: K069N633L4KOJ1FJIGV7OZ.exe, 00000004.00000003.2070119283.000000002586B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.pki.gva.es/cps0
Source: K069N633L4KOJ1FJIGV7OZ.exe, 00000004.00000003.2070119283.000000002586B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.pki.gva.es/cps0%
Source: K069N633L4KOJ1FJIGV7OZ.exe, 00000004.00000003.2069770605.000000002589F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.pkioverheid.nl/policies/root-policy-G20
Source: K069N633L4KOJ1FJIGV7OZ.exe, 00000004.00000003.2069663799.00000000258D7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.pkioverheid.nl/policies/root-policy0
Source: K069N633L4KOJ1FJIGV7OZ.exe, 00000004.00000003.2070119283.000000002586B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.postsignum.cz/crl/psrootqca2.crl02
Source: K069N633L4KOJ1FJIGV7OZ.exe, 00000004.00000003.2070405451.0000000000E6F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.quovadis.bm0
Source: K069N633L4KOJ1FJIGV7OZ.exe, 00000004.00000003.2069686004.00000000258C6000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.quovadisglobal.com/cps0
Source: K069N633L4KOJ1FJIGV7OZ.exe, 00000004.00000003.2070119283.000000002586B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.rcsc.lt/repository0
Source: Rd_client_w_a_s_d_patched.exe | String found in binary or memory: http://www.rohos.com/
Source: Rd_client_w_a_s_d_patched.exe | String found in binary or memory: http://www.rohos.com/2013/12/login-unlock-computer-by-using-smartphone/
Source: Rd_client_w_a_s_d_patched.exe | String found in binary or memory: http://www.rohos.com/2016/07/rohos-logon-key-3-3/
Source: Rd_client_w_a_s_d_patched.exe | String found in binary or memory: http://www.rohos.com/2016/07/rohos_disk2-3-dropbox/
Source: Rd_client_w_a_s_d_patched.exe | String found in binary or memory: http://www.rohos.com/computer_protection_0.htm
Source: Rd_client_w_a_s_d_patched.exe | String found in binary or memory: http://www.rohos.com/desktop-security/buy_on-line.htm
Source: Rd_client_w_a_s_d_patched.exe | String found in binary or memory: http://www.rohos.com/desktop_security_howto.htm
Source: Rd_client_w_a_s_d_patched.exe | String found in binary or memory: http://www.rohos.com/free-encryption/upgrade-with-discount/
Source: Rd_client_w_a_s_d_patched.exe | String found in binary or memory: http://www.rohos.com/how-to-change-action-with-removable-media.htm
Source: Rd_client_w_a_s_d_patched.exe | String found in binary or memory: http://www.rohos.com/howto.htm
Source: Rd_client_w_a_s_d_patched.exe | String found in binary or memory: http://www.rohos.com/prevent_forgotten_password.htm
Source: Rd_client_w_a_s_d_patched.exe | String found in binary or memory: http://www.rohos.com/products/rohos-logon-free/upgrade/
Source: Rd_client_w_a_s_d_patched.exe | String found in binary or memory: http://www.rohos.com/protecting_ms_office_documents.htm
Source: Rd_client_w_a_s_d_patched.exe | String found in binary or memory: http://www.rohos.com/support
Source: Rd_client_w_a_s_d_patched.exe | String found in binary or memory: http://www.rohos.com/welcome-screen/buy_on-line.htm
Source: K069N633L4KOJ1FJIGV7OZ.exe, 00000004.00000003.2069770605.000000002589F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.sk.ee/cps/0
Source: K069N633L4KOJ1FJIGV7OZ.exe, 00000004.00000003.2069770605.000000002589F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.sk.ee/juur/crl/0
Source: K069N633L4KOJ1FJIGV7OZ.exe, 00000004.00000003.2069770605.000000002589F000.00000004.00000020.00020000.00000000.sdmp, K069N633L4KOJ1FJIGV7OZ.exe, 00000004.00000003.2069686004.00000000258C6000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.ssc.lt/cps03
Source: K069N633L4KOJ1FJIGV7OZ.exe, 00000004.00000003.2070450539.0000000000E7B000.00000004.00000020.00020000.00000000.sdmp, K069N633L4KOJ1FJIGV7OZ.exe, 00000004.00000003.2069913577.00000000258B6000.00000004.00000020.00020000.00000000.sdmp, K069N633L4KOJ1FJIGV7OZ.exe, 00000004.00000003.2069770605.000000002589F000.00000004.00000020.00020000.00000000.sdmp, K069N633L4KOJ1FJIGV7OZ.exe, 00000004.00000003.2070405451.0000000000E6F000.00000004.00000020.00020000.00000000.sdmp, K069N633L4KOJ1FJIGV7OZ.exe, 00000004.00000002.3217238570.00000000258B6000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.suscerte.gob.ve/dpc0
Source: K069N633L4KOJ1FJIGV7OZ.exe, 00000004.00000003.2070450539.0000000000E7B000.00000004.00000020.00020000.00000000.sdmp, K069N633L4KOJ1FJIGV7OZ.exe, 00000004.00000003.2069913577.00000000258B6000.00000004.00000020.00020000.00000000.sdmp, K069N633L4KOJ1FJIGV7OZ.exe, 00000004.00000003.2069770605.000000002589F000.00000004.00000020.00020000.00000000.sdmp, K069N633L4KOJ1FJIGV7OZ.exe, 00000004.00000003.2070405451.0000000000E6F000.00000004.00000020.00020000.00000000.sdmp, K069N633L4KOJ1FJIGV7OZ.exe, 00000004.00000002.3217238570.00000000258B6000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.suscerte.gob.ve/lcr0#
Source: K069N633L4KOJ1FJIGV7OZ.exe, 00000004.00000003.2069980706.0000000025887000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.trustcenter.de/crl/v2/tc_class_3_ca_II.crl
Source: K069N633L4KOJ1FJIGV7OZ.exe, 00000004.00000003.2069980706.0000000025887000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.uce.gub.uy/acrn/acrn.crl0
Source: K069N633L4KOJ1FJIGV7OZ.exe, 00000004.00000003.2069980706.0000000025887000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.uce.gub.uy/informacion-tecnica/politicas/cp_acrn.pdf0G
Source: K069N633L4KOJ1FJIGV7OZ.exe, 00000004.00000003.2668916730.0000000000E0C000.00000004.00000020.00020000.00000000.sdmp, K069N633L4KOJ1FJIGV7OZ.exe, 00000004.00000003.2668916730.0000000000E24000.00000004.00000020.00020000.00000000.sdmp, K069N633L4KOJ1FJIGV7OZ.exe, 00000004.00000003.2064588587.0000000000E24000.00000004.00000020.00020000.00000000.sdmp, K069N633L4KOJ1FJIGV7OZ.exe, 00000004.00000003.2070478248.0000000000E0C000.00000004.00000020.00020000.00000000.sdmp, K069N633L4KOJ1FJIGV7OZ.exe, 00000004.00000003.2064588587.0000000000E15000.00000004.00000020.00020000.00000000.sdmp, K069N633L4KOJ1FJIGV7OZ.exe, 00000004.00000003.2070478248.0000000000E24000.00000004.00000020.00020000.00000000.sdmp, K069N633L4KOJ1FJIGV7OZ.exe, 00000004.00000003.2069099189.0000000000E10000.00000004.00000020.00020000.00000000.sdmp, K069N633L4KOJ1FJIGV7OZ.exe, 00000004.00000003.2064696146.0000000000DF9000.00000004.00000020.00020000.00000000.sdmp, K069N633L4KOJ1FJIGV7OZ.exe, 00000004.00000002.3208555044.0000000000E0D000.00000004.00000020.00020000.00000000.sdmp, K069N633L4KOJ1FJIGV7OZ.exe, 00000004.00000003.2069099189.0000000000E24000.00000004.00000020.00020000.00000000.sdmp, K069N633L4KOJ1FJIGV7OZ.exe, 00000004.00000002.3208576278.0000000000E24000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.valicert.com/1
Source: K069N633L4KOJ1FJIGV7OZ.exe, 00000004.00000003.2070119283.000000002586B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www2.postsignum.cz/crl/psrootqca2.crl01
Source: K069N633L4KOJ1FJIGV7OZ.exe, 00000004.00000003.2669230160.0000000000DB7000.00000004.00000020.00020000.00000000.sdmp, K069N633L4KOJ1FJIGV7OZ.exe, 00000004.00000002.3211041884.0000000004814000.00000004.00001000.00020000.00000000.sdmp, K069N633L4KOJ1FJIGV7OZ.exe, 00000004.00000002.3208480488.0000000000DB9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://x.ss2.us/x.cer
Source: K069N633L4KOJ1FJIGV7OZ.exe, 00000004.00000002.3208409382.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp, K069N633L4KOJ1FJIGV7OZ.exe, 00000004.00000002.3211041884.0000000004858000.00000004.00001000.00020000.00000000.sdmp, K069N633L4KOJ1FJIGV7OZ.exe, 00000004.00000002.3213042209.000000000499E000.00000004.00001000.00020000.00000000.sdmp, K069N633L4KOJ1FJIGV7OZ.exe, 00000004.00000002.3213042209.00000000049A4000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://x.ss2.us/x.cer0&
Source: K069N633L4KOJ1FJIGV7OZ.exe, 00000004.00000002.3211041884.0000000004814000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://x.ss2.us/x.cerhttp://s.ss2.us/r.crl
Source: Rd_client_w_a_s_d_patched.exe, 00000000.00000003.1511100131.000000000411D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://x1.c.lencr.org/0
Source: Rd_client_w_a_s_d_patched.exe, 00000000.00000003.1511100131.000000000411D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://x1.i.lencr.org/0
Source: Rd_client_w_a_s_d_patched.exe, 00000000.00000003.1480389661.0000000004128000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ac.ecosia.org?q=
Source: Rd_client_w_a_s_d_patched.exe, 00000000.00000003.1523635807.0000000003FF5000.00000004.00000800.00020000.00000000.sdmp, Rd_client_w_a_s_d_patched.exe, 00000000.00000003.1525566039.0000000003FF7000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696425136400800000.2&ci=1696425136743.
Source: Rd_client_w_a_s_d_patched.exe, 00000000.00000003.1523635807.0000000003FF5000.00000004.00000800.00020000.00000000.sdmp, Rd_client_w_a_s_d_patched.exe, 00000000.00000003.1525566039.0000000003FF7000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696425136400800000.1&ci=1696425136743.12791&cta
Source: Rd_client_w_a_s_d_patched.exe, 00000000.00000003.1480389661.0000000004128000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: Rd_client_w_a_s_d_patched.exe, 00000000.00000003.1480389661.0000000004128000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: Rd_client_w_a_s_d_patched.exe, 00000000.00000003.1480389661.0000000004128000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: Rd_client_w_a_s_d_patched.exe, 00000000.00000003.1523635807.0000000003FF5000.00000004.00000800.00020000.00000000.sdmp, Rd_client_w_a_s_d_patched.exe, 00000000.00000003.1525566039.0000000003FF7000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
Source: Rd_client_w_a_s_d_patched.exe, 00000000.00000003.1523635807.0000000003FF5000.00000004.00000800.00020000.00000000.sdmp, Rd_client_w_a_s_d_patched.exe, 00000000.00000003.1525566039.0000000003FF7000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contile-images.services.mozilla.com/u1AuJcj32cbVUf9NjMipLXEYwu2uFIt4lsj-ccwVqEs.36904.jpg
Source: K069N633L4KOJ1FJIGV7OZ.exe, 00000004.00000003.2070187229.0000000025852000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://crl.anf.es/AC/ANFServerCA.crl0
Source: K069N633L4KOJ1FJIGV7OZ.exe, 00000004.00000002.3209251867.0000000003496000.00000004.00000020.00020000.00000000.sdmp, K069N633L4KOJ1FJIGV7OZ.exe, 00000004.00000002.3209934126.0000000003CE2000.00000002.00001000.00020000.00000000.sdmp, afcdpsrv.exe, 00000008.00000003.2269201476.00000000033C4000.00000004.00000020.00020000.00000000.sdmp, afcdpsrv.exe, 00000008.00000003.2264054446.0000000003C12000.00000002.00001000.00020000.00000000.sdmp, afcdpsrv.exe, 00000009.00000003.2365638924.00000000033D6000.00000004.00000020.00020000.00000000.sdmp, afcdpsrv.exe, 00000009.00000003.2357126708.0000000003C22000.00000002.00001000.00020000.00000000.sdmp | String found in binary or memory: https://data-seed-prebsc-1-s1.binance.org:8545/RtlDosPathNameToRelativeNtPathName_U_WithStatushttp:
Source: Rd_client_w_a_s_d_patched.exe, 00000000.00000003.1480389661.0000000004128000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: Rd_client_w_a_s_d_patched.exe, 00000000.00000003.1480389661.0000000004128000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/chrome_newtabv209h
Source: Rd_client_w_a_s_d_patched.exe, 00000000.00000003.1480389661.0000000004128000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: Rd_client_w_a_s_d_patched.exe, 00000000.00000003.1480389661.0000000004128000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://gemini.google.com/app?q=
Source: Rd_client_w_a_s_d_patched.exe, 00000000.00000003.1607145456.00000000010C4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://h1.passionwhenever.shop/
Source: Rd_client_w_a_s_d_patched.exe, 00000000.00000003.1607145456.00000000010C4000.00000004.00000020.00020000.00000000.sdmp, Rd_client_w_a_s_d_patched.exe, 00000000.00000003.1607206344.0000000001091000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://h1.passionwhenever.shop/PA.bin
Source: Rd_client_w_a_s_d_patched.exe, 00000000.00000003.1607145456.00000000010C4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://h1.passionwhenever.shop/PA.bin6
Source: Rd_client_w_a_s_d_patched.exe, 00000000.00000003.1607206344.0000000001052000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://h1.passionwhenever.shop:443/PA.bin
Source: Rd_client_w_a_s_d_patched.exe, 00000000.00000003.1525566039.0000000003FF7000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4p8dfCfm4pbW1pbWfpbW7ReNxR3UIG8zInwYIFIVs9eYi
Source: K069N633L4KOJ1FJIGV7OZ.exe, 00000004.00000003.2070405451.0000000000E6F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ocsp.quovadisoffshore.com0
Source: Rd_client_w_a_s_d_patched.exe, 00000000.00000003.1545682373.000000000103A000.00000004.00000020.00020000.00000000.sdmp, Rd_client_w_a_s_d_patched.exe, 00000000.00000003.1544812716.000000000103A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://proenhann.digi
Source: Rd_client_w_a_s_d_patched.exe, 00000000.00000003.1556873329.000000000103A000.00000004.00000020.00020000.00000000.sdmp, Rd_client_w_a_s_d_patched.exe, 00000000.00000003.1584313208.000000000103A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://proenhann.digital/
Source: Rd_client_w_a_s_d_patched.exe, 00000000.00000003.1606833529.0000000003FEB000.00000004.00000800.00020000.00000000.sdmp, Rd_client_w_a_s_d_patched.exe, 00000000.00000003.1556661259.00000000010C5000.00000004.00000020.00020000.00000000.sdmp, Rd_client_w_a_s_d_patched.exe, 00000000.00000003.1510253762.0000000003FF1000.00000004.00000800.00020000.00000000.sdmp, Rd_client_w_a_s_d_patched.exe, 00000000.00000003.1475527852.0000000001052000.00000004.00000020.00020000.00000000.sdmp, Rd_client_w_a_s_d_patched.exe, 00000000.00000003.1607145456.00000000010C4000.00000004.00000020.00020000.00000000.sdmp, Rd_client_w_a_s_d_patched.exe, 00000000.00000003.1556776784.0000000003FF9000.00000004.00000800.00020000.00000000.sdmp, Rd_client_w_a_s_d_patched.exe, 00000000.00000003.1510684471.0000000003FF6000.00000004.00000800.00020000.00000000.sdmp, Rd_client_w_a_s_d_patched.exe, 00000000.00000003.1584132622.00000000010C5000.00000004.00000020.00020000.00000000.sdmp, Rd_client_w_a_s_d_patched.exe, 00000000.00000003.1563518067.00000000010C5000.00000004.00000020.00020000.00000000.sdmp, Rd_client_w_a_s_d_patched.exe, 00000000.00000003.1563366920.0000000003FF9000.00000004.00000800.00020000.00000000.sdmp, Rd_client_w_a_s_d_patched.exe, 00000000.00000003.1510753742.0000000003FF7000.00000004.00000800.00020000.00000000.sdmp, Rd_client_w_a_s_d_patched.exe, 00000000.00000003.1584220557.0000000003FF9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://proenhann.digital/thnb
Source: Rd_client_w_a_s_d_patched.exe, 00000000.00000003.1584132622.00000000010B7000.00000004.00000020.00020000.00000000.sdmp, Rd_client_w_a_s_d_patched.exe, 00000000.00000003.1607145456.00000000010B0000.00000004.00000020.00020000.00000000.sdmp, Rd_client_w_a_s_d_patched.exe, 00000000.00000003.1563518067.00000000010B7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://proenhann.digital/thnb-
Source: Rd_client_w_a_s_d_patched.exe, 00000000.00000003.1607145456.00000000010B0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://proenhann.digital/thnb2
Source: Rd_client_w_a_s_d_patched.exe, 00000000.00000003.1607145456.00000000010B0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://proenhann.digital/thnb6Mg
Source: Rd_client_w_a_s_d_patched.exe, 00000000.00000003.1584132622.00000000010B7000.00000004.00000020.00020000.00000000.sdmp, Rd_client_w_a_s_d_patched.exe, 00000000.00000003.1607145456.00000000010B0000.00000004.00000020.00020000.00000000.sdmp, Rd_client_w_a_s_d_patched.exe, 00000000.00000003.1563518067.00000000010B7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://proenhann.digital/thnbG
Source: Rd_client_w_a_s_d_patched.exe, 00000000.00000003.1556661259.00000000010C5000.00000004.00000020.00020000.00000000.sdmp, Rd_client_w_a_s_d_patched.exe, 00000000.00000003.1584132622.00000000010C5000.00000004.00000020.00020000.00000000.sdmp, Rd_client_w_a_s_d_patched.exe, 00000000.00000003.1563518067.00000000010C5000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://proenhann.digital/thnbO
Source: Rd_client_w_a_s_d_patched.exe, 00000000.00000003.1525233260.0000000004005000.00000004.00000800.00020000.00000000.sdmp, Rd_client_w_a_s_d_patched.exe, 00000000.00000003.1563481076.0000000004009000.00000004.00000800.00020000.00000000.sdmp, Rd_client_w_a_s_d_patched.exe, 00000000.00000003.1606833529.0000000004004000.00000004.00000800.00020000.00000000.sdmp, Rd_client_w_a_s_d_patched.exe, 00000000.00000003.1529141688.0000000004009000.00000004.00000800.00020000.00000000.sdmp, Rd_client_w_a_s_d_patched.exe, 00000000.00000003.1527316556.0000000004009000.00000004.00000800.00020000.00000000.sdmp, Rd_client_w_a_s_d_patched.exe, 00000000.00000003.1523635807.0000000004004000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://proenhann.digital/thnbl
Source: Rd_client_w_a_s_d_patched.exe, 00000000.00000003.1523635807.0000000003FF5000.00000004.00000800.00020000.00000000.sdmp, Rd_client_w_a_s_d_patched.exe, 00000000.00000003.1545615308.0000000003FF9000.00000004.00000800.00020000.00000000.sdmp, Rd_client_w_a_s_d_patched.exe, 00000000.00000003.1527337089.0000000003FF9000.00000004.00000800.00020000.00000000.sdmp, Rd_client_w_a_s_d_patched.exe, 00000000.00000003.1525566039.0000000003FF7000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://proenhann.digital:443/thnb
Source: K069N633L4KOJ1FJIGV7OZ.exe, 00000004.00000003.2069686004.00000000258C6000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://rca.e-szigno.hu/ocsp0-
Source: K069N633L4KOJ1FJIGV7OZ.exe, 00000004.00000003.2069686004.00000000258C6000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://repository.luxtrust.lu0
Source: K069N633L4KOJ1FJIGV7OZ.exe, 00000004.00000003.2069849217.00000000258B9000.00000004.00000020.00020000.00000000.sdmp, K069N633L4KOJ1FJIGV7OZ.exe, 00000004.00000003.2069770605.000000002589F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://repository.tsp.zetes.com0
Source: Rd_client_w_a_s_d_patched.exe, 00000000.00000003.1512332718.0000000004331000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: Rd_client_w_a_s_d_patched.exe, 00000000.00000003.1512332718.0000000004331000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
Source: K069N633L4KOJ1FJIGV7OZ.exe, 00000004.00000003.2069770605.000000002589F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://web.certicamara.com/marco-legal0Z
Source: Rd_client_w_a_s_d_patched.exe, 00000000.00000003.1523635807.0000000003FF5000.00000004.00000800.00020000.00000000.sdmp, Rd_client_w_a_s_d_patched.exe, 00000000.00000003.1525566039.0000000003FF7000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_35787f1071928bc3a1aef90b79c9bee9c64ba6683fde7477
Source: K069N633L4KOJ1FJIGV7OZ.exe, 00000004.00000003.2070187229.0000000025852000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.anf.es/AC/ACTAS/789230
Source: K069N633L4KOJ1FJIGV7OZ.exe, 00000004.00000003.2070187229.0000000025852000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.anf.es/AC/ANFServerCA.crl0
Source: K069N633L4KOJ1FJIGV7OZ.exe, 00000004.00000003.2070187229.0000000025852000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.anf.es/address/)1(0&
Source: Rd_client_w_a_s_d_patched.exe, 00000000.00000003.1523635807.0000000003FF5000.00000004.00000800.00020000.00000000.sdmp, Rd_client_w_a_s_d_patched.exe, 00000000.00000003.1525566039.0000000003FF7000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.bestbuy.com/site/electronics/top-deals/pcmcat1563299784494.c/?id=pcmcat1563299784494&ref
Source: K069N633L4KOJ1FJIGV7OZ.exe, 00000004.00000003.2069686004.00000000258C6000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.catcert.net/verarrel
Source: K069N633L4KOJ1FJIGV7OZ.exe, 00000004.00000003.2069686004.00000000258C6000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.catcert.net/verarrel05
Source: Rd_client_w_a_s_d_patched.exe, 00000000.00000003.1480389661.0000000004128000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.ecosia.org/newtab/v20
Source: Rd_client_w_a_s_d_patched.exe, 00000000.00000003.1480389661.0000000004128000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_alldp.ico
Source: Rd_client_w_a_s_d_patched.exe, 00000000.00000003.1512332718.0000000004331000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.CDjelnmQJyZc
Source: Rd_client_w_a_s_d_patched.exe, 00000000.00000003.1512332718.0000000004331000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.b3lOZaxJcpF6
Source: Rd_client_w_a_s_d_patched.exe, 00000000.00000003.1512332718.0000000004331000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: Rd_client_w_a_s_d_patched.exe, 00000000.00000003.1512332718.0000000004331000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: Rd_client_w_a_s_d_patched.exe, 00000000.00000003.1512332718.0000000004331000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/media/img/mozorg/mozilla-256.4720741d4108.jpg
Source: Rd_client_w_a_s_d_patched.exe, 00000000.00000003.1512332718.0000000004331000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
Source: K069N633L4KOJ1FJIGV7OZ.exe, 00000004.00000003.2069663799.00000000258D7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.netlock.hu/docs/
Source: K069N633L4KOJ1FJIGV7OZ.exe, 00000004.00000003.2070158138.0000000025863000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.netlock.net/docs
Source: Rd_client_w_a_s_d_patched.exe | String found in binary or memory: https://www.rohos.com/2021/06/30/2fa-bypass-notification-in-rohos-logon-key-4-8/
Source: Rd_client_w_a_s_d_patched.exe | String found in binary or memory: https://www.rohos.com/welcome-screen/buy_on-line.htm
Source: Rd_client_w_a_s_d_patched.exe | String found in binary or memory: https://www.rohos.com/welcome-screen/buy_on-line.htmmini.exehttp://www.rohos.com/welcome-screen/buy_
Source: K069N633L4KOJ1FJIGV7OZ.exe, 00000004.00000002.3217265220.00000000258C1000.00000004.00000020.00020000.00000000.sdmp, K069N633L4KOJ1FJIGV7OZ.exe, 00000004.00000003.2069770605.00000000258C1000.00000004.00000020.00020000.00000000.sdmp, K069N633L4KOJ1FJIGV7OZ.exe, 00000004.00000003.2069708548.00000000258BD000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://wwww.certigna.fr/autorites/0m
Source: unknown | Network traffic detected: HTTP traffic on port 49698 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49700
Source: unknown | Network traffic detected: HTTP traffic on port 49699 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49699
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49698
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49697
Source: unknown | Network traffic detected: HTTP traffic on port 49695 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49695
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49693
Source: unknown | Network traffic detected: HTTP traffic on port 49697 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49692
Source: unknown | Network traffic detected: HTTP traffic on port 49692 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49693 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49700 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49701 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49701
Source: unknown | HTTPS traffic detected: 104.21.40.117:443 -> 192.168.2.5:49692 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.40.117:443 -> 192.168.2.5:49693 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.40.117:443 -> 192.168.2.5:49695 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.40.117:443 -> 192.168.2.5:49697 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.40.117:443 -> 192.168.2.5:49698 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.40.117:443 -> 192.168.2.5:49699 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.40.117:443 -> 192.168.2.5:49700 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.53.21:443 -> 192.168.2.5:49701 version: TLS 1.2
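The string and network findings above are raw table cells. Most of the URLs are noise for an analyst: certificate-store pointers (CRL, OCSP and CPS URLs, frequently ending in a stray "0" because the 0x30 DER SEQUENCE tag that follows them in the certificate is the ASCII digit zero), browser profile data read while the browser harvesting ran, and the Rohos product pages carried by the legitimate application the sample was built from. The following Python script is an added example and is not part of the Joe Sandbox report or its tooling. It parses lines in the report's format, separates those two kinds of noise from hosts that need review, and pairs the client ports in the "HTTP traffic on port" lines with the server IPs in the "HTTPS traffic detected" lines. The host and path lists, the DER-residue rule and the ephemeral-port rule are heuristics chosen here and are assumptions to tune per case; the sample lines inside the script are a constructed excerpt.

```python
"""Triage helper for Joe Sandbox string and network findings (added example)."""
import re

STRING_MARK = "String found in binary or memory:"
URL_RE = re.compile(r"https?://(?:(?!https?://)\S)+")     # splits URLs fused back to back
URL_PARTS_RE = re.compile(r"https?://([^/?#]+)([^?#]*)")   # (netloc, path)
PORT_LINE_RE = re.compile(r"HTTP traffic on port (\d+) -> (\d+)")
TLS_LINE_RE = re.compile(
    r"HTTPS traffic detected: ([\d.]+):(\d+) -> ([\d.]+):(\d+) version: (\S+ \S+)")

# Heuristics (assumptions, tune per case). A string lifted from a DER certificate
# usually ends in '0' (0x30, the SEQUENCE tag) plus one length byte, e.g. 'info0='.
# CRL/OCSP/CPS paths and browser, search-engine, ad-broker and vendor hosts are
# noise; rohos.com is listed because the sample carries that product's strings.
DER_TAIL_RE = re.compile(r"(?<!\d)0.?$")
CERT_PATH_RE = re.compile(r"\.(crl|crt|cer)|/(cps|dpc|ocsp|repository|polic)", re.I)
CERT_HOST_RE = re.compile(r"^(ocsp|crl|rca|pki|repository)\.", re.I)
BENIGN_SUFFIXES = (
    "mozilla.org", "mozilla.com", "lencr.org", "duckduckgo.com", "ecosia.org",
    "google.com", "yahoo.com", "amazon.com", "bestbuy.com",
    "admarketplace.net", "ap01.net", "mt48.net", "rohos.com",
)

# Constructed excerpt in the report's line format. Text exports may omit the
# cell separator; the parser keys on the finding label, not on the separator.
SAMPLE_LINES = [
    "Source: K069N633L4KOJ1FJIGV7OZ.exe, 00000004.00000003.2069686004.00000000258C6000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.e-szigno.hu/RootCA.crl",
    "Source: K069N633L4KOJ1FJIGV7OZ.exe, 00000004.00000003.2668916730.0000000000E0C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.globaltrust.info0=",
    "Source: K069N633L4KOJ1FJIGV7OZ.exe, 00000004.00000002.3211041884.0000000004814000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://x.ss2.us/x.cerhttp://s.ss2.us/r.crl",
    "Source: Rd_client_w_a_s_d_patched.exe, 00000000.00000003.1480389661.0000000004128000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/ac/?q=",
    "Source: Rd_client_w_a_s_d_patched.exe, 00000000.00000003.1607145456.00000000010C4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://h1.passionwhenever.shop/PA.bin6",
    "Source: Rd_client_w_a_s_d_patched.exe, 00000000.00000003.1607145456.00000000010B0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://proenhann.digital/thnb6Mg",
    "Source: Rd_client_w_a_s_d_patched.exe, 00000000.00000003.1525566039.0000000003FF7000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://proenhann.digital:443/thnb",
    "Source: Rd_client_w_a_s_d_patched.exe | String found in binary or memory: http://www.rohos.com/support",
    "Source: unknown | Network traffic detected: HTTP traffic on port 49692 -> 443",
    "Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49701",
    "Source: unknown | HTTPS traffic detected: 104.21.40.117:443 -> 192.168.2.5:49692 version: TLS 1.2",
    "Source: unknown | HTTPS traffic detected: 104.21.53.21:443 -> 192.168.2.5:49701 version: TLS 1.2",
]


def extract_urls(text):
    """All URLs in a string cell, splitting ones that memory ran together."""
    return URL_RE.findall(text)


def clean_host(netloc):
    """Lower-case host without credentials, port or a trailing DER residue."""
    host = netloc.rsplit("@", 1)[-1].split(":", 1)[0].lower()
    if re.fullmatch(r"[\d.]+", host):          # literal IP: never strip
        return host
    return re.sub(r"(?<!\d)0[^a-z0-9]?$", "", host)


def classify(url):
    """Return (host, 'noise' | 'candidate') for one extracted URL."""
    m = URL_PARTS_RE.match(url)
    netloc, path = (m.group(1), m.group(2)) if m else (url, "")
    host = clean_host(netloc)
    if DER_TAIL_RE.search(url) or CERT_HOST_RE.match(host) or CERT_PATH_RE.search(path):
        return host, "noise"
    if any(host == s or host.endswith("." + s) for s in BENIGN_SUFFIXES):
        return host, "noise"
    return host, "candidate"


def triage(lines):
    """Group string findings by host: {'candidate': {host: [urls]}, 'noise': {...}}."""
    out = {"candidate": {}, "noise": {}}
    for line in lines:
        if STRING_MARK not in line:
            continue
        for url in extract_urls(line.split(STRING_MARK, 1)[1]):
            host, kind = classify(url)
            out[kind].setdefault(host, []).append(url)
    return out


def pair_flows(lines):
    """Map each sandbox client port to {'server': 'ip:port', 'tls': version}.

    Direction lines appear in both orders (49692 -> 443 and 443 -> 49692);
    the higher, ephemeral number is taken as the client port (assumption).
    """
    flows = {}
    for line in lines:
        m = TLS_LINE_RE.search(line)
        if m:
            sip, sport, _cip, cport, version = m.groups()
            flows[int(cport)] = {"server": f"{sip}:{sport}", "tls": version}
    for line in lines:                          # ports seen without a TLS record
        m = PORT_LINE_RE.search(line)
        if m:
            a, b = int(m.group(1)), int(m.group(2))
            flows.setdefault(max(a, b), {"server": f"?:{min(a, b)}", "tls": None})
    return flows


if __name__ == "__main__":
    result = triage(SAMPLE_LINES)
    for host, urls in sorted(result["candidate"].items()):
        print(f"REVIEW  {host:30} {len(urls)} string(s), e.g. {urls[0]}")
    for port, flow in sorted(pair_flows(SAMPLE_LINES).items()):
        print(f"FLOW    {port} -> {flow['server']} ({flow['tls']})")
```

Run against the full report text, the review list shrinks to the handful of hosts that are neither CA infrastructure nor browser or vendor data; whether a survivor is the stealer's C2 is still an analyst's call, and the binance.org RPC endpoint found in afcdpsrv.exe is an example of a survivor that deserves a look for a different reason (wallet theft) than the .shop and .digital hosts. The flow table makes the eight connections to 104.21.40.117 and the single one to 104.21.53.21 readable at a glance instead of as sixteen direction lines.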
Source: C:\Users\user\AppData\Local\Temp\K069N633L4KOJ1FJIGV7OZ.exe | Code function: 4_2_004075EC GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard
Source: C:\Users\user\AppData\Local\Temp\K069N633L4KOJ1FJIGV7OZ.exe | File created: C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\070E0202839D9D67350CD2613E78E416
Source: C:\Users\user\Desktop\Rd_client_w_a_s_d_patched.exe | Process Stats: CPU usage > 49%
Source: C:\Users\user\AppData\Local\Temp\K069N633L4KOJ1FJIGV7OZ.exe | Code function: 4_2_00AE0CD8 NtAllocateVirtualMemory
Source: C:\Users\user\AppData\Local\Temp\K069N633L4KOJ1FJIGV7OZ.exe | Code function: 4_2_00AE066E NtProtectVirtualMemory
Source: C:\Users\user\AppData\Local\Temp\K069N633L4KOJ1FJIGV7OZ.exe | Code function: 4_2_00AE11E5 CreateThread,malloc,NtClose,free
Source: C:\Users\user\AppData\Local\Temp\K069N633L4KOJ1FJIGV7OZ.exe | Code function: 4_2_00AE0B72 NtGetContextThread,NtSetContextThread,NtResumeThread
Source: C:\Users\user\AppData\Local\Temp\K069N633L4KOJ1FJIGV7OZ.exe | Code function: 4_2_00AE1084 NtClose
Source: C:\Users\user\AppData\Local\Temp\K069N633L4KOJ1FJIGV7OZ.exe | Code function: 4_2_00AE10E8 NtClose
Source: C:\Users\user\AppData\Local\Temp\K069N633L4KOJ1FJIGV7OZ.exe | Code function: 4_2_00AE19C5 free,NtClose,free
Source: C:\Users\user\AppData\Local\Temp\K069N633L4KOJ1FJIGV7OZ.exe | Code function: 4_2_00AE114C NtClose
Source: C:\Users\user\AppData\Local\Temp\K069N633L4KOJ1FJIGV7OZ.exe | Code function: 4_2_02A32000 NtProtectVirtualMemory
Source: C:\Users\user\AppData\Local\Temp\K069N633L4KOJ1FJIGV7OZ.exe | Code function: 4_2_02A31FC2 NtFreeVirtualMemory
Source: C:\Users\user\AppData\Local\Temp\K069N633L4KOJ1FJIGV7OZ.exe | Code function: 4_2_02A31F6F NtAllocateVirtualMemory
Source: C:\ProgramData\afcdpsrv.exe | Code function: 8_3_028A066E NtProtectVirtualMemory
Source: C:\ProgramData\afcdpsrv.exe | Code function: 8_3_028A0B72 NtGetContextThread,NtSetContextThread,NtResumeThread
Source: C:\ProgramData\afcdpsrv.exe | Code function: 8_3_028A1084 NtSuspendThread
Source: C:\ProgramData\afcdpsrv.exe | Code function: 8_3_028A0CD8 NtAllocateVirtualMemory,NtFreeVirtualMemory
Source: C:\ProgramData\afcdpsrv.exe | Code function: 8_3_028A10E8 NtTerminateThread
Source: C:\ProgramData\afcdpsrv.exe | Code function: 8_3_028A114C NtClose
Source: C:\ProgramData\afcdpsrv.exe | Code function: 8_2_02962000 NtProtectVirtualMemory
Source: C:\ProgramData\afcdpsrv.exe | Code function: 8_2_02961FC2 NtFreeVirtualMemory
Source: C:\ProgramData\afcdpsrv.exe | Code function: 8_2_02961F6F NtAllocateVirtualMemory
Source: C:\ProgramData\afcdpsrv.exe | Code function: 9_3_00AE1084 NtSuspendThread
Source: C:\ProgramData\afcdpsrv.exe | Code function: 9_3_00AE10E8 NtTerminateThread
Source: C:\ProgramData\afcdpsrv.exe | Code function: 9_3_00AE0CD8 NtAllocateVirtualMemory,NtFreeVirtualMemory
Source: C:\ProgramData\afcdpsrv.exe | Code function: 9_3_00AE114C NtClose
Source: C:\ProgramData\afcdpsrv.exe | Code function: 9_3_00AE066E NtProtectVirtualMemory
Source: C:\ProgramData\afcdpsrv.exe | Code function: 9_3_00AE0B72 NtGetContextThread,NtSetContextThread,NtResumeThread
Source: C:\ProgramData\afcdpsrv.exe | Code function: 9_2_02972000 NtProtectVirtualMemory
Source: C:\ProgramData\afcdpsrv.exe | Code function: 9_2_02971FC2 NtFreeVirtualMemory
Source: C:\ProgramData\afcdpsrv.exe | Code function: 9_2_02971F6F NtAllocateVirtualMemory
Source: C:\Users\user\AppData\Local\Temp\K069N633L4KOJ1FJIGV7OZ.exe | Code function: 4_2_00405A23
Source: C:\Users\user\AppData\Local\Temp\K069N633L4KOJ1FJIGV7OZ.exe | Code function: 4_2_00404590
Source: C:\Users\user\AppData\Local\Temp\K069N633L4KOJ1FJIGV7OZ.exe | Code function: 4_2_00404E54
Source: C:\Users\user\AppData\Local\Temp\K069N633L4KOJ1FJIGV7OZ.exe | Code function: 4_2_00409A39
Source: C:\Users\user\AppData\Local\Temp\K069N633L4KOJ1FJIGV7OZ.exe | Code function: 4_2_00404EC2
Source: C:\Users\user\AppData\Local\Temp\K069N633L4KOJ1FJIGV7OZ.exe | Code function: 4_2_00409AC7
Source: C:\Users\user\AppData\Local\Temp\K069N633L4KOJ1FJIGV7OZ.exe | Code function: 4_2_00406AC8
Source: C:\Users\user\AppData\Local\Temp\K069N633L4KOJ1FJIGV7OZ.exe | Code function: 4_2_004050BE
Source: C:\Users\user\AppData\Local\Temp\K069N633L4KOJ1FJIGV7OZ.exe | Code function: 4_2_004098BE
Source: C:\Users\user\AppData\Local\Temp\K069N633L4KOJ1FJIGV7OZ.exe | Code function: 4_2_00405159
Source: C:\Users\user\AppData\Local\Temp\K069N633L4KOJ1FJIGV7OZ.exe | Code function: 4_2_00409B13
Source: C:\Users\user\AppData\Local\Temp\K069N633L4KOJ1FJIGV7OZ.exe | Code function: 4_2_0040511E
Source: C:\Users\user\AppData\Local\Temp\K069N633L4KOJ1FJIGV7OZ.exe | Code function: 4_2_00409136
Source: C:\Users\user\AppData\Local\Temp\K069N633L4KOJ1FJIGV7OZ.exe | Code function: 4_2_00404DD2
Source: C:\Users\user\AppData\Local\Temp\K069N633L4KOJ1FJIGV7OZ.exe | Code function: 4_2_004075EC
Source: C:\Users\user\AppData\Local\Temp\K069N633L4KOJ1FJIGV7OZ.exe | Code function: 4_2_02A30000
Source: C:\Users\user\AppData\Local\Temp\K069N633L4KOJ1FJIGV7OZ.exe | Code function: 4_2_03A2BBF0
Source: C:\Users\user\AppData\Local\Temp\K069N633L4KOJ1FJIGV7OZ.exe | Code function: 4_2_03A4BEA0
Source: C:\Users\user\AppData\Local\Temp\K069N633L4KOJ1FJIGV7OZ.exe | Code function: 4_2_03A22EB0
Source: C:\Users\user\AppData\Local\Temp\K069N633L4KOJ1FJIGV7OZ.exe | Code function: 4_2_03A4C6E0
Source: C:\Users\user\AppData\Local\Temp\K069N633L4KOJ1FJIGV7OZ.exe | Code function: 4_2_03A8C230
Source: C:\Users\user\AppData\Local\Temp\K069N633L4KOJ1FJIGV7OZ.exe | Code function: 4_2_03A31210
Source: C:\Users\user\AppData\Local\Temp\K069N633L4KOJ1FJIGV7OZ.exe | Code function: 4_2_03A4B920
Source: C:\Users\user\AppData\Local\Temp\K069N633L4KOJ1FJIGV7OZ.exe | Code function: 4_2_03A4E570
Source: C:\Users\user\AppData\Local\Temp\K069N633L4KOJ1FJIGV7OZ.exe | Code function: 4_2_03A46D70
Source: C:\Users\user\AppData\Local\Temp\K069N633L4KOJ1FJIGV7OZ.exe | Code function: 4_2_03A28D40
Source: C:\Users\user\AppData\Local\Temp\K069N633L4KOJ1FJIGV7OZ.exe | Code function: 4_2_03A30080
Source: C:\ProgramData\afcdpsrv.exe | Code function: 8_3_0395BBF0
Source: C:\ProgramData\afcdpsrv.exe | Code function: 8_3_03952EB0
Source: C:\ProgramData\afcdpsrv.exe | Code function: 8_3_0397BEA0
Source: C:\ProgramData\afcdpsrv.exe | Code function: 8_3_0397C6E0
Source: C:\ProgramData\afcdpsrv.exe | Code function: 8_3_03961210
Source: C:\ProgramData\afcdpsrv.exe | Code function: 8_3_039BC230
Source: C:\ProgramData\afcdpsrv.exe | Code function: 8_3_0397B920
Source: C:\ProgramData\afcdpsrv.exe | Code function: 8_3_03958D40
Source: C:\ProgramData\afcdpsrv.exe | Code function: 8_3_0397E570
Source: C:\ProgramData\afcdpsrv.exe | Code function: 8_3_03976D70
Source: C:\ProgramData\afcdpsrv.exe | Code function: 8_3_03960080
Source: C:\ProgramData\afcdpsrv.exe | Code function: 8_2_02960000
Source: C:\ProgramData\afcdpsrv.exe | Code function: 9_3_0396BBF0
Source: C:\ProgramData\afcdpsrv.exe | Code function: 9_3_03962EB0
Source: C:\ProgramData\afcdpsrv.exe | Code function: 9_3_0398BEA0
Source: C:\ProgramData\afcdpsrv.exe | Code function: 9_3_0398C6E0
Source: C:\ProgramData\afcdpsrv.exe | Code function: 9_3_03971210
Source: C:\ProgramData\afcdpsrv.exe | Code function: 9_3_039CC230
Source: C:\ProgramData\afcdpsrv.exe | Code function: 9_3_0398B920
Source: C:\ProgramData\afcdpsrv.exe | Code function: 9_3_03968D40
Source: C:\ProgramData\afcdpsrv.exe | Code function: 9_3_0398E570
Source: C:\ProgramData\afcdpsrv.exe | Code function: 9_3_03986D70
Source: C:\ProgramData\afcdpsrv.exe | Code function: 9_3_03970080
Source: C:\ProgramData\afcdpsrv.exe | Code function: 9_2_00405A23
Source: C:\ProgramData\afcdpsrv.exe | Code function: 9_2_00404590
Source: C:\ProgramData\afcdpsrv.exe | Code function: 9_2_00404E54
Source: C:\ProgramData\afcdpsrv.exe | Code function: 9_2_00409A39
Source: C:\ProgramData\afcdpsrv.exe | Code function: 9_2_00404EC2
Source: C:\ProgramData\afcdpsrv.exe | Code function: 9_2_00409AC7
Source: C:\ProgramData\afcdpsrv.exe | Code function: 9_2_00406AC8
Source: C:\ProgramData\afcdpsrv.exe | Code function: 9_2_004050BE
Source: C:\ProgramData\afcdpsrv.exe | Code function: 9_2_004098BE
Source: C:\ProgramData\afcdpsrv.exe | Code function: 9_2_00405159
Source: C:\ProgramData\afcdpsrv.exe | Code function: 9_2_00409B13
Source: C:\ProgramData\afcdpsrv.exe | Code function: 9_2_0040511E
Source: C:\ProgramData\afcdpsrv.exe | Code function: 9_2_00409136
Source: C:\ProgramData\afcdpsrv.exe | Code function: 9_2_00404DD2
Source: C:\ProgramData\afcdpsrv.exe | Code function: 9_2_004075EC
Source: C:\ProgramData\afcdpsrv.exe | Code function: 9_2_02970000
Source: Joe Sandbox View | Dropped File: C:\ProgramData\afcdpsrv.exe A6D4406683626AA86A4B4CCA84EA4E3B9C744803F3FF396B916F4562FE8336F0
Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Local\Temp\K069N633L4KOJ1FJIGV7OZ.exe A6D4406683626AA86A4B4CCA84EA4E3B9C744803F3FF396B916F4562FE8336F0
Source: C:\Users\user\AppData\Local\Temp\K069N633L4KOJ1FJIGV7OZ.exe | Code function: String function: 03A8B9D0 appears 140 times
Source: C:\Users\user\AppData\Local\Temp\K069N633L4KOJ1FJIGV7OZ.exe | Code function: String function: 03A58A80 appears 109 times
Source: C:\ProgramData\afcdpsrv.exe | Code function: String function: 03988A80 appears 111 times
Source: C:\ProgramData\afcdpsrv.exe | Code function: String function: 03998A80 appears 111 times
Source: C:\ProgramData\afcdpsrv.exe | Code function: String function: 039BB9D0 appears 141 times
Source: C:\ProgramData\afcdpsrv.exe | Code function: String function: 039CB9D0 appears 141 times
Source: Rd_client_w_a_s_d_patched.exe, 00000000.00000000.1344958184.00000000008F7000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameagent.exe^ vs Rd_client_w_a_s_d_patched.exe
Source: Rd_client_w_a_s_d_patched.exe, 00000000.00000003.1462691319.0000000003803000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameagent.exe^ vs Rd_client_w_a_s_d_patched.exe
Source: Rd_client_w_a_s_d_patched.exe | Binary or memory string: OriginalFilenameagent.exe^ vs Rd_client_w_a_s_d_patched.exe
Source: Rd_client_w_a_s_d_patched.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\reg.exe reg add HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce /v afcdpsrv /t REG_SZ /d C:\ProgramData\afcdpsrv.exe /f
Source: Rd_client_w_a_s_d_patched.exe | Binary string: \device\%c:00000000
Source: Rd_client_w_a_s_d_patched.exe | Binary string: Mode:%d KeySize:%d Ver:%X Key:%s... DefineDosDevice2 %d %c: %X\device\%c:00000000%08lXDefineDosDevice. fail %X %sDefineDosDevice DDD_REMOVE_DEFINITION. fail %X %s
Source: classification engine | Classification label: mal84.troj.spyw.evad.winEXE@10/6@5/5
Source: C:\Users\user\AppData\Local\Temp\K069N633L4KOJ1FJIGV7OZ.exe | Code function: 4_2_00405A23 VirtualAlloc,GetDiskFreeSpaceW
Source: C:\Users\user\AppData\Local\Temp\K069N633L4KOJ1FJIGV7OZ.exe | Code function: 4_2_02A30C75 CreateToolhelp32Snapshot,Thread32First,Wow64SuspendThread,CloseHandle,Thread32Next
Source: C:\Users\user\AppData\Local\Temp\K069N633L4KOJ1FJIGV7OZ.exe | Code function: 4_2_00402AB8 CoCreateInstance
Source: C:\Users\user\AppData\Local\Temp\K069N633L4KOJ1FJIGV7OZ.exe | File created: C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\070E0202839D9D67350CD2613E78E416
Source: C:\Users\user\AppData\Local\Temp\K069N633L4KOJ1FJIGV7OZ.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\afcdpsrv
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8912:120:WilError_03
Source: C:\Users\user\Desktop\Rd_client_w_a_s_d_patched.exe | File created: C:\Users\user\AppData\Local\Temp\K069N633L4KOJ1FJIGV7OZ.exe
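The signature lines above name artefacts a responder can hunt for directly: two TLS servers, a dropped copy of the payload with its SHA256, a RunOnce value written through reg.exe whose data points into C:\ProgramData, a global mutex, and functions whose API lists contain NtGetContextThread, NtSetContextThread and NtResumeThread in that order (the sequence thread-context hijacking uses to redirect a suspended thread) or CreateToolhelp32Snapshot, Thread32First and Wow64SuspendThread (enumerating and suspending threads). The Python below is an added example, not part of the Joe Sandbox report or of Joe Sandbox's tooling: it parses signature lines of this shape into indicators, extracts the key, value and data from the `reg add` command line, flags autorun entries whose payload sits in a user-writable directory, and matches the two ordered API sequences per function. The sample lines are copied from this report as the text extraction renders them (cells run together); the regexes, rule names and the user-writable-path heuristic are the example's own choices.

```python
"""Hunt indicators and behaviour matches from Joe Sandbox signature lines.
Added example for this report, not Joe Sandbox's own code: REPORT_LINES is copied from the
signature list above (cells run together as the text extraction renders them); the parser, the
rule names and the user-writable-path heuristic are this example's own choices."""
import re
import shlex
REPORT_LINES = [  # constructed input, copied from this report
    "Source: unknownHTTPS traffic detected: 104.21.40.117:443 -> 192.168.2.5:49692 version: TLS 1.2",
    "Source: unknownHTTPS traffic detected: 104.21.53.21:443 -> 192.168.2.5:49701 version: TLS 1.2",
    r"Source: C:\Users\user\AppData\Local\Temp\K069N633L4KOJ1FJIGV7OZ.exeCode function: "
    r"4_2_00AE0B72 NtGetContextThread,NtSetContextThread,NtResumeThread,4_2_00AE0B72",
    r"Source: C:\Users\user\AppData\Local\Temp\K069N633L4KOJ1FJIGV7OZ.exeCode function: "
    r"4_2_02A30C75 CreateToolhelp32Snapshot,Thread32First,Wow64SuspendThread,CloseHandle,Thread32Next,4_2_02A30C75",
    r"Source: Joe Sandbox ViewDropped File: C:\ProgramData\afcdpsrv.exe A6D4406683626AA86A4B4CCA84EA4E3B9C744803F3FF396B916F4562FE8336F0",
    r"Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\reg.exe reg add "
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce /v afcdpsrv /t REG_SZ /d C:\ProgramData\afcdpsrv.exe /f",
    r"Source: C:\Users\user\AppData\Local\Temp\K069N633L4KOJ1FJIGV7OZ.exeMutant created: \Sessions\1\BaseNamedObjects\Global\afcdpsrv",
]
# Source cell and detection cell, run together or separated by ' | '; other detection kinds are skipped.
LINE_RE = re.compile(r"^Source: (?P<source>.+?)\s*\|?\s*(?P<kind>HTTPS traffic detected|Code function|"
                     r"Dropped File|Process created|Mutant created): (?P<detail>.*)$")
CODE_FN_RE = re.compile(r"^(\d+_\d+_[0-9A-Fa-f]{8})\s*(.*)$")  # N_M_ADDR function id, then the API list
FN_ID_RE = re.compile(r"^\d+_\d+_[0-9A-Fa-f]{8}$")
TLS_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3}):(\d+) ->")
MUTEX_PREFIX_RE = re.compile(r"^\\Sessions\\\d+\\BaseNamedObjects\\")
HIVES = {"HKCU": "HKEY_CURRENT_USER", "HKLM": "HKEY_LOCAL_MACHINE", "HKU": "HKEY_USERS"}
AUTORUN_SUBKEYS = {"software\\microsoft\\windows\\currentversion\\run",
                   "software\\microsoft\\windows\\currentversion\\runonce"}
USER_WRITABLE = ("c:\\programdata\\", "c:\\users\\", "\\appdata\\", "\\temp\\")  # heuristic: plantable without admin
BEHAVIOUR_PATTERNS = {  # ordered API subsequences worth flagging when they occur inside one function
    "thread-context-hijack": ("NtGetContextThread", "NtSetContextThread", "NtResumeThread"),
    "thread-enumerate-and-suspend": ("CreateToolhelp32Snapshot", "Thread32First", "Wow64SuspendThread"),
}

def parse_code_function(detail):
    """'4_2_X A,B,4_2_X' -> ('4_2_X', ['A', 'B']); the trailing id (the HTML link cell) and empty entries are dropped."""
    m = CODE_FN_RE.match(detail)
    return (m.group(1), [a for a in m.group(2).split(",") if a and not FN_ID_RE.match(a)]) if m else None

def contains_in_order(apis, pattern):
    """True if every API in pattern occurs in apis in that order; other calls may sit in between."""
    pos = 0
    for api in apis:
        if pos < len(pattern) and api == pattern[pos]:
            pos += 1
    return pos == len(pattern)

def parse_reg_add(cmdline):
    """Parse 'reg add <key> [/v name] [/t type] [/d data] [/f]' into a dict, or None if not a reg add.
    Non-POSIX shlex keeps backslashes literal and hands back quoted arguments with their quotes."""
    tokens = shlex.split(cmdline, posix=False)
    low = [t.lower() for t in tokens]
    i = low.index("add") if "add" in low else 0
    if i == 0 or low[i - 1].split("\\")[-1] not in ("reg", "reg.exe") or i + 1 >= len(tokens):
        return None
    hive, _, subkey = tokens[i + 1].strip('"').partition("\\")
    rec = {"hive": HIVES.get(hive.upper(), hive), "subkey": subkey, "value": None, "type": "REG_SZ", "data": None}
    switches = {"/v": "value", "/t": "type", "/d": "data"}
    j = i + 2
    while j < len(tokens):
        field = switches.get(low[j])
        if field and j + 1 < len(tokens):
            rec[field] = tokens[j + 1].strip('"')
            j += 2
        else:
            j += 1  # /f, /ve, /reg:32 and the like carry nothing we record
    return rec

def is_autorun_persistence(rec):
    """Run/RunOnce entry whose payload sits in a user-writable directory (here: RunOnce -> C:\\ProgramData)."""
    return bool(rec and rec["data"] and rec["subkey"].lower().rstrip("\\") in AUTORUN_SUBKEYS
                and any(p in rec["data"].lower() for p in USER_WRITABLE))

def extract_iocs(lines):
    """Collect TLS servers, dropped-file hashes, mutexes, autorun entries and behaviour hits."""
    iocs = {"tls_servers": set(), "dropped_files": {}, "mutexes": set(), "autoruns": [], "behaviour_hits": []}
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        source, kind, detail = m.group("source"), m.group("kind"), m.group("detail").strip()
        if kind == "HTTPS traffic detected" and (t := TLS_RE.match(detail)):
            iocs["tls_servers"].add((t.group(1), int(t.group(2))))
        elif kind == "Dropped File":
            path, _, digest = detail.rpartition(" ")
            iocs["dropped_files"][path] = digest.lower()
        elif kind == "Mutant created":
            iocs["mutexes"].add(MUTEX_PREFIX_RE.sub("", detail))
        elif kind == "Process created" and is_autorun_persistence(rec := parse_reg_add(detail)):
            iocs["autoruns"].append(rec)
        elif kind == "Code function" and (cf := parse_code_function(detail)):
            for name, pattern in BEHAVIOUR_PATTERNS.items():
                if contains_in_order(cf[1], pattern):
                    iocs["behaviour_hits"].append((name, source, cf[0]))
    return iocs

if __name__ == "__main__":
    print(extract_iocs(REPORT_LINES))
```

Feed it the complete signature list rather than the handful sampled here and every `Code function` line with a matching sequence comes out tagged with its source binary and function id. The API list on a `Code function` line is static capability, not proof that the path ran in the sandbox, so treat a hit as something to correlate with the process-creation and thread events in the behaviour section; the autorun rule, by contrast, is a concrete artefact that can be checked on a suspect host by reading the RunOnce value and hashing the file it points at.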
              Source: Rd_client_w_a_s_d_patched.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
              Source: C:\Users\user\Desktop\Rd_client_w_a_s_d_patched.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
              Source: Rd_client_w_a_s_d_patched.exe, 00000000.00000003.1480534203.0000000004019000.00000004.00000800.00020000.00000000.sdmp, Rd_client_w_a_s_d_patched.exe, 00000000.00000003.1499192962.0000000004019000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
              Source: K069N633L4KOJ1FJIGV7OZ.exeString found in binary or memory: /gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus old
              Source: K069N633L4KOJ1FJIGV7OZ.exeString found in binary or memory: /gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus old
              Source: K069N633L4KOJ1FJIGV7OZ.exeString found in binary or memory: /cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power
              Source: K069N633L4KOJ1FJIGV7OZ.exeString found in binary or memory: /cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power
              Source: K069N633L4KOJ1FJIGV7OZ.exeString found in binary or memory: /cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.ins
              Source: K069N633L4KOJ1FJIGV7OZ.exeString found in binary or memory: /cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.ins
              Source: K069N633L4KOJ1FJIGV7OZ.exeString found in binary or memory: concurrent map read and map writeruntime: failed to decommit pages/cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:sec
              Source: K069N633L4KOJ1FJIGV7OZ.exeString found in binary or memory: concurrent map read and map writeruntime: failed to decommit pages/cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:sec
              Source: K069N633L4KOJ1FJIGV7OZ.exeString found in binary or memory: runtime: failed to decommit pages/cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:sec
              Source: K069N633L4KOJ1FJIGV7OZ.exeString found in binary or memory: runtime: failed to decommit pages/cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:sec
              Source: K069N633L4KOJ1FJIGV7OZ.exeString found in binary or memory: uncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescruntime: inconsistent write deadlineUnable t
              Source: K069N633L4KOJ1FJIGV7OZ.exeString found in binary or memory: uncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescruntime: inconsistent write deadlineUnable t
              Source: K069N633L4KOJ1FJIGV7OZ.exeString found in binary or memory: runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescruntime:
              Source: K069N633L4KOJ1FJIGV7OZ.exeString found in binary or memory: runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescruntime:
              Source: K069N633L4KOJ1FJIGV7OZ.exeString found in binary or memory: lfstack node allocated from the heap) is larger than maximum page size (key size not a multiple of key alignruntime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser are
              Source: K069N633L4KOJ1FJIGV7OZ.exeString found in binary or memory: lfstack node allocated from the heap) is larger than maximum page size (key size not a multiple of key alignruntime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser are
              Source: K069N633L4KOJ1FJIGV7OZ.exeString found in binary or memory: ) is larger than maximum page size (key size not a multiple of key alignruntime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime:
              Source: K069N633L4KOJ1FJIGV7OZ.exeString found in binary or memory: ) is larger than maximum page size (key size not a multiple of key alignruntime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime:
              Source: afcdpsrv.exeString found in binary or memory: /gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus old
              Source: afcdpsrv.exeString found in binary or memory: /gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus old
              Source: afcdpsrv.exeString found in binary or memory: /cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power
              Source: afcdpsrv.exeString found in binary or memory: /cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power
              Source: afcdpsrv.exeString found in binary or memory: /cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.ins
              Source: afcdpsrv.exeString found in binary or memory: /cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.ins
              Source: afcdpsrv.exeString found in binary or memory: concurrent map read and map writeruntime: failed to decommit pages/cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:sec
              Source: afcdpsrv.exeString found in binary or memory: concurrent map read and map writeruntime: failed to decommit pages/cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:sec
              Source: afcdpsrv.exeString found in binary or memory: runtime: failed to decommit pages/cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:sec
              Source: afcdpsrv.exeString found in binary or memory: runtime: failed to decommit pages/cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:sec
              Source: afcdpsrv.exeString found in binary or memory: uncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescruntime: inconsistent write deadlineUnable t
              Source: afcdpsrv.exeString found in binary or memory: uncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescruntime: inconsistent write deadlineUnable t
              Source: afcdpsrv.exeString found in binary or memory: runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescruntime:
              Source: afcdpsrv.exeString found in binary or memory: runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescruntime:
              Source: afcdpsrv.exeString found in binary or memory: lfstack node allocated from the heap) is larger than maximum page size (key size not a multiple of key alignruntime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser are
              Source: afcdpsrv.exeString found in binary or memory: lfstack node allocated from the heap) is larger than maximum page size (key size not a multiple of key alignruntime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser are
              Source: afcdpsrv.exeString found in binary or memory: ) is larger than maximum page size (key size not a multiple of key alignruntime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime:
              Source: afcdpsrv.exeString found in binary or memory: ) is larger than maximum page size (key size not a multiple of key alignruntime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime:
              Source: afcdpsrv.exeString found in binary or memory: /gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus old
              Source: afcdpsrv.exeString found in binary or memory: /gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.insert runtime: castogscanstatus old
              Source: afcdpsrv.exeString found in binary or memory: /cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power
              Source: afcdpsrv.exeString found in binary or memory: /cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power
              Source: afcdpsrv.exeString found in binary or memory: /cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.ins
              Source: afcdpsrv.exeString found in binary or memory: /cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:secondsmin must be a non-zero power of 2runtime: failed mSpanList.ins
              Source: afcdpsrv.exe String found in binary or memory: concurrent map read and map writeruntime: failed to decommit pages/cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:sec
              Source: afcdpsrv.exe String found in binary or memory: runtime: failed to decommit pages/cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stopping/gc:seconds/sched/pauses/total/other:sec
              Source: afcdpsrv.exe String found in binary or memory: uncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescruntime: inconsistent write deadlineUnable t
              Source: afcdpsrv.exe String found in binary or memory: runtime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescruntime:
              Source: afcdpsrv.exe String found in binary or memory: lfstack node allocated from the heap) is larger than maximum page size (key size not a multiple of key alignruntime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser are
              Source: afcdpsrv.exe String found in binary or memory: ) is larger than maximum page size (key size not a multiple of key alignruntime: invalid typeBitsBulkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime:
              Source: Rd_client_w_a_s_d_patched.exe String found in binary or memory: Please ensure you have sufficient permissions (Domain Schema / Enterprise Admin..) and current DC has Schema Master role. Check with 'netdom query fsmo' command line, re-start application and try again.2Error configuring Rohos database replica setting: *Please choose a file in order to continue.
              Source: C:\Users\user\Desktop\Rd_client_w_a_s_d_patched.exe File read: C:\Users\user\Desktop\Rd_client_w_a_s_d_patched.exe
              Source: unknown Process created: C:\Users\user\Desktop\Rd_client_w_a_s_d_patched.exe "C:\Users\user\Desktop\Rd_client_w_a_s_d_patched.exe"
              Source: C:\Users\user\Desktop\Rd_client_w_a_s_d_patched.exe Process created: C:\Users\user\AppData\Local\Temp\K069N633L4KOJ1FJIGV7OZ.exe "C:\Users\user\AppData\Local\Temp\K069N633L4KOJ1FJIGV7OZ.exe"
              Source: C:\Users\user\AppData\Local\Temp\K069N633L4KOJ1FJIGV7OZ.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c "reg add HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce /v afcdpsrv /t REG_SZ /d C:\ProgramData\afcdpsrv.exe /f"
              Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe reg add HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce /v afcdpsrv /t REG_SZ /d C:\ProgramData\afcdpsrv.exe /f
              Source: unknown Process created: C:\ProgramData\afcdpsrv.exe "C:\ProgramData\afcdpsrv.exe"
              Source: C:\Users\user\Desktop\Rd_client_w_a_s_d_patched.exe Section loaded: apphelp.dll
              Source: C:\Users\user\Desktop\Rd_client_w_a_s_d_patched.exe Section loaded: version.dll
              Source: C:\Users\user\Desktop\Rd_client_w_a_s_d_patched.exe Section loaded: netapi32.dll
              Source: C:\Users\user\Desktop\Rd_client_w_a_s_d_patched.exe Section loaded: mpr.dll
              Source: C:\Users\user\Desktop\Rd_client_w_a_s_d_patched.exe Section loaded: wtsapi32.dll
              Source: C:\Users\user\Desktop\Rd_client_w_a_s_d_patched.exe Section loaded: msimg32.dll
              Source: C:\Users\user\Desktop\Rd_client_w_a_s_d_patched.exe Section loaded: uxtheme.dll
              Source: C:\Users\user\Desktop\Rd_client_w_a_s_d_patched.exe Section loaded: oledlg.dll
              Source: C:\Users\user\Desktop\Rd_client_w_a_s_d_patched.exe Section loaded: urlmon.dll
              Source: C:\Users\user\Desktop\Rd_client_w_a_s_d_patched.exe Section loaded: oleacc.dll
              Source: C:\Users\user\Desktop\Rd_client_w_a_s_d_patched.exe Section loaded: winmm.dll
              Source: C:\Users\user\Desktop\Rd_client_w_a_s_d_patched.exe Section loaded: iertutil.dll
              Source: C:\Users\user\Desktop\Rd_client_w_a_s_d_patched.exe Section loaded: srvcli.dll
              Source: C:\Users\user\Desktop\Rd_client_w_a_s_d_patched.exe Section loaded: netutils.dll
              Source: C:\Users\user\Desktop\Rd_client_w_a_s_d_patched.exe Section loaded: dpapi.dll
              Source: C:\Users\user\Desktop\Rd_client_w_a_s_d_patched.exe Section loaded: windows.storage.dll
              Source: C:\Users\user\Desktop\Rd_client_w_a_s_d_patched.exe Section loaded: wldp.dll
              Source: C:\Users\user\Desktop\Rd_client_w_a_s_d_patched.exe Section loaded: winhttp.dll
              Source: C:\Users\user\Desktop\Rd_client_w_a_s_d_patched.exe Section loaded: ondemandconnroutehelper.dll
              Source: C:\Users\user\Desktop\Rd_client_w_a_s_d_patched.exe Section loaded: webio.dll
              Source: C:\Users\user\Desktop\Rd_client_w_a_s_d_patched.exe Section loaded: mswsock.dll
              Source: C:\Users\user\Desktop\Rd_client_w_a_s_d_patched.exe Section loaded: iphlpapi.dll
              Source: C:\Users\user\Desktop\Rd_client_w_a_s_d_patched.exe Section loaded: winnsi.dll
              Source: C:\Users\user\Desktop\Rd_client_w_a_s_d_patched.exe Section loaded: sspicli.dll
              Source: C:\Users\user\Desktop\Rd_client_w_a_s_d_patched.exe Section loaded: dnsapi.dll
              Source: C:\Users\user\Desktop\Rd_client_w_a_s_d_patched.exe Section loaded: rasadhlp.dll
              Source: C:\Users\user\Desktop\Rd_client_w_a_s_d_patched.exe Section loaded: fwpuclnt.dll
              Source: C:\Users\user\Desktop\Rd_client_w_a_s_d_patched.exe Section loaded: schannel.dll
              Source: C:\Users\user\Desktop\Rd_client_w_a_s_d_patched.exe Section loaded: mskeyprotect.dll
              Source: C:\Users\user\Desktop\Rd_client_w_a_s_d_patched.exe Section loaded: ntasn1.dll
              Source: C:\Users\user\Desktop\Rd_client_w_a_s_d_patched.exe Section loaded: ncrypt.dll
              Source: C:\Users\user\Desktop\Rd_client_w_a_s_d_patched.exe Section loaded: ncryptsslp.dll
              Source: C:\Users\user\Desktop\Rd_client_w_a_s_d_patched.exe Section loaded: msasn1.dll
              Source: C:\Users\user\Desktop\Rd_client_w_a_s_d_patched.exe Section loaded: cryptsp.dll
              Source: C:\Users\user\Desktop\Rd_client_w_a_s_d_patched.exe Section loaded: rsaenh.dll
              Source: C:\Users\user\Desktop\Rd_client_w_a_s_d_patched.exe Section loaded: cryptbase.dll
              Source: C:\Users\user\Desktop\Rd_client_w_a_s_d_patched.exe Section loaded: gpapi.dll
              Source: C:\Users\user\Desktop\Rd_client_w_a_s_d_patched.exe Section loaded: kernel.appcore.dll
              Source: C:\Users\user\Desktop\Rd_client_w_a_s_d_patched.exe Section loaded: wbemcomn.dll
              Source: C:\Users\user\Desktop\Rd_client_w_a_s_d_patched.exe Section loaded: amsi.dll
              Source: C:\Users\user\Desktop\Rd_client_w_a_s_d_patched.exe Section loaded: userenv.dll
              Source: C:\Users\user\Desktop\Rd_client_w_a_s_d_patched.exe Section loaded: profapi.dll
              Source: C:\Users\user\AppData\Local\Temp\K069N633L4KOJ1FJIGV7OZ.exe Section loaded: apphelp.dll
              Source: C:\Users\user\AppData\Local\Temp\K069N633L4KOJ1FJIGV7OZ.exe Section loaded: uxtheme.dll
              Source: C:\Users\user\AppData\Local\Temp\K069N633L4KOJ1FJIGV7OZ.exe Section loaded: powrprof.dll
              Source: C:\Users\user\AppData\Local\Temp\K069N633L4KOJ1FJIGV7OZ.exe Section loaded: umpdc.dll
              Source: C:\Users\user\AppData\Local\Temp\K069N633L4KOJ1FJIGV7OZ.exe Section loaded: iphlpapi.dll
              Source: C:\Users\user\AppData\Local\Temp\K069N633L4KOJ1FJIGV7OZ.exe Section loaded: dhcpcsvc6.dll
              Source: C:\Users\user\AppData\Local\Temp\K069N633L4KOJ1FJIGV7OZ.exe Section loaded: dhcpcsvc.dll
              Source: C:\Users\user\AppData\Local\Temp\K069N633L4KOJ1FJIGV7OZ.exe Section loaded: dnsapi.dll
              Source: C:\Users\user\AppData\Local\Temp\K069N633L4KOJ1FJIGV7OZ.exe Section loaded: mswsock.dll
              Source: C:\Users\user\AppData\Local\Temp\K069N633L4KOJ1FJIGV7OZ.exe Section loaded: rasadhlp.dll
              Source: C:\Users\user\AppData\Local\Temp\K069N633L4KOJ1FJIGV7OZ.exe Section loaded: fwpuclnt.dll
              Source: C:\Users\user\AppData\Local\Temp\K069N633L4KOJ1FJIGV7OZ.exe Section loaded: msasn1.dll
              Source: C:\Users\user\AppData\Local\Temp\K069N633L4KOJ1FJIGV7OZ.exe Section loaded: cryptsp.dll
              Source: C:\Users\user\AppData\Local\Temp\K069N633L4KOJ1FJIGV7OZ.exe Section loaded: rsaenh.dll
              Source: C:\Users\user\AppData\Local\Temp\K069N633L4KOJ1FJIGV7OZ.exe Section loaded: cryptbase.dll
              Source: C:\Users\user\AppData\Local\Temp\K069N633L4KOJ1FJIGV7OZ.exe Section loaded: gpapi.dll
              Source: C:\Users\user\AppData\Local\Temp\K069N633L4KOJ1FJIGV7OZ.exe Section loaded: profapi.dll
              Source: C:\Users\user\AppData\Local\Temp\K069N633L4KOJ1FJIGV7OZ.exe Section loaded: cryptnet.dll
              Source: C:\Users\user\AppData\Local\Temp\K069N633L4KOJ1FJIGV7OZ.exe Section loaded: winnsi.dll
              Source: C:\Users\user\AppData\Local\Temp\K069N633L4KOJ1FJIGV7OZ.exe Section loaded: winhttp.dll
              Source: C:\Users\user\AppData\Local\Temp\K069N633L4KOJ1FJIGV7OZ.exe Section loaded: ondemandconnroutehelper.dll
              Source: C:\Users\user\AppData\Local\Temp\K069N633L4KOJ1FJIGV7OZ.exe Section loaded: webio.dll
              Source: C:\Users\user\AppData\Local\Temp\K069N633L4KOJ1FJIGV7OZ.exe Section loaded: sspicli.dll
              Source: C:\Users\user\AppData\Local\Temp\K069N633L4KOJ1FJIGV7OZ.exe Section loaded: cabinet.dll
              Source: C:\ProgramData\afcdpsrv.exe Section loaded: apphelp.dll
              Source: C:\ProgramData\afcdpsrv.exe Section loaded: uxtheme.dll
              Source: C:\ProgramData\afcdpsrv.exe Section loaded: powrprof.dll
              Source: C:\ProgramData\afcdpsrv.exe Section loaded: umpdc.dll
              Source: Rd_client_w_a_s_d_patched.exe Static PE information: Virtual size of .text is bigger than: 0x100000
              Source: Rd_client_w_a_s_d_patched.exe Static file information: File size 5975040 > 1048576
              Source: Rd_client_w_a_s_d_patched.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0x374c00
              Source: Rd_client_w_a_s_d_patched.exe Static PE information: More than 200 imports for KERNEL32.dll
              Source: Rd_client_w_a_s_d_patched.exe Static PE information: More than 200 imports for USER32.dll
              Source: Rd_client_w_a_s_d_patched.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
              Source: Rd_client_w_a_s_d_patched.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
              Source: Rd_client_w_a_s_d_patched.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
              Source: Rd_client_w_a_s_d_patched.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
              Source: Rd_client_w_a_s_d_patched.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
              Source: Rd_client_w_a_s_d_patched.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
              Source: Rd_client_w_a_s_d_patched.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
              Source: Binary string: @R:\rohos\Disk-Win\DiskAgent\Agent___Win32_Release_EN\Agent.pdb4 source: Rd_client_w_a_s_d_patched.exe
              Source: Binary string: R:\rohos\Disk-Win\DiskAgent\Agent___Win32_Release_EN\Agent.pdb source: Rd_client_w_a_s_d_patched.exe
              Source: Binary string: e.pDB.fu(nc13 source: K069N633L4KOJ1FJIGV7OZ.exe, 00000004.00000002.3209061327.0000000003166000.00000004.00000020.00020000.00000000.sdmp, afcdpsrv.exe, 00000008.00000003.2268729071.0000000003093000.00000004.00000020.00020000.00000000.sdmp, afcdpsrv.exe, 00000009.00000003.2365292449.00000000030AA000.00000004.00000020.00020000.00000000.sdmp
              Source: Rd_client_w_a_s_d_patched.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
              Source: Rd_client_w_a_s_d_patched.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
              Source: Rd_client_w_a_s_d_patched.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
              Source: Rd_client_w_a_s_d_patched.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
              Source: Rd_client_w_a_s_d_patched.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
              Source: Rd_client_w_a_s_d_patched.exe Static PE information: real checksum: 0xc4433 should be: 0x5b4983
              Source: C:\Users\user\AppData\Local\Temp\K069N633L4KOJ1FJIGV7OZ.exe Code function: 4_2_00405A23 push ebx; mov dword ptr [esp], 00430AE0h 4_2_004063A7
              Source: C:\Users\user\AppData\Local\Temp\K069N633L4KOJ1FJIGV7OZ.exe Code function: 4_2_00404590 push eax; mov dword ptr [esp], ebx 4_2_00404693
              Source: C:\Users\user\AppData\Local\Temp\K069N633L4KOJ1FJIGV7OZ.exe Code function: 4_2_00404E54 push ebx; mov dword ptr [esp], 00430AE0h 4_2_004063A7
              Source: C:\Users\user\AppData\Local\Temp\K069N633L4KOJ1FJIGV7OZ.exe Code function: 4_2_00403255 push edi; mov dword ptr [esp], eax 4_2_004032CF
              Source: C:\Users\user\AppData\Local\Temp\K069N633L4KOJ1FJIGV7OZ.exe Code function: 4_2_00406A74 push edx; mov dword ptr [esp], esi 4_2_00406AA9
              Source: C:\Users\user\AppData\Local\Temp\K069N633L4KOJ1FJIGV7OZ.exe Code function: 4_2_00401000 push eax; mov dword ptr [esp], ebx 4_2_0040120E
              Source: C:\Users\user\AppData\Local\Temp\K069N633L4KOJ1FJIGV7OZ.exe Code function: 4_2_00402804 push esi; mov dword ptr [esp], eax 4_2_00402811
              Source: C:\Users\user\AppData\Local\Temp\K069N633L4KOJ1FJIGV7OZ.exe Code function: 4_2_00408C37 push eax; mov dword ptr [esp], ebx 4_2_00408C9A
              Source: C:\Users\user\AppData\Local\Temp\K069N633L4KOJ1FJIGV7OZ.exe Code function: 4_2_00408C37 push ecx; mov dword ptr [esp], ebx 4_2_00408D06
              Source: C:\Users\user\AppData\Local\Temp\K069N633L4KOJ1FJIGV7OZ.exe Code function: 4_2_00402CC6 push esi; mov dword ptr [esp], eax 4_2_00402D69
              Source: C:\Users\user\AppData\Local\Temp\K069N633L4KOJ1FJIGV7OZ.exe Code function: 4_2_004018C8 push eax; mov dword ptr [esp], ebx 4_2_004019A4
              Source: C:\Users\user\AppData\Local\Temp\K069N633L4KOJ1FJIGV7OZ.exe Code function: 4_2_004044D0 push eax; mov dword ptr [esp], ebx 4_2_004044ED
              Source: C:\Users\user\AppData\Local\Temp\K069N633L4KOJ1FJIGV7OZ.exe Code function: 4_2_004044D0 push eax; mov dword ptr [esp], ebx 4_2_0040450D
              Source: C:\Users\user\AppData\Local\Temp\K069N633L4KOJ1FJIGV7OZ.exe Code function: 4_2_00401E84 push esi; mov dword ptr [esp], eax 4_2_00401E91
              Source: C:\Users\user\AppData\Local\Temp\K069N633L4KOJ1FJIGV7OZ.exe Code function: 4_2_0040368E push eax; mov dword ptr [esp], esi 4_2_004036B7
              Source: C:\Users\user\AppData\Local\Temp\K069N633L4KOJ1FJIGV7OZ.exe Code function: 4_2_00402E93 push edx; mov dword ptr [esp], esi 4_2_00402EC0
              Source: C:\Users\user\AppData\Local\Temp\K069N633L4KOJ1FJIGV7OZ.exe Code function: 4_2_00402E93 push ecx; mov dword ptr [esp], esi 4_2_00402ED1
              Source: C:\Users\user\AppData\Local\Temp\K069N633L4KOJ1FJIGV7OZ.exe Code function: 4_2_00401E9E push edx; mov dword ptr [esp], eax 4_2_00401EC9
              Source: C:\Users\user\AppData\Local\Temp\K069N633L4KOJ1FJIGV7OZ.exe Code function: 4_2_004026A5 push ecx; mov dword ptr [esp], FFFFFFECh 4_2_004026DD
              Source: C:\Users\user\AppData\Local\Temp\K069N633L4KOJ1FJIGV7OZ.exe Code function: 4_2_004014AA push edx; mov dword ptr [esp], eax 4_2_004014CC
              Source: C:\Users\user\AppData\Local\Temp\K069N633L4KOJ1FJIGV7OZ.exe Code function: 4_2_004074BA push eax; mov dword ptr [esp], 0042FAC0h 4_2_004074F3
              Source: C:\Users\user\AppData\Local\Temp\K069N633L4KOJ1FJIGV7OZ.exe Code function: 4_2_004088BD push ecx; mov dword ptr [esp], edi 4_2_00408AF4
              Source: C:\Users\user\AppData\Local\Temp\K069N633L4KOJ1FJIGV7OZ.exe Code function: 4_2_00401541 push eax; mov dword ptr [esp], 00000003h 4_2_00401669
              Source: C:\Users\user\AppData\Local\Temp\K069N633L4KOJ1FJIGV7OZ.exe Code function: 4_2_00401B66 push edx; mov dword ptr [esp], eax 4_2_00401BB9
              Source: C:\Users\user\AppData\Local\Temp\K069N633L4KOJ1FJIGV7OZ.exe Code function: 4_2_00401B66 push ecx; mov dword ptr [esp], 00418100h 4_2_00401BD0
              Source: C:\Users\user\AppData\Local\Temp\K069N633L4KOJ1FJIGV7OZ.exe Code function: 4_2_00402F74 push eax; mov dword ptr [esp], 00419100h 4_2_00403005
              Source: C:\Users\user\AppData\Local\Temp\K069N633L4KOJ1FJIGV7OZ.exe Code function: 4_2_0040411D push ecx; mov dword ptr [esp], edi 4_2_004041A7
              Source: C:\Users\user\AppData\Local\Temp\K069N633L4KOJ1FJIGV7OZ.exe Code function: 4_2_004019C5 push ebx; mov dword ptr [esp], eax 4_2_004019D0
              Source: C:\Users\user\AppData\Local\Temp\K069N633L4KOJ1FJIGV7OZ.exe Code function: 4_2_004075EC push eax; mov dword ptr [esp], 00000004h 4_2_0040769A
              Source: C:\Users\user\AppData\Local\Temp\K069N633L4KOJ1FJIGV7OZ.exe Code function: 4_2_004075EC push eax; mov dword ptr [esp], ebx 4_2_004078FE
              Source: C:\Users\user\AppData\Local\Temp\K069N633L4KOJ1FJIGV7OZ.exe Code function: 4_2_004075EC push edx; mov dword ptr [esp], ebx 4_2_0040790D
              Source: C:\Users\user\Desktop\Rd_client_w_a_s_d_patched.exe File created: C:\Users\user\AppData\Local\Temp\K069N633L4KOJ1FJIGV7OZ.exe
              Source: C:\Users\user\AppData\Local\Temp\K069N633L4KOJ1FJIGV7OZ.exe File created: C:\ProgramData\afcdpsrv.exe
              Source: C:\Windows\SysWOW64\reg.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce afcdpsrv
              Source: C:\Users\user\Desktop\Rd_client_w_a_s_d_patched.exe Process information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Local\Temp\K069N633L4KOJ1FJIGV7OZ.exe Process information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Local\Temp\K069N633L4KOJ1FJIGV7OZ.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
              Source: C:\Windows\System32\conhost.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
              Source: C:\ProgramData\afcdpsrv.exe Process information set: NOOPENFILEERRORBOX
              Source: C:\ProgramData\afcdpsrv.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

              Malware Analysis System Evasion

              Source: C:\Users\user\Desktop\Rd_client_w_a_s_d_patched.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_VideoController
              Source: C:\Users\user\Desktop\Rd_client_w_a_s_d_patched.exe System information queried: FirmwareTableInformation
              Source: C:\ProgramData\afcdpsrv.exe API coverage: 6.7 %
              Source: C:\Users\user\Desktop\Rd_client_w_a_s_d_patched.exe TID: 8460 Thread sleep time: -30000s >= -30000s
              Source: C:\Users\user\AppData\Local\Temp\K069N633L4KOJ1FJIGV7OZ.exe TID: 8984 Thread sleep time: -60000s >= -30000s
              Source: C:\Users\user\Desktop\Rd_client_w_a_s_d_patched.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
              Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
              Source: C:\Users\user\AppData\Local\Temp\K069N633L4KOJ1FJIGV7OZ.exe Code function: 4_2_00403648 FindFirstFileW, 4_2_00403648
              Source: C:\Users\user\AppData\Local\Temp\K069N633L4KOJ1FJIGV7OZ.exe Code function: 4_2_00408C37 DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, 4_2_00408C37
              Source: C:\Users\user\AppData\Local\Temp\K069N633L4KOJ1FJIGV7OZ.exe Code function: 4_2_00408B4B FindFirstFileW,FindClose, 4_2_00408B4B
              Source: C:\ProgramData\afcdpsrv.exe Code function: 9_2_00403648 FindFirstFileW, 9_2_00403648
              Source: C:\ProgramData\afcdpsrv.exe Code function: 9_2_00408C37 DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, 9_2_00408C37
              Source: C:\ProgramData\afcdpsrv.exe Code function: 9_2_00408B4B FindFirstFileW,FindClose, 9_2_00408B4B
              Source: Rd_client_w_a_s_d_patched.exe, 00000000.00000003.1499460358.0000000004017000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
              Source: Rd_client_w_a_s_d_patched.exe, 00000000.00000003.1499460358.0000000004017000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: discord.comVMware20,11696428655f
              Source: Rd_client_w_a_s_d_patched.exe, 00000000.00000003.1499460358.0000000004017000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
              Source: Rd_client_w_a_s_d_patched.exe Binary or memory string: t hgFshRFsj`j
              Source: Rd_client_w_a_s_d_patched.exe, 00000000.00000003.1499460358.0000000004017000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
              Source: Rd_client_w_a_s_d_patched.exe, 00000000.00000003.1499460358.000000000401C000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: - GDCDYNVMware20,11696428655p
              Source: Rd_client_w_a_s_d_patched.exe, 00000000.00000003.1499460358.0000000004017000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: global block list test formVMware20,11696428655
              Source: Rd_client_w_a_s_d_patched.exe, 00000000.00000003.1499460358.0000000004017000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
              Source: Rd_client_w_a_s_d_patched.exe, 00000000.00000003.1475527852.0000000001069000.00000004.00000020.00020000.00000000.sdmp, Rd_client_w_a_s_d_patched.exe, 00000000.00000003.1584313208.000000000105D000.00000004.00000020.00020000.00000000.sdmp, Rd_client_w_a_s_d_patched.exe, 00000000.00000003.1556873329.0000000001069000.00000004.00000020.00020000.00000000.sdmp, Rd_client_w_a_s_d_patched.exe, 00000000.00000003.1544692409.0000000001069000.00000004.00000020.00020000.00000000.sdmp, Rd_client_w_a_s_d_patched.exe, 00000000.00000003.1607206344.000000000105D000.00000004.00000020.00020000.00000000.sdmp, K069N633L4KOJ1FJIGV7OZ.exe, 00000004.00000002.3208532809.0000000000E02000.00000004.00000020.00020000.00000000.sdmp, K069N633L4KOJ1FJIGV7OZ.exe, 00000004.00000003.2668916730.0000000000E24000.00000004.00000020.00020000.00000000.sdmp, K069N633L4KOJ1FJIGV7OZ.exe, 00000004.00000003.2668916730.0000000000DFF000.00000004.00000020.00020000.00000000.sdmp, K069N633L4KOJ1FJIGV7OZ.exe, 00000004.00000003.2064588587.0000000000E24000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
              Source: Rd_client_w_a_s_d_patched.exe Binary or memory string: hgFsj`j
              Source: Rd_client_w_a_s_d_patched.exe, 00000000.00000003.1499460358.0000000004017000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
              Source: Rd_client_w_a_s_d_patched.exe, 00000000.00000003.1499460358.0000000004017000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
              Source: Rd_client_w_a_s_d_patched.exe, 00000000.00000003.1499460358.0000000004017000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
              Source: Rd_client_w_a_s_d_patched.exe, 00000000.00000003.1499460358.0000000004017000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: secure.bankofamerica.comVMware20,11696428655|UE
              Source: Rd_client_w_a_s_d_patched.exe, 00000000.00000003.1499460358.0000000004017000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
              Source: Rd_client_w_a_s_d_patched.exe, 00000000.00000003.1499460358.0000000004017000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
              Source: Rd_client_w_a_s_d_patched.exe, 00000000.00000003.1499460358.0000000004017000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
              Source: Rd_client_w_a_s_d_patched.exe, 00000000.00000003.1499460358.0000000004017000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: outlook.office365.comVMware20,11696428655t
              Source: Rd_client_w_a_s_d_patched.exe, 00000000.00000003.1499460358.0000000004017000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
              Source: afcdpsrv.exe, 00000009.00000002.2366902082.0000000000D48000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
              Source: Rd_client_w_a_s_d_patched.exe, 00000000.00000003.1499460358.0000000004017000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
              Source: Rd_client_w_a_s_d_patched.exe, 00000000.00000003.1499460358.0000000004017000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: outlook.office.comVMware20,11696428655s
              Source: Rd_client_w_a_s_d_patched.exe, 00000000.00000003.1499460358.0000000004017000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
              Source: Rd_client_w_a_s_d_patched.exe, 00000000.00000003.1499460358.0000000004017000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: ms.portal.azure.comVMware20,11696428655
              Source: Rd_client_w_a_s_d_patched.exe, 00000000.00000003.1499460358.0000000004017000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: AMC password management pageVMware20,11696428655
              Source: afcdpsrv.exe, 00000008.00000002.2270745121.0000000000A3E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlly
              Source: Rd_client_w_a_s_d_patched.exe, 00000000.00000003.1499460358.0000000004017000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: tasks.office.comVMware20,11696428655o
              Source: Rd_client_w_a_s_d_patched.exe, 00000000.00000003.1499460358.0000000004017000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
              Source: Rd_client_w_a_s_d_patched.exe, 00000000.00000003.1499460358.0000000004017000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: turbotax.intuit.comVMware20,11696428655t
              Source: Rd_client_w_a_s_d_patched.exe, 00000000.00000003.1499460358.0000000004017000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: interactivebrokers.comVMware20,11696428655
              Source: Rd_client_w_a_s_d_patched.exe, 00000000.00000003.1499460358.0000000004017000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
              Source: Rd_client_w_a_s_d_patched.exe, 00000000.00000003.1499460358.0000000004017000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: dev.azure.comVMware20,11696428655j
              Source: Rd_client_w_a_s_d_patched.exe, 00000000.00000003.1499460358.0000000004017000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
              Source: K069N633L4KOJ1FJIGV7OZ.exe, 00000004.00000002.3208409382.0000000000D8E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW`5
              Source: Rd_client_w_a_s_d_patched.exe, 00000000.00000003.1499460358.0000000004017000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
              Source: Rd_client_w_a_s_d_patched.exeBinary or memory string: QVhgFs
              Source: Rd_client_w_a_s_d_patched.exe, 00000000.00000003.1499460358.0000000004017000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: bankofamerica.comVMware20,11696428655x
              Source: Rd_client_w_a_s_d_patched.exe, 00000000.00000003.1499460358.0000000004017000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: trackpan.utiitsl.comVMware20,11696428655h
              Source: Rd_client_w_a_s_d_patched.exeBinary or memory string: t hgFs
              Source: Rd_client_w_a_s_d_patched.exe, 00000000.00000003.1499460358.0000000004017000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Test URL for global passwords blocklistVMware20,11696428655
              Source: C:\Users\user\Desktop\Rd_client_w_a_s_d_patched.exeProcess information queried: ProcessInformationJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\K069N633L4KOJ1FJIGV7OZ.exeCode function: 4_2_00AE143D RtlInitAnsiString,LdrGetProcedureAddress,4_2_00AE143D
              Source: C:\Users\user\AppData\Local\Temp\K069N633L4KOJ1FJIGV7OZ.exeCode function: 4_2_02A30000 mov edx, dword ptr fs:[00000030h]4_2_02A30000
              Source: C:\Users\user\AppData\Local\Temp\K069N633L4KOJ1FJIGV7OZ.exeCode function: 4_2_02A30B25 mov eax, dword ptr fs:[00000030h]4_2_02A30B25
              Source: C:\Users\user\AppData\Local\Temp\K069N633L4KOJ1FJIGV7OZ.exeCode function: 4_2_02A30ED5 mov eax, dword ptr fs:[00000030h]4_2_02A30ED5
              Source: C:\Users\user\AppData\Local\Temp\K069N633L4KOJ1FJIGV7OZ.exeCode function: 4_2_02A31B63 mov eax, dword ptr fs:[00000030h]4_2_02A31B63
              Source: C:\Users\user\AppData\Local\Temp\K069N633L4KOJ1FJIGV7OZ.exeCode function: 4_2_02A31175 mov eax, dword ptr fs:[00000030h]4_2_02A31175
              Source: C:\Users\user\AppData\Local\Temp\K069N633L4KOJ1FJIGV7OZ.exeCode function: 4_2_02A31174 mov eax, dword ptr fs:[00000030h]4_2_02A31174
              Source: C:\ProgramData\afcdpsrv.exeCode function: 8_2_02960000 mov edx, dword ptr fs:[00000030h]8_2_02960000
              Source: C:\ProgramData\afcdpsrv.exeCode function: 8_2_02960B25 mov eax, dword ptr fs:[00000030h]8_2_02960B25
              Source: C:\ProgramData\afcdpsrv.exeCode function: 8_2_02960ED5 mov eax, dword ptr fs:[00000030h]8_2_02960ED5
              Source: C:\ProgramData\afcdpsrv.exeCode function: 8_2_02961174 mov eax, dword ptr fs:[00000030h]8_2_02961174
              Source: C:\ProgramData\afcdpsrv.exeCode function: 8_2_02961175 mov eax, dword ptr fs:[00000030h]8_2_02961175
              Source: C:\ProgramData\afcdpsrv.exeCode function: 8_2_02961B63 mov eax, dword ptr fs:[00000030h]8_2_02961B63
              Source: C:\ProgramData\afcdpsrv.exeCode function: 9_2_02970000 mov edx, dword ptr fs:[00000030h]9_2_02970000
              Source: C:\ProgramData\afcdpsrv.exeCode function: 9_2_02970B25 mov eax, dword ptr fs:[00000030h]9_2_02970B25
              Source: C:\ProgramData\afcdpsrv.exeCode function: 9_2_02970ED5 mov eax, dword ptr fs:[00000030h]9_2_02970ED5
              Source: C:\ProgramData\afcdpsrv.exeCode function: 9_2_02971175 mov eax, dword ptr fs:[00000030h]9_2_02971175
              Source: C:\ProgramData\afcdpsrv.exeCode function: 9_2_02971174 mov eax, dword ptr fs:[00000030h]9_2_02971174
              Source: C:\ProgramData\afcdpsrv.exeCode function: 9_2_02971B63 mov eax, dword ptr fs:[00000030h]9_2_02971B63
              Source: C:\Users\user\AppData\Local\Temp\K069N633L4KOJ1FJIGV7OZ.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c "reg add HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce /v afcdpsrv /t REG_SZ /d C:\ProgramData\afcdpsrv.exe /f"Jump to behavior
              Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\reg.exe reg add HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce /v afcdpsrv /t REG_SZ /d C:\ProgramData\afcdpsrv.exe /fJump to behavior
              Source: C:\Users\user\Desktop\Rd_client_w_a_s_d_patched.exeQueries volume information: C:\ VolumeInformationJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\K069N633L4KOJ1FJIGV7OZ.exeQueries volume information: C:\Users\user\AppData\Local\Temp\K069N633L4KOJ1FJIGV7OZ.exe VolumeInformationJump to behavior
              Source: C:\Users\user\AppData\Local\Temp\K069N633L4KOJ1FJIGV7OZ.exeCode function: 4_2_00404590 EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,GetModuleHandleA,4_2_00404590
              Source: C:\Users\user\Desktop\Rd_client_w_a_s_d_patched.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior
              Source: Rd_client_w_a_s_d_patched.exe, 00000000.00000003.1584132622.00000000010B7000.00000004.00000020.00020000.00000000.sdmp, Rd_client_w_a_s_d_patched.exe, 00000000.00000003.1556744570.00000000010B4000.00000004.00000020.00020000.00000000.sdmp, Rd_client_w_a_s_d_patched.exe, 00000000.00000003.1556873329.0000000001051000.00000004.00000020.00020000.00000000.sdmp, Rd_client_w_a_s_d_patched.exe, 00000000.00000003.1607145456.00000000010B0000.00000004.00000020.00020000.00000000.sdmp, Rd_client_w_a_s_d_patched.exe, 00000000.00000003.1563518067.00000000010B7000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
              Source: C:\Users\user\Desktop\Rd_client_w_a_s_d_patched.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

              Stealing of Sensitive Information

              Source: Yara match, File source: 00000000.00000003.1607016935.000000000400A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match, File source: 00000000.00000003.1606833529.0000000004004000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match, File source: 00000000.00000003.1563255145.0000000004015000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match, File source: Process Memory Space: Rd_client_w_a_s_d_patched.exe PID: 8348, type: MEMORYSTR
              Source: Yara match, File source: sslproxydump.pcap, type: PCAP
              Source: C:\Users\user\Desktop\Rd_client_w_a_s_d_patched.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbnJump to behavior
              Source: C:\Users\user\Desktop\Rd_client_w_a_s_d_patched.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchhJump to behavior
              Source: C:\Users\user\Desktop\Rd_client_w_a_s_d_patched.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cert9.dbJump to behavior
              Source: C:\Users\user\Desktop\Rd_client_w_a_s_d_patched.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjpJump to behavior
              Source: C:\Users\user\Desktop\Rd_client_w_a_s_d_patched.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\HistoryJump to behavior
              Source: C:\Users\user\Desktop\Rd_client_w_a_s_d_patched.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcelljJump to behavior
              Source: C:\Users\user\Desktop\Rd_client_w_a_s_d_patched.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbicJump to behavior
              Source: C:\Users\user\Desktop\Rd_client_w_a_s_d_patched.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\HistoryJump to behavior
              Source: C:\Users\user\Desktop\Rd_client_w_a_s_d_patched.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcgeJump to behavior
              Source: C:\Users\user\Desktop\Rd_client_w_a_s_d_patched.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web DataJump to behavior
              Source: C:\Users\user\Desktop\Rd_client_w_a_s_d_patched.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfddJump to behavior
              Source: C:\Users\user\Desktop\Rd_client_w_a_s_d_patched.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgppJump to behavior
              Source: C:\Users\user\Desktop\Rd_client_w_a_s_d_patched.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihdJump to behavior
              Source: C:\Users\user\Desktop\Rd_client_w_a_s_d_patched.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcobJump to behavior
              Source: C:\Users\user\Desktop\Rd_client_w_a_s_d_patched.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpoJump to behavior
              Source: C:\Users\user\Desktop\Rd_client_w_a_s_d_patched.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnfJump to behavior
              Source: C:\Users\user\Desktop\Rd_client_w_a_s_d_patched.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihohJump to behavior
              Source: C:\Users\user\Desktop\Rd_client_w_a_s_d_patched.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqliteJump to behavior
              Source: C:\Users\user\Desktop\Rd_client_w_a_s_d_patched.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclgJump to behavior
              Source: C:\Users\user\Desktop\Rd_client_w_a_s_d_patched.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkmJump to behavior
              Source: C:\Users\user\Desktop\Rd_client_w_a_s_d_patched.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoaddJump to behavior
              Source: C:\Users\user\Desktop\Rd_client_w_a_s_d_patched.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpaJump to behavior
              Source: C:\Users\user\Desktop\Rd_client_w_a_s_d_patched.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifbJump to behavior
              Source: C:\Users\user\Desktop\Rd_client_w_a_s_d_patched.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilcJump to behavior
              Source: C:\Users\user\Desktop\Rd_client_w_a_s_d_patched.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblbJump to behavior
              Source: C:\Users\user\Desktop\Rd_client_w_a_s_d_patched.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login DataJump to behavior
              Source: C:\Users\user\Desktop\Rd_client_w_a_s_d_patched.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpiJump to behavior
              Source: C:\Users\user\Desktop\Rd_client_w_a_s_d_patched.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaadJump to behavior
              Source: C:\Users\user\Desktop\Rd_client_w_a_s_d_patched.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpakJump to behavior
              Source: C:\Users\user\Desktop\Rd_client_w_a_s_d_patched.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapacJump to behavior
              Source: C:\Users\user\Desktop\Rd_client_w_a_s_d_patched.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdafJump to behavior
              Source: C:\Users\user\Desktop\Rd_client_w_a_s_d_patched.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnknoJump to behavior
              Source: C:\Users\user\Desktop\Rd_client_w_a_s_d_patched.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmjJump to behavior
              Source: C:\Users\user\Desktop\Rd_client_w_a_s_d_patched.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\formhistory.sqliteJump to behavior
              Source: C:\Users\user\Desktop\Rd_client_w_a_s_d_patched.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkpJump to behavior
              Source: C:\Users\user\Desktop\Rd_client_w_a_s_d_patched.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\CookiesJump to behavior
              Source: C:\Users\user\Desktop\Rd_client_w_a_s_d_patched.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdilJump to behavior
              Source: C:\Users\user\Desktop\Rd_client_w_a_s_d_patched.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdmaJump to behavior
              Source: C:\Users\user\Desktop\Rd_client_w_a_s_d_patched.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbchJump to behavior
              Source: C:\Users\user\Desktop\Rd_client_w_a_s_d_patched.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcmJump to behavior
              Source: C:\Users\user\Desktop\Rd_client_w_a_s_d_patched.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklkJump to behavior
              Source: C:\Users\user\Desktop\Rd_client_w_a_s_d_patched.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\CookiesJump to behavior
              Source: C:\Users\user\Desktop\Rd_client_w_a_s_d_patched.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdmJump to behavior
              Source: C:\Users\user\Desktop\Rd_client_w_a_s_d_patched.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddffflaJump to behavior
              Source: C:\Users\user\Desktop\Rd_client_w_a_s_d_patched.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoaJump to behavior
              Source: C:\Users\user\Desktop\Rd_client_w_a_s_d_patched.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkldJump to behavior
              Source: C:\Users\user\Desktop\Rd_client_w_a_s_d_patched.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgefJump to behavior
              Source: C:\Users\user\Desktop\Rd_client_w_a_s_d_patched.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbbJump to behavior
              Source: C:\Users\user\Desktop\Rd_client_w_a_s_d_patched.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhiJump to behavior
              Source: C:\Users\user\Desktop\Rd_client_w_a_s_d_patched.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\ProfilesJump to behavior
              Source: C:\Users\user\Desktop\Rd_client_w_a_s_d_patched.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddffflaJump to behavior
              Source: C:\Users\user\Desktop\Rd_client_w_a_s_d_patched.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnidJump to behavior
              Source: C:\Users\user\Desktop\Rd_client_w_a_s_d_patched.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcobJump to behavior
              Source: C:\Users\user\Desktop\Rd_client_w_a_s_d_patched.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffneJump to behavior
              Source: C:\Users\user\Desktop\Rd_client_w_a_s_d_patched.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimigJump to behavior
              Source: C:\Users\user\Desktop\Rd_client_w_a_s_d_patched.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafaJump to behavior
              Source: C:\Users\user\Desktop\Rd_client_w_a_s_d_patched.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncgJump to behavior
              Source: C:\Users\user\Desktop\Rd_client_w_a_s_d_patched.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login DataJump to behavior
              Source: C:\Users\user\Desktop\Rd_client_w_a_s_d_patched.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For AccountJump to behavior
              Source: C:\Users\user\Desktop\Rd_client_w_a_s_d_patched.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjhJump to behavior
              Source: C:\Users\user\Desktop\Rd_client_w_a_s_d_patched.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgikJump to behavior
              Source: C:\Users\user\Desktop\Rd_client_w_a_s_d_patched.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolbJump to behavior
              Source: C:\Users\user\Desktop\Rd_client_w_a_s_d_patched.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdphJump to behavior
              Source: C:\Users\user\Desktop\Rd_client_w_a_s_d_patched.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcjeJump to behavior
              Source: C:\Users\user\Desktop\Rd_client_w_a_s_d_patched.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopgJump to behavior
              Source: C:\Users\user\Desktop\Rd_client_w_a_s_d_patched.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnbaJump to behavior
              Source: C:\Users\user\Desktop\Rd_client_w_a_s_d_patched.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhaeJump to behavior
              Source: C:\Users\user\Desktop\Rd_client_w_a_s_d_patched.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdoJump to behavior
              Source: C:\Users\user\Desktop\Rd_client_w_a_s_d_patched.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjehJump to behavior
              Source: C:\Users\user\Desktop\Rd_client_w_a_s_d_patched.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfciJump to behavior
              Source: C:\Users\user\Desktop\Rd_client_w_a_s_d_patched.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\prefs.jsJump to behavior
              Source: C:\Users\user\Desktop\Rd_client_w_a_s_d_patched.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliofJump to behavior
              Source: C:\Users\user\Desktop\Rd_client_w_a_s_d_patched.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmonJump to behavior
              Source: C:\Users\user\Desktop\Rd_client_w_a_s_d_patched.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhmJump to behavior
              Source: C:\Users\user\Desktop\Rd_client_w_a_s_d_patched.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjihJump to behavior
              Source: C:\Users\user\Desktop\Rd_client_w_a_s_d_patched.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhadJump to behavior
              Source: C:\Users\user\Desktop\Rd_client_w_a_s_d_patched.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflcJump to behavior
              Source: C:\Users\user\Desktop\Rd_client_w_a_s_d_patched.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbaiJump to behavior
              Source: C:\Users\user\Desktop\Rd_client_w_a_s_d_patched.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajbJump to behavior
              Source: C:\Users\user\Desktop\Rd_client_w_a_s_d_patched.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappaflnJump to behavior
              Source: C:\Users\user\Desktop\Rd_client_w_a_s_d_patched.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\abogmiocnneedmmepnohnhlijcjpcifdJump to behavior
              Source: C:\Users\user\Desktop\Rd_client_w_a_s_d_patched.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnmJump to behavior
              Source: C:\Users\user\Desktop\Rd_client_w_a_s_d_patched.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemgJump to behavior
              Source: C:\Users\user\Desktop\Rd_client_w_a_s_d_patched.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\logins.jsonJump to behavior
              Source: C:\Users\user\Desktop\Rd_client_w_a_s_d_patched.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneecJump to behavior
              Source: C:\Users\user\Desktop\Rd_client_w_a_s_d_patched.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknnJump to behavior
              Source: C:\Users\user\Desktop\Rd_client_w_a_s_d_patched.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdnoJump to behavior
              Source: C:\Users\user\Desktop\Rd_client_w_a_s_d_patched.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgnJump to behavior
              Source: C:\Users\user\Desktop\Rd_client_w_a_s_d_patched.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbchJump to behavior
              Source: C:\Users\user\Desktop\Rd_client_w_a_s_d_patched.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For AccountJump to behavior
              Source: C:\Users\user\Desktop\Rd_client_w_a_s_d_patched.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimnJump to behavior
              Source: C:\Users\user\Desktop\Rd_client_w_a_s_d_patched.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbgJump to behavior
              Source: C:\Users\user\Desktop\Rd_client_w_a_s_d_patched.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjkJump to behavior
              Source: C:\Users\user\Desktop\Rd_client_w_a_s_d_patched.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahdJump to behavior
              Source: C:\Users\user\Desktop\Rd_client_w_a_s_d_patched.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhkJump to behavior
              Source: C:\Users\user\Desktop\Rd_client_w_a_s_d_patched.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofecJump to behavior
              Source: C:\Users\user\Desktop\Rd_client_w_a_s_d_patched.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeapJump to behavior
              Source: C:\Users\user\Desktop\Rd_client_w_a_s_d_patched.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfeJump to behavior
              Source: C:\Users\user\Desktop\Rd_client_w_a_s_d_patched.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbaiJump to behavior
              Source: C:\Users\user\Desktop\Rd_client_w_a_s_d_patched.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbmJump to behavior
              Source: C:\Users\user\Desktop\Rd_client_w_a_s_d_patched.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaocJump to behavior
              Source: C:\Users\user\Desktop\Rd_client_w_a_s_d_patched.exe  File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa
              Source: C:\Users\user\Desktop\Rd_client_w_a_s_d_patched.exe  File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite
              Source: C:\Users\user\Desktop\Rd_client_w_a_s_d_patched.exe  File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk
              Source: C:\Users\user\Desktop\Rd_client_w_a_s_d_patched.exe  File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd
              Source: C:\Users\user\Desktop\Rd_client_w_a_s_d_patched.exe  File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\key4.db
              Source: C:\Users\user\Desktop\Rd_client_w_a_s_d_patched.exe  File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj
              Source: C:\Users\user\Desktop\Rd_client_w_a_s_d_patched.exe  File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pdliaogehgdbhbnmkklieghmmjkpigpa
              Source: C:\Users\user\Desktop\Rd_client_w_a_s_d_patched.exe  File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf
              Source: C:\Users\user\Desktop\Rd_client_w_a_s_d_patched.exe  File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao
              Source: C:\Users\user\Desktop\Rd_client_w_a_s_d_patched.exe  File opened: C:\Users\user\AppData\Roaming\FTPbox
              Source: C:\Users\user\Desktop\Rd_client_w_a_s_d_patched.exe  File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites
              Source: C:\Users\user\Desktop\Rd_client_w_a_s_d_patched.exe  File opened: C:\Users\user\AppData\Roaming\FTPGetter
              Source: C:\Users\user\Desktop\Rd_client_w_a_s_d_patched.exe  File opened: C:\Users\user\AppData\Roaming\Conceptworld\Notezilla
              Source: C:\Users\user\Desktop\Rd_client_w_a_s_d_patched.exe  File opened: C:\Users\user\AppData\Roaming\FTPInfo
              Source: C:\Users\user\Desktop\Rd_client_w_a_s_d_patched.exe  File opened: C:\ProgramData\SiteDesigner\3D-FTP
              Source: C:\Users\user\Desktop\Rd_client_w_a_s_d_patched.exe  File opened: C:\Users\user\AppData\Roaming\FTPRush
              Source: C:\Users\user\Desktop\Rd_client_w_a_s_d_patched.exe  File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
              Source: C:\Users\user\Desktop\Rd_client_w_a_s_d_patched.exe  File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
              Source: C:\Users\user\Desktop\Rd_client_w_a_s_d_patched.exe  File opened: C:\Users\user\AppData\Roaming\Ledger Live
              Source: C:\Users\user\Desktop\Rd_client_w_a_s_d_patched.exe  File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb
              Source: C:\Users\user\Desktop\Rd_client_w_a_s_d_patched.exe  File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
              Source: C:\Users\user\Desktop\Rd_client_w_a_s_d_patched.exe  File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
              Source: C:\Users\user\Desktop\Rd_client_w_a_s_d_patched.exe  File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets
              Source: C:\Users\user\Desktop\Rd_client_w_a_s_d_patched.exe  File opened: C:\Users\user\AppData\Roaming\Binance
              Source: C:\Users\user\Desktop\Rd_client_w_a_s_d_patched.exe  File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB
              Source: C:\Users\user\Desktop\Rd_client_w_a_s_d_patched.exe  File opened: C:\Users\user\AppData\Roaming\Electrum\wallets
              Source: C:\Users\user\Desktop\Rd_client_w_a_s_d_patched.exe  File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets
              Source: C:\Users\user\Desktop\Rd_client_w_a_s_d_patched.exe  File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB
              Source: C:\Users\user\Desktop\Rd_client_w_a_s_d_patched.exe  Directory queried: C:\Users\user\Documents
              Source: C:\Users\user\Desktop\Rd_client_w_a_s_d_patched.exe  Directory queried: C:\Users\user\Documents
              Source: C:\Users\user\Desktop\Rd_client_w_a_s_d_patched.exe  Directory queried: C:\Users\user\Documents\BNAGMGSPLO
              Source: C:\Users\user\Desktop\Rd_client_w_a_s_d_patched.exe  Directory queried: C:\Users\user\Documents\BNAGMGSPLO
              Source: C:\Users\user\Desktop\Rd_client_w_a_s_d_patched.exe  Directory queried: C:\Users\user\Documents\GRXZDKKVDB
              Source: C:\Users\user\Desktop\Rd_client_w_a_s_d_patched.exe  Directory queried: C:\Users\user\Documents\GRXZDKKVDB
              Source: C:\Users\user\Desktop\Rd_client_w_a_s_d_patched.exe  Directory queried: C:\Users\user\Documents\SQRKHNBNYN
              Source: C:\Users\user\Desktop\Rd_client_w_a_s_d_patched.exe  Directory queried: C:\Users\user\Documents\SQRKHNBNYN

              Remote Access Functionality

              Source: Yara match  File source: 00000000.00000003.1607016935.000000000400A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match  File source: 00000000.00000003.1606833529.0000000004004000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match  File source: 00000000.00000003.1563255145.0000000004015000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match  File source: Process Memory Space: Rd_client_w_a_s_d_patched.exe PID: 8348, type: MEMORYSTR
              Source: Yara match  File source: sslproxydump.pcap, type: PCAP
              MITRE ATT&CK Matrix

              • Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS
              • Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services
              • Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services
              • Execution: 12 Windows Management Instrumentation; 2 Command and Scripting Interpreter; At; Cron; Launchd; Scheduled Task; Systemd Timers
              • Persistence: 1 Registry Run Keys / Startup Folder; 1 DLL Side-Loading; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items
              • Privilege Escalation: 11 Process Injection; 1 Registry Run Keys / Startup Folder; 1 DLL Side-Loading; Login Hook; Network Logon Script; RC Scripts; Startup Items
              • Defense Evasion: 1 Masquerading; 1 Modify Registry; 21 Virtualization/Sandbox Evasion; 11 Process Injection; 1 Deobfuscate/Decode Files or Information; 3 Obfuscated Files or Information; 1 DLL Side-Loading
              • Credential Access: 2 OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync
              • Discovery: 321 Security Software Discovery; 21 Virtualization/Sandbox Evasion; 2 Process Discovery; 11 File and Directory Discovery; 24 System Information Discovery; Wi-Fi Discovery; Remote System Discovery
              • Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management
              • Collection: 1 Archive Collected Data; 31 Data from Local System; 1 Clipboard Data; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture
              • Command and Control: 11 Encrypted Channel; 1 Non-Standard Port; 1 Ingress Tool Transfer; 3 Non-Application Layer Protocol; 14 Application Layer Protocol; Multiband Communication; Commonly Used Port
              • Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel
              • Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery

              Legend:

              • Process
              • Signature
              • Created File
              • DNS/IP Info
              • Is Dropped
              • Is Windows Process
              • Number of created Registry Values
              • Number of created Files
              • Visual Basic
              • Delphi
              • Java
              • .Net C# or VB.NET
              • C, C++ or other language
              • Is malicious
              • Internet
              Behavior Graph

              Behavior Graph ID: 1663630
              Sample: Rd_client_w_a_s_d_patched.exe
              Start date: 12/04/2025
              Architecture: WINDOWS
              Score: 84

              Start
              • DNS/IP: x.ss2.us; proenhann.digital; 6 other IPs or domains
              • Signature: Yara detected LummaC Stealer
              • Started: Rd_client_w_a_s_d_patched.exe 1; afcdpsrv.exe; afcdpsrv.exe

              Rd_client_w_a_s_d_patched.exe
              • DNS/IP: proenhann.digital 104.21.40.117, 443, 49692, 49693 CLOUDFLARENETUS United States; h1.passionwhenever.shop 104.21.53.21, 443, 49701 CLOUDFLARENETUS United States
              • Dropped: C:\Users\user\...\K069N633L4KOJ1FJIGV7OZ.exe, PE32
              • Signatures: Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); Query firmware table information (likely to detect VMs); Tries to harvest and steal ftp login credentials; 2 other signatures
              • Started: K069N633L4KOJ1FJIGV7OZ.exe 3

              afcdpsrv.exe
              • Signature: Multi AV Scanner detection for dropped file

              K069N633L4KOJ1FJIGV7OZ.exe
              • DNS/IP: x.ss2.us 18.64.155.37, 49704, 80 MIT-GATEWAYSUS United States; 62.60.234.80, 1466 ASLINE-AS-APASLINELIMITEDHK Iran (ISLAMIC Republic Of); a8a00b7a27dd309f6.awsglobalaccelerator.com 3.33.196.84, 49703, 8545 AMAZONEXPANSIONGB United States
              • Dropped: C:\ProgramData\afcdpsrv.exe, PE32
              • Signature: Multi AV Scanner detection for dropped file
              • Started: cmd.exe 1

              cmd.exe
              • Started: conhost.exe; reg.exe 1 1

              This section contains all screenshots as thumbnails, including those not shown in the slideshow.