Windows Analysis Report
Gj8P0mbklo.exe

Overview

General Information

Sample name: Gj8P0mbklo.exe
Renamed because the original name is a hash value
Original sample name: f7d15a3027d3a430511630c91898c72b91b5fb42bf99315cc5a5ef009a473835.exe
Analysis ID: 1436772
MD5: bad3fa5127efcc9c678c5d71fce0d0b2
SHA1: c5f49dd54b71eaf4e1ba3a9fdfc51c7fb8afbea8
SHA256: f7d15a3027d3a430511630c91898c72b91b5fb42bf99315cc5a5ef009a473835
Tags: ACRStealer, exe

Detection

Arc Stealer
Score: 84
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Yara detected Arc Stealer
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Found potential string decryption / allocating functions
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

AV Detection

Source: Gj8P0mbklo.exe Avira: detected
Source: Gj8P0mbklo.exe ReversingLabs: Detection: 57%
Source: Gj8P0mbklo.exe Virustotal: Detection: 61%
Source: Gj8P0mbklo.exe Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\Gj8P0mbklo.exe Code function: 0_2_00356F10 Concurrency::cancel_current_task,lstrlenA,GetProcessHeap,HeapAlloc,CryptUnprotectData,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetFileAttributesA,GetFileAttributesA,GetFileAttributesA, 0_2_00356F10
Source: Gj8P0mbklo.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE, REMOVABLE_RUN_FROM_SWAP
Source: unknown HTTPS traffic detected: 23.61.62.148:443 -> 192.168.2.6:49699 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.13.203:443 -> 192.168.2.6:49700 version: TLS 1.2
Source: Gj8P0mbklo.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\Gj8P0mbklo.exe Code function: 0_2_003701C0 FindFirstFileA,PathMatchSpecA, 0_2_003701C0
Source: C:\Users\user\Desktop\Gj8P0mbklo.exe Code function: 0_2_0035CE40 FindFirstFileA,FindNextFileA,Sleep, 0_2_0035CE40
Source: C:\Users\user\Desktop\Gj8P0mbklo.exe Code function: 0_2_00389AFB FindFirstFileExW, 0_2_00389AFB
Source: Joe Sandbox View IP Address: 23.61.62.148
Source: Joe Sandbox View JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Users\user\Desktop\Gj8P0mbklo.exe Code function: 0_2_0036F560 InternetOpenUrlA,Sleep,InternetReadFile,InternetReadFile, 0_2_0036F560
Source: global traffic HTTP traffic detected:
    GET /profiles/76561199609719039 HTTP/1.1
    User-Agent: MyApp/1.0
    Host: steamcommunity.com
    Cache-Control: no-cache
Source: global traffic HTTP traffic detected:
    GET /ujs/89737b57-777d-400d-bb7f-77b7e024920e HTTP/1.1
    User-Agent: MyApp/1.0
    Host: dervinko.biz
    Cache-Control: no-cache
Source: global traffic DNS traffic detected: DNS query: steamcommunity.com
Source: global traffic DNS traffic detected: DNS query: dervinko.biz
Source: unknown HTTP traffic detected:
    POST /Up HTTP/1.1
    Content-Type: application/octet-stream; boundary=----
    User-Agent: MyApp/1.0
    Host: dervinko.biz
    Content-Length: 341
    Cache-Control: no-cache
Source: Gj8P0mbklo.exe, 00000000.00000002.2152455570.0000000002805000.00000004.00000020.00020000.00000000.sdmp, Gj8P0mbklo.exe, 00000000.00000003.2083094344.0000000002803000.00000004.00000020.00020000.00000000.sdmp, 76561199609719039[1].htm.0.dr String found in binary or memory: https://store.steampowered.com/legal/
Source: Gj8P0mbklo.exe, 00000000.00000002.2152455570.0000000002805000.00000004.00000020.00020000.00000000.sdmp, Gj8P0mbklo.exe, 00000000.00000003.2083094344.0000000002803000.00000004.00000020.00020000.00000000.sdmp, 76561199609719039[1].htm.0.dr String found in binary or memory: https://store.steampowered.com/mobile
Source: Gj8P0mbklo.exe, 00000000.00000002.2152455570.0000000002805000.00000004.00000020.00020000.00000000.sdmp, Gj8P0mbklo.exe, 00000000.00000003.2083094344.0000000002803000.00000004.00000020.00020000.00000000.sdmp, 76561199609719039[1].htm.0.dr String found in binary or memory: https://store.steampowered.com/news/
Source: Gj8P0mbklo.exe, 00000000.00000002.2152455570.0000000002805000.00000004.00000020.00020000.00000000.sdmp, Gj8P0mbklo.exe, 00000000.00000003.2083094344.0000000002803000.00000004.00000020.00020000.00000000.sdmp, 76561199609719039[1].htm.0.dr String found in binary or memory: https://store.steampowered.com/points/shop/
Source: Gj8P0mbklo.exe, 00000000.00000002.2152455570.0000000002805000.00000004.00000020.00020000.00000000.sdmp, Gj8P0mbklo.exe, 00000000.00000003.2083094344.0000000002803000.00000004.00000020.00020000.00000000.sdmp, 76561199609719039[1].htm.0.dr String found in binary or memory: https://store.steampowered.com/privacy_agreement/
Source: Gj8P0mbklo.exe, 00000000.00000002.2152455570.0000000002805000.00000004.00000020.00020000.00000000.sdmp, Gj8P0mbklo.exe, 00000000.00000003.2083094344.0000000002803000.00000004.00000020.00020000.00000000.sdmp, 76561199609719039[1].htm.0.dr String found in binary or memory: https://store.steampowered.com/stats/
Source: Gj8P0mbklo.exe, 00000000.00000002.2152455570.0000000002805000.00000004.00000020.00020000.00000000.sdmp, Gj8P0mbklo.exe, 00000000.00000003.2083094344.0000000002803000.00000004.00000020.00020000.00000000.sdmp, 76561199609719039[1].htm.0.dr String found in binary or memory: https://store.steampowered.com/steam_refunds/
Source: Gj8P0mbklo.exe, 00000000.00000002.2152455570.0000000002805000.00000004.00000020.00020000.00000000.sdmp, Gj8P0mbklo.exe, 00000000.00000003.2083094344.0000000002803000.00000004.00000020.00020000.00000000.sdmp, 76561199609719039[1].htm.0.dr String found in binary or memory: https://store.steampowered.com/subscriber_agreement/
Source: Gj8P0mbklo.exe, 00000000.00000003.2108844417.0000000005138000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.ecosia.org/newtab/
Source: Gj8P0mbklo.exe, 00000000.00000003.2077523999.00000000027C8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.google.com
Source: Gj8P0mbklo.exe, 00000000.00000003.2108844417.0000000005138000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: Gj8P0mbklo.exe, 00000000.00000003.2077523999.00000000027C8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/recaptcha/
Source: Gj8P0mbklo.exe, 00000000.00000003.2077523999.00000000027C8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.gstatic.cn/recaptcha/
Source: Gj8P0mbklo.exe, 00000000.00000003.2077523999.00000000027C8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.gstatic.com/recaptcha/
Source: Gj8P0mbklo.exe, 00000000.00000002.2152455570.0000000002805000.00000004.00000020.00020000.00000000.sdmp, Gj8P0mbklo.exe, 00000000.00000003.2083094344.0000000002803000.00000004.00000020.00020000.00000000.sdmp, 76561199609719039[1].htm.0.dr String found in binary or memory: https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback
Source: Gj8P0mbklo.exe, 00000000.00000003.2077523999.00000000027C8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com
Source: Gj8P0mbklo.exe, 00000000.00000003.2077523999.00000000027C8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49700
Source: unknown Network traffic detected: HTTP traffic on port 49699 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49699
Source: unknown Network traffic detected: HTTP traffic on port 49702 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49703 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49700 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49701 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49704
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49703
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49702
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49701
Source: unknown HTTPS traffic detected: 23.61.62.148:443 -> 192.168.2.6:49699 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.13.203:443 -> 192.168.2.6:49700 version: TLS 1.2
Source: C:\Users\user\Desktop\Gj8P0mbklo.exe Code function: 0_2_00373C10 NtCreateFile,GetProcessHeap,RtlAllocateHeap,NtReadFile, 0_2_00373C10
Source: C:\Users\user\Desktop\Gj8P0mbklo.exe Code function: 0_2_0036BCD0 NtQuerySystemInformation, 0_2_0036BCD0
Source: C:\Users\user\Desktop\Gj8P0mbklo.exe Code function: 0_2_0036BE50 NtQuerySystemInformation, 0_2_0036BE50
Source: C:\Users\user\Desktop\Gj8P0mbklo.exe Code function: 0_2_003648B3 0_2_003648B3
Source: C:\Users\user\Desktop\Gj8P0mbklo.exe Code function: 0_2_00370940 0_2_00370940
Source: C:\Users\user\Desktop\Gj8P0mbklo.exe Code function: 0_2_003701C0 0_2_003701C0
Source: C:\Users\user\Desktop\Gj8P0mbklo.exe Code function: 0_2_00355340 0_2_00355340
Source: C:\Users\user\Desktop\Gj8P0mbklo.exe Code function: 0_2_0036B4B0 0_2_0036B4B0
Source: C:\Users\user\Desktop\Gj8P0mbklo.exe Code function: 0_2_0036C490 0_2_0036C490
Source: C:\Users\user\Desktop\Gj8P0mbklo.exe Code function: 0_2_00356560 0_2_00356560
Source: C:\Users\user\Desktop\Gj8P0mbklo.exe Code function: 0_2_00359630 0_2_00359630
Source: C:\Users\user\Desktop\Gj8P0mbklo.exe Code function: 0_2_0035CE40 0_2_0035CE40
Source: C:\Users\user\Desktop\Gj8P0mbklo.exe Code function: 0_2_00356F10 0_2_00356F10
Source: C:\Users\user\Desktop\Gj8P0mbklo.exe Code function: 0_2_0035D7D0 0_2_0035D7D0
Source: C:\Users\user\Desktop\Gj8P0mbklo.exe Code function: 0_2_00368030 0_2_00368030
Source: C:\Users\user\Desktop\Gj8P0mbklo.exe Code function: 0_2_00367820 0_2_00367820
Source: C:\Users\user\Desktop\Gj8P0mbklo.exe Code function: 0_2_0036A070 0_2_0036A070
Source: C:\Users\user\Desktop\Gj8P0mbklo.exe Code function: 0_2_0035D8C1 0_2_0035D8C1
Source: C:\Users\user\Desktop\Gj8P0mbklo.exe Code function: 0_2_003558C0 0_2_003558C0
Source: C:\Users\user\Desktop\Gj8P0mbklo.exe Code function: 0_2_0038F109 0_2_0038F109
Source: C:\Users\user\Desktop\Gj8P0mbklo.exe Code function: 0_2_003619F0 0_2_003619F0
Source: C:\Users\user\Desktop\Gj8P0mbklo.exe Code function: 0_2_0038E9E7 0_2_0038E9E7
Source: C:\Users\user\Desktop\Gj8P0mbklo.exe Code function: 0_2_00377220 0_2_00377220
Source: C:\Users\user\Desktop\Gj8P0mbklo.exe Code function: 0_2_00357A4E 0_2_00357A4E
Source: C:\Users\user\Desktop\Gj8P0mbklo.exe Code function: 0_2_00357A49 0_2_00357A49
Source: C:\Users\user\Desktop\Gj8P0mbklo.exe Code function: 0_2_00367290 0_2_00367290
Source: C:\Users\user\Desktop\Gj8P0mbklo.exe Code function: 0_2_00351A80 0_2_00351A80
Source: C:\Users\user\Desktop\Gj8P0mbklo.exe Code function: 0_2_00351310 0_2_00351310
Source: C:\Users\user\Desktop\Gj8P0mbklo.exe Code function: 0_2_00370B19 0_2_00370B19
Source: C:\Users\user\Desktop\Gj8P0mbklo.exe Code function: 0_2_0036A370 0_2_0036A370
Source: C:\Users\user\Desktop\Gj8P0mbklo.exe Code function: 0_2_00368B80 0_2_00368B80
Source: C:\Users\user\Desktop\Gj8P0mbklo.exe Code function: 0_2_00363BE3 0_2_00363BE3
Source: C:\Users\user\Desktop\Gj8P0mbklo.exe Code function: 0_2_003683D0 0_2_003683D0
Source: C:\Users\user\Desktop\Gj8P0mbklo.exe Code function: 0_2_00353BC0 0_2_00353BC0
Source: C:\Users\user\Desktop\Gj8P0mbklo.exe Code function: 0_2_00367C30 0_2_00367C30
Source: C:\Users\user\Desktop\Gj8P0mbklo.exe Code function: 0_2_0039142E 0_2_0039142E
Source: C:\Users\user\Desktop\Gj8P0mbklo.exe Code function: 0_2_003524A0 0_2_003524A0
Source: C:\Users\user\Desktop\Gj8P0mbklo.exe Code function: 0_2_003634E0 0_2_003634E0
Source: C:\Users\user\Desktop\Gj8P0mbklo.exe Code function: 0_2_00363D20 0_2_00363D20
Source: C:\Users\user\Desktop\Gj8P0mbklo.exe Code function: 0_2_00380564 0_2_00380564
Source: C:\Users\user\Desktop\Gj8P0mbklo.exe Code function: 0_2_00354DB0 0_2_00354DB0
Source: C:\Users\user\Desktop\Gj8P0mbklo.exe Code function: 0_2_00351580 0_2_00351580
Source: C:\Users\user\Desktop\Gj8P0mbklo.exe Code function: 0_2_00363E2C 0_2_00363E2C
Source: C:\Users\user\Desktop\Gj8P0mbklo.exe Code function: 0_2_00373E50 0_2_00373E50
Source: C:\Users\user\Desktop\Gj8P0mbklo.exe Code function: 0_2_00352EB0 0_2_00352EB0
Source: C:\Users\user\Desktop\Gj8P0mbklo.exe Code function: 0_2_003666E0 0_2_003666E0
Source: C:\Users\user\Desktop\Gj8P0mbklo.exe Code function: 0_2_0036A720 0_2_0036A720
Source: C:\Users\user\Desktop\Gj8P0mbklo.exe Code function: 0_2_0038C720 0_2_0038C720
Source: C:\Users\user\Desktop\Gj8P0mbklo.exe Code function: 0_2_00368770 0_2_00368770
Source: C:\Users\user\Desktop\Gj8P0mbklo.exe Code function: 0_2_00354780 0_2_00354780
Source: C:\Users\user\Desktop\Gj8P0mbklo.exe Code function: 0_2_0037BF8E 0_2_0037BF8E
Source: C:\Users\user\Desktop\Gj8P0mbklo.exe Code function: 0_2_0037DFC0 0_2_0037DFC0
Source: C:\Users\user\Desktop\Gj8P0mbklo.exe Code function: String function: 00375550 appears 42 times
Source: Gj8P0mbklo.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE, REMOVABLE_RUN_FROM_SWAP
Source: classification engine Classification label: mal84.troj.spyw.winEXE@1/2@2/2
Source: C:\Users\user\Desktop\Gj8P0mbklo.exe Code function: 0_2_003741E0 CreateToolhelp32Snapshot,Process32FirstW,OpenProcess,TerminateProcess,CloseHandle,Process32NextW,CloseHandle,Sleep, 0_2_003741E0
Source: C:\Users\user\Desktop\Gj8P0mbklo.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\76561199609719039[1].htm
Source: C:\Users\user\Desktop\Gj8P0mbklo.exe Command line argument: .I9 0_2_00394880
Source: Gj8P0mbklo.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Gj8P0mbklo.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: Gj8P0mbklo.exe, 00000000.00000003.2127679527.0000000005125000.00000004.00000020.00020000.00000000.sdmp, Gj8P0mbklo.exe, 00000000.00000003.2108951092.00000000050BD000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: Gj8P0mbklo.exe ReversingLabs: Detection: 57%
Source: Gj8P0mbklo.exe Virustotal: Detection: 61%
Source: C:\Users\user\Desktop\Gj8P0mbklo.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\Gj8P0mbklo.exe Section loaded: wininet.dll
Source: C:\Users\user\Desktop\Gj8P0mbklo.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\Gj8P0mbklo.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\Gj8P0mbklo.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\Gj8P0mbklo.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\Gj8P0mbklo.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\Gj8P0mbklo.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\Gj8P0mbklo.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\Gj8P0mbklo.exe Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\Gj8P0mbklo.exe Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\Gj8P0mbklo.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\Gj8P0mbklo.exe Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\Gj8P0mbklo.exe Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\Gj8P0mbklo.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\Gj8P0mbklo.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\Gj8P0mbklo.exe Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\Gj8P0mbklo.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\Gj8P0mbklo.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\Gj8P0mbklo.exe Section loaded: schannel.dll
Source: C:\Users\user\Desktop\Gj8P0mbklo.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\Desktop\Gj8P0mbklo.exe Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\Gj8P0mbklo.exe Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\Gj8P0mbklo.exe Section loaded: dpapi.dll
Source: C:\Users\user\Desktop\Gj8P0mbklo.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\Gj8P0mbklo.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\Gj8P0mbklo.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\Gj8P0mbklo.exe Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\Gj8P0mbklo.exe Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\Gj8P0mbklo.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\Desktop\Gj8P0mbklo.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\Gj8P0mbklo.exe Section loaded: dxgi.dll
Source: C:\Users\user\Desktop\Gj8P0mbklo.exe Section loaded: resourcepolicyclient.dll
Source: C:\Users\user\Desktop\Gj8P0mbklo.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32
Source: Gj8P0mbklo.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Source: Gj8P0mbklo.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: C:\Users\user\Desktop\Gj8P0mbklo.exe Code function: 0_2_00365C3B push 8B003961h; iretd 0_2_00365C40
Source: C:\Users\user\Desktop\Gj8P0mbklo.exe Code function: 0_2_00394785 push ecx; ret 0_2_00394798
Source: C:\Users\user\Desktop\Gj8P0mbklo.exe Code function: 0_2_003701C0 FindFirstFileA,PathMatchSpecA, 0_2_003701C0
Source: C:\Users\user\Desktop\Gj8P0mbklo.exe Code function: 0_2_0035CE40 FindFirstFileA,FindNextFileA,Sleep, 0_2_0035CE40
Source: C:\Users\user\Desktop\Gj8P0mbklo.exe Code function: 0_2_00389AFB FindFirstFileExW, 0_2_00389AFB
Source: Gj8P0mbklo.exe, 00000000.00000003.2126302476.00000000050D5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696487552
Source: Gj8P0mbklo.exe, 00000000.00000003.2126302476.00000000050D5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: secure.bankofamerica.comVMware20,11696487552|UE
Source: Gj8P0mbklo.exe, 00000000.00000003.2126302476.00000000050D5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: account.microsoft.com/profileVMware20,11696487552u
Source: Gj8P0mbklo.exe, 00000000.00000003.2126302476.00000000050D5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: discord.comVMware20,11696487552f
Source: Gj8P0mbklo.exe, 00000000.00000003.2126302476.00000000050D5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: bankofamerica.comVMware20,11696487552x
Source: Gj8P0mbklo.exe, 00000000.00000003.2126302476.00000000050D5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.comVMware20,11696487552}
Source: Gj8P0mbklo.exe, 00000000.00000002.2152455570.000000000274E000.00000004.00000020.00020000.00000000.sdmp, Gj8P0mbklo.exe, 00000000.00000002.2152455570.00000000027B1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: Gj8P0mbklo.exe, 00000000.00000003.2126302476.00000000050D5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ms.portal.azure.comVMware20,11696487552
Source: Gj8P0mbklo.exe, 00000000.00000003.2126302476.00000000050D5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552
Source: Gj8P0mbklo.exe, 00000000.00000003.2126302476.00000000050DA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: - GDCDYNVMware20,11696487552p
Source: Gj8P0mbklo.exe, 00000000.00000003.2126302476.00000000050D5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - COM.HKVMware20,11696487552
Source: Gj8P0mbklo.exe, 00000000.00000003.2126302476.00000000050D5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: global block list test formVMware20,11696487552
Source: Gj8P0mbklo.exe, 00000000.00000003.2126302476.00000000050D5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: tasks.office.comVMware20,11696487552o
Source: Gj8P0mbklo.exe, 00000000.00000003.2126302476.00000000050D5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: AMC password management pageVMware20,11696487552
Source: Gj8P0mbklo.exe, 00000000.00000003.2126302476.00000000050D5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: interactivebrokers.co.inVMware20,11696487552d
Source: Gj8P0mbklo.exe, 00000000.00000003.2126302476.00000000050D5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: interactivebrokers.comVMware20,11696487552
Source: Gj8P0mbklo.exe, 00000000.00000003.2126302476.00000000050D5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: dev.azure.comVMware20,11696487552j
Source: Gj8P0mbklo.exe, 00000000.00000003.2126302476.00000000050D5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - HKVMware20,11696487552]
Source: Gj8P0mbklo.exe, 00000000.00000003.2126302476.00000000050D5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: microsoft.visualstudio.comVMware20,11696487552x
Source: Gj8P0mbklo.exe, 00000000.00000003.2126302476.00000000050D5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: netportal.hdfcbank.comVMware20,11696487552
Source: Gj8P0mbklo.exe, 00000000.00000003.2126302476.00000000050D5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: trackpan.utiitsl.comVMware20,11696487552h
Source: Gj8P0mbklo.exe, 00000000.00000003.2126302476.00000000050D5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696487552z
Source: Gj8P0mbklo.exe, 00000000.00000003.2126302476.00000000050D5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.co.inVMware20,11696487552~
Source: Gj8P0mbklo.exe, 00000000.00000003.2126302476.00000000050D5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: outlook.office365.comVMware20,11696487552t
Source: Gj8P0mbklo.exe, 00000000.00000003.2126302476.00000000050D5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552^
Source: Gj8P0mbklo.exe, 00000000.00000003.2126302476.00000000050D5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696487552p
Source: Gj8P0mbklo.exe, 00000000.00000003.2126302476.00000000050D5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU WestVMware20,11696487552n
Source: Gj8P0mbklo.exe, 00000000.00000003.2126302476.00000000050D5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: outlook.office.comVMware20,11696487552s
Source: Gj8P0mbklo.exe, 00000000.00000003.2126302476.00000000050D5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Test URL for global passwords blocklistVMware20,11696487552
Source: Gj8P0mbklo.exe, 00000000.00000002.2152455570.00000000027B1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWL
Source: Gj8P0mbklo.exe, 00000000.00000003.2126302476.00000000050D5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: turbotax.intuit.comVMware20,11696487552t
Source: Gj8P0mbklo.exe, 00000000.00000003.2126302476.00000000050D5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696487552x
Source: Gj8P0mbklo.exe, 00000000.00000003.2126302476.00000000050D5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696487552}
Source: Gj8P0mbklo.exe, 00000000.00000003.2126302476.00000000050D5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696487552
Source: C:\Users\user\Desktop\Gj8P0mbklo.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\Gj8P0mbklo.exe Code function: 0_2_00375363 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00375363
Source: C:\Users\user\Desktop\Gj8P0mbklo.exe Code function: 0_2_00374780 mov eax, dword ptr fs:[00000030h] 0_2_00374780
Source: C:\Users\user\Desktop\Gj8P0mbklo.exe Code function: 0_2_00370940 SHGetFolderPathA,SHGetFolderPathA,GetProcessHeap,HeapFree,Sleep, 0_2_00370940
Source: C:\Users\user\Desktop\Gj8P0mbklo.exe Code function: 0_2_00374A1F SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_00374A1F
Source: C:\Users\user\Desktop\Gj8P0mbklo.exe Code function: 0_2_003754D5 SetUnhandledExceptionFilter, 0_2_003754D5
Source: C:\Users\user\Desktop\Gj8P0mbklo.exe Code function: 0_2_00380DCC IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00380DCC
Source: C:\Users\user\Desktop\Gj8P0mbklo.exe Code function: 0_2_0037517F cpuid 0_2_0037517F
Source: C:\Users\user\Desktop\Gj8P0mbklo.exe Code function: EnumSystemLocalesW, 0_2_0038D00D
Source: C:\Users\user\Desktop\Gj8P0mbklo.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 0_2_0038D0A0
Source: C:\Users\user\Desktop\Gj8P0mbklo.exe Code function: EnumSystemLocalesW, 0_2_0038694D
Source: C:\Users\user\Desktop\Gj8P0mbklo.exe Code function: GetLocaleInfoW, 0_2_0038D300
Source: C:\Users\user\Desktop\Gj8P0mbklo.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 0_2_0038D429
Source: C:\Users\user\Desktop\Gj8P0mbklo.exe Code function: GetACP,IsValidCodePage,GetLocaleInfoW, 0_2_0038CC79
Source: C:\Users\user\Desktop\Gj8P0mbklo.exe Code function: GetLocaleInfoW, 0_2_0038D52F
Source: C:\Users\user\Desktop\Gj8P0mbklo.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 0_2_0038D605
Source: C:\Users\user\Desktop\Gj8P0mbklo.exe Code function: GetLocaleInfoW, 0_2_00386E79
Source: C:\Users\user\Desktop\Gj8P0mbklo.exe Code function: EnumSystemLocalesW, 0_2_0038CF27
Source: C:\Users\user\Desktop\Gj8P0mbklo.exe Code function: EnumSystemLocalesW, 0_2_0038CF72
Source: C:\Users\user\Desktop\Gj8P0mbklo.exe Code function: 0_2_00376125 GetSystemTimePreciseAsFileTime,GetSystemTimePreciseAsFileTime,GetSystemTimeAsFileTime, 0_2_00376125
Source: C:\Users\user\Desktop\Gj8P0mbklo.exe Code function: 0_2_00387A30 GetTimeZoneInformation, 0_2_00387A30

Stealing of Sensitive Information

Source: Yara match File source: Process Memory Space: Gj8P0mbklo.exe PID: 6256, type: MEMORYSTR
Source: Gj8P0mbklo.exe, 00000000.00000002.2152864496.00000000050CA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: \Roaming\Electrum\wallets
Source: Gj8P0mbklo.exe, 00000000.00000002.2152864496.00000000050CA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: \Roaming\ElectronCash\wallets
Source: Gj8P0mbklo.exe, 00000000.00000002.2152864496.00000000050CA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: window-state.json
Source: Gj8P0mbklo.exe, 00000000.00000002.2152864496.00000000050CA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: \Roaming\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb
Source: Gj8P0mbklo.exe, 00000000.00000002.2152864496.00000000050CA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: exodus.conf.json
Source: Gj8P0mbklo.exe, 00000000.00000002.2152455570.0000000002835000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: info.seco
Source: Gj8P0mbklo.exe, 00000000.00000002.2152455570.0000000002794000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: C:\Users\user\AppData\Roaming\Exodus\*
Source: Gj8P0mbklo.exe, 00000000.00000002.2152455570.0000000002835000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: passphrase.json
Source: Gj8P0mbklo.exe, 00000000.00000002.2152864496.00000000050CA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: aming\Exodus
Source: Gj8P0mbklo.exe, 00000000.00000002.2152864496.0000000005097000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: C:\Users\user\AppData\Roaming\Binance
Source: Gj8P0mbklo.exe, 00000000.00000002.2152864496.00000000050CA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: \Roaming\Ethereum
Source: Gj8P0mbklo.exe, 00000000.00000002.2152864496.00000000050CA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: C:\Users\user\AppData\Roaming\Coinomi\Coinomi\wallets
Source: Gj8P0mbklo.exe, 00000000.00000002.2152864496.00000000050CA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: \Roaming\MultiDoge
Source: Gj8P0mbklo.exe, 00000000.00000002.2152455570.0000000002835000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: seed.seco
Source: Gj8P0mbklo.exe, 00000000.00000002.2152455570.0000000002835000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: keystore
Source: Gj8P0mbklo.exe, 00000000.00000002.2152864496.00000000050CA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: \Roaming\Ledger Live
Source: C:\Users\user\Desktop\Gj8P0mbklo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\Desktop\Gj8P0mbklo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\Gj8P0mbklo.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\cert9.db
Source: C:\Users\user\Desktop\Gj8P0mbklo.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\Desktop\Gj8P0mbklo.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\cookies.sqlite
Source: C:\Users\user\Desktop\Gj8P0mbklo.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\key4.db
Source: C:\Users\user\Desktop\Gj8P0mbklo.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\Desktop\Gj8P0mbklo.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Users\user\Desktop\Gj8P0mbklo.exe File opened: C:\Users\user\AppData\Roaming\Conceptworld\Notezilla\
Source: C:\Users\user\Desktop\Gj8P0mbklo.exe File opened: C:\Users\user\AppData\Roaming\FTP Now\
Source: C:\Users\user\Desktop\Gj8P0mbklo.exe File opened: C:\Users\user\AppData\Roaming\FTPInfo\
Source: C:\Users\user\Desktop\Gj8P0mbklo.exe File opened: C:\Program Files (x86)\DeluxeFTP\
Source: C:\Users\user\Desktop\Gj8P0mbklo.exe File opened: C:\Users\user\AppData\Roaming\Notepad++\plugins\config\NppFTP\
Source: C:\Users\user\Desktop\Gj8P0mbklo.exe File opened: C:\Users\user\AppData\Roaming\UltraFXP\
Source: C:\Users\user\Desktop\Gj8P0mbklo.exe File opened: C:\Users\user\AppData\Roaming\BitKinex\
Source: C:\Users\user\Desktop\Gj8P0mbklo.exe File opened: C:\Users\user\AppData\Roaming\BlazeFtp\
Source: C:\Users\user\Desktop\Gj8P0mbklo.exe File opened: C:\Users\user\AppData\Roaming\FTPGetter\
Source: C:\Users\user\Desktop\Gj8P0mbklo.exe File opened: C:\Users\user\AppData\Local\INSoftware\NovaFTP\
Source: C:\Users\user\Desktop\Gj8P0mbklo.exe File opened: C:\Users\user\AppData\Roaming\FTPBox\
Source: C:\Users\user\Desktop\Gj8P0mbklo.exe File opened: C:\Program Files (x86)\GoFTP\settings\
Source: C:\Users\user\Desktop\Gj8P0mbklo.exe File opened: C:\Users\user\AppData\Roaming\Estsoft\ALFTP\
Source: C:\Users\user\Desktop\Gj8P0mbklo.exe File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets\
Source: C:\Users\user\Desktop\Gj8P0mbklo.exe File opened: C:\Users\user\AppData\Roaming\Binance\
Source: C:\Users\user\Desktop\Gj8P0mbklo.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
Source: C:\Users\user\Desktop\Gj8P0mbklo.exe File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\
Source: C:\Users\user\Desktop\Gj8P0mbklo.exe File opened: C:\Users\user\AppData\Roaming\Exodus\
Source: C:\Users\user\Desktop\Gj8P0mbklo.exe File opened: C:\Users\user\AppData\Roaming\BBQCoin\
Source: C:\Users\user\Desktop\Gj8P0mbklo.exe File opened: C:\Users\user\AppData\Roaming\Megacoin\
Source: C:\Users\user\Desktop\Gj8P0mbklo.exe File opened: C:\Users\user\AppData\Roaming\Mincoin\
Source: C:\Users\user\Desktop\Gj8P0mbklo.exe File opened: C:\Users\user\AppData\Roaming\Namecoin\
Source: C:\Users\user\Desktop\Gj8P0mbklo.exe File opened: C:\Users\user\AppData\Roaming\Primecoin\
Source: C:\Users\user\Desktop\Gj8P0mbklo.exe File opened: C:\Users\user\AppData\Roaming\Terracoin\
Source: C:\Users\user\Desktop\Gj8P0mbklo.exe File opened: C:\Users\user\AppData\Roaming\ElectronCash\wallets\ Jump to behavior
Source: C:\Users\user\Desktop\Gj8P0mbklo.exe File opened: C:\Users\user\AppData\Roaming\MultiDoge\ Jump to behavior
Source: C:\Users\user\Desktop\Gj8P0mbklo.exe File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\ Jump to behavior
Source: C:\Users\user\Desktop\Gj8P0mbklo.exe File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb\ Jump to behavior
Source: C:\Users\user\Desktop\Gj8P0mbklo.exe File opened: C:\Users\user\AppData\Roaming\Coinomi\Coinomi\wallets\ Jump to behavior
Source: C:\Users\user\Desktop\Gj8P0mbklo.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live\ Jump to behavior
Source: C:\Users\user\Desktop\Gj8P0mbklo.exe File opened: C:\Users\user\AppData\Roaming\Guarda\Local Storage\leveldb\ Jump to behavior
Source: Yara match File source: 00000000.00000002.2152455570.00000000027B1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Gj8P0mbklo.exe PID: 6256, type: MEMORYSTR
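The "File opened" lines above are, in effect, the stealer's target list: browser credential and cookie stores, FTP client configuration directories and cryptocurrency wallet data, all touched by one process within seconds. The following is an added detection example, not part of this Joe Sandbox report, that turns that list into a hunting rule over file-access telemetry: a single process that opens paths from two or more of these categories inside a short window is flagged, while the browser reading its own profile is allowed. The event tuple format, the timestamps, the allow-list and every process ID other than 6256 are constructed for the example; the path patterns are derived from the report's lines, generalized so that any Firefox profile name or user name matches and so that the Chrome and Edge patterns cover the same set of files for both browsers. The telemetry source (for example Windows Security event 4663 with object-access auditing, or an EDR file-read feed) is an assumption.

```python
"""Flag a process that sweeps credential stores across several categories.

Added example, not part of the Joe Sandbox report. Input events are
(timestamp, pid, image_name, path) tuples; the feed that produces them
(Security 4663 with SACLs, or an EDR file-read stream) is assumed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Patterns derived from the report's "File opened" lines, grouped by what the
# stealer harvests. Directory targets match with or without a trailing backslash.
TARGETS = {
    "browser": [
        r"\\Mozilla\\Firefox\\Profiles\\[^\\]+\\(cert9\.db|key4\.db|cookies\.sqlite)$",
        r"\\(Google\\Chrome|Microsoft\\Edge)\\User Data\\[^\\]+\\(Web Data|Login Data|Network\\Cookies)$",
    ],
    "ftp": [
        r"\\AppData\\Roaming\\(FTP Now|FTPInfo|UltraFXP|BitKinex|BlazeFtp|FTPGetter|FTPBox|Estsoft\\ALFTP)(\\|$)",
        r"\\AppData\\Roaming\\Notepad\+\+\\plugins\\config\\NppFTP(\\|$)",
        r"\\AppData\\Local\\INSoftware\\NovaFTP(\\|$)",
        r"\\Program Files \(x86\)\\(DeluxeFTP|GoFTP\\settings)(\\|$)",
    ],
    "wallet": [
        r"\\AppData\\Roaming\\(Bitcoin|Electrum|Electrum-LTC|ElectronCash|Coinomi\\Coinomi)\\wallets(\\|$)",
        r"\\AppData\\Roaming\\(Exodus|Binance|Ledger Live|MultiDoge|BBQCoin|Megacoin|Mincoin|Namecoin|Primecoin|Terracoin)(\\|$)",
        r"\\AppData\\Roaming\\(com\.liberty\.jaxx\\IndexedDB|atomic\\Local Storage|Guarda\\Local Storage)(\\|$)",
    ],
    "notes": [r"\\AppData\\Roaming\\Conceptworld\\Notezilla(\\|$)"],
}
COMPILED = {cat: [re.compile(p, re.IGNORECASE) for p in pats] for cat, pats in TARGETS.items()}

# Constructed allow-list: the application that owns a store may read it.
ALLOWED = {"firefox.exe": "browser", "chrome.exe": "browser", "msedge.exe": "browser"}


def classify(path):
    """Return the category a path belongs to, or None if it is not a target."""
    for cat, pats in COMPILED.items():
        if any(p.search(path) for p in pats):
            return cat
    return None


def find_sweeps(events, window=timedelta(seconds=30), min_categories=2, min_paths=4):
    """Return one alert per process whose target opens span >= min_categories
    categories and >= min_paths distinct paths within `window`."""
    per_proc = defaultdict(list)
    for ts, pid, image, path in events:
        cat = classify(path)
        if cat is None or ALLOWED.get(image.lower()) == cat:
            continue
        per_proc[(pid, image)].append((ts, cat, path))

    alerts = []
    for (pid, image), hits in per_proc.items():
        hits.sort()
        best, start = None, 0
        for end in range(len(hits)):          # sliding time window over the hits
            while hits[end][0] - hits[start][0] > window:
                start += 1
            win = hits[start:end + 1]
            cats = {c for _, c, _ in win}
            paths = {p for _, _, p in win}
            if len(cats) >= min_categories and len(paths) >= min_paths:
                if best is None or len(paths) > best["paths"]:
                    best = {"pid": pid, "image": image, "categories": sorted(cats),
                            "paths": len(paths), "first": win[0][0], "last": win[-1][0]}
        if best:
            alerts.append(best)
    return alerts


# Constructed sample telemetry: PID 6256 is the report's stealer process; the
# other processes, the timestamps and the document path are made up.
T0 = datetime(2024, 5, 2, 12, 0, 0)
SAMPLE_EVENTS = [
    (T0, 6256, "Gj8P0mbklo.exe", r"C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\key4.db"),
    (T0 + timedelta(seconds=1), 6256, "Gj8P0mbklo.exe", r"C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data"),
    (T0 + timedelta(seconds=2), 6256, "Gj8P0mbklo.exe", r"C:\Users\user\AppData\Roaming\FTPInfo"),
    (T0 + timedelta(seconds=2), 6256, "Gj8P0mbklo.exe", r"C:\Users\user\AppData\Roaming\Notepad++\plugins\config\NppFTP"),
    (T0 + timedelta(seconds=3), 6256, "Gj8P0mbklo.exe", r"C:\Users\user\AppData\Roaming\Electrum\wallets"),
    (T0 + timedelta(seconds=3), 6256, "Gj8P0mbklo.exe", r"C:\Users\user\AppData\Roaming\Exodus"),
    (T0 + timedelta(seconds=5), 4120, "firefox.exe", r"C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\key4.db"),
    (T0 + timedelta(seconds=6), 5012, "WINWORD.EXE", r"C:\Users\user\Documents\report.docx"),
    (T0 + timedelta(hours=1), 7000, "backup.exe", r"C:\Users\user\AppData\Roaming\Exodus"),
]

if __name__ == "__main__":
    for a in find_sweeps(SAMPLE_EVENTS):
        print(f"{a['image']} (pid {a['pid']}): {a['paths']} target paths across {a['categories']} "
              f"between {a['first'].time()} and {a['last'].time()}")
```

The multi-category requirement is what keeps this from firing on a backup agent or an indexer that walks one application's data directory: a stealer touches browser, FTP and wallet stores in the same burst because it does not care which one it finds, whereas legitimate software almost never has a reason to open more than one of them. Tune `window` and `min_paths` to the noise level of the telemetry source, and extend `ALLOWED` with the FTP clients and wallets actually installed in the estate.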

Remote Access Functionality

Source: Yara match File source: Process Memory Space: Gj8P0mbklo.exe PID: 6256, type: MEMORYSTR