Windows Analysis Report
Gj8P0mbklo.exe

Overview

General Information

Sample name: Gj8P0mbklo.exe (renamed because the original name is a hash value)
Original sample name: f7d15a3027d3a430511630c91898c72b91b5fb42bf99315cc5a5ef009a473835.exe
Analysis ID: 1436772
MD5: bad3fa5127efcc9c678c5d71fce0d0b2
SHA1: c5f49dd54b71eaf4e1ba3a9fdfc51c7fb8afbea8
SHA256: f7d15a3027d3a430511630c91898c72b91b5fb42bf99315cc5a5ef009a473835
Tags: ACRStealer, exe

Detection

Arc Stealer
Score: 84
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Yara detected Arc Stealer
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Found potential string decryption / allocating functions
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

  • System is w10x64
  • Gj8P0mbklo.exe (PID: 6256 cmdline: "C:\Users\user\Desktop\Gj8P0mbklo.exe" MD5: BAD3FA5127EFCC9C678C5D71FCE0D0B2)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
00000000.00000002.2152455570.00000000027B1000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
Process Memory Space: Gj8P0mbklo.exe PID: 6256 | JoeSecurity_ArcStealer | Yara detected Arc Stealer | Joe Security |
Process Memory Space: Gj8P0mbklo.exe PID: 6256 | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |

No Sigma rule has matched
No Snort rule has matched

AV Detection

Source: Gj8P0mbklo.exe | Avira: detected
Source: Gj8P0mbklo.exe | ReversingLabs: Detection: 57%
Source: Gj8P0mbklo.exe | Virustotal: Detection: 61%
Source: Gj8P0mbklo.exe | Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\Gj8P0mbklo.exe | Code function: 0_2_00356F10 Concurrency::cancel_current_task,lstrlenA,GetProcessHeap,HeapAlloc,CryptUnprotectData,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetFileAttributesA,GetFileAttributesA,GetFileAttributesA,
Source: Gj8P0mbklo.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE, REMOVABLE_RUN_FROM_SWAP
Source: unknown | HTTPS traffic detected: 23.61.62.148:443 -> 192.168.2.6:49699 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.13.203:443 -> 192.168.2.6:49700 version: TLS 1.2
Source: Gj8P0mbklo.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\Gj8P0mbklo.exe | Code function: 0_2_003701C0 FindFirstFileA,PathMatchSpecA,
Source: C:\Users\user\Desktop\Gj8P0mbklo.exe | Code function: 0_2_0035CE40 FindFirstFileA,FindNextFileA,Sleep,
Source: C:\Users\user\Desktop\Gj8P0mbklo.exe | Code function: 0_2_00389AFB FindFirstFileExW,
Source: Joe Sandbox View | IP Address: 23.61.62.148
Source: Joe Sandbox View | JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Users\user\Desktop\Gj8P0mbklo.exe | Code function: 0_2_0036F560 InternetOpenUrlA,Sleep,InternetReadFile,InternetReadFile,
Source: global traffic | HTTP traffic detected: GET /profiles/76561199609719039 HTTP/1.1 | User-Agent: MyApp/1.0 | Host: steamcommunity.com | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: GET /ujs/89737b57-777d-400d-bb7f-77b7e024920e HTTP/1.1 | User-Agent: MyApp/1.0 | Host: dervinko.biz | Cache-Control: no-cache
Source: global traffic | DNS traffic detected: DNS query: steamcommunity.com
Source: global traffic | DNS traffic detected: DNS query: dervinko.biz
Source: unknown | HTTP traffic detected: POST /Up HTTP/1.1 | Content-Type: application/octet-stream; boundary=---- | User-Agent: MyApp/1.0 | Host: dervinko.biz | Content-Length: 341 | Cache-Control: no-cache
        Source: Gj8P0mbklo.exe, 00000000.00000002.2152455570.0000000002805000.00000004.00000020.00020000.00000000.sdmp, Gj8P0mbklo.exe, 00000000.00000003.2083094344.0000000002803000.00000004.00000020.00020000.00000000.sdmp, 76561199609719039[1].htm.0.drString found in binary or memory: https://steamcommunity.com/profiles/76561199609719039/inventory/
        Source: Gj8P0mbklo.exeString found in binary or memory: https://steamcommunity.com/profiles/76561199609719039/ujs/strwvfncostrbrCHbrGk
        Source: Gj8P0mbklo.exe, 00000000.00000002.2152455570.0000000002794000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/profiles/76561199609719039B
        Source: Gj8P0mbklo.exe, 00000000.00000002.2152455570.0000000002805000.00000004.00000020.00020000.00000000.sdmp, Gj8P0mbklo.exe, 00000000.00000003.2083094344.0000000002803000.00000004.00000020.00020000.00000000.sdmp, 76561199609719039[1].htm.0.drString found in binary or memory: https://steamcommunity.com/workshop/
        Source: 76561199609719039[1].htm.0.drString found in binary or memory: https://store.steampowered.com/
        Source: Gj8P0mbklo.exe, 00000000.00000003.2077523999.00000000027C8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/;
        Source: 76561199609719039[1].htm.0.drString found in binary or memory: https://store.steampowered.com/about/
        Source: Gj8P0mbklo.exe, 00000000.00000002.2152455570.0000000002805000.00000004.00000020.00020000.00000000.sdmp, Gj8P0mbklo.exe, 00000000.00000003.2083094344.0000000002803000.00000004.00000020.00020000.00000000.sdmp, 76561199609719039[1].htm.0.drString found in binary or memory: https://store.steampowered.com/explore/
        Source: Gj8P0mbklo.exe, 00000000.00000002.2152455570.0000000002805000.00000004.00000020.00020000.00000000.sdmp, Gj8P0mbklo.exe, 00000000.00000003.2083094344.0000000002803000.00000004.00000020.00020000.00000000.sdmp, 76561199609719039[1].htm.0.drString found in binary or memory: https://store.steampowered.com/legal/
        Source: Gj8P0mbklo.exe, 00000000.00000002.2152455570.0000000002805000.00000004.00000020.00020000.00000000.sdmp, Gj8P0mbklo.exe, 00000000.00000003.2083094344.0000000002803000.00000004.00000020.00020000.00000000.sdmp, 76561199609719039[1].htm.0.drString found in binary or memory: https://store.steampowered.com/mobile
        Source: Gj8P0mbklo.exe, 00000000.00000002.2152455570.0000000002805000.00000004.00000020.00020000.00000000.sdmp, Gj8P0mbklo.exe, 00000000.00000003.2083094344.0000000002803000.00000004.00000020.00020000.00000000.sdmp, 76561199609719039[1].htm.0.drString found in binary or memory: https://store.steampowered.com/news/
        Source: Gj8P0mbklo.exe, 00000000.00000002.2152455570.0000000002805000.00000004.00000020.00020000.00000000.sdmp, Gj8P0mbklo.exe, 00000000.00000003.2083094344.0000000002803000.00000004.00000020.00020000.00000000.sdmp, 76561199609719039[1].htm.0.drString found in binary or memory: https://store.steampowered.com/points/shop/
        Source: Gj8P0mbklo.exe, 00000000.00000002.2152455570.0000000002805000.00000004.00000020.00020000.00000000.sdmp, Gj8P0mbklo.exe, 00000000.00000003.2083094344.0000000002803000.00000004.00000020.00020000.00000000.sdmp, 76561199609719039[1].htm.0.drString found in binary or memory: https://store.steampowered.com/privacy_agreement/
        Source: Gj8P0mbklo.exe, 00000000.00000002.2152455570.0000000002805000.00000004.00000020.00020000.00000000.sdmp, Gj8P0mbklo.exe, 00000000.00000003.2083094344.0000000002803000.00000004.00000020.00020000.00000000.sdmp, 76561199609719039[1].htm.0.drString found in binary or memory: https://store.steampowered.com/stats/
        Source: Gj8P0mbklo.exe, 00000000.00000002.2152455570.0000000002805000.00000004.00000020.00020000.00000000.sdmp, Gj8P0mbklo.exe, 00000000.00000003.2083094344.0000000002803000.00000004.00000020.00020000.00000000.sdmp, 76561199609719039[1].htm.0.drString found in binary or memory: https://store.steampowered.com/steam_refunds/
        Source: Gj8P0mbklo.exe, 00000000.00000002.2152455570.0000000002805000.00000004.00000020.00020000.00000000.sdmp, Gj8P0mbklo.exe, 00000000.00000003.2083094344.0000000002803000.00000004.00000020.00020000.00000000.sdmp, 76561199609719039[1].htm.0.drString found in binary or memory: https://store.steampowered.com/subscriber_agreement/
        Source: Gj8P0mbklo.exe, 00000000.00000003.2108844417.0000000005138000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.ecosia.org/newtab/
        Source: Gj8P0mbklo.exe, 00000000.00000003.2077523999.00000000027C8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.google.com
        Source: Gj8P0mbklo.exe, 00000000.00000003.2108844417.0000000005138000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
        Source: Gj8P0mbklo.exe, 00000000.00000003.2077523999.00000000027C8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/recaptcha/
        Source: Gj8P0mbklo.exe, 00000000.00000003.2077523999.00000000027C8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.gstatic.cn/recaptcha/
        Source: Gj8P0mbklo.exe, 00000000.00000003.2077523999.00000000027C8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.gstatic.com/recaptcha/
        Source: Gj8P0mbklo.exe, 00000000.00000002.2152455570.0000000002805000.00000004.00000020.00020000.00000000.sdmp, Gj8P0mbklo.exe, 00000000.00000003.2083094344.0000000002803000.00000004.00000020.00020000.00000000.sdmp, 76561199609719039[1].htm.0.drString found in binary or memory: https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback
        Source: Gj8P0mbklo.exe, 00000000.00000003.2077523999.00000000027C8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.youtube.com
        Source: Gj8P0mbklo.exe, 00000000.00000003.2077523999.00000000027C8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.youtube.com/
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49700
        Source: unknownNetwork traffic detected: HTTP traffic on port 49699 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49699
        Source: unknownNetwork traffic detected: HTTP traffic on port 49702 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 49703 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 49704 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 49700 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 49701 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49704
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49703
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49702
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49701
        Source: unknownHTTPS traffic detected: 23.61.62.148:443 -> 192.168.2.6:49699 version: TLS 1.2
        Source: unknownHTTPS traffic detected: 104.21.13.203:443 -> 192.168.2.6:49700 version: TLS 1.2
        Source: C:\Users\user\Desktop\Gj8P0mbklo.exeCode function: 0_2_00373C10 NtCreateFile,GetProcessHeap,RtlAllocateHeap,NtReadFile,
        Source: C:\Users\user\Desktop\Gj8P0mbklo.exeCode function: 0_2_0036BCD0 NtQuerySystemInformation,
        Source: C:\Users\user\Desktop\Gj8P0mbklo.exeCode function: 0_2_0036BE50 NtQuerySystemInformation,
        Source: C:\Users\user\Desktop\Gj8P0mbklo.exeCode function: 0_2_003648B3
        Source: C:\Users\user\Desktop\Gj8P0mbklo.exeCode function: 0_2_00370940
        Source: C:\Users\user\Desktop\Gj8P0mbklo.exeCode function: 0_2_003701C0
        Source: C:\Users\user\Desktop\Gj8P0mbklo.exeCode function: 0_2_00355340
        Source: C:\Users\user\Desktop\Gj8P0mbklo.exeCode function: 0_2_0036B4B0
        Source: C:\Users\user\Desktop\Gj8P0mbklo.exeCode function: 0_2_0036C490
        Source: C:\Users\user\Desktop\Gj8P0mbklo.exeCode function: 0_2_00356560
        Source: C:\Users\user\Desktop\Gj8P0mbklo.exeCode function: 0_2_00359630
        Source: C:\Users\user\Desktop\Gj8P0mbklo.exeCode function: 0_2_0035CE40
        Source: C:\Users\user\Desktop\Gj8P0mbklo.exeCode function: 0_2_00356F10
        Source: C:\Users\user\Desktop\Gj8P0mbklo.exeCode function: 0_2_0035D7D0
        Source: C:\Users\user\Desktop\Gj8P0mbklo.exeCode function: 0_2_00368030
        Source: C:\Users\user\Desktop\Gj8P0mbklo.exeCode function: 0_2_00367820
        Source: C:\Users\user\Desktop\Gj8P0mbklo.exeCode function: 0_2_0036A070
        Source: C:\Users\user\Desktop\Gj8P0mbklo.exeCode function: 0_2_0035D8C1
        Source: C:\Users\user\Desktop\Gj8P0mbklo.exeCode function: 0_2_003558C0
        Source: C:\Users\user\Desktop\Gj8P0mbklo.exeCode function: 0_2_0038F109
        Source: C:\Users\user\Desktop\Gj8P0mbklo.exeCode function: 0_2_003619F0
        Source: C:\Users\user\Desktop\Gj8P0mbklo.exeCode function: 0_2_0038E9E7
        Source: C:\Users\user\Desktop\Gj8P0mbklo.exeCode function: 0_2_00377220
        Source: C:\Users\user\Desktop\Gj8P0mbklo.exeCode function: 0_2_00357A4E
        Source: C:\Users\user\Desktop\Gj8P0mbklo.exeCode function: 0_2_00357A49
        Source: C:\Users\user\Desktop\Gj8P0mbklo.exeCode function: 0_2_00367290
        Source: C:\Users\user\Desktop\Gj8P0mbklo.exeCode function: 0_2_00351A80
        Source: C:\Users\user\Desktop\Gj8P0mbklo.exeCode function: 0_2_00351310
        Source: C:\Users\user\Desktop\Gj8P0mbklo.exeCode function: 0_2_00370B19
        Source: C:\Users\user\Desktop\Gj8P0mbklo.exeCode function: 0_2_0036A370
        Source: C:\Users\user\Desktop\Gj8P0mbklo.exeCode function: 0_2_00368B80
        Source: C:\Users\user\Desktop\Gj8P0mbklo.exeCode function: 0_2_00363BE3
        Source: C:\Users\user\Desktop\Gj8P0mbklo.exeCode function: 0_2_003683D0
        Source: C:\Users\user\Desktop\Gj8P0mbklo.exeCode function: 0_2_00353BC0
        Source: C:\Users\user\Desktop\Gj8P0mbklo.exeCode function: 0_2_00367C30
        Source: C:\Users\user\Desktop\Gj8P0mbklo.exeCode function: 0_2_0039142E
        Source: C:\Users\user\Desktop\Gj8P0mbklo.exeCode function: 0_2_003524A0
        Source: C:\Users\user\Desktop\Gj8P0mbklo.exeCode function: 0_2_003634E0
        Source: C:\Users\user\Desktop\Gj8P0mbklo.exeCode function: 0_2_00363D20
        Source: C:\Users\user\Desktop\Gj8P0mbklo.exeCode function: 0_2_00380564
        Source: C:\Users\user\Desktop\Gj8P0mbklo.exeCode function: 0_2_00354DB0
        Source: C:\Users\user\Desktop\Gj8P0mbklo.exeCode function: 0_2_00351580
        Source: C:\Users\user\Desktop\Gj8P0mbklo.exeCode function: 0_2_00363E2C
        Source: C:\Users\user\Desktop\Gj8P0mbklo.exeCode function: 0_2_00373E50
        Source: C:\Users\user\Desktop\Gj8P0mbklo.exeCode function: 0_2_00352EB0
        Source: C:\Users\user\Desktop\Gj8P0mbklo.exeCode function: 0_2_003666E0
        Source: C:\Users\user\Desktop\Gj8P0mbklo.exeCode function: 0_2_0036A720
        Source: C:\Users\user\Desktop\Gj8P0mbklo.exeCode function: 0_2_0038C720
        Source: C:\Users\user\Desktop\Gj8P0mbklo.exeCode function: 0_2_00368770
        Source: C:\Users\user\Desktop\Gj8P0mbklo.exeCode function: 0_2_00354780
        Source: C:\Users\user\Desktop\Gj8P0mbklo.exeCode function: 0_2_0037BF8E
        Source: C:\Users\user\Desktop\Gj8P0mbklo.exeCode function: 0_2_0037DFC0
        Source: C:\Users\user\Desktop\Gj8P0mbklo.exeCode function: String function: 00375550 appears 42 times
        Source: Gj8P0mbklo.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE, REMOVABLE_RUN_FROM_SWAP
        Source: classification engineClassification label: mal84.troj.spyw.winEXE@1/2@2/2
        Source: C:\Users\user\Desktop\Gj8P0mbklo.exeCode function: 0_2_003741E0 CreateToolhelp32Snapshot,Process32FirstW,OpenProcess,TerminateProcess,CloseHandle,Process32NextW,CloseHandle,Sleep,
        Source: C:\Users\user\Desktop\Gj8P0mbklo.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\76561199609719039[1].htmJump to behavior
        Source: C:\Users\user\Desktop\Gj8P0mbklo.exeCommand line argument: .I9
        Source: Gj8P0mbklo.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
        Source: C:\Users\user\Desktop\Gj8P0mbklo.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
        Source: Gj8P0mbklo.exe, 00000000.00000003.2127679527.0000000005125000.00000004.00000020.00020000.00000000.sdmp, Gj8P0mbklo.exe, 00000000.00000003.2108951092.00000000050BD000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
        Source: Gj8P0mbklo.exeReversingLabs: Detection: 57%
        Source: Gj8P0mbklo.exeVirustotal: Detection: 61%
        Source: C:\Users\user\Desktop\Gj8P0mbklo.exeSection loaded: apphelp.dll
        Source: C:\Users\user\Desktop\Gj8P0mbklo.exeSection loaded: wininet.dll
        Source: C:\Users\user\Desktop\Gj8P0mbklo.exeSection loaded: iertutil.dll
        Source: C:\Users\user\Desktop\Gj8P0mbklo.exeSection loaded: sspicli.dll
        Source: C:\Users\user\Desktop\Gj8P0mbklo.exeSection loaded: windows.storage.dll
        Source: C:\Users\user\Desktop\Gj8P0mbklo.exeSection loaded: wldp.dll
        Source: C:\Users\user\Desktop\Gj8P0mbklo.exeSection loaded: profapi.dll
        Source: C:\Users\user\Desktop\Gj8P0mbklo.exeSection loaded: kernel.appcore.dll
        Source: C:\Users\user\Desktop\Gj8P0mbklo.exeSection loaded: ondemandconnroutehelper.dll
        Source: C:\Users\user\Desktop\Gj8P0mbklo.exeSection loaded: winhttp.dll
        Source: C:\Users\user\Desktop\Gj8P0mbklo.exeSection loaded: mswsock.dll
        Source: C:\Users\user\Desktop\Gj8P0mbklo.exeSection loaded: iphlpapi.dll
        Source: C:\Users\user\Desktop\Gj8P0mbklo.exeSection loaded: winnsi.dll
        Source: C:\Users\user\Desktop\Gj8P0mbklo.exeSection loaded: urlmon.dll
        Source: C:\Users\user\Desktop\Gj8P0mbklo.exeSection loaded: srvcli.dll
        Source: C:\Users\user\Desktop\Gj8P0mbklo.exeSection loaded: netutils.dll
        Source: C:\Users\user\Desktop\Gj8P0mbklo.exeSection loaded: dnsapi.dll
        Source: C:\Users\user\Desktop\Gj8P0mbklo.exeSection loaded: rasadhlp.dll
        Source: C:\Users\user\Desktop\Gj8P0mbklo.exeSection loaded: fwpuclnt.dll
        Source: C:\Users\user\Desktop\Gj8P0mbklo.exeSection loaded: schannel.dll
        Source: C:\Users\user\Desktop\Gj8P0mbklo.exeSection loaded: mskeyprotect.dll
        Source: C:\Users\user\Desktop\Gj8P0mbklo.exeSection loaded: ntasn1.dll
        Source: C:\Users\user\Desktop\Gj8P0mbklo.exeSection loaded: msasn1.dll
        Source: C:\Users\user\Desktop\Gj8P0mbklo.exeSection loaded: dpapi.dll
        Source: C:\Users\user\Desktop\Gj8P0mbklo.exeSection loaded: cryptsp.dll
        Source: C:\Users\user\Desktop\Gj8P0mbklo.exeSection loaded: rsaenh.dll
        Source: C:\Users\user\Desktop\Gj8P0mbklo.exeSection loaded: cryptbase.dll
        Source: C:\Users\user\Desktop\Gj8P0mbklo.exeSection loaded: gpapi.dll
        Source: C:\Users\user\Desktop\Gj8P0mbklo.exeSection loaded: ncrypt.dll
        Source: C:\Users\user\Desktop\Gj8P0mbklo.exeSection loaded: ncryptsslp.dll
        Source: C:\Users\user\Desktop\Gj8P0mbklo.exeSection loaded: uxtheme.dll
        Source: C:\Users\user\Desktop\Gj8P0mbklo.exeSection loaded: dxgi.dll
        Source: C:\Users\user\Desktop\Gj8P0mbklo.exeSection loaded: resourcepolicyclient.dll
        Source: C:\Users\user\Desktop\Gj8P0mbklo.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32
        Source: Gj8P0mbklo.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
        Source: Gj8P0mbklo.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
        Source: C:\Users\user\Desktop\Gj8P0mbklo.exeCode function: 0_2_00365C3B push 8B003961h; iretd
        Source: C:\Users\user\Desktop\Gj8P0mbklo.exeCode function: 0_2_00394785 push ecx; ret
        Source: C:\Users\user\Desktop\Gj8P0mbklo.exeCode function: 0_2_003701C0 FindFirstFileA,PathMatchSpecA,
        Source: C:\Users\user\Desktop\Gj8P0mbklo.exeCode function: 0_2_0035CE40 FindFirstFileA,FindNextFileA,Sleep,
        Source: C:\Users\user\Desktop\Gj8P0mbklo.exeCode function: 0_2_00389AFB FindFirstFileExW,
        Source: Gj8P0mbklo.exe, 00000000.00000003.2126302476.00000000050D5000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - EU East & CentralVMware20,11696487552
        Source: Gj8P0mbklo.exe, 00000000.00000003.2126302476.00000000050D5000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: secure.bankofamerica.comVMware20,11696487552|UE
        Source: Gj8P0mbklo.exe, 00000000.00000003.2126302476.00000000050D5000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: account.microsoft.com/profileVMware20,11696487552u
        Source: Gj8P0mbklo.exe, 00000000.00000003.2126302476.00000000050D5000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: discord.comVMware20,11696487552f
        Source: Gj8P0mbklo.exe, 00000000.00000003.2126302476.00000000050D5000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: bankofamerica.comVMware20,11696487552x
        Source: Gj8P0mbklo.exe, 00000000.00000003.2126302476.00000000050D5000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: www.interactivebrokers.comVMware20,11696487552}
        Source: Gj8P0mbklo.exe, 00000000.00000002.2152455570.000000000274E000.00000004.00000020.00020000.00000000.sdmp, Gj8P0mbklo.exe, 00000000.00000002.2152455570.00000000027B1000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
        Source: Gj8P0mbklo.exe, 00000000.00000003.2126302476.00000000050D5000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: ms.portal.azure.comVMware20,11696487552
        Source: Gj8P0mbklo.exe, 00000000.00000003.2126302476.00000000050D5000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Canara Change Transaction PasswordVMware20,11696487552
        Source: Gj8P0mbklo.exe, 00000000.00000003.2126302476.00000000050DA000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: - GDCDYNVMware20,11696487552p
        Source: Gj8P0mbklo.exe, 00000000.00000003.2126302476.00000000050D5000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - COM.HKVMware20,11696487552
        Source: Gj8P0mbklo.exe, 00000000.00000003.2126302476.00000000050D5000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: global block list test formVMware20,11696487552
        Source: Gj8P0mbklo.exe, 00000000.00000003.2126302476.00000000050D5000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: tasks.office.comVMware20,11696487552o
        Source: Gj8P0mbklo.exe, 00000000.00000003.2126302476.00000000050D5000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: AMC password management pageVMware20,11696487552
        Source: Gj8P0mbklo.exe, 00000000.00000003.2126302476.00000000050D5000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: interactivebrokers.co.inVMware20,11696487552d
        Source: Gj8P0mbklo.exe, 00000000.00000003.2126302476.00000000050D5000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: interactivebrokers.comVMware20,11696487552
        Source: Gj8P0mbklo.exe, 00000000.00000003.2126302476.00000000050D5000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: dev.azure.comVMware20,11696487552j
        Source: Gj8P0mbklo.exe, 00000000.00000003.2126302476.00000000050D5000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - HKVMware20,11696487552]
        Source: Gj8P0mbklo.exe, 00000000.00000003.2126302476.00000000050D5000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: microsoft.visualstudio.comVMware20,11696487552x
        Source: Gj8P0mbklo.exe, 00000000.00000003.2126302476.00000000050D5000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: netportal.hdfcbank.comVMware20,11696487552
        Source: Gj8P0mbklo.exe, 00000000.00000003.2126302476.00000000050D5000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: trackpan.utiitsl.comVMware20,11696487552h
        Source: Gj8P0mbklo.exe, 00000000.00000003.2126302476.00000000050D5000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - NDCDYNVMware20,11696487552z
        Source: Gj8P0mbklo.exe, 00000000.00000003.2126302476.00000000050D5000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: www.interactivebrokers.co.inVMware20,11696487552~
        Source: Gj8P0mbklo.exe, 00000000.00000003.2126302476.00000000050D5000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: outlook.office365.comVMware20,11696487552t
        Source: Gj8P0mbklo.exe, 00000000.00000003.2126302476.00000000050D5000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Canara Change Transaction PasswordVMware20,11696487552^
        Source: Gj8P0mbklo.exe, 00000000.00000003.2126302476.00000000050D5000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - GDCDYNVMware20,11696487552p
        Source: Gj8P0mbklo.exe, 00000000.00000003.2126302476.00000000050D5000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - EU WestVMware20,11696487552n
        Source: Gj8P0mbklo.exe, 00000000.00000003.2126302476.00000000050D5000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: outlook.office.comVMware20,11696487552s
        Source: Gj8P0mbklo.exe, 00000000.00000003.2126302476.00000000050D5000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Test URL for global passwords blocklistVMware20,11696487552
        Source: Gj8P0mbklo.exe, 00000000.00000002.2152455570.00000000027B1000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAWL
        Source: Gj8P0mbklo.exe, 00000000.00000003.2126302476.00000000050D5000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: turbotax.intuit.comVMware20,11696487552t
        Source: Gj8P0mbklo.exe, 00000000.00000003.2126302476.00000000050D5000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Canara Transaction PasswordVMware20,11696487552x
        Source: Gj8P0mbklo.exe, 00000000.00000003.2126302476.00000000050D5000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Canara Transaction PasswordVMware20,11696487552}
        Source: Gj8P0mbklo.exe, 00000000.00000003.2126302476.00000000050D5000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696487552
        Source: C:\Users\user\Desktop\Gj8P0mbklo.exeProcess information queried: ProcessInformation
        Source: C:\Users\user\Desktop\Gj8P0mbklo.exeCode function: 0_2_00375363 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
        Source: C:\Users\user\Desktop\Gj8P0mbklo.exeCode function: 0_2_00374780 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\Desktop\Gj8P0mbklo.exeCode function: 0_2_00370940 SHGetFolderPathA,SHGetFolderPathA,GetProcessHeap,HeapFree,Sleep,
        Source: C:\Users\user\Desktop\Gj8P0mbklo.exeCode function: 0_2_00374A1F SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
        Source: C:\Users\user\Desktop\Gj8P0mbklo.exeCode function: 0_2_00375363 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
        Source: C:\Users\user\Desktop\Gj8P0mbklo.exeCode function: 0_2_003754D5 SetUnhandledExceptionFilter,
        Source: C:\Users\user\Desktop\Gj8P0mbklo.exeCode function: 0_2_00380DCC IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
        Source: C:\Users\user\Desktop\Gj8P0mbklo.exeCode function: 0_2_0037517F cpuid
        Source: C:\Users\user\Desktop\Gj8P0mbklo.exeCode function: EnumSystemLocalesW,
        Source: C:\Users\user\Desktop\Gj8P0mbklo.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,
        Source: C:\Users\user\Desktop\Gj8P0mbklo.exeCode function: EnumSystemLocalesW,
        Source: C:\Users\user\Desktop\Gj8P0mbklo.exeCode function: GetLocaleInfoW,
        Source: C:\Users\user\Desktop\Gj8P0mbklo.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetACP,
        Source: C:\Users\user\Desktop\Gj8P0mbklo.exeCode function: GetACP,IsValidCodePage,GetLocaleInfoW,
        Source: C:\Users\user\Desktop\Gj8P0mbklo.exeCode function: GetLocaleInfoW,
        Source: C:\Users\user\Desktop\Gj8P0mbklo.exeCode function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,
        Source: C:\Users\user\Desktop\Gj8P0mbklo.exeCode function: GetLocaleInfoW,
        Source: C:\Users\user\Desktop\Gj8P0mbklo.exeCode function: EnumSystemLocalesW,
        Source: C:\Users\user\Desktop\Gj8P0mbklo.exeCode function: EnumSystemLocalesW,
        Source: C:\Users\user\Desktop\Gj8P0mbklo.exeCode function: 0_2_00376125 GetSystemTimePreciseAsFileTime,GetSystemTimePreciseAsFileTime,GetSystemTimeAsFileTime,
        Source: C:\Users\user\Desktop\Gj8P0mbklo.exeCode function: 0_2_00387A30 GetTimeZoneInformation,

        Stealing of Sensitive Information

        Source: Yara match | File source: Process Memory Space: Gj8P0mbklo.exe PID: 6256, type: MEMORYSTR
        Source: Gj8P0mbklo.exe, 00000000.00000002.2152864496.00000000050CA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: \Roaming\Electrum\wallets
        Source: Gj8P0mbklo.exe, 00000000.00000002.2152864496.00000000050CA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: \Roaming\ElectronCash\wallets
        Source: Gj8P0mbklo.exe, 00000000.00000002.2152864496.00000000050CA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: window-state.json
        Source: Gj8P0mbklo.exe, 00000000.00000002.2152864496.00000000050CA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: \Roaming\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb
        Source: Gj8P0mbklo.exe, 00000000.00000002.2152864496.00000000050CA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: exodus.conf.json
        Source: Gj8P0mbklo.exe, 00000000.00000002.2152455570.0000000002835000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: info.seco
        Source: Gj8P0mbklo.exe, 00000000.00000002.2152455570.0000000002794000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: C:\Users\user\AppData\Roaming\Exodus\*
        Source: Gj8P0mbklo.exe, 00000000.00000002.2152455570.0000000002835000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: passphrase.json
        Source: Gj8P0mbklo.exe, 00000000.00000002.2152864496.00000000050CA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: aming\Exodus
        Source: Gj8P0mbklo.exe, 00000000.00000002.2152864496.0000000005097000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: C:\Users\user\AppData\Roaming\Binance
        Source: Gj8P0mbklo.exe, 00000000.00000002.2152864496.00000000050CA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: \Roaming\Ethereum
        Source: Gj8P0mbklo.exe, 00000000.00000002.2152864496.00000000050CA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: C:\Users\user\AppData\Roaming\Coinomi\Coinomi\wallets
        Source: Gj8P0mbklo.exe, 00000000.00000002.2152864496.00000000050CA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: \Roaming\MultiDoge
        Source: Gj8P0mbklo.exe, 00000000.00000002.2152455570.0000000002835000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: seed.seco
        Source: Gj8P0mbklo.exe, 00000000.00000002.2152455570.0000000002835000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: keystore
        Source: Gj8P0mbklo.exe, 00000000.00000002.2152864496.00000000050CA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: \Roaming\Ledger Live
        Source: C:\Users\user\Desktop\Gj8P0mbklo.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
        Source: C:\Users\user\Desktop\Gj8P0mbklo.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
        Source: C:\Users\user\Desktop\Gj8P0mbklo.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\cert9.db
        Source: C:\Users\user\Desktop\Gj8P0mbklo.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
        Source: C:\Users\user\Desktop\Gj8P0mbklo.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\cookies.sqlite
        Source: C:\Users\user\Desktop\Gj8P0mbklo.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\key4.db
        Source: C:\Users\user\Desktop\Gj8P0mbklo.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
        Source: C:\Users\user\Desktop\Gj8P0mbklo.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
        Source: C:\Users\user\Desktop\Gj8P0mbklo.exe | File opened: C:\Users\user\AppData\Roaming\Conceptworld\Notezilla\
        Source: C:\Users\user\Desktop\Gj8P0mbklo.exe | File opened: C:\Users\user\AppData\Roaming\FTP Now\
        Source: C:\Users\user\Desktop\Gj8P0mbklo.exe | File opened: C:\Users\user\AppData\Roaming\FTPInfo\
        Source: C:\Users\user\Desktop\Gj8P0mbklo.exe | File opened: C:\Program Files (x86)\DeluxeFTP\
        Source: C:\Users\user\Desktop\Gj8P0mbklo.exe | File opened: C:\Users\user\AppData\Roaming\Notepad++\plugins\config\NppFTP\
        Source: C:\Users\user\Desktop\Gj8P0mbklo.exe | File opened: C:\Users\user\AppData\Roaming\UltraFXP\
        Source: C:\Users\user\Desktop\Gj8P0mbklo.exe | File opened: C:\Users\user\AppData\Roaming\BitKinex\
        Source: C:\Users\user\Desktop\Gj8P0mbklo.exe | File opened: C:\Users\user\AppData\Roaming\BlazeFtp\
        Source: C:\Users\user\Desktop\Gj8P0mbklo.exe | File opened: C:\Users\user\AppData\Roaming\FTPGetter\
        Source: C:\Users\user\Desktop\Gj8P0mbklo.exe | File opened: C:\Users\user\AppData\Local\INSoftware\NovaFTP\
        Source: C:\Users\user\Desktop\Gj8P0mbklo.exe | File opened: C:\Users\user\AppData\Roaming\FTPBox\
        Source: C:\Users\user\Desktop\Gj8P0mbklo.exe | File opened: C:\Program Files (x86)\GoFTP\settings\
        Source: C:\Users\user\Desktop\Gj8P0mbklo.exe | File opened: C:\Users\user\AppData\Roaming\Estsoft\ALFTP\
        Source: C:\Users\user\Desktop\Gj8P0mbklo.exe | File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets\
        Source: C:\Users\user\Desktop\Gj8P0mbklo.exe | File opened: C:\Users\user\AppData\Roaming\Binance\
        Source: C:\Users\user\Desktop\Gj8P0mbklo.exe | File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
        Source: C:\Users\user\Desktop\Gj8P0mbklo.exeFile opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
        Source: C:\Users\user\Desktop\Gj8P0mbklo.exeFile opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\
        Source: C:\Users\user\Desktop\Gj8P0mbklo.exeFile opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\
        Source: C:\Users\user\Desktop\Gj8P0mbklo.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\
        Source: C:\Users\user\Desktop\Gj8P0mbklo.exeFile opened: C:\Users\user\AppData\Roaming\BBQCoin\
        Source: C:\Users\user\Desktop\Gj8P0mbklo.exeFile opened: C:\Users\user\AppData\Roaming\Megacoin\
        Source: C:\Users\user\Desktop\Gj8P0mbklo.exeFile opened: C:\Users\user\AppData\Roaming\Mincoin\
        Source: C:\Users\user\Desktop\Gj8P0mbklo.exeFile opened: C:\Users\user\AppData\Roaming\Namecoin\
        Source: C:\Users\user\Desktop\Gj8P0mbklo.exeFile opened: C:\Users\user\AppData\Roaming\Primecoin\
        Source: C:\Users\user\Desktop\Gj8P0mbklo.exeFile opened: C:\Users\user\AppData\Roaming\Terracoin\
        Source: C:\Users\user\Desktop\Gj8P0mbklo.exeFile opened: C:\Users\user\AppData\Roaming\ElectronCash\wallets\
        Source: C:\Users\user\Desktop\Gj8P0mbklo.exeFile opened: C:\Users\user\AppData\Roaming\MultiDoge\
        Source: C:\Users\user\Desktop\Gj8P0mbklo.exeFile opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\
        Source: C:\Users\user\Desktop\Gj8P0mbklo.exeFile opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb\
        Source: C:\Users\user\Desktop\Gj8P0mbklo.exeFile opened: C:\Users\user\AppData\Roaming\Coinomi\Coinomi\wallets\
        Source: C:\Users\user\Desktop\Gj8P0mbklo.exeFile opened: C:\Users\user\AppData\Roaming\Ledger Live\
        Source: C:\Users\user\Desktop\Gj8P0mbklo.exeFile opened: C:\Users\user\AppData\Roaming\Guarda\Local Storage\leveldb\
        Source: Yara matchFile source: 00000000.00000002.2152455570.00000000027B1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
        Source: Yara matchFile source: Process Memory Space: Gj8P0mbklo.exe PID: 6256, type: MEMORYSTR
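The "File opened" events above are the most reusable part of this report for detection work. No legitimate owner of these stores reads Chromium Login Data and Cookies, Firefox key4.db and cert9.db, a dozen FTP client configuration directories and a dozen wallet directories in one run; a single foreign process doing all of it is the stealer pattern itself. The script below is an added example written for this page (it is not Joe Sandbox code and is not derived from the sample): it parses report-style file-open lines, groups each process image's accesses by category, and flags a process that either spans several unrelated categories or reads a browser profile it does not own. The category regexes are built from the paths the report lists, the owner mapping (chrome.exe, msedge.exe, firefox.exe) is a standard assumption, and the lines in SAMPLE_REPORT are constructed, with two benign control events (the browsers opening their own stores) added to show the owner check.

```python
"""Triage of sandbox "File opened" events for credential-store access.

Added example for this report; not Joe Sandbox code and not derived from the
sample. SAMPLE_REPORT is constructed from paths the report lists, plus two
benign control events (chrome.exe and firefox.exe opening their own stores).
"""
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# What a stealer reads, as case-insensitive regexes over the full path. Built
# from this report's own "File opened" list, so illustrative, not exhaustive.
CATEGORIES = {
    "browser_credentials": [
        r"\\User Data\\[^\\]+\\(Login Data|Web Data)$",
        r"\\User Data\\[^\\]+\\Network\\Cookies$",
        r"\\Mozilla\\Firefox\\Profiles\\[^\\]+\\(key4\.db|cert9\.db|cookies\.sqlite)$",
    ],
    "ftp_clients": [
        r"\\Roaming\\(FTP Now|FTPInfo|UltraFXP|BitKinex|BlazeFtp|FTPGetter|FTPBox|Estsoft\\ALFTP)\\",
        r"\\Notepad\+\+\\plugins\\config\\NppFTP\\",
        r"\\INSoftware\\NovaFTP\\",
        r"\\Program Files( \(x86\))?\\(DeluxeFTP|GoFTP)\\",
    ],
    "crypto_wallets": [
        r"\\Roaming\\(Bitcoin|Electrum|Electrum-LTC|ElectronCash|Coinomi\\Coinomi)\\wallets\\",
        r"\\Roaming\\(Binance|Exodus|BBQCoin|Megacoin|Mincoin|Namecoin|Primecoin|Terracoin|MultiDoge|Ledger Live|Ethereum)\\",
        r"\\Roaming\\(atomic|Guarda)\\Local Storage\\leveldb\\",
        r"\\Roaming\\com\.liberty\.jaxx\\IndexedDB\\",
    ],
    "other_app_data": [r"\\Conceptworld\\Notezilla\\"],
}
_CATEGORIES = {c: [re.compile(p, re.I) for p in ps] for c, ps in CATEGORIES.items()}

# Which image legitimately owns each browser profile (assumed standard names).
OWNERS = [
    (re.compile(r"\\Google\\Chrome\\", re.I), {"chrome.exe"}),
    (re.compile(r"\\Microsoft\\Edge\\", re.I), {"msedge.exe"}),
    (re.compile(r"\\Mozilla\\Firefox\\", re.I), {"firefox.exe"}),
]

# Accepts the report's fused form ("...exeFile opened:") and a "|"-separated one.
EVENT_RE = re.compile(r"^Source:\s*(?P<image>.+?)\s*\|?\s*File opened:\s*(?P<path>.+?)\s*$")


def parse_event(line):
    """Return (image basename, path) for a file-open line, None for any other line."""
    m = EVENT_RE.match(line)
    if not m:
        return None
    return PureWindowsPath(m.group("image")).name.lower(), m.group("path")


def classify(path):
    """Category of a credential store, or None if the path is not one we know."""
    for cat, regs in _CATEGORIES.items():
        if any(r.search(path) for r in regs):
            return cat
    return None


def is_foreign(image, path):
    """True when a browser profile is read by a process other than that browser."""
    for reg, owners in OWNERS:
        if reg.search(path):
            return image not in owners
    return False


def triage(lines):
    """Per image: the categories it touched (with paths) and the foreign reads it made."""
    out = defaultdict(lambda: {"categories": defaultdict(list), "foreign": []})
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        image, path = ev
        cat = classify(path)
        if cat:
            out[image]["categories"][cat].append(path)
        if is_foreign(image, path):
            out[image]["foreign"].append(path)
    return out


def stealer_like(profile, min_categories=2):
    """Flag a process spanning unrelated credential categories or reading stores it does not own."""
    return len(profile["categories"]) >= min_categories or bool(profile["foreign"])


SAMPLE_REPORT = r"""
Source: Gj8P0mbklo.exe, 00000000.00000002.2152864496.00000000050CA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: \Roaming\Ethereum
Source: C:\Users\user\Desktop\Gj8P0mbklo.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\Gj8P0mbklo.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\key4.db
Source: C:\Users\user\Desktop\Gj8P0mbklo.exe | File opened: C:\Users\user\AppData\Roaming\Notepad++\plugins\config\NppFTP\
Source: C:\Users\user\Desktop\Gj8P0mbklo.exe | File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
Source: C:\Users\user\Desktop\Gj8P0mbklo.exe | File opened: C:\Users\user\AppData\Roaming\Guarda\Local Storage\leveldb\
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Program Files\Mozilla Firefox\firefox.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\key4.db
""".strip().splitlines()

if __name__ == "__main__":
    for image, profile in triage(SAMPLE_REPORT).items():
        counts = {c: len(p) for c, p in profile["categories"].items()}
        print(f"{image}: {counts}, foreign reads={len(profile['foreign'])}, stealer_like={stealer_like(profile)}")
```

Run stand-alone it prints one verdict per image: the sample spans three categories and makes two foreign reads, the two browsers touch only their own stores and are not flagged. The same aggregation works on a live host over Windows object-access audit events (Event ID 4663 with a SACL on the profile directories), which record the accessing process image; the lone "File opened" count tells you little, the breadth per process and the ownership mismatch are what separate a stealer from the browser.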

Remote Access Functionality

Source: Yara match | File source: Process Memory Space: Gj8P0mbklo.exe PID: 6256, type: MEMORYSTR
MITRE ATT&CK Matrix (flattened from the report's 14-column grid). A leading number is the matrix's own match counter for that technique, reproduced as extracted; entries without one are the placeholder techniques the grid lists in every column and were not matched in this analysis.

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts
Execution: 2 Command and Scripting Interpreter; Scheduled Task/Job; At; Cron; Launchd
Persistence: 1 DLL Side-Loading; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script
Privilege Escalation: 1 DLL Side-Loading; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script
Defense Evasion: 1 Masquerading; 1 Deobfuscate/Decode Files or Information; 2 Obfuscated Files or Information; 1 DLL Side-Loading; Software Packing
Credential Access: 2 OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets
Discovery: 2 System Time Discovery; 21 Security Software Discovery; 2 Process Discovery; 1 File and Directory Discovery; 22 System Information Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH
Collection: 1 Archive Collected Data; 4 Data from Local System; Data from Network Shared Drive; Input Capture; Keylogging
Command and Control: 21 Encrypted Channel; 2 Ingress Tool Transfer; 3 Non-Application Layer Protocol; 4 Application Layer Protocol; Fallback Channels
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact

Source | Detection | Scanner | Label | Link
Gj8P0mbklo.exe | 58% | ReversingLabs | Win32.Trojan.Barys |
Gj8P0mbklo.exe | 62% | Virustotal | | Browse
Gj8P0mbklo.exe | 100% | Avira | TR/PSW.Coins.ujryq |
Gj8P0mbklo.exe | 100% | Joe Sandbox ML | |
        No Antivirus matches
        No Antivirus matches
Source | Detection | Scanner | Label | Link
dervinko.biz | 1% | Virustotal | | Browse
Source | Detection | Scanner | Label | Link
http://crl.rootca1.amazontrust.com/rootca1.crl0 | 0% | URL Reputation | safe |
https://broadcast.st.dl.eccdnx.com | 0% | URL Reputation | safe |
http://x1.c.lencr.org/0 | 0% | URL Reputation | safe |
http://x1.i.lencr.org/0 | 0% | URL Reputation | safe |
https://recaptcha.net | 0% | URL Reputation | safe |
https://s.ytimg.com; | 0% | Avira URL Cloud | safe |
https://www.gstatic.cn/recaptcha/ | 0% | Avira URL Cloud | safe |
https://dervinko.biz/Up/b_ | 0% | Avira URL Cloud | safe |
https://dervinko.biz/Up/bAW | 0% | Avira URL Cloud | safe |
https://dervinko.biz/Up | 0% | Avira URL Cloud | safe |
https://dervinko.biz/Up/bistAndAuditAlarmByHandle | 0% | Avira URL Cloud | safe |
https://steam.tv/ | 0% | Avira URL Cloud | safe |
https://dervinko.biz/ujs/89737b57-777d-400d-bb7f-77b7e024920e | 0% | Avira URL Cloud | safe |
http://ocsp.rootca1.amazontrust.com0: | 0% | Avira URL Cloud | safe |
https://dervinko.biz/Up | 0% | Virustotal | | Browse
https://lv.queniujq.cn | 0% | Avira URL Cloud | safe |
https://dervinko.biz/q | 0% | Avira URL Cloud | safe |
https://steam.tv/ | 0% | Virustotal | | Browse
https://www.gstatic.cn/recaptcha/ | 0% | Virustotal | | Browse
https://dervinko.biz | 0% | Avira URL Cloud | safe |
https://recaptcha.net/recaptcha/; | 0% | Avira URL Cloud | safe |
https://dervinko.biz/Up/bistAndAuditAlarmByHandleerta | 0% | Avira URL Cloud | safe |
https://dervinko.biz/ujs/89737b57-777d-400d-bb7f-77b7e024920e | 0% | Virustotal | | Browse
https://medal.tv | 0% | Avira URL Cloud | safe |
https://dervinko.biz/ | 0% | Avira URL Cloud | safe |
https://dervinko.biz/Up/byDllc | 0% | Avira URL Cloud | safe |
https://recaptcha.net/recaptcha/; | 0% | Virustotal | | Browse
https://dervinko.biz | 0% | Virustotal | | Browse
https://medal.tv | 0% | Virustotal | | Browse
https://dervinko.biz/Up/b | 0% | Avira URL Cloud | safe |
https://lv.queniujq.cn | 0% | Virustotal | | Browse
http://127.0.0.1:27060 | 0% | Avira URL Cloud | safe |
https://dervinko.biz/ | 0% | Virustotal | | Browse
http://127.0.0.1:27060 | 0% | Virustotal | | Browse
https://dervinko.biz/Up/b | 0% | Virustotal | | Browse
Name | IP | Active | Malicious | Antivirus Detection | Reputation
steamcommunity.com | 23.61.62.148 | true | false | | high
dervinko.biz | 104.21.13.203 | true | false | | unknown

Name | Malicious | Antivirus Detection | Reputation
https://dervinko.biz/Up | false | 0%, Virustotal, Browse; Avira URL Cloud: safe | unknown
https://dervinko.biz/ujs/89737b57-777d-400d-bb7f-77b7e024920e | false | 0%, Virustotal, Browse; Avira URL Cloud: safe | unknown
https://steamcommunity.com/profiles/76561199609719039 | false | | high
https://dervinko.biz/Up/b | false | 0%, Virustotal, Browse; Avira URL Cloud: safe | unknown
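The network tables mix three kinds of URL: hosts the sample actually contacted (dervinko.biz and the Steam profile it fetched), URLs embedded in that fetched profile page (the akamai.steamstatic.com, steampowered.com and valvesoftware.com entries, whose source column includes 76561199609719039[1].htm), and strings that look like a browser's built-in search-engine list (duckduckgo, ecosia, yahoo). Only the first group is an indicator, and even there the IP needs a caveat: 104.21.13.203 falls inside Cloudflare's published 104.16.0.0/13 range, so it is a shared edge address, not the C2 host, and blocking it would break unrelated sites while leaving the domain reachable through any other Cloudflare IP. The script below is an added example written for this page, not part of Joe Sandbox or of the sample: it reads the tables in a pipe-delimited form, keeps hosts and URLs whose reputation is not "high", marks Cloudflare-fronted IPs, moves memory-only strings on the C2 host into a low-confidence bucket (the report's strings were lifted from process memory and are in places visibly fused with neighbouring data, e.g. /Up/bistAndAuditAlarmByHandle), parks unknown hosts the sample never contacted for follow-up, and defangs everything for a write-up. The table rows are constructed from the report; the Cloudflare range list is a snapshot and should be refreshed before use.

```python
"""Turn a sandbox report's network tables into an actionable IOC list.

Added example for this report, not part of Joe Sandbox. The tables below are
constructed from the report's "Domains and IPs", "Contacted URLs" and
"URLs from memory" sections (a subset), in a pipe-delimited form.
"""
import ipaddress
from urllib.parse import urlsplit

# Cloudflare's published IPv4 ranges (snapshot; refresh from cloudflare.com/ips
# before relying on it). An IP inside these is a shared edge, not the C2 host.
CLOUDFLARE_V4 = [ipaddress.ip_network(n) for n in (
    "173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22",
    "141.101.64.0/18", "108.162.192.0/18", "190.93.240.0/20", "188.114.96.0/20",
    "197.234.240.0/22", "198.41.128.0/17", "162.158.0.0/15", "104.16.0.0/13",
    "104.24.0.0/14", "172.64.0.0/13", "131.0.72.0/22",
)]

HOSTS = """
steamcommunity.com | 23.61.62.148 | true | false | high
dervinko.biz | 104.21.13.203 | true | false | unknown
"""
CONTACTED_URLS = """
https://dervinko.biz/Up | false | unknown
https://dervinko.biz/ujs/89737b57-777d-400d-bb7f-77b7e024920e | false | unknown
https://steamcommunity.com/profiles/76561199609719039 | false | high
https://dervinko.biz/Up/b | false | unknown
"""
MEMORY_URLS = """
https://duckduckgo.com/chrome_newtab | high
https://dervinko.biz/Up/bistAndAuditAlarmByHandle | unknown
https://www.google.com/recaptcha/ | high
https://dervinko.biz/q | unknown
https://dervinko.biz | unknown
https://lv.queniujq.cn | unknown
"""


def rows(table):
    """Split a pipe-delimited table into lists of stripped cells, skipping blank lines."""
    return [[c.strip() for c in line.split("|")] for line in table.strip().splitlines()]


def cloudflare_fronted(ip):
    """True if the address belongs to Cloudflare's edge rather than the origin."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CLOUDFLARE_V4)


def defang(url):
    """Non-clickable form for reports: hxxp(s) scheme, dots in host and port bracketed."""
    parts = urlsplit(url)
    netloc = parts.netloc.replace(".", "[.]")
    scheme = parts.scheme.replace("http", "hxxp")
    path = parts.path + (f"?{parts.query}" if parts.query else "")
    return f"{scheme}://{netloc}{path}"


def build_iocs(hosts=HOSTS, contacted=CONTACTED_URLS, memory=MEMORY_URLS):
    """Keep what the sample talked to and has no established reputation.

    Reputation "high" marks shared, legitimate infrastructure (here Steam, whose
    profile page the sample fetched); those rows are context, not indicators.
    Memory-only URLs on a contacted host go into a low-confidence bucket: the
    string was in memory but not on the wire and may be truncated or fused.
    Unknown hosts never contacted are parked separately for follow-up.
    """
    suspect = {name for name, _ip, _act, _mal, rep in rows(hosts) if rep != "high"}
    iocs = {"domains": sorted(suspect), "ips": [], "urls": [],
            "memory_only_urls": [], "uncontacted_in_memory": []}
    for name, ip, _act, _mal, rep in rows(hosts):
        if rep == "high":
            continue
        note = ("Cloudflare edge: block the domain, not this IP"
                if cloudflare_fronted(ip) else "direct host")
        iocs["ips"].append({"value": ip, "domain": name, "note": note})
    seen = set()
    for url, _mal, rep in rows(contacted):
        if rep == "high" or urlsplit(url).hostname not in suspect:
            continue
        seen.add(url)
        iocs["urls"].append({"value": url, "defanged": defang(url), "confidence": "high"})
    for url, rep in rows(memory):
        if url in seen or rep == "high":
            continue
        bucket = "memory_only_urls" if urlsplit(url).hostname in suspect else "uncontacted_in_memory"
        iocs[bucket].append({"value": url, "defanged": defang(url), "confidence": "low"})
    return iocs


if __name__ == "__main__":
    for key, items in build_iocs().items():
        print(key)
        for item in items:
            print("  ", item if isinstance(item, str) else item.get("defanged", item))
```

The result is one domain (dervinko.biz), one IP carrying the "Cloudflare edge" note, three high-confidence URLs that were seen on the wire, three low-confidence dervinko.biz paths that only exist in memory, and lv.queniujq.cn parked as never contacted. The reputation column is doing the real work: it is the report's own judgement of which hosts are shared infrastructure, and using it avoids shipping Steam, Google and Akamai into a blocklist.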
Name | Source | Malicious | Antivirus Detection | Reputation
https://duckduckgo.com/chrome_newtab | Gj8P0mbklo.exe, 00000000.00000003.2108844417.0000000005138000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://player.vimeo.com | Gj8P0mbklo.exe, 00000000.00000003.2077523999.00000000027C8000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://duckduckgo.com/ac/?q= | Gj8P0mbklo.exe, 00000000.00000003.2108844417.0000000005138000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://community.akamai.steamstatic.com/public/javascript/applications/community/manifest.js?v=_Vry | Gj8P0mbklo.exe, 00000000.00000002.2152455570.0000000002805000.00000004.00000020.00020000.00000000.sdmp, Gj8P0mbklo.exe, 00000000.00000003.2083094344.0000000002803000.00000004.00000020.00020000.00000000.sdmp, 76561199609719039[1].htm.0.dr | false | | high
https://steamcommunity.com/?subsection=broadcasts | Gj8P0mbklo.exe, 00000000.00000002.2152455570.0000000002805000.00000004.00000020.00020000.00000000.sdmp, Gj8P0mbklo.exe, 00000000.00000003.2083094344.0000000002803000.00000004.00000020.00020000.00000000.sdmp, 76561199609719039[1].htm.0.dr | false | | high
https://store.steampowered.com/subscriber_agreement/ | Gj8P0mbklo.exe, 00000000.00000002.2152455570.0000000002805000.00000004.00000020.00020000.00000000.sdmp, Gj8P0mbklo.exe, 00000000.00000003.2083094344.0000000002803000.00000004.00000020.00020000.00000000.sdmp, 76561199609719039[1].htm.0.dr | false | | high
https://www.gstatic.cn/recaptcha/ | Gj8P0mbklo.exe, 00000000.00000003.2077523999.00000000027C8000.00000004.00000020.00020000.00000000.sdmp | false | 0%, Virustotal, Browse; Avira URL Cloud: safe | unknown
https://community.akamai.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6 | Gj8P0mbklo.exe, 00000000.00000002.2152455570.0000000002805000.00000004.00000020.00020000.00000000.sdmp, Gj8P0mbklo.exe, 00000000.00000003.2083094344.0000000002803000.00000004.00000020.00020000.00000000.sdmp, 76561199609719039[1].htm.0.dr | false | | high
https://community.akamai.steamstatic.com/public/javascript/modalContent.js?v=L35TrLJDfqtD&l=engl | Gj8P0mbklo.exe, 00000000.00000002.2152455570.0000000002805000.00000004.00000020.00020000.00000000.sdmp, Gj8P0mbklo.exe, 00000000.00000003.2083094344.0000000002803000.00000004.00000020.00020000.00000000.sdmp, 76561199609719039[1].htm.0.dr | false | | high
http://www.valvesoftware.com/legal.htm | Gj8P0mbklo.exe, 00000000.00000002.2152455570.0000000002805000.00000004.00000020.00020000.00000000.sdmp, Gj8P0mbklo.exe, 00000000.00000003.2083094344.0000000002803000.00000004.00000020.00020000.00000000.sdmp, 76561199609719039[1].htm.0.dr | false | | high
https://www.youtube.com | Gj8P0mbklo.exe, 00000000.00000003.2077523999.00000000027C8000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://community.akamai.steamstatic.com/public/css/promo/summer2017/stickers.css?v=HA2Yr5oy3FFG&amp | Gj8P0mbklo.exe, 00000000.00000002.2152455570.0000000002805000.00000004.00000020.00020000.00000000.sdmp, Gj8P0mbklo.exe, 00000000.00000003.2083094344.0000000002803000.00000004.00000020.00020000.00000000.sdmp, 76561199609719039[1].htm.0.dr | false | | high
https://community.akamai.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png | Gj8P0mbklo.exe, 00000000.00000002.2152455570.0000000002805000.00000004.00000020.00020000.00000000.sdmp, Gj8P0mbklo.exe, 00000000.00000003.2083094344.0000000002803000.00000004.00000020.00020000.00000000.sdmp, 76561199609719039[1].htm.0.dr | false | | high
https://www.google.com | Gj8P0mbklo.exe, 00000000.00000003.2077523999.00000000027C8000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://community.akamai.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png | Gj8P0mbklo.exe, 00000000.00000002.2152455570.0000000002805000.00000004.00000020.00020000.00000000.sdmp, Gj8P0mbklo.exe, 00000000.00000003.2083094344.0000000002803000.00000004.00000020.00020000.00000000.sdmp, 76561199609719039[1].htm.0.dr | false | | high
https://dervinko.biz/Up/bAW | Gj8P0mbklo.exe, 00000000.00000003.2151751922.000000000509F000.00000004.00000020.00020000.00000000.sdmp, Gj8P0mbklo.exe, 00000000.00000003.2151712465.0000000005090000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://dervinko.biz/Up/b_ | Gj8P0mbklo.exe, 00000000.00000003.2151826752.000000000507F000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://community.akamai.steamstatic.com/public/javascript/global.js?v=B7Vsdo1okyaC&l=english | Gj8P0mbklo.exe, 00000000.00000002.2152455570.0000000002805000.00000004.00000020.00020000.00000000.sdmp, Gj8P0mbklo.exe, 00000000.00000003.2083094344.0000000002803000.00000004.00000020.00020000.00000000.sdmp, 76561199609719039[1].htm.0.dr | false | | high
https://community.akamai.steamstatic.com/public/shared/css/shared_responsive.css?v=sHIIcMzCffX6& | Gj8P0mbklo.exe, 00000000.00000002.2152455570.0000000002805000.00000004.00000020.00020000.00000000.sdmp, Gj8P0mbklo.exe, 00000000.00000003.2083094344.0000000002803000.00000004.00000020.00020000.00000000.sdmp, 76561199609719039[1].htm.0.dr | false | | high
https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback | Gj8P0mbklo.exe, 00000000.00000002.2152455570.0000000002805000.00000004.00000020.00020000.00000000.sdmp, Gj8P0mbklo.exe, 00000000.00000003.2083094344.0000000002803000.00000004.00000020.00020000.00000000.sdmp, 76561199609719039[1].htm.0.dr | false | | high
https://community.akamai.steamstatic.com/public/javascript/profile.js?v=Iy1ies1ROjUT&l=english | Gj8P0mbklo.exe, 00000000.00000002.2152455570.0000000002805000.00000004.00000020.00020000.00000000.sdmp, Gj8P0mbklo.exe, 00000000.00000003.2083094344.0000000002803000.00000004.00000020.00020000.00000000.sdmp, 76561199609719039[1].htm.0.dr | false | | high
https://community.akamai.steamstatic.com/public/shared/css/shared_global.css?v=SPpMitTYp6ku&l=en | Gj8P0mbklo.exe, 00000000.00000002.2152455570.0000000002805000.00000004.00000020.00020000.00000000.sdmp, Gj8P0mbklo.exe, 00000000.00000003.2083094344.0000000002803000.00000004.00000020.00020000.00000000.sdmp, 76561199609719039[1].htm.0.dr | false | | high
https://community.akamai.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=OeNIgrpEF8tL | Gj8P0mbklo.exe, 00000000.00000002.2152455570.0000000002805000.00000004.00000020.00020000.00000000.sdmp, Gj8P0mbklo.exe, 00000000.00000003.2083094344.0000000002803000.00000004.00000020.00020000.00000000.sdmp, 76561199609719039[1].htm.0.dr | false | | high
https://steamcommunity.com/profiles/76561199609719039/badges | Gj8P0mbklo.exe, 00000000.00000002.2152455570.0000000002805000.00000004.00000020.00020000.00000000.sdmp, Gj8P0mbklo.exe, 00000000.00000003.2083094344.0000000002803000.00000004.00000020.00020000.00000000.sdmp, 76561199609719039[1].htm.0.dr | false | | high
https://s.ytimg.com; | Gj8P0mbklo.exe, 00000000.00000003.2077523999.00000000027C8000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | low
https://steam.tv/ | Gj8P0mbklo.exe, 00000000.00000003.2077523999.00000000027C8000.00000004.00000020.00020000.00000000.sdmp | false | 0%, Virustotal, Browse; Avira URL Cloud: safe | unknown
https://dervinko.biz/Up/bistAndAuditAlarmByHandle | Gj8P0mbklo.exe, 00000000.00000003.2151712465.00000000050CE000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://community.akamai.steamstatic.com/public/css/skin_1/header.css?v=NFoCa4OkAxRb&l=english | Gj8P0mbklo.exe, 00000000.00000002.2152455570.0000000002805000.00000004.00000020.00020000.00000000.sdmp, Gj8P0mbklo.exe, 00000000.00000003.2083094344.0000000002803000.00000004.00000020.00020000.00000000.sdmp, 76561199609719039[1].htm.0.dr | false | | high
http://store.steampowered.com/privacy_agreement/ | Gj8P0mbklo.exe, 00000000.00000002.2152455570.0000000002805000.00000004.00000020.00020000.00000000.sdmp, Gj8P0mbklo.exe, 00000000.00000003.2083094344.0000000002803000.00000004.00000020.00020000.00000000.sdmp, 76561199609719039[1].htm.0.dr | false | | high
https://store.steampowered.com/points/shop/ | Gj8P0mbklo.exe, 00000000.00000002.2152455570.0000000002805000.00000004.00000020.00020000.00000000.sdmp, Gj8P0mbklo.exe, 00000000.00000003.2083094344.0000000002803000.00000004.00000020.00020000.00000000.sdmp, 76561199609719039[1].htm.0.dr | false | | high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | Gj8P0mbklo.exe, 00000000.00000003.2108844417.0000000005138000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://crl.rootca1.amazontrust.com/rootca1.crl0 | Gj8P0mbklo.exe, 00000000.00000003.2145279946.00000000052ED000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://ocsp.rootca1.amazontrust.com0: | Gj8P0mbklo.exe, 00000000.00000003.2145279946.00000000052ED000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://sketchfab.com | Gj8P0mbklo.exe, 00000000.00000003.2077523999.00000000027C8000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://www.ecosia.org/newtab/ | Gj8P0mbklo.exe, 00000000.00000003.2108844417.0000000005138000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://lv.queniujq.cn | Gj8P0mbklo.exe, 00000000.00000003.2077523999.00000000027C8000.00000004.00000020.00020000.00000000.sdmp | false | 0%, Virustotal, Browse; Avira URL Cloud: safe | unknown
https://www.youtube.com/ | Gj8P0mbklo.exe, 00000000.00000003.2077523999.00000000027C8000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://avatars.akamai.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpg | 76561199609719039[1].htm.0.dr | false | | high
https://store.steampowered.com/privacy_agreement/ | Gj8P0mbklo.exe, 00000000.00000002.2152455570.0000000002805000.00000004.00000020.00020000.00000000.sdmp, Gj8P0mbklo.exe, 00000000.00000003.2083094344.0000000002803000.00000004.00000020.00020000.00000000.sdmp, 76561199609719039[1].htm.0.dr | false | | high
https://community.akamai.steamstatic.com/public/shared/javascript/tooltip.js?v=.zYHOpI1L3Rt0 | Gj8P0mbklo.exe, 00000000.00000002.2152455570.0000000002805000.00000004.00000020.00020000.00000000.sdmp, Gj8P0mbklo.exe, 00000000.00000003.2083094344.0000000002803000.00000004.00000020.00020000.00000000.sdmp, 76561199609719039[1].htm.0.dr | false | | high
https://dervinko.biz/q | Gj8P0mbklo.exe, 00000000.00000002.2152864496.000000000507F000.00000004.00000020.00020000.00000000.sdmp, Gj8P0mbklo.exe, 00000000.00000003.2151826752.000000000507F000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://community.akamai.steamstatic.com/public/shared/javascript/shared_global.js?v=REEGJU1hwkYl&am | Gj8P0mbklo.exe, 00000000.00000002.2152455570.0000000002805000.00000004.00000020.00020000.00000000.sdmp, Gj8P0mbklo.exe, 00000000.00000003.2083094344.0000000002803000.00000004.00000020.00020000.00000000.sdmp, 76561199609719039[1].htm.0.dr | false | | high
https://www.google.com/recaptcha/ | Gj8P0mbklo.exe, 00000000.00000003.2077523999.00000000027C8000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://checkout.steampowered.com/ | Gj8P0mbklo.exe, 00000000.00000003.2077523999.00000000027C8000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://community.akamai.steamstatic.com/public/css/globalv2.css?v=PAcV2zMBzzSV&l=english | Gj8P0mbklo.exe, 00000000.00000002.2152455570.0000000002805000.00000004.00000020.00020000.00000000.sdmp, Gj8P0mbklo.exe, 00000000.00000003.2083094344.0000000002803000.00000004.00000020.00020000.00000000.sdmp, 76561199609719039[1].htm.0.dr | false | | high
https://community.akamai.steamstatic.com/public/javascript/modalv2.js?v=dfMhuy-Lrpyo&l=english | Gj8P0mbklo.exe, 00000000.00000002.2152455570.0000000002805000.00000004.00000020.00020000.00000000.sdmp, Gj8P0mbklo.exe, 00000000.00000003.2083094344.0000000002803000.00000004.00000020.00020000.00000000.sdmp, 76561199609719039[1].htm.0.dr | false | | high
https://community.akamai.steamstatic.com/public/shared/images/responsive/header_logo.png | Gj8P0mbklo.exe, 00000000.00000002.2152455570.0000000002805000.00000004.00000020.00020000.00000000.sdmp, Gj8P0mbklo.exe, 00000000.00000003.2083094344.0000000002803000.00000004.00000020.00020000.00000000.sdmp, 76561199609719039[1].htm.0.dr | false | | high
https://community.akamai.steamstatic.com/public/css/skin_1/profilev2.css?v=M_qL4gO2sKII&l=englis | Gj8P0mbklo.exe, 00000000.00000002.2152455570.0000000002805000.00000004.00000020.00020000.00000000.sdmp, Gj8P0mbklo.exe, 00000000.00000003.2083094344.0000000002803000.00000004.00000020.00020000.00000000.sdmp, 76561199609719039[1].htm.0.dr | false | | high
https://community.akamai.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=.isFTSRckeNhC | Gj8P0mbklo.exe, 00000000.00000002.2152455570.0000000002805000.00000004.00000020.00020000.00000000.sdmp, Gj8P0mbklo.exe, 00000000.00000003.2083094344.0000000002803000.00000004.00000020.00020000.00000000.sdmp, 76561199609719039[1].htm.0.dr | false | | high
https://store.steampowered.com/; | Gj8P0mbklo.exe, 00000000.00000003.2077523999.00000000027C8000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://store.steampowered.com/about/ | 76561199609719039[1].htm.0.dr | false | | high
https://steamcommunity.com/my/wishlist/ | Gj8P0mbklo.exe, 00000000.00000002.2152455570.0000000002805000.00000004.00000020.00020000.00000000.sdmp, Gj8P0mbklo.exe, 00000000.00000003.2083094344.0000000002803000.00000004.00000020.00020000.00000000.sdmp, 76561199609719039[1].htm.0.dr | false | | high
https://steamcommunity.com/- | Gj8P0mbklo.exe, 00000000.00000002.2152455570.0000000002794000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://help.steampowered.com/en/ | Gj8P0mbklo.exe, 00000000.00000003.2083094344.0000000002803000.00000004.00000020.00020000.00000000.sdmp, 76561199609719039[1].htm.0.dr | false | | high
https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/ | Gj8P0mbklo.exe, 00000000.00000003.2077523999.00000000027C8000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://steamcommunity.com/market/ | Gj8P0mbklo.exe, 00000000.00000002.2152455570.0000000002805000.00000004.00000020.00020000.00000000.sdmp, Gj8P0mbklo.exe, 00000000.00000003.2083094344.0000000002803000.00000004.00000020.00020000.00000000.sdmp, 76561199609719039[1].htm.0.dr | false | | high
https://store.steampowered.com/news/ | Gj8P0mbklo.exe, 00000000.00000002.2152455570.0000000002805000.00000004.00000020.00020000.00000000.sdmp, Gj8P0mbklo.exe, 00000000.00000003.2083094344.0000000002803000.00000004.00000020.00020000.00000000.sdmp, 76561199609719039[1].htm.0.dr | false | | high
https://community.akamai.steamstatic.com/ | Gj8P0mbklo.exe, 00000000.00000003.2077523999.00000000027C8000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://community.akamai.steamstatic.com/public/javascript/applications/community/main.js?v=roSu8uqw | Gj8P0mbklo.exe, 00000000.00000002.2152455570.0000000002805000.00000004.00000020.00020000.00000000.sdmp, Gj8P0mbklo.exe, 00000000.00000003.2083094344.0000000002803000.00000004.00000020.00020000.00000000.sdmp, 76561199609719039[1].htm.0.dr | false | | high
https://dervinko.biz | Gj8P0mbklo.exe, 00000000.00000002.2152455570.00000000027B1000.00000004.00000020.00020000.00000000.sdmp | false | 0%, Virustotal, Browse; Avira URL Cloud: safe | unknown
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | Gj8P0mbklo.exe, 00000000.00000003.2108844417.0000000005138000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://store.steampowered.com/subscriber_agreement/ | Gj8P0mbklo.exe, 00000000.00000002.2152455570.0000000002805000.00000004.00000020.00020000.00000000.sdmp, Gj8P0mbklo.exe, 00000000.00000003.2083094344.0000000002803000.00000004.00000020.00020000.00000000.sdmp, 76561199609719039[1].htm.0.dr | false | | high
https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org | Gj8P0mbklo.exe, 00000000.00000002.2152455570.0000000002805000.00000004.00000020.00020000.00000000.sdmp, Gj8P0mbklo.exe, 00000000.00000003.2083094344.0000000002803000.00000004.00000020.00020000.00000000.sdmp, 76561199609719039[1].htm.0.dr | false
                                                                                                                    high
                                                                                                                    https://recaptcha.net/recaptcha/;Gj8P0mbklo.exe, 00000000.00000003.2077523999.00000000027C8000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                    • 0%, Virustotal, Browse
                                                                                                                    • Avira URL Cloud: safe
                                                                                                                    unknown
                                                                                                                    https://community.akamai.steamstatic.com/public/javascript/promo/stickers.js?v=upl9NJ5D2xkP&l=enGj8P0mbklo.exe, 00000000.00000002.2152455570.0000000002805000.00000004.00000020.00020000.00000000.sdmp, Gj8P0mbklo.exe, 00000000.00000003.2083094344.0000000002803000.00000004.00000020.00020000.00000000.sdmp, 76561199609719039[1].htm.0.drfalse
                                                                                                                      high
                                                                                                                      https://steamcommunity.com/discussions/Gj8P0mbklo.exe, 00000000.00000002.2152455570.0000000002805000.00000004.00000020.00020000.00000000.sdmp, Gj8P0mbklo.exe, 00000000.00000003.2083094344.0000000002803000.00000004.00000020.00020000.00000000.sdmp, 76561199609719039[1].htm.0.drfalse
                                                                                                                        high
                                                                                                                        https://dervinko.biz/Up/bistAndAuditAlarmByHandleertaGj8P0mbklo.exe, 00000000.00000003.2145426350.00000000050CE000.00000004.00000020.00020000.00000000.sdmp, Gj8P0mbklo.exe, 00000000.00000003.2145176778.00000000050CA000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                        • Avira URL Cloud: safe
                                                                                                                        unknown
                                                                                                                        https://store.steampowered.com/stats/Gj8P0mbklo.exe, 00000000.00000002.2152455570.0000000002805000.00000004.00000020.00020000.00000000.sdmp, Gj8P0mbklo.exe, 00000000.00000003.2083094344.0000000002803000.00000004.00000020.00020000.00000000.sdmp, 76561199609719039[1].htm.0.drfalse
                                                                                                                          high
                                                                                                                          https://medal.tvGj8P0mbklo.exe, 00000000.00000003.2077523999.00000000027C8000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                          • 0%, Virustotal, Browse
                                                                                                                          • Avira URL Cloud: safe
                                                                                                                          unknown
                                                                                                                          https://broadcast.st.dl.eccdnx.comGj8P0mbklo.exe, 00000000.00000003.2077523999.00000000027C8000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                          • URL Reputation: safe
                                                                                                                          unknown
                                                                                                                          https://community.akamai.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1Gj8P0mbklo.exe, 00000000.00000002.2152455570.0000000002805000.00000004.00000020.00020000.00000000.sdmp, Gj8P0mbklo.exe, 00000000.00000003.2083094344.0000000002803000.00000004.00000020.00020000.00000000.sdmp, 76561199609719039[1].htm.0.drfalse
                                                                                                                            high
                                                                                                                            https://store.steampowered.com/steam_refunds/Gj8P0mbklo.exe, 00000000.00000002.2152455570.0000000002805000.00000004.00000020.00020000.00000000.sdmp, Gj8P0mbklo.exe, 00000000.00000003.2083094344.0000000002803000.00000004.00000020.00020000.00000000.sdmp, 76561199609719039[1].htm.0.drfalse
                                                                                                                              high
                                                                                                                              http://x1.c.lencr.org/0Gj8P0mbklo.exe, 00000000.00000003.2145279946.00000000052ED000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                              • URL Reputation: safe
                                                                                                                              unknown
                                                                                                                              http://x1.i.lencr.org/0Gj8P0mbklo.exe, 00000000.00000003.2145279946.00000000052ED000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                              • URL Reputation: safe
                                                                                                                              unknown
                                                                                                                              https://steamcommunity.com/profiles/76561199609719039(Gj8P0mbklo.exe, 00000000.00000002.2152455570.0000000002794000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                high
                                                                                                                                https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/searchGj8P0mbklo.exe, 00000000.00000003.2108844417.0000000005138000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                  high
                                                                                                                                  https://dervinko.biz/Gj8P0mbklo.exe, 00000000.00000002.2152455570.00000000027B1000.00000004.00000020.00020000.00000000.sdmp, Gj8P0mbklo.exe, 00000000.00000002.2152864496.000000000507F000.00000004.00000020.00020000.00000000.sdmp, Gj8P0mbklo.exe, 00000000.00000003.2151826752.000000000507F000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                  • 0%, Virustotal, Browse
                                                                                                                                  • Avira URL Cloud: safe
                                                                                                                                  unknown
                                                                                                                                  https://steamcommunity.com/profiles/76561199609719039BGj8P0mbklo.exe, 00000000.00000002.2152455570.0000000002794000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                    high
                                                                                                                                    https://steamcommunity.com/workshop/Gj8P0mbklo.exe, 00000000.00000002.2152455570.0000000002805000.00000004.00000020.00020000.00000000.sdmp, Gj8P0mbklo.exe, 00000000.00000003.2083094344.0000000002803000.00000004.00000020.00020000.00000000.sdmp, 76561199609719039[1].htm.0.drfalse
                                                                                                                                      high
                                                                                                                                      https://login.steampowered.com/Gj8P0mbklo.exe, 00000000.00000003.2077523999.00000000027C8000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                        high
                                                                                                                                        https://store.steampowered.com/legal/Gj8P0mbklo.exe, 00000000.00000002.2152455570.0000000002805000.00000004.00000020.00020000.00000000.sdmp, Gj8P0mbklo.exe, 00000000.00000003.2083094344.0000000002803000.00000004.00000020.00020000.00000000.sdmp, 76561199609719039[1].htm.0.drfalse
                                                                                                                                          high
                                                                                                                                          https://community.akamai.steamstatic.com/public/javascript/reportedcontent.js?v=dAtjbcZMWhSe&l=eGj8P0mbklo.exe, 00000000.00000002.2152455570.0000000002805000.00000004.00000020.00020000.00000000.sdmp, Gj8P0mbklo.exe, 00000000.00000003.2083094344.0000000002803000.00000004.00000020.00020000.00000000.sdmp, 76561199609719039[1].htm.0.drfalse
                                                                                                                                            high
                                                                                                                                            https://community.akamai.steamstatic.com/public/css/applications/community/main.css?v=tIrWyaxi8ABA&aGj8P0mbklo.exe, 00000000.00000002.2152455570.0000000002805000.00000004.00000020.00020000.00000000.sdmp, Gj8P0mbklo.exe, 00000000.00000003.2083094344.0000000002803000.00000004.00000020.00020000.00000000.sdmp, 76561199609719039[1].htm.0.drfalse
                                                                                                                                              high
                                                                                                                                              https://community.akamai.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=pSvGj8P0mbklo.exe, 00000000.00000002.2152455570.0000000002805000.00000004.00000020.00020000.00000000.sdmp, Gj8P0mbklo.exe, 00000000.00000003.2083094344.0000000002803000.00000004.00000020.00020000.00000000.sdmp, 76561199609719039[1].htm.0.drfalse
                                                                                                                                                high
                                                                                                                                                https://community.akamai.steamstatic.com/public/shared/css/motiva_sans.css?v=-DH0xTYpnVe2&l=engl76561199609719039[1].htm.0.drfalse
                                                                                                                                                  high
                                                                                                                                                  https://www.google.com/images/branding/product/ico/googleg_lodp.icoGj8P0mbklo.exe, 00000000.00000003.2108844417.0000000005138000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                    high
                                                                                                                                                    https://dervinko.biz/Up/byDllcGj8P0mbklo.exe, 00000000.00000003.2151751922.000000000509F000.00000004.00000020.00020000.00000000.sdmp, Gj8P0mbklo.exe, 00000000.00000003.2151712465.0000000005090000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                    • Avira URL Cloud: safe
                                                                                                                                                    unknown
                                                                                                                                                    https://recaptcha.netGj8P0mbklo.exe, 00000000.00000003.2077523999.00000000027C8000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                    • URL Reputation: safe
                                                                                                                                                    unknown
                                                                                                                                                    https://store.steampowered.com/76561199609719039[1].htm.0.drfalse
                                                                                                                                                      high
                                                                                                                                                      https://community.akamai.steamstatic.com/public/javascript/prototype-1.7.js?v=.55t44gwuwgvwGj8P0mbklo.exe, 00000000.00000002.2152455570.0000000002805000.00000004.00000020.00020000.00000000.sdmp, Gj8P0mbklo.exe, 00000000.00000003.2083094344.0000000002803000.00000004.00000020.00020000.00000000.sdmp, 76561199609719039[1].htm.0.drfalse
                                                                                                                                                        high
                                                                                                                                                        https://community.akamai.steamstatic.com/public/images/skin_1/arrowDn9x5.gifGj8P0mbklo.exe, 00000000.00000002.2152455570.0000000002805000.00000004.00000020.00020000.00000000.sdmp, Gj8P0mbklo.exe, 00000000.00000003.2083094344.0000000002803000.00000004.00000020.00020000.00000000.sdmp, 76561199609719039[1].htm.0.drfalse
                                                                                                                                                          high
                                                                                                                                                          http://127.0.0.1:27060Gj8P0mbklo.exe, 00000000.00000003.2077523999.00000000027C8000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                          • 0%, Virustotal, Browse
                                                                                                                                                          • Avira URL Cloud: safe
                                                                                                                                                          unknown
                                                                                                                                                          https://steamcommunity.com/profiles/76561199609719039/inventory/Gj8P0mbklo.exe, 00000000.00000002.2152455570.0000000002805000.00000004.00000020.00020000.00000000.sdmp, Gj8P0mbklo.exe, 00000000.00000003.2083094344.0000000002803000.00000004.00000020.00020000.00000000.sdmp, 76561199609719039[1].htm.0.drfalse
                                                                                                                                                            high
                                                                                                                                                            https://community.akamai.steamstatic.com/public/css/skin_1/modalContent.css?v=.TP5s6TzX6LLhGj8P0mbklo.exe, 00000000.00000002.2152455570.0000000002805000.00000004.00000020.00020000.00000000.sdmp, Gj8P0mbklo.exe, 00000000.00000003.2083094344.0000000002803000.00000004.00000020.00020000.00000000.sdmp, 76561199609719039[1].htm.0.drfalse
                                                                                                                                                              high
                                                                                                                                                              https://community.akamai.steamstatic.com/public/javascript/webui/clientcom.js?v=KyfgrihL0xta&l=eGj8P0mbklo.exe, 00000000.00000002.2152455570.0000000002805000.00000004.00000020.00020000.00000000.sdmp, Gj8P0mbklo.exe, 00000000.00000003.2083094344.0000000002803000.00000004.00000020.00020000.00000000.sdmp, 76561199609719039[1].htm.0.drfalse
                                                                                                                                                                high
                                                                                                                                                                https://ac.ecosia.org/autocomplete?q=Gj8P0mbklo.exe, 00000000.00000003.2108844417.0000000005138000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                  high
IP | Domain | Country | ASN | ASN Name | Malicious
23.61.62.148 | steamcommunity.com | United States | 16625 | AKAMAI-ASUS | false
104.21.13.203 | dervinko.biz | United States | 13335 | CLOUDFLARENETUS | false
Joe Sandbox version: 40.0.0 Tourmaline
Analysis ID: 1436772
Start date and time: 2024-05-06 15:19:09 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 4m 18s
Hypervisor based Inspection enabled: false
Report type: light
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed: 7
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: Gj8P0mbklo.exe
renamed because original name is a hash value
Original Sample Name: f7d15a3027d3a430511630c91898c72b91b5fb42bf99315cc5a5ef009a473835.exe
Detection: MAL
Classification: mal84.troj.spyw.winEXE@1/2@2/2
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 99%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
• TCP Packets have been reduced to 100
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• HTTPS proxy raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryAttributesFile calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
No simulations
                                                                                                                                                                  No context
                                                                                                                                                                  Process:C:\Users\user\Desktop\Gj8P0mbklo.exe
                                                                                                                                                                  File Type:HTML document, Unicode text, UTF-8 text, with very long lines (2969), with CRLF, LF line terminators
                                                                                                                                                                  Category:dropped
                                                                                                                                                                  Size (bytes):34789
                                                                                                                                                                  Entropy (8bit):5.386073524863294
                                                                                                                                                                  Encrypted:false
                                                                                                                                                                  SSDEEP:768:/dpqm+0Ih3YAA9CWGEmfcDAfPzzgiJmDzJtxvrfJkPVoEAdmPzzgiJmDzJtxvJ2w:/d8m+0Ih3YAA9CWGEmFfPzzgiJmDzJtT
                                                                                                                                                                  MD5:A3CECEDB9036A82F050828BAA42E21D0
                                                                                                                                                                  SHA1:B4DE8B997C26E3CEAEB0C647B593E131E21BC6DB
                                                                                                                                                                  SHA-256:75F75C4403BFE3AFD61DDF8898252F488713CE759C5B3E08AD15657158912B6C
                                                                                                                                                                  SHA-512:7BA36300556F6BD255A6D414C70C032C276A72558F1457BEF08537B5A640A50D50C9A124736638696812A19A23C01722F4013DC96746567063053FC9A5C00949
                                                                                                                                                                  Malicious:false
                                                                                                                                                                  Reputation:low
                                                                                                                                                                  Preview:<!DOCTYPE html>..<html class=" responsive" lang="en">..<head>...<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">.....<meta name="viewport" content="width=device-width,initial-scale=1">....<meta name="theme-color" content="#171a21">....<title>Steam Community :: 3e3 aHR0cHM6Ly9kZXJ2aW5rby5iaXo=</title>...<link rel="shortcut icon" href="/favicon.ico" type="image/x-icon">...........<link href="https://community.akamai.steamstatic.com/public/shared/css/motiva_sans.css?v=-DH0xTYpnVe2&amp;l=english" rel="stylesheet" type="text/css" >.<link href="https://community.akamai.steamstatic.com/public/shared/css/buttons.css?v=PUJIfhtcQn7W&amp;l=english" rel="stylesheet" type="text/css" >.<link href="https://community.akamai.steamstatic.com/public/shared/css/shared_global.css?v=SPpMitTYp6ku&amp;l=english" rel="stylesheet" type="text/css" >.<link href="https://community.akamai.steamstatic.com/public/css/globalv2.css?v=PAcV2zMBzzSV&amp;l=english" rel="stylesheet" type="text/css" >.<lin
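Analyst note, added here and not part of the Joe Sandbox report: the <title> of this dropped Steam Community page reads "Steam Community :: 3e3 aHR0cHM6Ly9kZXJ2aW5rby5iaXo=", and the second token of the persona name is base64 that decodes literally to https://dervinko.biz. Publishing a C2 address in a Steam profile name is a dead-drop-resolver pattern used by several stealer families, but nothing in this report confirms that host is the sample's C2; treat it as an indicator to pivot on, not a verified one. The Python below is an example written for this page (function names are the editor's own) that pulls and validates such a token from the page markup; the sample HTML is a constructed, trimmed copy of the Preview field above.

```python
import base64
import binascii
import re
from html import unescape
from typing import Optional
from urllib.parse import urlsplit

# Constructed input: the opening of the dropped HTML file, trimmed from the
# report's Preview field (whitespace normalised; only <title> matters here).
SAMPLE_HTML = (
    '<!DOCTYPE html><html class=" responsive" lang="en"><head>'
    '<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">'
    '<title>Steam Community :: 3e3 aHR0cHM6Ly9kZXJ2aW5rby5iaXo=</title>'
    '<link rel="shortcut icon" href="/favicon.ico" type="image/x-icon">'
    '</head></html>'
)

TITLE_RE = re.compile(r"<title>(.*?)</title>", re.IGNORECASE | re.DOTALL)
# Base64 alphabet, at least 8 chars, up to two '=' pads.  Short tokens such
# as "3e3" are rejected before any decode attempt.
B64_RE = re.compile(r"^[A-Za-z0-9+/]{8,}={0,2}$")


def steam_persona_name(html: str) -> Optional[str]:
    """Return the persona name from a Steam Community profile <title>.

    Steam renders profile pages with the title 'Steam Community :: <name>'.
    """
    m = TITLE_RE.search(html)
    if not m:
        return None
    title = unescape(m.group(1)).strip()
    prefix, sep, name = title.partition("::")
    if not sep or prefix.strip() != "Steam Community":
        return None
    return name.strip()


def decode_b64_url(token: str) -> Optional[str]:
    """Strictly base64-decode a token; accept it only if it is an http(s) URL."""
    if not B64_RE.match(token) or len(token) % 4:
        return None
    try:
        raw = base64.b64decode(token, validate=True)
    except binascii.Error:
        return None
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError:
        return None
    if not text.isprintable():
        return None
    parts = urlsplit(text)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    return text


def extract_dead_drop_url(html: str) -> Optional[str]:
    """First base64-encoded http(s) URL found in the profile's persona name, or None."""
    name = steam_persona_name(html)
    if name is None:
        return None
    for token in name.split():
        url = decode_b64_url(token)
        if url:
            return url
    return None


if __name__ == "__main__":
    print(steam_persona_name(SAMPLE_HTML))
    print(extract_dead_drop_url(SAMPLE_HTML))
```

The strict decode (validate=True, length a multiple of four, printable ASCII, http(s) scheme with a host) is what keeps this from producing junk on ordinary persona names; a name such as "plainname" passes the alphabet check but fails the length and URL checks and yields None.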
                                                                                                                                                                  Process:C:\Users\user\Desktop\Gj8P0mbklo.exe
                                                                                                                                                                  File Type:ASCII text, with very long lines (47680), with no line terminators
                                                                                                                                                                  Category:dropped
                                                                                                                                                                  Size (bytes):47680
                                                                                                                                                                  Entropy (8bit):5.362966359018906
                                                                                                                                                                  Encrypted:false
                                                                                                                                                                  SSDEEP:768:vzsNZzFhOnDMIf19+kXSV0brSxnb22fnc6KWWhv6GYcnvabaMi9idvbU0nagalQb:v0zPO9f1ouYgLvRMymbU0ni4xKjo
                                                                                                                                                                  MD5:0B236AC4395E5E40F5AB3140CB892115
                                                                                                                                                                  SHA1:9AC2290905D9996E95291C84E14FF1006BFEE483
                                                                                                                                                                  SHA-256:ECB0B0F87288C16207310A58C67A25AC557A54FA328E74F592C051F1C44176FB
                                                                                                                                                                  SHA-512:87422C27CD7039C6A15CE32DE54E7733075F000A099191BE456594F2730F25559BB32862FE189159C2A8FADB3A52C863E052A44F66CE3CA24968A95FCE4F7E09
                                                                                                                                                                  Malicious:false
                                                                                                                                                                  Reputation:low
Preview:
                                                                                                                                                                  File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                  Entropy (8bit):6.621191048042736
                                                                                                                                                                  TrID:
                                                                                                                                                                  • Win32 Executable (generic) a (10002005/4) 99.96%
                                                                                                                                                                  • Generic Win/DOS Executable (2004/3) 0.02%
                                                                                                                                                                  • DOS Executable Generic (2002/1) 0.02%
                                                                                                                                                                  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                                                                                                                  File name:Gj8P0mbklo.exe
                                                                                                                                                                  File size:362'496 bytes
                                                                                                                                                                  MD5:bad3fa5127efcc9c678c5d71fce0d0b2
                                                                                                                                                                  SHA1:c5f49dd54b71eaf4e1ba3a9fdfc51c7fb8afbea8
                                                                                                                                                                  SHA256:f7d15a3027d3a430511630c91898c72b91b5fb42bf99315cc5a5ef009a473835
                                                                                                                                                                  SHA512:5b6d5efa4dcf49a43e992652194d45a407e9482dcd21ff887ae709a98944c21d6b7ea67dc518493c0416e3fd2ee38ed0f02c3b75a762b6784af14f0ce69e78ab
                                                                                                                                                                  SSDEEP:6144:5OvAYHNayUljnWrd+VKTEK/AeI8eajd8j4xET4YAOqz/B:5mjNadljnWrd+V0EXzS+4CTNo7B
                                                                                                                                                                  TLSH:81747E11F182C032D4A202B11A65EFB696BCA93057A29CEF6BD05E7BDD342D26531F37
                                                                                                                                                                  File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......K...............D.......D.......D.......@...D...@.......@.......D.......................................Rich...................
                                                                                                                                                                  Icon Hash:00928e8e8686b000
                                                                                                                                                                  Entrypoint:0x425140
                                                                                                                                                                  Entrypoint Section:.text
                                                                                                                                                                  Digitally signed:false
                                                                                                                                                                  Imagebase:0x400000
                                                                                                                                                                  Subsystem:windows gui
                                                                                                                                                                  Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE, REMOVABLE_RUN_FROM_SWAP
                                                                                                                                                                  DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
                                                                                                                                                                  Time Stamp:0x66115E48 [Sat Apr 6 14:38:00 2024 UTC]
                                                                                                                                                                  TLS Callbacks:
                                                                                                                                                                  CLR (.Net) Version:
                                                                                                                                                                  OS Version Major:6
                                                                                                                                                                  OS Version Minor:0
                                                                                                                                                                  File Version Major:6
                                                                                                                                                                  File Version Minor:0
                                                                                                                                                                  Subsystem Version Major:6
                                                                                                                                                                  Subsystem Version Minor:0
                                                                                                                                                                  Import Hash:2897cecb00338038ddfd70ec9000340f
Instruction (disassembly from the entrypoint, 0x425140)
                                                                                                                                                                  call 00007FBA6CC321B0h
                                                                                                                                                                  jmp 00007FBA6CC31B6Eh
                                                                                                                                                                  and dword ptr [ecx+04h], 00000000h
                                                                                                                                                                  mov eax, ecx
                                                                                                                                                                  and dword ptr [ecx+08h], 00000000h
                                                                                                                                                                  mov dword ptr [ecx+04h], 00446568h
                                                                                                                                                                  mov dword ptr [ecx], 00446560h
                                                                                                                                                                  ret
                                                                                                                                                                  push ebp
                                                                                                                                                                  mov ebp, esp
                                                                                                                                                                  sub esp, 0Ch
                                                                                                                                                                  lea ecx, dword ptr [ebp-0Ch]
                                                                                                                                                                  call 00007FBA6CC31CDFh
                                                                                                                                                                  push 0045527Ch
                                                                                                                                                                  lea eax, dword ptr [ebp-0Ch]
                                                                                                                                                                  push eax
                                                                                                                                                                  call 00007FBA6CC33095h
                                                                                                                                                                  int3
                                                                                                                                                                  push ebp
                                                                                                                                                                  mov ebp, esp
                                                                                                                                                                  and dword ptr [00458278h], 00000000h
                                                                                                                                                                  sub esp, 24h
                                                                                                                                                                  or dword ptr [0045700Ch], 01h
                                                                                                                                                                  push 0000000Ah
                                                                                                                                                                  call dword ptr [00446070h]
                                                                                                                                                                  test eax, eax
                                                                                                                                                                  je 00007FBA6CC31EB2h
                                                                                                                                                                  and dword ptr [ebp-10h], 00000000h
                                                                                                                                                                  xor eax, eax
                                                                                                                                                                  push ebx
                                                                                                                                                                  push esi
                                                                                                                                                                  push edi
                                                                                                                                                                  xor ecx, ecx
                                                                                                                                                                  lea edi, dword ptr [ebp-24h]
                                                                                                                                                                  push ebx
                                                                                                                                                                  cpuid
                                                                                                                                                                  mov esi, ebx
                                                                                                                                                                  pop ebx
                                                                                                                                                                  nop
                                                                                                                                                                  mov dword ptr [edi], eax
                                                                                                                                                                  mov dword ptr [edi+04h], esi
                                                                                                                                                                  mov dword ptr [edi+08h], ecx
                                                                                                                                                                  xor ecx, ecx
                                                                                                                                                                  mov dword ptr [edi+0Ch], edx
                                                                                                                                                                  mov eax, dword ptr [ebp-24h]
                                                                                                                                                                  mov edi, dword ptr [ebp-20h]
                                                                                                                                                                  mov dword ptr [ebp-0Ch], eax
                                                                                                                                                                  xor edi, 756E6547h
                                                                                                                                                                  mov eax, dword ptr [ebp-18h]
                                                                                                                                                                  xor eax, 49656E69h
                                                                                                                                                                  mov dword ptr [ebp-04h], eax
                                                                                                                                                                  mov eax, dword ptr [ebp-1Ch]
                                                                                                                                                                  xor eax, 6C65746Eh
                                                                                                                                                                  mov dword ptr [ebp-08h], eax
                                                                                                                                                                  xor eax, eax
                                                                                                                                                                  inc eax
                                                                                                                                                                  push ebx
                                                                                                                                                                  cpuid
                                                                                                                                                                  mov esi, ebx
                                                                                                                                                                  pop ebx
                                                                                                                                                                  nop
                                                                                                                                                                  lea ebx, dword ptr [ebp-24h]
                                                                                                                                                                  mov dword ptr [ebx], eax
                                                                                                                                                                  mov eax, dword ptr [ebp-04h]
                                                                                                                                                                  or eax, dword ptr [ebp-08h]
                                                                                                                                                                  or eax, edi
                                                                                                                                                                  mov dword ptr [ebx+04h], esi
                                                                                                                                                                  mov dword ptr [ebx+08h], ecx
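Editor's note with an added example, not from the report: the three XOR constants 756E6547h, 49656E69h and 6C65746Eh are the little-endian dwords of the CPUID leaf-0 vendor string "GenuineIntel" (EBX, EDX, ECX order), and the preceding push 0000000Ah / call dword ptr [...] has the shape of IsProcessorFeaturePresent(PF_XMMI64_INSTRUCTIONS_AVAILABLE, value 10). That is the MSVC runtime's ISA-availability initialisation (__isa_available_init), present in essentially every recent Visual C++ build, so the "query CPU information (cpuid)" signature above is not by itself evidence of VM or sandbox detection. The Python below is a small helper written for this page (names are the editor's own) for making that call quickly: it scans a disassembly listing for 32-bit immediates whose bytes are printable ASCII and matches them against known CPUID vendor strings. The listing is a constructed slice of the instructions above.

```python
import re
import struct
from typing import List, Tuple

# Constructed input: six lines taken from the entrypoint disassembly above.
LISTING = """\
mov dword ptr [ecx+04h], 00446568h
push 0000000Ah
call dword ptr [00446070h]
xor edi, 756E6547h
xor eax, 49656E69h
xor eax, 6C65746Eh
"""

# Exactly eight hex digits followed by the 'h' suffix used in the listing;
# 16-digit (64-bit) addresses and short displacements such as 24h do not match.
IMM_RE = re.compile(r"\b([0-9A-Fa-f]{8})h\b")

# CPUID leaf 0 returns the vendor string as three dwords: EBX, EDX, ECX.
KNOWN_VENDORS = ("GenuineIntel", "AuthenticAMD")


def ascii_immediates(listing: str) -> List[Tuple[int, str]]:
    """Return (line_no, text) for every 32-bit immediate whose little-endian
    bytes are four printable ASCII characters.

    Pointers such as 00446568h contain a 0x00 byte and are filtered out, which
    is what separates real string constants from addresses in the same listing.
    """
    hits = []
    for n, line in enumerate(listing.splitlines(), 1):
        for m in IMM_RE.finditer(line):
            raw = struct.pack("<I", int(m.group(1), 16))
            if all(0x20 <= b < 0x7F for b in raw):
                hits.append((n, raw.decode("ascii")))
    return hits


def cpuid_vendor_checks(listing: str) -> List[str]:
    """Vendor strings whose three dwords all appear as immediates in the listing."""
    found = {text for _, text in ascii_immediates(listing)}
    return sorted(v for v in KNOWN_VENDORS if {v[0:4], v[4:8], v[8:12]} <= found)


def vendor_string(listing: str) -> str:
    """Concatenate the printable immediates in listing order (here: 'GenuineIntel')."""
    return "".join(text for _, text in ascii_immediates(listing))


if __name__ == "__main__":
    for line_no, text in ascii_immediates(LISTING):
        print(f"line {line_no}: {text!r}")
    print(cpuid_vendor_checks(LISTING))
```

Run it over a full listing and a "GenuineIntel"/"AuthenticAMD" comparison immediately after two cpuid instructions is the CRT fingerprint; a comparison against hypervisor vendor strings (for example "KVMKVMKVM" or "VMwareVMware") in the same position would be the thing actually worth flagging.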
Data Directories
Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0x55aa8          0x64          .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE        0x0              0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0x59000          0x2554        .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG           0x54078          0x38          .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x53fb8          0x40          .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x46000          0x168         .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x0              0x0
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x4496a | 0x44a00 | 6b6f1993190b3eaf82f607fed3374fc8 | False | 0.5182327242714025 | data | 6.601561733279373 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x46000 | 0x102ee | 0x10400 | 1e6dbecf754d7dd193b7e04220f82d31 | False | 0.5084735576923077 | data | 5.746131858736808 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x57000 | 0x1cc4 | 0x1000 | 24b02a7a00e869dc523bbcf409d4920b | False | 0.18701171875 | data | 3.063889339206937 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.reloc | 0x59000 | 0x2554 | 0x2600 | a0a7de2fc21f5b1845c1b665768ca164 | False | 0.7729235197368421 | data | 6.576489949652338 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
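A quick self-consistency check on the section table above, as an added example (editor-supplied code, not part of the Joe Sandbox report). It takes the four rows as transcribed from the table and verifies that the sections are laid out back to back in memory, that raw sizes agree with the file alignment, and that no section is both writable and executable or has packer-like entropy in code. The 0x1000 section alignment and 0x200 file alignment are assumptions (the report does not print the optional header), as is the 7.0 entropy threshold, which is a rule of thumb rather than a fixed rule.

```python
"""Sanity checks on the PE section table of the analysed sample.

Added example, not part of the Joe Sandbox report. The rows below are
transcribed from the section table above. SECTION_ALIGNMENT and
FILE_ALIGNMENT are assumptions (typical MSVC PE32 values); the report
does not print the optional header.
"""

SECTION_ALIGNMENT = 0x1000  # assumed
FILE_ALIGNMENT = 0x200      # assumed
PACKED_ENTROPY = 7.0        # heuristic threshold, assumption

# (name, virtual address, virtual size, raw size, entropy, characteristics)
SECTIONS = [
    (".text",  0x1000,  0x4496a, 0x44a00, 6.6016, {"CODE", "EXECUTE", "READ"}),
    (".rdata", 0x46000, 0x102ee, 0x10400, 5.7461, {"INITIALIZED_DATA", "READ"}),
    (".data",  0x57000, 0x1cc4,  0x1000,  3.0639, {"INITIALIZED_DATA", "READ", "WRITE"}),
    (".reloc", 0x59000, 0x2554,  0x2600,  6.5765, {"INITIALIZED_DATA", "DISCARDABLE", "READ"}),
]


def align_up(value, alignment):
    """Round value up to the next multiple of a power-of-two alignment."""
    return (value + alignment - 1) & ~(alignment - 1)


def check_sections(sections, sect_align=SECTION_ALIGNMENT, file_align=FILE_ALIGNMENT):
    """Return (section, finding) pairs; an empty list means the layout is self-consistent."""
    findings = []
    expected_va = sections[0][1]
    for name, va, vsize, rsize, entropy, chars in sections:
        # Sections must follow each other in memory at section-alignment granularity.
        if va != expected_va:
            findings.append((name, f"virtual address 0x{va:x}, expected 0x{expected_va:x}"))
        expected_va = va + align_up(vsize, sect_align)
        # Raw size is the virtual size rounded to file alignment, except where part of
        # the section is uninitialised (raw smaller than virtual, as for .data here).
        if rsize % file_align:
            findings.append((name, f"raw size 0x{rsize:x} is not a multiple of file alignment"))
        if rsize > align_up(vsize, file_align):
            findings.append((name, f"raw size 0x{rsize:x} exceeds aligned virtual size"))
        if "EXECUTE" in chars and "WRITE" in chars:
            findings.append((name, "writable and executable section"))
        if "EXECUTE" in chars and entropy > PACKED_ENTROPY:
            findings.append((name, f"packed or encrypted code suspected (entropy {entropy:.2f})"))
    return findings


def expected_size_of_image(sections, sect_align=SECTION_ALIGNMENT):
    """SizeOfImage implied by the table: end of the last section, section-aligned."""
    _name, va, vsize, _rsize, _entropy, _chars = sections[-1]
    return align_up(va + vsize, sect_align)


if __name__ == "__main__":
    for name, finding in check_sections(SECTIONS) or [("-", "no findings")]:
        print(f"{name:8} {finding}")
    print(f"implied SizeOfImage: 0x{expected_size_of_image(SECTIONS):x}")
```

Running it against the table produces no findings, which is a useful cross-check that the section values were transcribed correctly; the implied SizeOfImage (0x5c000) is the value to compare against the optional header if the full PE is at hand.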
DLL | Import
KERNEL32.dll | MultiByteToWideChar, HeapFree, OutputDebugStringA, lstrlenA, Sleep, GetTempPathA, HeapAlloc, GetProcessHeap, GetModuleHandleW, FreeLibrary, GetNativeSystemInfo, ExitProcess, TerminateProcess, OpenProcess, CreateToolhelp32Snapshot, Process32NextW, Process32FirstW, CloseHandle, WideCharToMultiByte, HeapSize, SetEnvironmentVariableW, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetOEMCP, GetACP, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, IsProcessorFeaturePresent, IsDebuggerPresent, GetStartupInfoW, QueryPerformanceCounter, GetCurrentProcessId, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, GetStringTypeW, InitializeCriticalSectionEx, GetProcAddress, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, EncodePointer, DecodePointer, LCMapStringEx, GetCPInfo, RaiseException, RtlUnwind, GetLastError, SetLastError, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, LoadLibraryExW, SetEndOfFile, CreateFileW, GetFileType, GetModuleHandleExW, GetModuleFileNameW, GetStdHandle, WriteFile, GetCommandLineA, GetCommandLineW, SetStdHandle, GetConsoleOutputCP, GetConsoleMode, SetFilePointerEx, CompareStringW, LCMapStringW, GetLocaleInfoW, IsValidLocale, GetUserDefaultLCID, EnumSystemLocalesW, GetTimeZoneInformation, FlushFileBuffers, HeapReAlloc, FindClose, FindFirstFileExW, FindNextFileW, IsValidCodePage, WriteConsoleW
SHELL32.dll | SHGetFolderPathA
WININET.dll | InternetWriteFile
SHLWAPI.dll | PathMatchSpecA
Timestamp | Source Port | Dest Port | Source IP | Dest IP
May 6, 2024 15:19:55.149740934 CEST | 49699 | 443 | 192.168.2.6 | 23.61.62.148
May 6, 2024 15:19:55.149780989 CEST | 443 | 49699 | 23.61.62.148 | 192.168.2.6
May 6, 2024 15:19:55.149878979 CEST | 49699 | 443 | 192.168.2.6 | 23.61.62.148
May 6, 2024 15:19:55.161875963 CEST | 49699 | 443 | 192.168.2.6 | 23.61.62.148
May 6, 2024 15:19:55.161890984 CEST | 443 | 49699 | 23.61.62.148 | 192.168.2.6
May 6, 2024 15:19:55.391609907 CEST | 443 | 49699 | 23.61.62.148 | 192.168.2.6
May 6, 2024 15:19:55.391819954 CEST | 49699 | 443 | 192.168.2.6 | 23.61.62.148
May 6, 2024 15:19:55.444205999 CEST | 49699 | 443 | 192.168.2.6 | 23.61.62.148
May 6, 2024 15:19:55.444225073 CEST | 443 | 49699 | 23.61.62.148 | 192.168.2.6
May 6, 2024 15:19:55.444700956 CEST | 443 | 49699 | 23.61.62.148 | 192.168.2.6
May 6, 2024 15:19:55.444834948 CEST | 49699 | 443 | 192.168.2.6 | 23.61.62.148
May 6, 2024 15:19:55.449176073 CEST | 49699 | 443 | 192.168.2.6 | 23.61.62.148
May 6, 2024 15:19:55.496125937 CEST | 443 | 49699 | 23.61.62.148 | 192.168.2.6
May 6, 2024 15:19:55.838845015 CEST | 443 | 49699 | 23.61.62.148 | 192.168.2.6
May 6, 2024 15:19:55.838876009 CEST | 443 | 49699 | 23.61.62.148 | 192.168.2.6
May 6, 2024 15:19:55.838912010 CEST | 443 | 49699 | 23.61.62.148 | 192.168.2.6
May 6, 2024 15:19:55.839104891 CEST | 49699 | 443 | 192.168.2.6 | 23.61.62.148
May 6, 2024 15:19:55.839135885 CEST | 443 | 49699 | 23.61.62.148 | 192.168.2.6
May 6, 2024 15:19:55.839184046 CEST | 49699 | 443 | 192.168.2.6 | 23.61.62.148
May 6, 2024 15:19:55.962378979 CEST | 443 | 49699 | 23.61.62.148 | 192.168.2.6
May 6, 2024 15:19:55.962412119 CEST | 443 | 49699 | 23.61.62.148 | 192.168.2.6
May 6, 2024 15:19:55.962541103 CEST | 49699 | 443 | 192.168.2.6 | 23.61.62.148
May 6, 2024 15:19:55.962568045 CEST | 443 | 49699 | 23.61.62.148 | 192.168.2.6
May 6, 2024 15:19:55.962582111 CEST | 49699 | 443 | 192.168.2.6 | 23.61.62.148
May 6, 2024 15:19:55.962610960 CEST | 49699 | 443 | 192.168.2.6 | 23.61.62.148
May 6, 2024 15:19:55.967142105 CEST | 443 | 49699 | 23.61.62.148 | 192.168.2.6
May 6, 2024 15:19:55.967272043 CEST | 49699 | 443 | 192.168.2.6 | 23.61.62.148
May 6, 2024 15:19:55.967281103 CEST | 443 | 49699 | 23.61.62.148 | 192.168.2.6
May 6, 2024 15:19:55.967377901 CEST | 49699 | 443 | 192.168.2.6 | 23.61.62.148
May 6, 2024 15:19:55.972943068 CEST | 49699 | 443 | 192.168.2.6 | 23.61.62.148
May 6, 2024 15:19:55.972974062 CEST | 443 | 49699 | 23.61.62.148 | 192.168.2.6
May 6, 2024 15:19:56.155708075 CEST | 49700 | 443 | 192.168.2.6 | 104.21.13.203
May 6, 2024 15:19:56.155756950 CEST | 443 | 49700 | 104.21.13.203 | 192.168.2.6
May 6, 2024 15:19:56.155839920 CEST | 49700 | 443 | 192.168.2.6 | 104.21.13.203
May 6, 2024 15:19:56.156408072 CEST | 49700 | 443 | 192.168.2.6 | 104.21.13.203
May 6, 2024 15:19:56.156419992 CEST | 443 | 49700 | 104.21.13.203 | 192.168.2.6
May 6, 2024 15:19:56.393218040 CEST | 443 | 49700 | 104.21.13.203 | 192.168.2.6
May 6, 2024 15:19:56.393338919 CEST | 49700 | 443 | 192.168.2.6 | 104.21.13.203
May 6, 2024 15:19:56.398700953 CEST | 49700 | 443 | 192.168.2.6 | 104.21.13.203
May 6, 2024 15:19:56.398711920 CEST | 443 | 49700 | 104.21.13.203 | 192.168.2.6
May 6, 2024 15:19:56.399003029 CEST | 443 | 49700 | 104.21.13.203 | 192.168.2.6
May 6, 2024 15:19:56.399066925 CEST | 49700 | 443 | 192.168.2.6 | 104.21.13.203
May 6, 2024 15:19:56.405627012 CEST | 49700 | 443 | 192.168.2.6 | 104.21.13.203
May 6, 2024 15:19:56.448128939 CEST | 443 | 49700 | 104.21.13.203 | 192.168.2.6
May 6, 2024 15:19:56.896373987 CEST | 443 | 49700 | 104.21.13.203 | 192.168.2.6
May 6, 2024 15:19:56.896470070 CEST | 443 | 49700 | 104.21.13.203 | 192.168.2.6
May 6, 2024 15:19:56.896505117 CEST | 49700 | 443 | 192.168.2.6 | 104.21.13.203
May 6, 2024 15:19:56.896516085 CEST | 443 | 49700 | 104.21.13.203 | 192.168.2.6
May 6, 2024 15:19:56.896526098 CEST | 49700 | 443 | 192.168.2.6 | 104.21.13.203
May 6, 2024 15:19:56.896562099 CEST | 49700 | 443 | 192.168.2.6 | 104.21.13.203
May 6, 2024 15:19:56.896565914 CEST | 443 | 49700 | 104.21.13.203 | 192.168.2.6
May 6, 2024 15:19:56.896601915 CEST | 49700 | 443 | 192.168.2.6 | 104.21.13.203
May 6, 2024 15:19:56.896605015 CEST | 443 | 49700 | 104.21.13.203 | 192.168.2.6
May 6, 2024 15:19:56.896637917 CEST | 49700 | 443 | 192.168.2.6 | 104.21.13.203
May 6, 2024 15:19:56.896641016 CEST | 443 | 49700 | 104.21.13.203 | 192.168.2.6
May 6, 2024 15:19:56.896672964 CEST | 49700 | 443 | 192.168.2.6 | 104.21.13.203
May 6, 2024 15:19:56.896675110 CEST | 443 | 49700 | 104.21.13.203 | 192.168.2.6
May 6, 2024 15:19:56.896708012 CEST | 49700 | 443 | 192.168.2.6 | 104.21.13.203
May 6, 2024 15:19:56.896709919 CEST | 443 | 49700 | 104.21.13.203 | 192.168.2.6
May 6, 2024 15:19:56.896742105 CEST | 443 | 49700 | 104.21.13.203 | 192.168.2.6
May 6, 2024 15:19:56.896752119 CEST | 49700 | 443 | 192.168.2.6 | 104.21.13.203
May 6, 2024 15:19:56.896754980 CEST | 443 | 49700 | 104.21.13.203 | 192.168.2.6
May 6, 2024 15:19:56.896773100 CEST | 49700 | 443 | 192.168.2.6 | 104.21.13.203
May 6, 2024 15:19:56.896800995 CEST | 49700 | 443 | 192.168.2.6 | 104.21.13.203
May 6, 2024 15:19:56.896804094 CEST | 443 | 49700 | 104.21.13.203 | 192.168.2.6
May 6, 2024 15:19:56.896837950 CEST | 49700 | 443 | 192.168.2.6 | 104.21.13.203
May 6, 2024 15:19:56.896841049 CEST | 443 | 49700 | 104.21.13.203 | 192.168.2.6
May 6, 2024 15:19:56.896872997 CEST | 49700 | 443 | 192.168.2.6 | 104.21.13.203
May 6, 2024 15:19:57.005980968 CEST | 443 | 49700 | 104.21.13.203 | 192.168.2.6
May 6, 2024 15:19:57.006058931 CEST | 443 | 49700 | 104.21.13.203 | 192.168.2.6
May 6, 2024 15:19:57.006098032 CEST | 49700 | 443 | 192.168.2.6 | 104.21.13.203
May 6, 2024 15:19:57.006108046 CEST | 443 | 49700 | 104.21.13.203 | 192.168.2.6
May 6, 2024 15:19:57.006123066 CEST | 49700 | 443 | 192.168.2.6 | 104.21.13.203
May 6, 2024 15:19:57.006171942 CEST | 49700 | 443 | 192.168.2.6 | 104.21.13.203
May 6, 2024 15:19:57.006258965 CEST | 443 | 49700 | 104.21.13.203 | 192.168.2.6
May 6, 2024 15:19:57.006299973 CEST | 49700 | 443 | 192.168.2.6 | 104.21.13.203
May 6, 2024 15:19:57.006303072 CEST | 443 | 49700 | 104.21.13.203 | 192.168.2.6
May 6, 2024 15:19:57.006347895 CEST | 49700 | 443 | 192.168.2.6 | 104.21.13.203
May 6, 2024 15:19:57.006350994 CEST | 443 | 49700 | 104.21.13.203 | 192.168.2.6
May 6, 2024 15:19:57.006392956 CEST | 49700 | 443 | 192.168.2.6 | 104.21.13.203
May 6, 2024 15:19:57.006820917 CEST | 443 | 49700 | 104.21.13.203 | 192.168.2.6
May 6, 2024 15:19:57.006869078 CEST | 49700 | 443 | 192.168.2.6 | 104.21.13.203
May 6, 2024 15:19:57.006872892 CEST | 443 | 49700 | 104.21.13.203 | 192.168.2.6
May 6, 2024 15:19:57.006906033 CEST | 49700 | 443 | 192.168.2.6 | 104.21.13.203
May 6, 2024 15:19:57.006917953 CEST | 443 | 49700 | 104.21.13.203 | 192.168.2.6
May 6, 2024 15:19:57.006956100 CEST | 49700 | 443 | 192.168.2.6 | 104.21.13.203
May 6, 2024 15:19:57.006958961 CEST | 443 | 49700 | 104.21.13.203 | 192.168.2.6
May 6, 2024 15:19:57.006994963 CEST | 49700 | 443 | 192.168.2.6 | 104.21.13.203
May 6, 2024 15:19:57.007008076 CEST | 443 | 49700 | 104.21.13.203 | 192.168.2.6
May 6, 2024 15:19:57.007049084 CEST | 49700 | 443 | 192.168.2.6 | 104.21.13.203
May 6, 2024 15:19:57.007666111 CEST | 443 | 49700 | 104.21.13.203 | 192.168.2.6
May 6, 2024 15:19:57.007711887 CEST | 49700 | 443 | 192.168.2.6 | 104.21.13.203
May 6, 2024 15:19:57.007720947 CEST | 443 | 49700 | 104.21.13.203 | 192.168.2.6
May 6, 2024 15:19:57.007752895 CEST | 49700 | 443 | 192.168.2.6 | 104.21.13.203
May 6, 2024 15:19:57.007771969 CEST | 443 | 49700 | 104.21.13.203 | 192.168.2.6
May 6, 2024 15:19:57.007808924 CEST | 49700 | 443 | 192.168.2.6 | 104.21.13.203
May 6, 2024 15:19:57.007812023 CEST | 443 | 49700 | 104.21.13.203 | 192.168.2.6
May 6, 2024 15:19:57.007847071 CEST | 49700 | 443 | 192.168.2.6 | 104.21.13.203
May 6, 2024 15:19:57.007858038 CEST | 443 | 49700 | 104.21.13.203 | 192.168.2.6
May 6, 2024 15:19:57.007891893 CEST | 49700 | 443 | 192.168.2.6 | 104.21.13.203
Timestamp | Source Port | Dest Port | Source IP | Dest IP
May 6, 2024 15:19:55.033732891 CEST | 62546 | 53 | 192.168.2.6 | 1.1.1.1
May 6, 2024 15:19:55.143752098 CEST | 53 | 62546 | 1.1.1.1 | 192.168.2.6
May 6, 2024 15:19:55.987637043 CEST | 53986 | 53 | 192.168.2.6 | 1.1.1.1
May 6, 2024 15:19:56.107733011 CEST | 53 | 53986 | 1.1.1.1 | 192.168.2.6
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
May 6, 2024 15:19:55.033732891 CEST | 192.168.2.6 | 1.1.1.1 | 0xa300 | Standard query (0) | steamcommunity.com | A (IP address) | IN (0x0001) | false
May 6, 2024 15:19:55.987637043 CEST | 192.168.2.6 | 1.1.1.1 | 0x52c | Standard query (0) | dervinko.biz | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
May 6, 2024 15:19:55.143752098 CEST | 1.1.1.1 | 192.168.2.6 | 0xa300 | No error (0) | steamcommunity.com | - | 23.61.62.148 | A (IP address) | IN (0x0001) | false
May 6, 2024 15:19:56.107733011 CEST | 1.1.1.1 | 192.168.2.6 | 0x52c | No error (0) | dervinko.biz | - | 104.21.13.203 | A (IP address) | IN (0x0001) | false
May 6, 2024 15:19:56.107733011 CEST | 1.1.1.1 | 192.168.2.6 | 0x52c | No error (0) | dervinko.biz | - | 172.67.133.22 | A (IP address) | IN (0x0001) | false
• steamcommunity.com
• dervinko.biz
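The packet and DNS tables above are raw records; what an analyst actually wants from them is the list of remote endpoints, which name resolved to each, how much traffic went each way, and which resolved addresses were never contacted. The following is an added example (editor-supplied code, not part of the Joe Sandbox report or of the sample) that derives that summary. The embedded records are a subset of this report's DNS answer and TCP rows transcribed into a pipe-separated form; the function names, the `SANDBOX_HOST` constant and the assumption that a flow to a resolved address was caused by the lookup that returned it are the author's.

```python
"""Correlate sandbox DNS answers with TCP packet rows into an IOC summary.

Added example, not code from the Joe Sandbox report. DNS_ANSWERS and
TCP_PACKETS are a subset of this report's network tables, transcribed
into "a | b | c" rows (assumed layout). The correlation logic and the
SANDBOX_HOST address are assumptions of this example.
"""
from datetime import datetime

DNS_ANSWERS = """\
May 6, 2024 15:19:55.143752098 CEST | 1.1.1.1 | 192.168.2.6 | 0xa300 | No error (0) | steamcommunity.com | 23.61.62.148 | A (IP address) | IN (0x0001)
May 6, 2024 15:19:56.107733011 CEST | 1.1.1.1 | 192.168.2.6 | 0x52c | No error (0) | dervinko.biz | 104.21.13.203 | A (IP address) | IN (0x0001)
May 6, 2024 15:19:56.107733011 CEST | 1.1.1.1 | 192.168.2.6 | 0x52c | No error (0) | dervinko.biz | 172.67.133.22 | A (IP address) | IN (0x0001)
"""

TCP_PACKETS = """\
May 6, 2024 15:19:55.149740934 CEST | 49699 | 443 | 192.168.2.6 | 23.61.62.148
May 6, 2024 15:19:55.149780989 CEST | 443 | 49699 | 23.61.62.148 | 192.168.2.6
May 6, 2024 15:19:55.972943068 CEST | 49699 | 443 | 192.168.2.6 | 23.61.62.148
May 6, 2024 15:19:56.155708075 CEST | 49700 | 443 | 192.168.2.6 | 104.21.13.203
May 6, 2024 15:19:56.155756950 CEST | 443 | 49700 | 104.21.13.203 | 192.168.2.6
May 6, 2024 15:19:57.007891893 CEST | 49700 | 443 | 192.168.2.6 | 104.21.13.203
"""

SANDBOX_HOST = "192.168.2.6"          # the analysis VM, taken from the process rows above
TS_FORMAT = "%b %d, %Y %H:%M:%S.%f"   # report timestamps carry nanoseconds; truncated below


def parse_ts(text):
    """'May 6, 2024 15:19:55.149740934 CEST' -> datetime (microsecond precision, zone dropped)."""
    stamp, _zone = text.rsplit(" ", 1)
    head, frac = stamp.split(".")
    return datetime.strptime(f"{head}.{frac[:6]}", TS_FORMAT)


def split_row(line):
    return [field.strip() for field in line.split("|")]


def resolved_hosts(dns_rows):
    """Map every successfully answered A-record address to the name that resolved to it."""
    hosts = {}
    for line in dns_rows.strip().splitlines():
        _ts, _src, _dst, _txid, rcode, name, address, rtype, _cls = split_row(line)
        if rcode.startswith("No error") and rtype.startswith("A"):
            hosts[address] = name
    return hosts


def summarize_flows(tcp_rows, hosts, local=SANDBOX_HOST):
    """Group packets by remote (ip, port); count directions and record first/last seen."""
    flows = {}
    for line in tcp_rows.strip().splitlines():
        ts, sport, dport, src, dst = split_row(line)
        outbound = src == local
        key = (dst, int(dport)) if outbound else (src, int(sport))
        entry = flows.setdefault(key, {"name": hosts.get(key[0]), "sent": 0,
                                       "received": 0, "first": None, "last": None})
        entry["sent" if outbound else "received"] += 1
        t = parse_ts(ts)
        entry["first"] = t if entry["first"] is None else min(entry["first"], t)
        entry["last"] = t if entry["last"] is None else max(entry["last"], t)
    return flows


def uncontacted_addresses(hosts, flows):
    """Resolved addresses that never saw a packet; still IOCs (e.g. the second A record of a CDN-fronted host)."""
    contacted = {ip for ip, _port in flows}
    return set(hosts) - contacted


def ioc_lines(flows):
    """One line per remote endpoint in order of first contact; unresolved addresses are marked."""
    lines = []
    for (ip, port), e in sorted(flows.items(), key=lambda kv: kv[1]["first"]):
        span = (e["last"] - e["first"]).total_seconds()
        name = e["name"] or "<no DNS answer seen>"
        lines.append(f"{name:20} {ip:15} tcp/{port:<5} sent={e['sent']} recv={e['received']} span={span:.3f}s")
    return lines


if __name__ == "__main__":
    hosts = resolved_hosts(DNS_ANSWERS)
    flows = summarize_flows(TCP_PACKETS, hosts)
    print("\n".join(ioc_lines(flows)))
    print("resolved but never contacted:", sorted(uncontacted_addresses(hosts, flows)))
```

On this report the summary shows two TLS sessions in sequence, first to steamcommunity.com and then to dervinko.biz, and lists 172.67.133.22 as an answered address that carried no traffic; the ordering and the unused address are the kind of detail that is easy to miss when reading the raw packet rows.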
No statistics
Target ID:0
Start time:15:19:53
Start date:06/05/2024
Path:C:\Users\user\Desktop\Gj8P0mbklo.exe
Wow64 process (32bit):true
Commandline:"C:\Users\user\Desktop\Gj8P0mbklo.exe"
Imagebase:0x350000
File size:362'496 bytes
MD5 hash:BAD3FA5127EFCC9C678C5D71FCE0D0B2
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Yara matches:
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.2152455570.00000000027B1000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:low
Has exited:true

No disassembly