Windows Analysis Report
gVKsiQIHqe.exe

Overview

General Information

Sample name: gVKsiQIHqe.exe (renamed because the original name is a hash value)
Original sample name: 2e45d5934db7da8ff7b560a80ceb96ab.exe
Analysis ID: 1579643
MD5: 2e45d5934db7da8ff7b560a80ceb96ab
SHA1: e1d653b1a6acbacd6eb592041d21786ca3a633c8
SHA256: f2c2df5d625c6983881695ab53416c52aa574821e01074f607b6039e5d79e76f
Tags: exe, user-abuse_ch

Detection

Vidar
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Attempt to bypass Chrome Application-Bound Encryption
Found malware configuration
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected Powershell download and execute
Yara detected Vidar stealer
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Monitors registry run keys for changes
PE file has a writeable .text section
Searches for specific processes (likely to inject)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Extensive use of GetProcAddress (often used to hide API calls)
Found evaded block containing many API calls
Found evasive API chain (date check)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains sections with non-standard names
Queries information about the installed CPU (vendor, model number etc)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Browser Started with Remote Debugging
Stores files to the Windows start menu directory
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses insecure TLS / SSL version for HTTPS connection
Yara detected Credential Stealer
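Two entries in the list above belong together: "Attempt to bypass Chrome Application-Bound Encryption" and "Sigma detected: Browser Started with Remote Debugging". Since Chrome 127 the cookie and login store is wrapped with an app-bound key that only the browser's own elevated service unwraps, so a stealer running in the user's context can no longer recover everything with CryptUnprotectData on the Local State master key; a workaround seen in the wild is to start the victim's own browser against the real profile with a DevTools remote-debugging switch and read the already-decrypted data over the DevTools protocol, which is exactly the launch pattern the Sigma rule keys on. The detector below is an added example, not part of the Joe Sandbox report or its rule set. It runs over constructed process-creation events using Sysmon Event ID 1 field names; the parent allowlist and the sample command lines are assumptions.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Chromium-based browser images and the DevTools switches that expose a profile's
# decrypted cookies/logins over a local port or pipe.
BROWSERS = {"chrome.exe", "msedge.exe", "brave.exe", "opera.exe", "vivaldi.exe", "chromium.exe"}
DEBUG_SWITCHES = {"--remote-debugging-port", "--remote-debugging-pipe"}
# Switches a stealer adds so the debug-enabled browser never shows a window.
STEALTH_SWITCHES = {"--headless", "--no-startup-window"}
# Parents that plausibly launch a debuggable browser (assumption: dev tooling, the shell, the browser itself).
BENIGN_PARENTS = BROWSERS | {"explorer.exe", "cmd.exe", "powershell.exe", "pwsh.exe", "code.exe"}
SWITCH_RE = re.compile(r"--[a-z0-9-]+")


@dataclass
class Alert:
    pid: int
    image: str
    parent: str
    severity: str
    reason: str


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_event(ev: dict) -> Optional[Alert]:
    """Alert when a Chromium-based browser starts with a remote-debugging switch.
    Severity is raised when the parent is not a known launcher or the window is hidden."""
    image = _basename(ev["Image"])
    if image not in BROWSERS:
        return None
    switches = set(SWITCH_RE.findall(ev["CommandLine"].lower()))
    debug = sorted(switches & DEBUG_SWITCHES)
    if not debug:
        return None
    parent = _basename(ev.get("ParentImage", ""))
    stealth = sorted(switches & STEALTH_SWITCHES)
    reasons = ["remote debugging enabled (" + ", ".join(debug) + ")"]
    severity = "medium"
    if parent not in BENIGN_PARENTS:
        reasons.append("unexpected parent " + (parent or "unknown"))
        severity = "high"
    if stealth:
        reasons.append("hidden window (" + ", ".join(stealth) + ")")
        severity = "high"
    if "--user-data-dir" in switches:
        reasons.append("explicit profile path")
    return Alert(ev["ProcessId"], image, parent, severity, "; ".join(reasons))


def scan(events) -> list:
    return [a for a in map(check_event, events) if a is not None]


# Constructed process-creation events (Sysmon Event ID 1 field names); not real telemetry.
SAMPLE_EVENTS = [
    {"ProcessId": 4120, "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --profile-directory=Default'},
    {"ProcessId": 5212, "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "ParentImage": r"C:\Users\user\Desktop\gVKsiQIHqe.exe",
     "CommandLine": r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --headless --remote-debugging-port=9222 '
                    r'--user-data-dir="C:\Users\user\AppData\Local\Google\Chrome\User Data" --window-position=-2400,-2400'},
    {"ProcessId": 6001, "Image": r"C:\Program Files\Microsoft\Edge\Application\msedge.exe",
     "ParentImage": r"C:\Program Files\Microsoft VS Code\Code.exe",
     "CommandLine": r'"C:\Program Files\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9229'},
]

if __name__ == "__main__":
    for a in scan(SAMPLE_EVENTS):
        print(f"[{a.severity}] pid={a.pid} {a.image} parent={a.parent}: {a.reason}")
```

The second constructed event is the shape to hunt for: a browser whose parent is an unsigned user-profile executable, headless, with an explicit --user-data-dir pointing at the real profile. The third event shows why the rule should not fire at high severity on every remote-debugging launch; developer tooling does this routinely, so the parent and the window switches carry the weight.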

Classification

Classification chart (rendered as an image in the original report). Category axes: Ransomware, Spreading, Phishing, Banker, Trojan / Bot, Adware, Spyware, Exploiter, Evader, Miner. Verdict scale: clean, suspicious, malicious.

AV Detection

Source: gVKsiQIHqe.exe Malware Configuration Extractor: Vidar {"C2 url": "https://steamcommunity.com/profiles/76561199809363512", "Botnet": "m0nk3"}
Source: gVKsiQIHqe.exe ReversingLabs: Detection: 71%
Source: gVKsiQIHqe.exe Virustotal: Detection: 66%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 99.9% probability
Source: gVKsiQIHqe.exe Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\gVKsiQIHqe.exe Code function: 0_2_004078F0 StrStrA,lstrlenA,LocalAlloc,CryptUnprotectData,LocalAlloc,LocalFree,lstrlenA, 0_2_004078F0
Source: C:\Users\user\Desktop\gVKsiQIHqe.exe Code function: 0_2_004116B0 CryptBinaryToStringA,HeapAlloc,GetProcessHeap,RtlAllocateHeap,CryptBinaryToStringA,GetLastError,HeapFree,GetProcessHeap,HeapFree, 0_2_004116B0
Source: gVKsiQIHqe.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown HTTPS traffic detected: 23.1.237.91:443 -> 192.168.2.5:49916 version: TLS 1.0
Source: unknown HTTPS traffic detected: 149.154.167.99:443 -> 192.168.2.5:49704 version: TLS 1.2
Source: unknown HTTPS traffic detected: 94.130.188.57:443 -> 192.168.2.5:49705 version: TLS 1.2
Source: unknown HTTPS traffic detected: 94.130.188.57:443 -> 192.168.2.5:49762 version: TLS 1.2
Source: C:\Users\user\Desktop\gVKsiQIHqe.exe Code function: 0_2_00409460 FindFirstFileA,FindFirstFileA,CopyFileA,CopyFileA,FindNextFileA,strlen,memcmp,??3@YAXPAX@Z,??3@YAXPAX@Z,StrCmpCA,FindClose, 0_2_00409460
Source: C:\Users\user\Desktop\gVKsiQIHqe.exe Code function: 0_2_00407060 FindFirstFileA,strlen,strlen,memcpy,OpenDesktopA,CreateDesktopA,lstrcpyA,lstrcpyA,strlen,Sleep,??3@YAXPAX@Z,??3@YAXPAX@Z,CreateProcessA,Sleep,strlen,Sleep,strlen,strlen,??3@YAXPAX@Z,CloseDesktop,_invalid_parameter_noinfo_noreturn, 0_2_00407060
Source: C:\Users\user\Desktop\gVKsiQIHqe.exe Code function: 0_2_00401730 FindFirstFileA,FindFirstFileA,FindClose,FindNextFileA,strlen,memcmp,strlen,memcmp,??3@YAXPAX@Z,??3@YAXPAX@Z,FindFirstFileA,FindFirstFileA,DeleteFileA,DeleteFileA,FindNextFileA,CopyFileA,CopyFileA,CopyFileA,CopyFileA,DeleteFileA,DeleteFileA,FindClose,_invalid_parameter_noinfo_noreturn, 0_2_00401730
Source: C:\Users\user\Desktop\gVKsiQIHqe.exe Code function: 0_2_0040A5D0 FindFirstFileA,FindFirstFileA,FindNextFileA,strlen,memcmp,??3@YAXPAX@Z,??3@YAXPAX@Z,StrCmpCA,StrCmpCA, 0_2_0040A5D0
Source: C:\Users\user\Desktop\gVKsiQIHqe.exe Code function: 0_2_00406FE0 FindFirstFileA,FindFirstFileA,??3@YAXPAX@Z,_invalid_parameter_noinfo_noreturn, 0_2_00406FE0
Source: C:\Users\user\Desktop\gVKsiQIHqe.exe Code function: 0_2_00413FF0 wsprintfA,FindFirstFileA,memset,memset,FindNextFileA,strlen,memcmp,strlen,memcmp,??3@YAXPAX@Z,??3@YAXPAX@Z,wsprintfA,StrCmpCA,wsprintfA,memset,lstrcatA,strtok_s,memset,lstrcatA,DeleteFileA,DeleteFileA,strtok_s,PathMatchSpecA,DeleteFileA,DeleteFileA,CopyFileA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,FindClose,_invalid_parameter_noinfo_noreturn,GetLogicalDriveStringsA,memset,GetDriveTypeA,lstrcpyA,lstrcpyA,lstrlenA, 0_2_00413FF0
Source: C:\Users\user\Desktop\gVKsiQIHqe.exe Code function: 0_2_0040C790 FindFirstFileA,FindFirstFileA,FindNextFileA,strlen,memcmp,strlen,memcmp,??3@YAXPAX@Z,??3@YAXPAX@Z,StrCmpCA,CopyFileA,CopyFileA,CopyFileA,DeleteFileA,DeleteFileA,FindClose,_invalid_parameter_noinfo_noreturn, 0_2_0040C790
Source: C:\Users\user\Desktop\gVKsiQIHqe.exe Code function: 0_2_004081B0 ExpandEnvironmentStringsA,FindFirstFileA,FindFirstFileA,FindNextFileA,strlen,memcmp,strlen,memcmp,??3@YAXPAX@Z,??3@YAXPAX@Z,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,DeleteFileA,StrCmpCA,StrCmpCA,CopyFileA,CopyFileA,CopyFileA,StrCmpCA,StrCmpCA,CopyFileA,CopyFileA,Sleep,StrCmpCA,StrCmpCA,CopyFileA,CopyFileA,DeleteFileA,memset,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,CopyFileA,CopyFileA,DeleteFileA,DeleteFileA,memset,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,FindClose,_invalid_parameter_noinfo_noreturn, 0_2_004081B0
Source: C:\Users\user\Desktop\gVKsiQIHqe.exe Code function: 0_2_0040BC30 wsprintfA,wsprintfA,FindFirstFileA,FindNextFileA,strlen,memcmp,strlen,memcmp,??3@YAXPAX@Z,??3@YAXPAX@Z,lstrlenA,lstrlenA,DeleteFileA,DeleteFileA,CopyFileA,CopyFileA,FindClose,_invalid_parameter_noinfo_noreturn, 0_2_0040BC30
Source: C:\Users\user\Desktop\gVKsiQIHqe.exe Code function: 0_2_004170D0 SHGetFolderPathA,wsprintfA,FindFirstFileA,FindNextFileA,FindNextFileA,FindNextFileA,strcpy,_splitpath,strcpy,strlen,isupper,wsprintfA,strcpy,strlen,SHFileOperationA,FindClose, 0_2_004170D0
Source: C:\Users\user\Desktop\gVKsiQIHqe.exe Code function: 0_2_00415700 HeapAlloc,GetProcessHeap,HeapAlloc,wsprintfA,FindFirstFileA,FindNextFileA,strlen,memcmp,strlen,memcmp,??3@YAXPAX@Z,??3@YAXPAX@Z,wsprintfA,CopyFileA,CopyFileA,DeleteFileA,DeleteFileA,FindClose,lstrcatA,lstrcatA,lstrlenA,lstrlenA,_invalid_parameter_noinfo_noreturn,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA, 0_2_00415700
Source: C:\Users\user\Desktop\gVKsiQIHqe.exe Code function: 0_2_00414BD0 wsprintfA,FindFirstFileA,FindNextFileA,strlen,memcmp,strlen,memcmp,??3@YAXPAX@Z,??3@YAXPAX@Z,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,FindClose,_invalid_parameter_noinfo_noreturn,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,lstrcatA,lstrcatA, 0_2_00414BD0
Source: C:\Users\user\Desktop\gVKsiQIHqe.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\
Source: C:\Users\user\Desktop\gVKsiQIHqe.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\
Source: C:\Users\user\Desktop\gVKsiQIHqe.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\
Source: C:\Users\user\Desktop\gVKsiQIHqe.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\
Source: C:\Users\user\Desktop\gVKsiQIHqe.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\
Source: C:\Users\user\Desktop\gVKsiQIHqe.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\
Source: chrome.exe Memory has grown: Private usage: 1MB later: 38MB

Networking

Source: Network traffic Suricata IDS: 2051831 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config M1 : 94.130.188.57:443 -> 192.168.2.5:49709
Source: Network traffic Suricata IDS: 2859378 - Severity 1 - ETPRO MALWARE Win32/Stealc/Vidar Stealer Host Details Exfil (POST) M2 : 192.168.2.5:49706 -> 94.130.188.57:443
Source: Network traffic Suricata IDS: 2049087 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M1 : 192.168.2.5:49708 -> 94.130.188.57:443
Source: Network traffic Suricata IDS: 2044247 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config : 94.130.188.57:443 -> 192.168.2.5:49708
Source: Malware configuration extractor URLs: https://steamcommunity.com/profiles/76561199809363512
Source: global traffic HTTP traffic detected:
  GET /k04ael HTTP/1.1
  Host: t.me
  Connection: Keep-Alive
  Cache-Control: no-cache
Source: Joe Sandbox View IP Address: 149.154.167.99
Source: Joe Sandbox View IP Address: 18.164.116.39
Source: Joe Sandbox View IP Address: 162.159.61.3
Source: Joe Sandbox View JA3 fingerprint: 1138de370e523e824bbca92d049a3777
Source: Joe Sandbox View JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: unknown HTTPS traffic detected: 23.1.237.91:443 -> 192.168.2.5:49916 version: TLS 1.0
Source: unknown TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown TCP traffic detected without corresponding DNS query: 23.209.72.7
Source: unknown TCP traffic detected without corresponding DNS query: 23.209.72.7
Source: unknown TCP traffic detected without corresponding DNS query: 23.209.72.7
Source: unknown TCP traffic detected without corresponding DNS query: 23.209.72.7
Source: unknown TCP traffic detected without corresponding DNS query: 23.209.72.7
Source: unknown TCP traffic detected without corresponding DNS query: 23.209.72.7
Source: unknown TCP traffic detected without corresponding DNS query: 23.209.72.7
Source: unknown TCP traffic detected without corresponding DNS query: 23.209.72.7
Source: unknown TCP traffic detected without corresponding DNS query: 23.209.72.7
Source: unknown TCP traffic detected without corresponding DNS query: 23.209.72.7
Source: unknown TCP traffic detected without corresponding DNS query: 23.209.72.7
Source: unknown TCP traffic detected without corresponding DNS query: 23.209.72.7
Source: unknown TCP traffic detected without corresponding DNS query: 20.189.173.14
Source: unknown TCP traffic detected without corresponding DNS query: 20.189.173.14
Source: unknown TCP traffic detected without corresponding DNS query: 20.189.173.14
Source: unknown TCP traffic detected without corresponding DNS query: 18.164.116.39
Source: unknown TCP traffic detected without corresponding DNS query: 18.164.116.39
Source: unknown TCP traffic detected without corresponding DNS query: 18.164.116.39
Source: unknown TCP traffic detected without corresponding DNS query: 23.44.201.28
Source: unknown TCP traffic detected without corresponding DNS query: 23.44.201.28
Source: unknown TCP traffic detected without corresponding DNS query: 23.44.201.28
Source: unknown TCP traffic detected without corresponding DNS query: 23.44.201.28
Source: unknown TCP traffic detected without corresponding DNS query: 23.44.201.28
Source: unknown TCP traffic detected without corresponding DNS query: 23.44.201.28
Source: unknown TCP traffic detected without corresponding DNS query: 204.79.197.219
Source: unknown TCP traffic detected without corresponding DNS query: 204.79.197.219
Source: unknown TCP traffic detected without corresponding DNS query: 204.79.197.219
Source: unknown TCP traffic detected without corresponding DNS query: 204.79.197.219
Source: unknown TCP traffic detected without corresponding DNS query: 204.79.197.219
Source: unknown TCP traffic detected without corresponding DNS query: 204.79.197.219
Source: unknown TCP traffic detected without corresponding DNS query: 20.189.173.14
Source: unknown TCP traffic detected without corresponding DNS query: 20.189.173.14
Source: unknown TCP traffic detected without corresponding DNS query: 20.189.173.14
Source: unknown TCP traffic detected without corresponding DNS query: 20.189.173.14
Source: unknown TCP traffic detected without corresponding DNS query: 20.189.173.14
Source: unknown TCP traffic detected without corresponding DNS query: 20.189.173.14
Source: unknown TCP traffic detected without corresponding DNS query: 18.164.116.39
Source: unknown TCP traffic detected without corresponding DNS query: 18.164.116.39
Source: unknown TCP traffic detected without corresponding DNS query: 18.164.116.39
Source: unknown TCP traffic detected without corresponding DNS query: 18.164.116.39
Source: unknown TCP traffic detected without corresponding DNS query: 20.189.173.14
Source: unknown TCP traffic detected without corresponding DNS query: 20.189.173.14
Source: unknown TCP traffic detected without corresponding DNS query: 20.189.173.14
Source: unknown TCP traffic detected without corresponding DNS query: 20.189.173.14
Source: unknown TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: C:\Users\user\Desktop\gVKsiQIHqe.exe Code function: 0_2_00404280 InternetOpenA,InternetOpenA,StrCmpCA,InternetConnectA,HttpOpenRequestA,InternetSetOptionA,HttpSendRequestA,HttpQueryInfoA,InternetReadFile,InternetCloseHandle,InternetCloseHandle, 0_2_00404280
Source: global traffic HTTP traffic detected:
  GET /k04ael HTTP/1.1
  Host: t.me
  Connection: Keep-Alive
  Cache-Control: no-cache
Source: global traffic HTTP traffic detected:
  GET / HTTP/1.1
  User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36 OPR/116.0.0.0
  Host: toptek.sbs
  Connection: Keep-Alive
  Cache-Control: no-cache
Source: global traffic HTTP traffic detected:
  GET /complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=&oit=0&oft=1&pgcl=20&gs_rn=42&sugkey=AIzaSyBOti4mM-6x9WDnZIjIeyEU21OpBXqWBgw HTTP/1.1
  Host: www.google.com
  Connection: keep-alive
  X-Client-Data: CIe2yQEIprbJAQipncoBCMDdygEIk6HLAQiFoM0BCNy9zQEI2sPNAQjpxc0BCJDKzQEIucrNAQi/0c0BCIrTzQEI0NbNAQio2M0BCPnA1BUYj87NARi60s0BGMLYzQEY642lFw==
  Sec-Fetch-Site: none
  Sec-Fetch-Mode: no-cors
  Sec-Fetch-Dest: empty
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
  Accept-Encoding: gzip, deflate, br
  Accept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected:
  GET /async/ddljson?async=ntp:2 HTTP/1.1
  Host: www.google.com
  Connection: keep-alive
  Sec-Fetch-Site: none
  Sec-Fetch-Mode: no-cors
  Sec-Fetch-Dest: empty
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
  Accept-Encoding: gzip, deflate, br
  Accept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected:
  GET /async/newtab_ogb?hl=en-US&async=fixed:0 HTTP/1.1
  Host: www.google.com
  Connection: keep-alive
  X-Client-Data: CIe2yQEIprbJAQipncoBCMDdygEIk6HLAQiFoM0BCNy9zQEI2sPNAQjpxc0BCJDKzQEIucrNAQi/0c0BCIrTzQEI0NbNAQio2M0BCPnA1BUYj87NARi60s0BGMLYzQEY642lFw==
  Sec-Fetch-Site: cross-site
  Sec-Fetch-Mode: no-cors
  Sec-Fetch-Dest: empty
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
  Accept-Encoding: gzip, deflate, br
  Accept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected:
  GET /async/newtab_promos HTTP/1.1
  Host: www.google.com
  Connection: keep-alive
  Sec-Fetch-Site: cross-site
  Sec-Fetch-Mode: no-cors
  Sec-Fetch-Dest: empty
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
  Accept-Encoding: gzip, deflate, br
  Accept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected:
  GET /crx/blobs/AW50ZFvmkG4OHGgRTAu7ED1s4Osp5h4hBv39bA-6HcwOhSY7CGpTiD4wJ46Ud6Bo6P7yWyrRWCx-L37vtqrnUs3U44hGlerneoOywl1xhFHZUyPx_GIMNYxNDzQk9TJs4K4AxlKa5fjk7yW6cw-fwnpof9qnkobSLXrM/GHBMNNJOOEKPMOECNNNILNNBDLOLHKHI_1_85_1_0.crx HTTP/1.1
  Host: clients2.googleusercontent.com
  Connection: keep-alive
  Sec-Fetch-Site: none
  Sec-Fetch-Mode: no-cors
  Sec-Fetch-Dest: empty
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47
  Accept-Encoding: gzip, deflate, br
  Accept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic HTTP traffic detected:
  GET /b?rn=1734933482036&c1=2&c2=3000001&cs_ucfr=1&c7=https%3A%2F%2Fntp.msn.com%2Fedge%2Fntp%3Flocale%3Den-GB%26title%3DNew%2Btab%26dsp%3D1%26sp%3DBing%26isFREModalBackground%3D1%26startpage%3D1%26PC%3DU531%26ocid%3Dmsedgdhp%26mkt%3Den-us&c8=New+tab&c9=&cs_fpid=1527A764E6A86BDB2DE6B23AE7AF6A4B&cs_fpit=o&cs_fpdm=*null&cs_fpdt=*null HTTP/1.1
  Host: sb.scorecardresearch.com
  Connection: keep-alive
  sec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"
  sec-ch-ua-mobile: ?0
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47
  sec-ch-ua-platform: "Windows"
  Accept: image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8
  Sec-Fetch-Site: cross-site
  Sec-Fetch-Mode: no-cors
  Sec-Fetch-Dest: image
  Referer: https://ntp.msn.com/
  Accept-Encoding: gzip, deflate, br
  Accept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic HTTP traffic detected:
  GET /b2?rn=1734933482036&c1=2&c2=3000001&cs_ucfr=1&c7=https%3A%2F%2Fntp.msn.com%2Fedge%2Fntp%3Flocale%3Den-GB%26title%3DNew%2Btab%26dsp%3D1%26sp%3DBing%26isFREModalBackground%3D1%26startpage%3D1%26PC%3DU531%26ocid%3Dmsedgdhp%26mkt%3Den-us&c8=New+tab&c9=&cs_fpid=1527A764E6A86BDB2DE6B23AE7AF6A4B&cs_fpit=o&cs_fpdm=*null&cs_fpdt=*null HTTP/1.1
  Host: sb.scorecardresearch.com
  Connection: keep-alive
  sec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"
  sec-ch-ua-mobile: ?0
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47
  sec-ch-ua-platform: "Windows"
  Accept: image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8
  Sec-Fetch-Site: cross-site
  Sec-Fetch-Mode: no-cors
  Sec-Fetch-Dest: image
  Referer: https://ntp.msn.com/
  Accept-Encoding: gzip, deflate, br
  Accept-Language: en-GB,en;q=0.9,en-US;q=0.8
  Cookie: UID=1B5aaed1ef292e4cd07b08d1734933482; XID=1B5aaed1ef292e4cd07b08d1734933482
Source: global traffic HTTP traffic detected:
  GET /c.gif?rnd=1734933482036&udc=true&pg.n=default&pg.t=dhp&pg.c=547&pg.p=anaheim&rf=&tp=https%3A%2F%2Fntp.msn.com%2Fedge%2Fntp%3Flocale%3Den-GB%26title%3DNew%2520tab%26dsp%3D1%26sp%3DBing%26isFREModalBackground%3D1%26startpage%3D1%26PC%3DU531%26ocid%3Dmsedgdhp&cvs=Browser&di=340&st.dpt=&st.sdpt=antp&subcvs=homepage&lng=en-us&rid=0e7012095d61412c88f16ab8ae837c65&activityId=0e7012095d61412c88f16ab8ae837c65&d.imd=false&scr=1280x1024&anoncknm=app_anon&issso=&aadState=0&ctsa=mr&CtsSyncId=63FAA190F2474AB080F91B05DE1E2DE2&MUID=1527A764E6A86BDB2DE6B23AE7AF6A4B HTTP/1.1
  Host: c.msn.com
  Connection: keep-alive
  sec-ch-ua: "Microsoft Edge";v="117", "Not;A=Brand";v="8", "Chromium";v="117"
  sec-ch-ua-mobile: ?0
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47
  sec-ch-ua-platform: "Windows"
  Accept: image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8
  Sec-Fetch-Site: cross-site
  Sec-Fetch-Mode: no-cors
  Sec-Fetch-Dest: image
  Referer: https://ntp.msn.com/
  Accept-Encoding: gzip, deflate, br
  Accept-Language: en-GB,en;q=0.9,en-US;q=0.8
  Cookie: USRLOC=; MUID=1527A764E6A86BDB2DE6B23AE7AF6A4B; _EDGE_S=F=1&SID=274477A862C669B72E1F62F6631E6834; _EDGE_V=1; SM=T
Source: 22db65d9-25fa-42c2-9880-193c2562df6d.tmp.8.dr String found in binary or memory: "url": "https://www.youtube.com" equals www.youtube.com (Youtube)
Source: 000003.log8.8.dr String found in binary or memory: "www.facebook.com": "{\"Tier1\": [1103, 6061], \"Tier2\": [5445, 1780, 8220]}", equals www.facebook.com (Facebook)
Source: 000003.log8.8.dr String found in binary or memory: "www.linkedin.com": "{\"Tier1\": [1103, 214, 6061], \"Tier2\": [2771, 9515, 1780, 1303, 1099, 6081, 5581, 9396]}", equals www.linkedin.com (Linkedin)
Source: 000003.log8.8.dr String found in binary or memory: "www.youtube.com": "{\"Tier1\": [983, 6061, 1103], \"Tier2\": [2413, 8118, 1720, 5007]}", equals www.youtube.com (Youtube)
Source: global traffic DNS traffic detected: DNS query: t.me
Source: global traffic DNS traffic detected: DNS query: toptek.sbs
Source: global traffic DNS traffic detected: DNS query: www.google.com
Source: global traffic DNS traffic detected: DNS query: ntp.msn.com
Source: global traffic DNS traffic detected: DNS query: bzib.nelreports.net
Source: global traffic DNS traffic detected: DNS query: clients2.googleusercontent.com
Source: global traffic DNS traffic detected: DNS query: chrome.cloudflare-dns.com
Source: global traffic DNS traffic detected: DNS query: sb.scorecardresearch.com
Source: global traffic DNS traffic detected: DNS query: assets.msn.com
Source: global traffic DNS traffic detected: DNS query: c.msn.com
Source: global traffic DNS traffic detected: DNS query: api.msn.com
Source: unknown HTTP traffic detected:
  POST / HTTP/1.1
  Content-Type: multipart/form-data; boundary=----PHLFC2NGVAAIEUSR9RI5
  User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36 OPR/116.0.0.0
  Host: toptek.sbs
  Content-Length: 256
  Connection: Keep-Alive
  Cache-Control: no-cache
Source: gVKsiQIHqe.exe, 00000000.00000003.2182794313.00000000008AD000.00000004.00000020.00020000.00000000.sdmp, gVKsiQIHqe.exe, 00000000.00000003.2086247436.00000000008AF000.00000004.00000020.00020000.00000000.sdmp, gVKsiQIHqe.exe, 00000000.00000003.2159778858.00000000008AD000.00000004.00000020.00020000.00000000.sdmp, gVKsiQIHqe.exe, 00000000.00000003.2087328305.00000000008B3000.00000004.00000020.00020000.00000000.sdmp, gVKsiQIHqe.exe, 00000000.00000003.2136596428.00000000008AD000.00000004.00000020.00020000.00000000.sdmp, gVKsiQIHqe.exe, 00000000.00000003.2113133100.00000000008B4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.microsoft.xZ
Source: gVKsiQIHqe.exe, 00000000.00000002.3279528745.000000000389E000.00000004.00000020.00020000.00000000.sdmp, 4W4EKN.0.dr String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: 2cc80dabc69f58b6_1.8.dr String found in binary or memory: https://assets.msn.cn/resolver/
Source: 2cc80dabc69f58b6_1.8.dr String found in binary or memory: https://assets.msn.com/resolver/
Source: 22db65d9-25fa-42c2-9880-193c2562df6d.tmp.8.dr String found in binary or memory: https://bard.google.com/
Source: 2cc80dabc69f58b6_1.8.dr String found in binary or memory: https://bit.ly/wb-precache
Source: gVKsiQIHqe.exe, 00000000.00000002.3279528745.0000000003861000.00000004.00000020.00020000.00000000.sdmp, gVKsiQIHqe.exe, 00000000.00000002.3282727339.0000000003D2B000.00000004.00000020.00020000.00000000.sdmp, P8QIEK.0.dr String found in binary or memory: https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696425136400800000.2&ci=1696425136743.
Source: gVKsiQIHqe.exe, 00000000.00000002.3279528745.0000000003861000.00000004.00000020.00020000.00000000.sdmp, gVKsiQIHqe.exe, 00000000.00000002.3282727339.0000000003D2B000.00000004.00000020.00020000.00000000.sdmp, P8QIEK.0.dr String found in binary or memory: https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696425136400800000.1&ci=1696425136743.12791&cta
Source: 2cc80dabc69f58b6_1.8.dr String found in binary or memory: https://browser.events.data.msn.cn/
Source: 2cc80dabc69f58b6_1.8.dr String found in binary or memory: https://browser.events.data.msn.com/
Source: Reporting and NEL.9.dr String found in binary or memory: https://bzib.nelreports.net/api/report?cat=bingbusiness
Source: 2cc80dabc69f58b6_1.8.dr String found in binary or memory: https://c.msn.com/
Source: gVKsiQIHqe.exe, 00000000.00000002.3279528745.000000000389E000.00000004.00000020.00020000.00000000.sdmp, 4W4EKN.0.dr String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: offscreendocument_main.js.8.dr, service_worker_bin_prod.js.8.dr String found in binary or memory: https://cdnjs.cloudflare.com/ajax/libs/mathjax/
Source: gVKsiQIHqe.exe, 00000000.00000002.3280611239.0000000003B2E000.00000004.00000020.00020000.00000000.sdmp, gVKsiQIHqe.exe, 00000000.00000002.3279528745.000000000389E000.00000004.00000020.00020000.00000000.sdmp, GV3W4E.0.dr, 4W4EKN.0.dr, Web Data.8.dr String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: gVKsiQIHqe.exe, 00000000.00000002.3280611239.0000000003B2E000.00000004.00000020.00020000.00000000.sdmp, gVKsiQIHqe.exe, 00000000.00000002.3279528745.000000000389E000.00000004.00000020.00020000.00000000.sdmp, GV3W4E.0.dr, 4W4EKN.0.dr, Web Data.8.dr String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: manifest.json.8.dr String found in binary or memory: https://chrome.google.com/webstore/
Source: manifest.json.8.dr String found in binary or memory: https://chromewebstore.google.com/
Source: 2a74f5d3-95f0-423b-aeaa-f8df50f732fd.tmp.9.dr, 413b2a2f-49f5-4142-a62a-87fab7a0a900.tmp.9.dr String found in binary or memory: https://clients2.google.com
Source: manifest.json0.8.dr String found in binary or memory: https://clients2.google.com/service/update2/crx
Source: 2a74f5d3-95f0-423b-aeaa-f8df50f732fd.tmp.9.dr, 413b2a2f-49f5-4142-a62a-87fab7a0a900.tmp.9.dr String found in binary or memory: https://clients2.googleusercontent.com
Source: gVKsiQIHqe.exe, 00000000.00000002.3279528745.0000000003861000.00000004.00000020.00020000.00000000.sdmp, gVKsiQIHqe.exe, 00000000.00000002.3282727339.0000000003D2B000.00000004.00000020.00020000.00000000.sdmp, P8QIEK.0.dr String found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
Source: gVKsiQIHqe.exe, 00000000.00000002.3279528745.0000000003861000.00000004.00000020.00020000.00000000.sdmp, gVKsiQIHqe.exe, 00000000.00000002.3282727339.0000000003D2B000.00000004.00000020.00020000.00000000.sdmp, P8QIEK.0.dr String found in binary or memory: https://contile-images.services.mozilla.com/u1AuJcj32cbVUf9NjMipLXEYwu2uFIt4lsj-ccwVqEs.36904.jpg
Source: Reporting and NEL.9.dr String found in binary or memory: https://deff.nelreports.net/api/report
Source: 2cc80dabc69f58b6_0.8.dr String found in binary or memory: https://deff.nelreports.net/api/report?cat=msn
Source: Reporting and NEL.9.dr String found in binary or memory: https://deff.nelreports.net/api/report?cat=msnw
Source: manifest.json0.8.dr String found in binary or memory: https://docs.google.com/
Source: manifest.json0.8.dr String found in binary or memory: https://drive-autopush.corp.google.com/
Source: manifest.json0.8.dr String found in binary or memory: https://drive-daily-0.corp.google.com/
Source: manifest.json0.8.dr String found in binary or memory: https://drive-daily-1.corp.google.com/
Source: manifest.json0.8.dr String found in binary or memory: https://drive-daily-2.corp.google.com/
Source: manifest.json0.8.dr String found in binary or memory: https://drive-daily-3.corp.google.com/
Source: manifest.json0.8.dr String found in binary or memory: https://drive-daily-4.corp.google.com/
Source: manifest.json0.8.dr String found in binary or memory: https://drive-daily-5.corp.google.com/
Source: manifest.json0.8.dr String found in binary or memory: https://drive-daily-6.corp.google.com/
Source: manifest.json0.8.dr String found in binary or memory: https://drive-preprod.corp.google.com/
Source: manifest.json0.8.dr String found in binary or memory: https://drive-staging.corp.google.com/
Source: manifest.json0.8.dr String found in binary or memory: https://drive.google.com/
Source: gVKsiQIHqe.exe, 00000000.00000002.3280611239.0000000003B2E000.00000004.00000020.00020000.00000000.sdmp, gVKsiQIHqe.exe, 00000000.00000002.3279528745.000000000389E000.00000004.00000020.00020000.00000000.sdmp, GV3W4E.0.dr, 4W4EKN.0.dr, Web Data.8.dr String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: gVKsiQIHqe.exe, 00000000.00000002.3280611239.0000000003B2E000.00000004.00000020.00020000.00000000.sdmp, gVKsiQIHqe.exe, 00000000.00000002.3279528745.000000000389E000.00000004.00000020.00020000.00000000.sdmp, GV3W4E.0.dr, 4W4EKN.0.dr, Web Data.8.dr String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: gVKsiQIHqe.exe, 00000000.00000002.3280611239.0000000003B2E000.00000004.00000020.00020000.00000000.sdmp, gVKsiQIHqe.exe, 00000000.00000002.3279528745.000000000389E000.00000004.00000020.00020000.00000000.sdmp, GV3W4E.0.dr, 4W4EKN.0.dr, Web Data.8.dr String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: 000003.log8.8.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/addressbar_uu_files.en-gb/1.0.2/asset?sv=2017-07-29&sr
Source: 000003.log8.8.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/arbitration_priority_list/4.0.5/asset?assetgroup=Arbit
Source: 000003.log8.8.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/arbitration_priority_list/4.0.5/asset?sv=2017-07-29&sr
Source: 000003.log6.8.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/domains_config_gz/2.8.76/asset?assetgroup=EntityExtrac
Source: 22db65d9-25fa-42c2-9880-193c2562df6d.tmp.8.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_163_music.png/1.0.3/asset
Source: 22db65d9-25fa-42c2-9880-193c2562df6d.tmp.8.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_M365_dark.png/1.7.32/asset
Source: 22db65d9-25fa-42c2-9880-193c2562df6d.tmp.8.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_M365_hc.png/1.7.32/asset
Source: HubApps Icons.8.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_M365_light.png/1.7.32/asset
Source: 22db65d9-25fa-42c2-9880-193c2562df6d.tmp.8.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_action_center_hc.png/1.2.1/asset
Source: 22db65d9-25fa-42c2-9880-193c2562df6d.tmp.8.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_action_center_maximal_dark.png/1.2.1/ass
Source: HubApps Icons.8.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_action_center_maximal_light.png/1.2.1/as
Source: 22db65d9-25fa-42c2-9880-193c2562df6d.tmp.8.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_amazon_music_light.png/1.4.13/asset
Source: 22db65d9-25fa-42c2-9880-193c2562df6d.tmp.8.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_apple_music.png/1.4.12/asset
Source: 22db65d9-25fa-42c2-9880-193c2562df6d.tmp.8.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_bard_light.png/1.0.1/asset
Source: 22db65d9-25fa-42c2-9880-193c2562df6d.tmp.8.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_chatB_active_dark.png/1.1.17/asset
Source: 22db65d9-25fa-42c2-9880-193c2562df6d.tmp.8.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_chatB_active_dark.png/1.6.8/asset
Source: 22db65d9-25fa-42c2-9880-193c2562df6d.tmp.8.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_chatB_active_light.png/1.1.17/asset
Source: 22db65d9-25fa-42c2-9880-193c2562df6d.tmp.8.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_chatB_active_light.png/1.6.8/asset
Source: 22db65d9-25fa-42c2-9880-193c2562df6d.tmp.8.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_chatB_hc.png/1.1.17/asset
Source: 22db65d9-25fa-42c2-9880-193c2562df6d.tmp.8.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_chatB_hc.png/1.6.8/asset
Source: 22db65d9-25fa-42c2-9880-193c2562df6d.tmp.8.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_collections_hc.png/1.0.3/asset
Source: 22db65d9-25fa-42c2-9880-193c2562df6d.tmp.8.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_collections_maximal_dark.png/1.0.3/asset
Source: 22db65d9-25fa-42c2-9880-193c2562df6d.tmp.8.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_collections_maximal_light.png/1.0.3/asse
Source: 22db65d9-25fa-42c2-9880-193c2562df6d.tmp.8.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_deezer.png/1.4.12/asset
Source: 22db65d9-25fa-42c2-9880-193c2562df6d.tmp.8.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_demo_dark.png/1.0.6/asset
Source: 22db65d9-25fa-42c2-9880-193c2562df6d.tmp.8.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_demo_light.png/1.0.6/asset
Source: 22db65d9-25fa-42c2-9880-193c2562df6d.tmp.8.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_designer_color.png/1.0.14/asset
Source: 22db65d9-25fa-42c2-9880-193c2562df6d.tmp.8.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_designer_hc.png/1.0.14/asset
Source: 22db65d9-25fa-42c2-9880-193c2562df6d.tmp.8.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_edrop_hc.png/1.1.12/asset
Source: 22db65d9-25fa-42c2-9880-193c2562df6d.tmp.8.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_edrop_maximal_dark.png/1.1.12/asset
Source: 22db65d9-25fa-42c2-9880-193c2562df6d.tmp.8.dr, HubApps Icons.8.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_edrop_maximal_light.png/1.1.12/asset
Source: 22db65d9-25fa-42c2-9880-193c2562df6d.tmp.8.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_etree_hc.png/1.2.0/asset
Source: 22db65d9-25fa-42c2-9880-193c2562df6d.tmp.8.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_etree_maximal_dark.png/1.2.0/asset
Source: 22db65d9-25fa-42c2-9880-193c2562df6d.tmp.8.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_etree_maximal_light.png/1.2.0/asset
Source: 22db65d9-25fa-42c2-9880-193c2562df6d.tmp.8.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_excel.png/1.7.32/asset
Source: 22db65d9-25fa-42c2-9880-193c2562df6d.tmp.8.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_facebook_messenger.png/1.5.14/asset
Source: 22db65d9-25fa-42c2-9880-193c2562df6d.tmp.8.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_gaana.png/1.0.3/asset
Source: 22db65d9-25fa-42c2-9880-193c2562df6d.tmp.8.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_games_hc.png/1.7.1/asset
Source: 22db65d9-25fa-42c2-9880-193c2562df6d.tmp.8.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_games_hc_controller.png/1.7.1/asset
Source: 22db65d9-25fa-42c2-9880-193c2562df6d.tmp.8.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_games_hc_joystick.png/1.7.1/asset
Source: 22db65d9-25fa-42c2-9880-193c2562df6d.tmp.8.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_games_maximal_dark.png/1.7.1/asset
Source: 22db65d9-25fa-42c2-9880-193c2562df6d.tmp.8.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_games_maximal_dark_controller.png/1.7.1/
Source: 22db65d9-25fa-42c2-9880-193c2562df6d.tmp.8.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_games_maximal_dark_joystick.png/1.7.1/as
Source: HubApps Icons.8.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_games_maximal_light.png/1.7.1/asset
Source: 22db65d9-25fa-42c2-9880-193c2562df6d.tmp.8.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_games_maximal_light_controller.png/1.7.1
Source: 22db65d9-25fa-42c2-9880-193c2562df6d.tmp.8.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_games_maximal_light_joystick.png/1.7.1/a
Source: 22db65d9-25fa-42c2-9880-193c2562df6d.tmp.8.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_gmail.png/1.5.4/asset
Source: 22db65d9-25fa-42c2-9880-193c2562df6d.tmp.8.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_help.png/1.0.0/asset
Source: 22db65d9-25fa-42c2-9880-193c2562df6d.tmp.8.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_history_hc.png/0.1.3/asset
Source: 22db65d9-25fa-42c2-9880-193c2562df6d.tmp.8.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_history_maximal_dark.png/0.1.3/asset
Source: 22db65d9-25fa-42c2-9880-193c2562df6d.tmp.8.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_history_maximal_light.png/0.1.3/asset
Source: 22db65d9-25fa-42c2-9880-193c2562df6d.tmp.8.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_iHeart.png/1.0.3/asset
Source: 22db65d9-25fa-42c2-9880-193c2562df6d.tmp.8.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_image_creator_hc.png/1.0.14/asset
Source: 22db65d9-25fa-42c2-9880-193c2562df6d.tmp.8.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_image_creator_maximal_dark.png/1.0.14/as
Source: 22db65d9-25fa-42c2-9880-193c2562df6d.tmp.8.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_image_creator_maximal_light.png/1.0.14/a
Source: 22db65d9-25fa-42c2-9880-193c2562df6d.tmp.8.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_instagram.png/1.4.13/asset
Source: 22db65d9-25fa-42c2-9880-193c2562df6d.tmp.8.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_ku_gou.png/1.0.3/asset
Source: 22db65d9-25fa-42c2-9880-193c2562df6d.tmp.8.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_last.png/1.0.3/asset
Source: 000003.log8.8.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_manifest_gz/4.7.107/asset?assetgroup=Sho
Source: 22db65d9-25fa-42c2-9880-193c2562df6d.tmp.8.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_maximal_follow_dark.png/1.1.0/asset
Source: 22db65d9-25fa-42c2-9880-193c2562df6d.tmp.8.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_maximal_follow_hc.png/1.1.0/asset
Source: 22db65d9-25fa-42c2-9880-193c2562df6d.tmp.8.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_maximal_follow_light.png/1.1.0/asset
Source: 22db65d9-25fa-42c2-9880-193c2562df6d.tmp.8.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_naver_vibe.png/1.0.3/asset
Source: 22db65d9-25fa-42c2-9880-193c2562df6d.tmp.8.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_onenote_dark.png/1.4.9/asset
Source: 22db65d9-25fa-42c2-9880-193c2562df6d.tmp.8.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_onenote_hc.png/1.4.9/asset
Source: 22db65d9-25fa-42c2-9880-193c2562df6d.tmp.8.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_onenote_light.png/1.4.9/asset
Source: 22db65d9-25fa-42c2-9880-193c2562df6d.tmp.8.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_outlook_dark.png/1.9.10/asset
Source: 22db65d9-25fa-42c2-9880-193c2562df6d.tmp.8.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_outlook_hc.png/1.9.10/asset
Source: 22db65d9-25fa-42c2-9880-193c2562df6d.tmp.8.dr, HubApps Icons.8.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_outlook_light.png/1.9.10/asset
Source: 22db65d9-25fa-42c2-9880-193c2562df6d.tmp.8.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_performance_hc.png/1.1.0/asset
Source: 22db65d9-25fa-42c2-9880-193c2562df6d.tmp.8.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_performance_maximal_dark.png/1.1.0/asset
Source: 22db65d9-25fa-42c2-9880-193c2562df6d.tmp.8.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_performance_maximal_light.png/1.1.0/asse
Source: 22db65d9-25fa-42c2-9880-193c2562df6d.tmp.8.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_power_point.png/1.7.32/asset
Source: 22db65d9-25fa-42c2-9880-193c2562df6d.tmp.8.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_qq.png/1.0.3/asset
Source: 22db65d9-25fa-42c2-9880-193c2562df6d.tmp.8.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_refresh_dark.png/1.1.12/asset
Source: 22db65d9-25fa-42c2-9880-193c2562df6d.tmp.8.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_refresh_hc.png/1.1.12/asset
Source: 22db65d9-25fa-42c2-9880-193c2562df6d.tmp.8.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_refresh_light.png/1.1.12/asset
Source: 22db65d9-25fa-42c2-9880-193c2562df6d.tmp.8.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_rewards_hc.png/1.1.3/asset
Source: 22db65d9-25fa-42c2-9880-193c2562df6d.tmp.8.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_rewards_maximal_dark.png/1.1.3/asset
Source: 22db65d9-25fa-42c2-9880-193c2562df6d.tmp.8.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_rewards_maximal_light.png/1.1.3/asset
Source: 22db65d9-25fa-42c2-9880-193c2562df6d.tmp.8.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_search_hc.png/1.3.6/asset
Source: 22db65d9-25fa-42c2-9880-193c2562df6d.tmp.8.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_search_maximal_dark.png/1.3.6/asset
Source: HubApps Icons.8.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_search_maximal_light.png/1.3.6/asset
Source: 22db65d9-25fa-42c2-9880-193c2562df6d.tmp.8.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_settings_dark.png/1.1.12/asset
Source: 22db65d9-25fa-42c2-9880-193c2562df6d.tmp.8.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_settings_dark.png/1.4.0/asset
Source: 22db65d9-25fa-42c2-9880-193c2562df6d.tmp.8.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_settings_dark.png/1.5.13/asset
Source: 22db65d9-25fa-42c2-9880-193c2562df6d.tmp.8.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_settings_hc.png/1.1.12/asset
Source: 22db65d9-25fa-42c2-9880-193c2562df6d.tmp.8.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_settings_hc.png/1.4.0/asset
Source: 22db65d9-25fa-42c2-9880-193c2562df6d.tmp.8.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_settings_hc.png/1.5.13/asset
Source: 22db65d9-25fa-42c2-9880-193c2562df6d.tmp.8.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_settings_light.png/1.1.12/asset
Source: 22db65d9-25fa-42c2-9880-193c2562df6d.tmp.8.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_settings_light.png/1.4.0/asset
Source: 22db65d9-25fa-42c2-9880-193c2562df6d.tmp.8.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_settings_light.png/1.5.13/asset
Source: 22db65d9-25fa-42c2-9880-193c2562df6d.tmp.8.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_shopping_hc.png/1.4.0/asset
Source: 22db65d9-25fa-42c2-9880-193c2562df6d.tmp.8.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_shopping_maximal_dark.png/1.4.0/asset
Source: HubApps Icons.8.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_shopping_maximal_light.png/1.4.0/asset
Source: 22db65d9-25fa-42c2-9880-193c2562df6d.tmp.8.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_skype_dark.png/1.3.20/asset
Source: 22db65d9-25fa-42c2-9880-193c2562df6d.tmp.8.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_skype_hc.png/1.3.20/asset
Source: 22db65d9-25fa-42c2-9880-193c2562df6d.tmp.8.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_skype_light.png/1.3.20/asset
Source: 22db65d9-25fa-42c2-9880-193c2562df6d.tmp.8.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_sound_cloud.png/1.0.3/asset
Source: 22db65d9-25fa-42c2-9880-193c2562df6d.tmp.8.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_spotify.png/1.4.12/asset
Source: 22db65d9-25fa-42c2-9880-193c2562df6d.tmp.8.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_teams_dark.png/1.2.19/asset
Source: 22db65d9-25fa-42c2-9880-193c2562df6d.tmp.8.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_teams_hc.png/1.2.19/asset
Source: 22db65d9-25fa-42c2-9880-193c2562df6d.tmp.8.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_teams_light.png/1.2.19/asset
Source: 22db65d9-25fa-42c2-9880-193c2562df6d.tmp.8.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_telegram.png/1.0.4/asset
Source: 22db65d9-25fa-42c2-9880-193c2562df6d.tmp.8.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_theater_hc.png/1.0.5/asset
Source: 22db65d9-25fa-42c2-9880-193c2562df6d.tmp.8.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_theater_maximal_dark.png/1.0.5/asset
Source: 22db65d9-25fa-42c2-9880-193c2562df6d.tmp.8.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_theater_maximal_light.png/1.0.5/asset
Source: 22db65d9-25fa-42c2-9880-193c2562df6d.tmp.8.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_tidal.png/1.0.3/asset
Source: 22db65d9-25fa-42c2-9880-193c2562df6d.tmp.8.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_tik_tok_light.png/1.0.5/asset
Source: 22db65d9-25fa-42c2-9880-193c2562df6d.tmp.8.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_toolbox_hc.png/1.5.13/asset
Source: 22db65d9-25fa-42c2-9880-193c2562df6d.tmp.8.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_toolbox_maximal_dark.png/1.5.13/asset
Source: HubApps Icons.8.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_toolbox_maximal_light.png/1.5.13/asset
Source: 22db65d9-25fa-42c2-9880-193c2562df6d.tmp.8.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_twitter_light.png/1.0.9/asset
Source: 22db65d9-25fa-42c2-9880-193c2562df6d.tmp.8.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_vk.png/1.0.3/asset
Source: 22db65d9-25fa-42c2-9880-193c2562df6d.tmp.8.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_whats_new.png/1.0.0/asset
Source: 22db65d9-25fa-42c2-9880-193c2562df6d.tmp.8.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_whatsapp_light.png/1.4.11/asset
Source: 22db65d9-25fa-42c2-9880-193c2562df6d.tmp.8.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_word.png/1.7.32/asset
Source: 22db65d9-25fa-42c2-9880-193c2562df6d.tmp.8.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_yandex_music.png/1.0.10/asset
Source: 22db65d9-25fa-42c2-9880-193c2562df6d.tmp.8.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/edge_hub_apps_youtube.png/1.4.14/asset
Source: 000003.log8.8.dr String found in binary or memory: https://edgeassetservice.azureedge.net/assets/signal_triggers/1.13.3/asset?sv=2017-07-29&sr=c&sig=Nt
Source: 22db65d9-25fa-42c2-9880-193c2562df6d.tmp.8.dr String found in binary or memory: https://excel.new?from=EdgeM365Shoreline
Source: 22db65d9-25fa-42c2-9880-193c2562df6d.tmp.8.dr String found in binary or memory: https://gaana.com/
Source: 22db65d9-25fa-42c2-9880-193c2562df6d.tmp.8.dr String found in binary or memory: https://i.y.qq.com/n2/m/index.html
Source: 2cc80dabc69f58b6_1.8.dr String found in binary or memory: https://img-s-msn-com.akamaized.net/
Source: 2cc80dabc69f58b6_1.8.dr String found in binary or memory: https://img-s.msn.cn/tenant/amp/entityid/
Source: P8QIEK.0.dr String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4p8dfCfm4pbW1pbWfpbW7ReNxR3UIG8zInwYIFIVs9eYi
Source: 22db65d9-25fa-42c2-9880-193c2562df6d.tmp.8.dr String found in binary or memory: https://latest.web.skype.com/?browsername=edge_canary_shoreline
Source: 22db65d9-25fa-42c2-9880-193c2562df6d.tmp.8.dr String found in binary or memory: https://m.kugou.com/
Source: 22db65d9-25fa-42c2-9880-193c2562df6d.tmp.8.dr String found in binary or memory: https://m.soundcloud.com/
Source: 22db65d9-25fa-42c2-9880-193c2562df6d.tmp.8.dr String found in binary or memory: https://m.vk.com/
Source: 22db65d9-25fa-42c2-9880-193c2562df6d.tmp.8.dr String found in binary or memory: https://mail.google.com/mail/mu/mp/266/#tl/Inbox
Source: 22db65d9-25fa-42c2-9880-193c2562df6d.tmp.8.dr String found in binary or memory: https://manifestdeliveryservice.edgebrowser.microsoft-staging-falcon.io/app/page-context-demo
Source: Cookies.9.dr String found in binary or memory: https://msn.comXID/
Source: Cookies.9.dr String found in binary or memory: https://msn.comXIDv10
Source: 22db65d9-25fa-42c2-9880-193c2562df6d.tmp.8.dr String found in binary or memory: https://music.amazon.com
Source: 22db65d9-25fa-42c2-9880-193c2562df6d.tmp.8.dr String found in binary or memory: https://music.apple.com
Source: 22db65d9-25fa-42c2-9880-193c2562df6d.tmp.8.dr String found in binary or memory: https://music.yandex.com
Source: 2cc80dabc69f58b6_1.8.dr String found in binary or memory: https://ntp.msn.cn/edge/ntp
Source: 000003.log7.8.dr, 2cc80dabc69f58b6_0.8.dr String found in binary or memory: https://ntp.msn.com
Source: 000003.log0.8.dr, 000003.log3.8.dr String found in binary or memory: https://ntp.msn.com/
Source: 000003.log0.8.dr String found in binary or memory: https://ntp.msn.com/0
Source: QuotaManager.8.dr String found in binary or memory: https://ntp.msn.com/_default
Source: 2cc80dabc69f58b6_1.8.dr, 000003.log0.8.dr String found in binary or memory: https://ntp.msn.com/edge/ntp
Source: 000003.log0.8.dr String found in binary or memory: https://ntp.msn.com/edge/ntp/service-worker.js?bundles=latest&riverAgeMinutes=2880&navAgeMinutes=288
Source: Session_13379407070125135.8.dr String found in binary or memory: https://ntp.msn.com/edge/ntp?locale=en-GB&title=New%20tab&dsp=1&sp=Bing&isFREModalBackground=1&start
Source: QuotaManager.8.dr String found in binary or memory: https://ntp.msn.com/ntp.msn.com_default
Source: 2cc80dabc69f58b6_0.8.dr String found in binary or memory: https://ntp.msn.comService-Worker-Allowed:
Source: 22db65d9-25fa-42c2-9880-193c2562df6d.tmp.8.dr String found in binary or memory: https://open.spotify.com
Source: 22db65d9-25fa-42c2-9880-193c2562df6d.tmp.8.dr String found in binary or memory: https://outlook.live.com/calendar/view/agenda/quickcapture/moreDetails?isExtension=true
Source: 22db65d9-25fa-42c2-9880-193c2562df6d.tmp.8.dr String found in binary or memory: https://outlook.live.com/mail/0/
Source: 22db65d9-25fa-42c2-9880-193c2562df6d.tmp.8.dr String found in binary or memory: https://outlook.live.com/mail/compose?isExtension=true
Source: 22db65d9-25fa-42c2-9880-193c2562df6d.tmp.8.dr String found in binary or memory: https://outlook.live.com/mail/inbox?isExtension=true&sharedHeader=1&nlp=1&client_flight=outlookedge
Source: 22db65d9-25fa-42c2-9880-193c2562df6d.tmp.8.dr String found in binary or memory: https://outlook.office.com/calendar/view/agenda/quickcapture/moreDetails?isExtension=true
Source: 22db65d9-25fa-42c2-9880-193c2562df6d.tmp.8.dr String found in binary or memory: https://outlook.office.com/mail/0/
Source: 22db65d9-25fa-42c2-9880-193c2562df6d.tmp.8.dr String found in binary or memory: https://outlook.office.com/mail/compose?isExtension=true
Source: 22db65d9-25fa-42c2-9880-193c2562df6d.tmp.8.dr String found in binary or memory: https://outlook.office.com/mail/inbox?isExtension=true&sharedHeader=1&client_flight=outlookedge
Source: 22db65d9-25fa-42c2-9880-193c2562df6d.tmp.8.dr String found in binary or memory: https://powerpoint.new?from=EdgeM365Shoreline
Source: 2cc80dabc69f58b6_1.8.dr String found in binary or memory: https://sb.scorecardresearch.com/
Source: 2cc80dabc69f58b6_1.8.dr String found in binary or memory: https://srtb.msn.cn/
Source: 2cc80dabc69f58b6_1.8.dr String found in binary or memory: https://srtb.msn.com/
Source: gVKsiQIHqe.exe String found in binary or memory: https://steamcommunity.com/profiles/76561199809363512
Source: gVKsiQIHqe.exe String found in binary or memory: https://steamcommunity.com/profiles/76561199809363512m0nk3Mozilla/5.0
Source: gVKsiQIHqe.exe, 00000000.00000002.3283527517.0000000003FDF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: gVKsiQIHqe.exe, 00000000.00000002.3283527517.0000000003FDF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
Source: gVKsiQIHqe.exe, 00000000.00000002.3277818216.000000000083E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/
Source: gVKsiQIHqe.exe String found in binary or memory: https://t.me/k04ael
Source: gVKsiQIHqe.exe String found in binary or memory: https://t.me/k04aelm0nk3Mozilla/5.0
Source: 22db65d9-25fa-42c2-9880-193c2562df6d.tmp.8.dr String found in binary or memory: https://tidal.com/
Source: gVKsiQIHqe.exe, 00000000.00000002.3277818216.0000000000881000.00000004.00000020.00020000.00000000.sdmp, gVKsiQIHqe.exe, 00000000.00000003.2159778858.00000000008AD000.00000004.00000020.00020000.00000000.sdmp, gVKsiQIHqe.exe, 00000000.00000002.3276190906.000000000047C000.00000004.00000001.01000000.00000003.sdmp, gVKsiQIHqe.exe, 00000000.00000003.2136596428.00000000008AD000.00000004.00000020.00020000.00000000.sdmp, gVKsiQIHqe.exe, 00000000.00000003.2113133100.00000000008B4000.00000004.00000020.00020000.00000000.sdmp, gVKsiQIHqe.exe, 00000000.00000002.3276190906.00000000004DD000.00000004.00000001.01000000.00000003.sdmp, gVKsiQIHqe.exe, 00000000.00000002.3276190906.00000000005AC000.00000004.00000001.01000000.00000003.sdmp String found in binary or memory: https://toptek.sbs
Source: gVKsiQIHqe.exe, 00000000.00000002.3277818216.000000000089D000.00000004.00000020.00020000.00000000.sdmp, gVKsiQIHqe.exe, 00000000.00000002.3277818216.0000000000900000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://toptek.sbs/
Source: gVKsiQIHqe.exe, 00000000.00000003.2159778858.00000000008AD000.00000004.00000020.00020000.00000000.sdmp, gVKsiQIHqe.exe, 00000000.00000003.2136596428.00000000008AD000.00000004.00000020.00020000.00000000.sdmp, gVKsiQIHqe.exe, 00000000.00000003.2113133100.00000000008B4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://toptek.sbs/$G
Source: gVKsiQIHqe.exe, 00000000.00000003.2159778858.00000000008AD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://toptek.sbs/(
Source: gVKsiQIHqe.exe, 00000000.00000003.2182794313.00000000008AD000.00000004.00000020.00020000.00000000.sdmp, gVKsiQIHqe.exe, 00000000.00000003.2159778858.00000000008AD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://toptek.sbs/.G
Source: gVKsiQIHqe.exe, 00000000.00000003.2182794313.00000000008AD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://toptek.sbs/0
Source: gVKsiQIHqe.exe, 00000000.00000003.2159778858.00000000008AD000.00000004.00000020.00020000.00000000.sdmp, gVKsiQIHqe.exe, 00000000.00000003.2113133100.00000000008B4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://toptek.sbs/2G
Source: gVKsiQIHqe.exe, 00000000.00000003.2182794313.00000000008AD000.00000004.00000020.00020000.00000000.sdmp, gVKsiQIHqe.exe, 00000000.00000003.2086247436.00000000008AF000.00000004.00000020.00020000.00000000.sdmp, gVKsiQIHqe.exe, 00000000.00000003.2159778858.00000000008AD000.00000004.00000020.00020000.00000000.sdmp, gVKsiQIHqe.exe, 00000000.00000003.2087328305.00000000008B3000.00000004.00000020.00020000.00000000.sdmp, gVKsiQIHqe.exe, 00000000.00000003.2136596428.00000000008AD000.00000004.00000020.00020000.00000000.sdmp, gVKsiQIHqe.exe, 00000000.00000003.2113133100.00000000008B4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://toptek.sbs/4
Source: gVKsiQIHqe.exe, 00000000.00000003.2182794313.00000000008AD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://toptek.sbs/D
Source: gVKsiQIHqe.exe, 00000000.00000003.2136596428.00000000008AD000.00000004.00000020.00020000.00000000.sdmp, gVKsiQIHqe.exe, 00000000.00000003.2113133100.00000000008B4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://toptek.sbs/H
Source: gVKsiQIHqe.exe, 00000000.00000003.2182794313.00000000008AD000.00000004.00000020.00020000.00000000.sdmp, gVKsiQIHqe.exe, 00000000.00000003.2086247436.00000000008AF000.00000004.00000020.00020000.00000000.sdmp, gVKsiQIHqe.exe, 00000000.00000003.2087328305.00000000008B3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://toptek.sbs/L
Source: gVKsiQIHqe.exe, 00000000.00000003.2086247436.00000000008AF000.00000004.00000020.00020000.00000000.sdmp, gVKsiQIHqe.exe, 00000000.00000003.2087328305.00000000008B3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://toptek.sbs/LG
Source: gVKsiQIHqe.exe, 00000000.00000002.3277818216.000000000089D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://toptek.sbs/O
Source: gVKsiQIHqe.exe, 00000000.00000003.2182794313.00000000008AD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://toptek.sbs/PG
Source: gVKsiQIHqe.exe, 00000000.00000003.2113133100.00000000008B4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://toptek.sbs/PV
Source: gVKsiQIHqe.exe, 00000000.00000003.2136596428.00000000008AD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://toptek.sbs/d8
Source: gVKsiQIHqe.exe, 00000000.00000002.3277818216.0000000000900000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://toptek.sbs/rs
Source: gVKsiQIHqe.exe, 00000000.00000003.2207333842.000000000090E000.00000004.00000020.00020000.00000000.sdmp, gVKsiQIHqe.exe, 00000000.00000003.2221553316.000000000090C000.00000004.00000020.00020000.00000000.sdmp, gVKsiQIHqe.exe, 00000000.00000002.3277818216.0000000000900000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://toptek.sbs/w
Source: gVKsiQIHqe.exe, 00000000.00000002.3276190906.00000000004DD000.00000004.00000001.01000000.00000003.sdmp String found in binary or memory: https://toptek.sbs7QQIMGV
Source: gVKsiQIHqe.exe, 00000000.00000002.3276190906.00000000005AC000.00000004.00000001.01000000.00000003.sdmp String found in binary or memory: https://toptek.sbsData
Source: gVKsiQIHqe.exe, 00000000.00000003.2182794313.00000000008AD000.00000004.00000020.00020000.00000000.sdmp, gVKsiQIHqe.exe, 00000000.00000003.2159778858.00000000008AD000.00000004.00000020.00020000.00000000.sdmp, gVKsiQIHqe.exe, 00000000.00000003.2136596428.00000000008AD000.00000004.00000020.00020000.00000000.sdmp, gVKsiQIHqe.exe, 00000000.00000003.2113133100.00000000008B4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://toptek.sbsL
Source: gVKsiQIHqe.exe, 00000000.00000002.3276190906.0000000000429000.00000004.00000001.01000000.00000003.sdmp, gVKsiQIHqe.exe, 00000000.00000002.3276190906.00000000005AC000.00000004.00000001.01000000.00000003.sdmp String found in binary or memory: https://toptek.sbsMGDJMOZ
Source: gVKsiQIHqe.exe, 00000000.00000002.3276190906.00000000005AC000.00000004.00000001.01000000.00000003.sdmp String found in binary or memory: https://toptek.sbsMGDJMOZGIGIYTFFYT.pdfition:
Source: gVKsiQIHqe.exe, 00000000.00000002.3276190906.00000000004DD000.00000004.00000001.01000000.00000003.sdmp String found in binary or memory: https://toptek.sbsQQ16FUSJ
Source: gVKsiQIHqe.exe, 00000000.00000002.3276190906.000000000047C000.00000004.00000001.01000000.00000003.sdmp, gVKsiQIHqe.exe, 00000000.00000002.3276190906.00000000005AC000.00000004.00000001.01000000.00000003.sdmp String found in binary or memory: https://toptek.sbsosh;
Source: 22db65d9-25fa-42c2-9880-193c2562df6d.tmp.8.dr String found in binary or memory: https://twitter.com/
Source: edgeSettings_2.0-48b11410dc937a1723bf4c5ad33ecdb286d8ec69544241bc373f753e64b396c1.8.dr String found in binary or memory: https://unitedstates1.ss.wd.microsoft.us/
Source: edgeSettings_2.0-48b11410dc937a1723bf4c5ad33ecdb286d8ec69544241bc373f753e64b396c1.8.dr String found in binary or memory: https://unitedstates2.ss.wd.microsoft.us/
Source: edgeSettings_2.0-48b11410dc937a1723bf4c5ad33ecdb286d8ec69544241bc373f753e64b396c1.8.dr String found in binary or memory: https://unitedstates4.ss.wd.microsoft.us/
Source: 22db65d9-25fa-42c2-9880-193c2562df6d.tmp.8.dr String found in binary or memory: https://vibe.naver.com/today
Source: 22db65d9-25fa-42c2-9880-193c2562df6d.tmp.8.dr String found in binary or memory: https://web.skype.com/?browsername=edge_canary_shoreline
Source: 22db65d9-25fa-42c2-9880-193c2562df6d.tmp.8.dr String found in binary or memory: https://web.skype.com/?browsername=edge_stable_shoreline
Source: gVKsiQIHqe.exe, 00000000.00000002.3276190906.000000000044D000.00000004.00000001.01000000.00000003.sdmp, gVKsiQIHqe.exe, 00000000.00000002.3277818216.0000000000881000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://web.telegram.org
Source: 22db65d9-25fa-42c2-9880-193c2562df6d.tmp.8.dr String found in binary or memory: https://web.telegram.org/
Source: 22db65d9-25fa-42c2-9880-193c2562df6d.tmp.8.dr String found in binary or memory: https://web.whatsapp.com
Source: 22db65d9-25fa-42c2-9880-193c2562df6d.tmp.8.dr String found in binary or memory: https://word.new?from=EdgeM365Shoreline
Source: gVKsiQIHqe.exe, 00000000.00000002.3279528745.0000000003861000.00000004.00000020.00020000.00000000.sdmp, gVKsiQIHqe.exe, 00000000.00000002.3282727339.0000000003D2B000.00000004.00000020.00020000.00000000.sdmp, P8QIEK.0.dr String found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_35787f1071928bc3a1aef90b79c9bee9c64ba6683fde7477
Source: gVKsiQIHqe.exe, 00000000.00000002.3279528745.0000000003861000.00000004.00000020.00020000.00000000.sdmp, gVKsiQIHqe.exe, 00000000.00000002.3282727339.0000000003D2B000.00000004.00000020.00020000.00000000.sdmp, P8QIEK.0.dr String found in binary or memory: https://www.bestbuy.com/site/electronics/top-deals/pcmcat1563299784494.c/?id=pcmcat1563299784494&ref
Source: 22db65d9-25fa-42c2-9880-193c2562df6d.tmp.8.dr String found in binary or memory: https://www.deezer.com/
Source: gVKsiQIHqe.exe, 00000000.00000002.3279528745.000000000389E000.00000004.00000020.00020000.00000000.sdmp, 4W4EKN.0.dr String found in binary or memory: https://www.ecosia.org/newtab/
Source: content_new.js.8.dr, content.js.8.dr String found in binary or memory: https://www.google.com/chrome
Source: gVKsiQIHqe.exe, 00000000.00000002.3280611239.0000000003B2E000.00000004.00000020.00020000.00000000.sdmp, gVKsiQIHqe.exe, 00000000.00000002.3279528745.000000000389E000.00000004.00000020.00020000.00000000.sdmp, GV3W4E.0.dr, 4W4EKN.0.dr, Web Data.8.dr String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: 2a74f5d3-95f0-423b-aeaa-f8df50f732fd.tmp.9.dr String found in binary or memory: https://www.googleapis.com
Source: 22db65d9-25fa-42c2-9880-193c2562df6d.tmp.8.dr String found in binary or memory: https://www.iheart.com/podcast/
Source: 22db65d9-25fa-42c2-9880-193c2562df6d.tmp.8.dr String found in binary or memory: https://www.instagram.com
Source: 22db65d9-25fa-42c2-9880-193c2562df6d.tmp.8.dr String found in binary or memory: https://www.last.fm/
Source: 22db65d9-25fa-42c2-9880-193c2562df6d.tmp.8.dr String found in binary or memory: https://www.messenger.com
Source: gVKsiQIHqe.exe, 00000000.00000002.3283527517.0000000003FDF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.CDjelnmQJyZc
Source: gVKsiQIHqe.exe, 00000000.00000002.3283527517.0000000003FDF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.b3lOZaxJcpF6
Source: gVKsiQIHqe.exe, 00000000.00000002.3283527517.0000000003FDF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: gVKsiQIHqe.exe, 00000000.00000002.3283527517.0000000003FDF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: gVKsiQIHqe.exe, 00000000.00000002.3283527517.0000000003FDF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/media/img/mozorg/mozilla-256.4720741d4108.jpg
Source: gVKsiQIHqe.exe, 00000000.00000002.3283527517.0000000003FDF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
Source: 2cc80dabc69f58b6_1.8.dr String found in binary or memory: https://www.msn.com/web-notification-icon-light.png
Source: 22db65d9-25fa-42c2-9880-193c2562df6d.tmp.8.dr String found in binary or memory: https://www.msn.com/widgets/fullpage/cgSideBar/widget?experiences=CasualGamesHub&sharedHeader=1
Source: 22db65d9-25fa-42c2-9880-193c2562df6d.tmp.8.dr String found in binary or memory: https://www.msn.com/widgets/fullpage/cgSideBar/widget?experiences=CasualGamesHub&sharedHeader=1&game
Source: 22db65d9-25fa-42c2-9880-193c2562df6d.tmp.8.dr String found in binary or memory: https://www.msn.com/widgets/fullpage/cgSideBar/widget?experiences=CasualGamesHub&sharedHeader=1&item
Source: 22db65d9-25fa-42c2-9880-193c2562df6d.tmp.8.dr String found in binary or memory: https://www.msn.com/widgets/fullpage/gaming/widget?experiences=CasualGamesHub&sharedHeader=1
Source: 22db65d9-25fa-42c2-9880-193c2562df6d.tmp.8.dr String found in binary or memory: https://www.msn.com/widgets/fullpage/gaming/widget?experiences=CasualGamesHub&sharedHeader=1&item=fl
Source: 22db65d9-25fa-42c2-9880-193c2562df6d.tmp.8.dr String found in binary or memory: https://www.msn.com/widgets/fullpage/gaming/widget?experiences=CasualGamesHub&sharedHeader=1&playInS
Source: 22db65d9-25fa-42c2-9880-193c2562df6d.tmp.8.dr String found in binary or memory: https://www.office.com
Source: 22db65d9-25fa-42c2-9880-193c2562df6d.tmp.8.dr String found in binary or memory: https://www.officeplus.cn/?sid=shoreline&endpoint=OPPC&source=OPCNshoreline
Source: 22db65d9-25fa-42c2-9880-193c2562df6d.tmp.8.dr String found in binary or memory: https://www.onenote.com/stickynotes?isEdgeHub=true
Source: 22db65d9-25fa-42c2-9880-193c2562df6d.tmp.8.dr String found in binary or memory: https://www.onenote.com/stickynotes?isEdgeHub=true&auth=1
Source: 22db65d9-25fa-42c2-9880-193c2562df6d.tmp.8.dr String found in binary or memory: https://www.onenote.com/stickynotes?isEdgeHub=true&auth=2
Source: 22db65d9-25fa-42c2-9880-193c2562df6d.tmp.8.dr String found in binary or memory: https://www.onenote.com/stickynotesstaging?isEdgeHub=true
Source: 22db65d9-25fa-42c2-9880-193c2562df6d.tmp.8.dr String found in binary or memory: https://www.onenote.com/stickynotesstaging?isEdgeHub=true&auth=1
Source: 22db65d9-25fa-42c2-9880-193c2562df6d.tmp.8.dr String found in binary or memory: https://www.onenote.com/stickynotesstaging?isEdgeHub=true&auth=2
Source: 22db65d9-25fa-42c2-9880-193c2562df6d.tmp.8.dr String found in binary or memory: https://www.tiktok.com/
Source: 22db65d9-25fa-42c2-9880-193c2562df6d.tmp.8.dr String found in binary or memory: https://www.youtube.com
Source: 22db65d9-25fa-42c2-9880-193c2562df6d.tmp.8.dr String found in binary or memory: https://y.music.163.com/m/
Source: unknown HTTPS traffic detected: 149.154.167.99:443 -> 192.168.2.5:49704 version: TLS 1.2
Source: unknown HTTPS traffic detected: 94.130.188.57:443 -> 192.168.2.5:49705 version: TLS 1.2
Source: unknown HTTPS traffic detected: 94.130.188.57:443 -> 192.168.2.5:49762 version: TLS 1.2
Source: C:\Users\user\Desktop\gVKsiQIHqe.exe Code function: 0_2_00407060 FindFirstFileA,strlen,strlen,memcpy,OpenDesktopA,CreateDesktopA,lstrcpyA,lstrcpyA,strlen,Sleep,??3@YAXPAX@Z,??3@YAXPAX@Z,CreateProcessA,Sleep,strlen,Sleep,strlen,strlen,??3@YAXPAX@Z,CloseDesktop,_invalid_parameter_noinfo_noreturn, 0_2_00407060

System Summary

Source: gVKsiQIHqe.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: C:\Users\user\Desktop\gVKsiQIHqe.exe Code function: 0_2_004054A0 0_2_004054A0
Source: C:\Users\user\Desktop\gVKsiQIHqe.exe Code function: 0_2_0041C450 0_2_0041C450
Source: C:\Users\user\Desktop\gVKsiQIHqe.exe Code function: 0_2_0041B0B0 0_2_0041B0B0
Source: C:\Users\user\Desktop\gVKsiQIHqe.exe Code function: 0_2_0041A340 0_2_0041A340
Source: C:\Users\user\Desktop\gVKsiQIHqe.exe Code function: 0_2_0041DD60 0_2_0041DD60
Source: C:\Users\user\Desktop\gVKsiQIHqe.exe Code function: 0_2_0041CF70 0_2_0041CF70
Source: C:\Users\user\Desktop\gVKsiQIHqe.exe Code function: 0_2_0041D3F0 0_2_0041D3F0
Source: C:\Users\user\Desktop\gVKsiQIHqe.exe Code function: String function: 00410340 appears 127 times
Source: C:\Users\user\Desktop\gVKsiQIHqe.exe Code function: String function: 00404DF0 appears 77 times
Source: C:\Users\user\Desktop\gVKsiQIHqe.exe Code function: String function: 004119B0 appears 43 times
Source: gVKsiQIHqe.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@63/316@26/17
Source: C:\Users\user\Desktop\gVKsiQIHqe.exe Code function: 0_2_00412050 CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle,Process32Next,OpenProcess,TerminateProcess,CloseHandle, 0_2_00412050
Source: C:\Users\user\Desktop\gVKsiQIHqe.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\KSK31933.htm
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe File created: C:\Users\user\AppData\Local\Temp\e58e90fe-b7c4-4330-af47-4a24cd416b8b.tmp
Source: C:\Users\user\Desktop\gVKsiQIHqe.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: WLN79ZCTR.0.dr, P8Q1VAS26.0.dr Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: gVKsiQIHqe.exe ReversingLabs: Detection: 71%
Source: gVKsiQIHqe.exe Virustotal: Detection: 66%
Source: unknown Process created: C:\Users\user\Desktop\gVKsiQIHqe.exe "C:\Users\user\Desktop\gVKsiQIHqe.exe"
Source: C:\Users\user\Desktop\gVKsiQIHqe.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2868 --field-trial-handle=2812,i,12872953387069903488,11110384550952122137,262144 /prefetch:8
Source: C:\Users\user\Desktop\gVKsiQIHqe.exe Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory="Default"
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2576 --field-trial-handle=2224,i,4927073609183200829,12100842426449448139,262144 /prefetch:3
Source: unknown Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory=Default --flag-switches-begin --flag-switches-end --disable-nacl --do-not-de-elevate
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2244 --field-trial-handle=1996,i,16664765215465156230,11047928681594744707,262144 /prefetch:3
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-GB --service-sandbox-type=asset_store_service --mojo-platform-channel-handle=6384 --field-trial-handle=1996,i,16664765215465156230,11047928681594744707,262144 /prefetch:8
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-GB --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --mojo-platform-channel-handle=6444 --field-trial-handle=1996,i,16664765215465156230,11047928681594744707,262144 /prefetch:8
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-GB --service-sandbox-type=search_indexer --message-loop-type-ui --mojo-platform-channel-handle=6504 --field-trial-handle=1996,i,16664765215465156230,11047928681594744707,262144 /prefetch:8
Source: C:\Users\user\Desktop\gVKsiQIHqe.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"
Source: C:\Users\user\Desktop\gVKsiQIHqe.exe Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory="Default"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2868 --field-trial-handle=2812,i,12872953387069903488,11110384550952122137,262144 /prefetch:8
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2576 --field-trial-handle=2224,i,4927073609183200829,12100842426449448139,262144 /prefetch:3
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2244 --field-trial-handle=1996,i,16664765215465156230,11047928681594744707,262144 /prefetch:3
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-GB --service-sandbox-type=asset_store_service --mojo-platform-channel-handle=6384 --field-trial-handle=1996,i,16664765215465156230,11047928681594744707,262144 /prefetch:8
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-GB --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --mojo-platform-channel-handle=6444 --field-trial-handle=1996,i,16664765215465156230,11047928681594744707,262144 /prefetch:8
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-GB --service-sandbox-type=search_indexer --message-loop-type-ui --mojo-platform-channel-handle=6504 --field-trial-handle=1996,i,16664765215465156230,11047928681594744707,262144 /prefetch:8
Source: C:\Users\user\Desktop\gVKsiQIHqe.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\gVKsiQIHqe.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\gVKsiQIHqe.exe Section loaded: wininet.dll
Source: C:\Users\user\Desktop\gVKsiQIHqe.exe Section loaded: rstrtmgr.dll
Source: C:\Users\user\Desktop\gVKsiQIHqe.exe Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\gVKsiQIHqe.exe Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\gVKsiQIHqe.exe Section loaded: dbghelp.dll
Source: C:\Users\user\Desktop\gVKsiQIHqe.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\gVKsiQIHqe.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\gVKsiQIHqe.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\gVKsiQIHqe.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\gVKsiQIHqe.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\gVKsiQIHqe.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\gVKsiQIHqe.exe Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\gVKsiQIHqe.exe Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\gVKsiQIHqe.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\gVKsiQIHqe.exe Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\gVKsiQIHqe.exe Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\gVKsiQIHqe.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\gVKsiQIHqe.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\gVKsiQIHqe.exe Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\gVKsiQIHqe.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\gVKsiQIHqe.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\gVKsiQIHqe.exe Section loaded: schannel.dll
Source: C:\Users\user\Desktop\gVKsiQIHqe.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\Desktop\gVKsiQIHqe.exe Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\gVKsiQIHqe.exe Section loaded: dpapi.dll
Source: C:\Users\user\Desktop\gVKsiQIHqe.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\gVKsiQIHqe.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\gVKsiQIHqe.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\gVKsiQIHqe.exe Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\gVKsiQIHqe.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\Desktop\gVKsiQIHqe.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\gVKsiQIHqe.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
Source: Google Drive.lnk.2.dr LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: YouTube.lnk.2.dr LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Sheets.lnk.2.dr LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Gmail.lnk.2.dr LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Slides.lnk.2.dr LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Docs.lnk.2.dr LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: C:\Users\user\Desktop\gVKsiQIHqe.exe Code function: 0_2_004188E0 LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_004188E0
Source: gVKsiQIHqe.exe Static PE information: section name: .00cfg

Boot Survival

Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Registry key monitored: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk
Source: C:\Users\user\Desktop\gVKsiQIHqe.exe Code function: 0_2_004188E0 LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_004188E0
Source: C:\Users\user\Desktop\gVKsiQIHqe.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
Source: C:\Users\user\Desktop\gVKsiQIHqe.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot

Malware Analysis System Evasion

Source: gVKsiQIHqe.exe Binary or memory string: DIR_WATCH.DLL
Source: gVKsiQIHqe.exe Binary or memory string: SBIEDLL.DLL
Source: gVKsiQIHqe.exe Binary or memory string: %HSWPESPY.DLLAVGHOOKX.DLLSBIEDLL.DLLSNXHK.DLLVMCHECK.DLLDIR_WATCH.DLLAPI_LOG.DLLPSTOREC.DLLAVGHOOKA.DLLCMDVRT64.DLLCMDVRT32.DLLIMAGE/JPEGCHAININGMODEAESCHAININGMODEGCMABCDEFGHIJKLMNOPQRSTUVWXYZABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789+/=UNKNOWN EXCEPTIONBAD ALLOCATION
Source: gVKsiQIHqe.exe Binary or memory string: API_LOG.DLL
Source: C:\Users\user\Desktop\gVKsiQIHqe.exe Evaded block: after key decision
Source: C:\Users\user\Desktop\gVKsiQIHqe.exe Evasive API call chain: GetSystemTime,DecisionNodes
Source: C:\Users\user\Desktop\gVKsiQIHqe.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\gVKsiQIHqe.exe Code function: 0_2_00409460 FindFirstFileA,FindFirstFileA,CopyFileA,CopyFileA,FindNextFileA,strlen,memcmp,??3@YAXPAX@Z,??3@YAXPAX@Z,StrCmpCA,FindClose, 0_2_00409460
Source: C:\Users\user\Desktop\gVKsiQIHqe.exe Code function: 0_2_00407060 FindFirstFileA,strlen,strlen,memcpy,OpenDesktopA,CreateDesktopA,lstrcpyA,lstrcpyA,strlen,Sleep,??3@YAXPAX@Z,??3@YAXPAX@Z,CreateProcessA,Sleep,strlen,Sleep,strlen,strlen,??3@YAXPAX@Z,CloseDesktop,_invalid_parameter_noinfo_noreturn, 0_2_00407060
Source: C:\Users\user\Desktop\gVKsiQIHqe.exe Code function: 0_2_00401730 FindFirstFileA,FindFirstFileA,FindClose,FindNextFileA,strlen,memcmp,strlen,memcmp,??3@YAXPAX@Z,??3@YAXPAX@Z,FindFirstFileA,FindFirstFileA,DeleteFileA,DeleteFileA,FindNextFileA,CopyFileA,CopyFileA,CopyFileA,CopyFileA,DeleteFileA,DeleteFileA,FindClose,_invalid_parameter_noinfo_noreturn, 0_2_00401730
Source: C:\Users\user\Desktop\gVKsiQIHqe.exe Code function: 0_2_0040A5D0 FindFirstFileA,FindFirstFileA,FindNextFileA,strlen,memcmp,??3@YAXPAX@Z,??3@YAXPAX@Z,StrCmpCA,StrCmpCA, 0_2_0040A5D0
Source: C:\Users\user\Desktop\gVKsiQIHqe.exe Code function: 0_2_00406FE0 FindFirstFileA,FindFirstFileA,??3@YAXPAX@Z,_invalid_parameter_noinfo_noreturn, 0_2_00406FE0
Source: C:\Users\user\Desktop\gVKsiQIHqe.exe Code function: 0_2_00413FF0 wsprintfA,FindFirstFileA,memset,memset,FindNextFileA,strlen,memcmp,strlen,memcmp,??3@YAXPAX@Z,??3@YAXPAX@Z,wsprintfA,StrCmpCA,wsprintfA,memset,lstrcatA,strtok_s,memset,lstrcatA,DeleteFileA,DeleteFileA,strtok_s,PathMatchSpecA,DeleteFileA,DeleteFileA,CopyFileA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,FindClose,_invalid_parameter_noinfo_noreturn,GetLogicalDriveStringsA,memset,GetDriveTypeA,lstrcpyA,lstrcpyA,lstrlenA, 0_2_00413FF0
Source: C:\Users\user\Desktop\gVKsiQIHqe.exe Code function: 0_2_0040C790 FindFirstFileA,FindFirstFileA,FindNextFileA,strlen,memcmp,strlen,memcmp,??3@YAXPAX@Z,??3@YAXPAX@Z,StrCmpCA,CopyFileA,CopyFileA,CopyFileA,DeleteFileA,DeleteFileA,FindClose,_invalid_parameter_noinfo_noreturn, 0_2_0040C790
Source: C:\Users\user\Desktop\gVKsiQIHqe.exe Code function: 0_2_004081B0 ExpandEnvironmentStringsA,FindFirstFileA,FindFirstFileA,FindNextFileA,strlen,memcmp,strlen,memcmp,??3@YAXPAX@Z,??3@YAXPAX@Z,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,DeleteFileA,StrCmpCA,StrCmpCA,CopyFileA,CopyFileA,CopyFileA,StrCmpCA,StrCmpCA,CopyFileA,CopyFileA,Sleep,StrCmpCA,StrCmpCA,CopyFileA,CopyFileA,DeleteFileA,memset,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,CopyFileA,CopyFileA,DeleteFileA,DeleteFileA,memset,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,FindClose,_invalid_parameter_noinfo_noreturn, 0_2_004081B0
Source: C:\Users\user\Desktop\gVKsiQIHqe.exe Code function: 0_2_0040BC30 wsprintfA,wsprintfA,FindFirstFileA,FindNextFileA,strlen,memcmp,strlen,memcmp,??3@YAXPAX@Z,??3@YAXPAX@Z,lstrlenA,lstrlenA,DeleteFileA,DeleteFileA,CopyFileA,CopyFileA,FindClose,_invalid_parameter_noinfo_noreturn, 0_2_0040BC30
Source: C:\Users\user\Desktop\gVKsiQIHqe.exe Code function: 0_2_004170D0 SHGetFolderPathA,wsprintfA,FindFirstFileA,FindNextFileA,FindNextFileA,FindNextFileA,strcpy,_splitpath,strcpy,strlen,isupper,wsprintfA,strcpy,strlen,SHFileOperationA,FindClose, 0_2_004170D0
Source: C:\Users\user\Desktop\gVKsiQIHqe.exe Code function: 0_2_00415700 HeapAlloc,GetProcessHeap,HeapAlloc,wsprintfA,FindFirstFileA,FindNextFileA,strlen,memcmp,strlen,memcmp,??3@YAXPAX@Z,??3@YAXPAX@Z,wsprintfA,CopyFileA,CopyFileA,DeleteFileA,DeleteFileA,FindClose,lstrcatA,lstrcatA,lstrlenA,lstrlenA,_invalid_parameter_noinfo_noreturn,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA, 0_2_00415700
Source: C:\Users\user\Desktop\gVKsiQIHqe.exe Code function: 0_2_00414BD0 wsprintfA,FindFirstFileA,FindNextFileA,strlen,memcmp,strlen,memcmp,??3@YAXPAX@Z,??3@YAXPAX@Z,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,FindClose,_invalid_parameter_noinfo_noreturn,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,lstrcatA,lstrcatA, 0_2_00414BD0
Source: C:\Users\user\Desktop\gVKsiQIHqe.exe Code function: 0_2_00410BA0 GetSystemInfo,wsprintfA, 0_2_00410BA0
Source: C:\Users\user\Desktop\gVKsiQIHqe.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\
Source: C:\Users\user\Desktop\gVKsiQIHqe.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\
Source: C:\Users\user\Desktop\gVKsiQIHqe.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\
Source: C:\Users\user\Desktop\gVKsiQIHqe.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\
Source: C:\Users\user\Desktop\gVKsiQIHqe.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\
Source: C:\Users\user\Desktop\gVKsiQIHqe.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\
Source: gVKsiQIHqe.exe, 00000000.00000002.3277818216.000000000083E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW``
Source: Web Data.8.dr Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
Source: Web Data.8.dr Binary or memory string: discord.comVMware20,11696428655f
Source: Web Data.8.dr Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
Source: Web Data.8.dr Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
Source: Web Data.8.dr Binary or memory string: global block list test formVMware20,11696428655
Source: Web Data.8.dr Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
Source: gVKsiQIHqe.exe, 00000000.00000002.3277818216.000000000089D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: Web Data.8.dr Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
Source: Web Data.8.dr Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
Source: Web Data.8.dr Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
Source: Web Data.8.dr Binary or memory string: secure.bankofamerica.comVMware20,11696428655|UE
Source: Web Data.8.dr Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
Source: Web Data.8.dr Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
Source: Web Data.8.dr Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
Source: Web Data.8.dr Binary or memory string: outlook.office365.comVMware20,11696428655t
Source: Web Data.8.dr Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
Source: Web Data.8.dr Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
Source: Web Data.8.dr Binary or memory string: outlook.office.comVMware20,11696428655s
Source: Web Data.8.dr Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
Source: Web Data.8.dr Binary or memory string: ms.portal.azure.comVMware20,11696428655
Source: Web Data.8.dr Binary or memory string: AMC password management pageVMware20,11696428655
Source: Web Data.8.dr Binary or memory string: tasks.office.comVMware20,11696428655o
Source: Web Data.8.dr Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
Source: Web Data.8.dr Binary or memory string: turbotax.intuit.comVMware20,11696428655t
Source: Web Data.8.dr Binary or memory string: interactivebrokers.comVMware20,11696428655
Source: Web Data.8.dr Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
Source: Web Data.8.dr Binary or memory string: dev.azure.comVMware20,11696428655j
Source: Web Data.8.dr Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
Source: Web Data.8.dr Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
Source: Web Data.8.dr Binary or memory string: bankofamerica.comVMware20,11696428655x
Source: Web Data.8.dr Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
Source: Web Data.8.dr Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655
Source: C:\Users\user\Desktop\gVKsiQIHqe.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\gVKsiQIHqe.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\gVKsiQIHqe.exe Code function: 0_2_004188E0 LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_004188E0
Source: C:\Users\user\Desktop\gVKsiQIHqe.exe Code function: 0_2_004011F0 mov eax, dword ptr fs:[00000030h] 0_2_004011F0
Source: C:\Users\user\Desktop\gVKsiQIHqe.exe Code function: 0_2_00401170 mov eax, dword ptr fs:[00000030h] 0_2_00401170
Source: C:\Users\user\Desktop\gVKsiQIHqe.exe Code function: 0_2_00401190 test dword ptr fs:[00000030h], 00000068h 0_2_00401190
Source: C:\Users\user\Desktop\gVKsiQIHqe.exe Code function: 0_2_004011B0 mov eax, dword ptr fs:[00000030h] 0_2_004011B0
Source: C:\Users\user\Desktop\gVKsiQIHqe.exe Code function: 0_2_004108E0 GetProcessHeap,HeapAlloc,GetComputerNameA, 0_2_004108E0

HIPS / PFW / Operating System Protection Evasion

Source: Yara match File source: Process Memory Space: gVKsiQIHqe.exe PID: 5564, type: MEMORYSTR
Source: C:\Users\user\Desktop\gVKsiQIHqe.exe Code function: 0_2_00411FA0 CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle,Process32Next,StrCmpCA,OpenProcess,TerminateProcess,CloseHandle, 0_2_00411FA0
Source: C:\Users\user\Desktop\gVKsiQIHqe.exe Code function: 0_2_00411ED0 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle, 0_2_00411ED0
Source: C:\Users\user\Desktop\gVKsiQIHqe.exe Code function: 0_2_004109F0 GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,GetLocaleInfoA,LocalFree, 0_2_004109F0
Source: C:\Users\user\Desktop\gVKsiQIHqe.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\Desktop\gVKsiQIHqe.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\gVKsiQIHqe.exe Code function: 0_2_0041D850 GetLocalTime,SystemTimeToFileTime,FileTimeToSystemTime,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z, 0_2_0041D850
Source: C:\Users\user\Desktop\gVKsiQIHqe.exe Code function: 0_2_004108B0 GetProcessHeap,HeapAlloc,GetUserNameA, 0_2_004108B0
Source: C:\Users\user\Desktop\gVKsiQIHqe.exe Code function: 0_2_00410990 HeapAlloc,GetProcessHeap,HeapAlloc,GetTimeZoneInformation,wsprintfA, 0_2_00410990
Source: C:\Users\user\Desktop\gVKsiQIHqe.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: Yara match File source: gVKsiQIHqe.exe, type: SAMPLE
Source: Yara match File source: sslproxydump.pcap, type: PCAP
Source: Yara match File source: 0.2.gVKsiQIHqe.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.gVKsiQIHqe.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: Process Memory Space: gVKsiQIHqe.exe PID: 5564, type: MEMORYSTR
Source: gVKsiQIHqe.exe, 00000000.00000002.3275591454.0000000000189000.00000004.00000010.00020000.00000000.sdmp String found in binary or memory: *electrum*.*
Source: gVKsiQIHqe.exe, 00000000.00000002.3276190906.00000000004DD000.00000004.00000001.01000000.00000003.sdmp String found in binary or memory: \ElectronCash\wallets\
Source: gVKsiQIHqe.exe, 00000000.00000002.3276190906.000000000059F000.00000004.00000001.01000000.00000003.sdmp String found in binary or memory: \Electrum\wallets\
Source: gVKsiQIHqe.exe, 00000000.00000002.3276190906.00000000004DD000.00000004.00000001.01000000.00000003.sdmp String found in binary or memory: window-state.json
Source: gVKsiQIHqe.exe, 00000000.00000002.3276190906.00000000004DD000.00000004.00000001.01000000.00000003.sdmp String found in binary or memory: exodus.conf.json
Source: gVKsiQIHqe.exe, 00000000.00000002.3276190906.00000000004DD000.00000004.00000001.01000000.00000003.sdmp String found in binary or memory: \Exodus\
Source: gVKsiQIHqe.exe, 00000000.00000002.3276190906.00000000004DD000.00000004.00000001.01000000.00000003.sdmp String found in binary or memory: info.seco
Source: gVKsiQIHqe.exe, 00000000.00000002.3276190906.000000000059F000.00000004.00000001.01000000.00000003.sdmp String found in binary or memory: ElectrumLTC
Source: gVKsiQIHqe.exe, 00000000.00000002.3276190906.00000000004DD000.00000004.00000001.01000000.00000003.sdmp String found in binary or memory: passphrase.json
Source: gVKsiQIHqe.exe, 00000000.00000002.3276190906.000000000059F000.00000004.00000001.01000000.00000003.sdmp String found in binary or memory: \Ethereum\
Source: gVKsiQIHqe.exe, 00000000.00000002.3275591454.0000000000189000.00000004.00000010.00020000.00000000.sdmp String found in binary or memory: *exodus*.*
Source: gVKsiQIHqe.exe, 00000000.00000002.3275591454.0000000000189000.00000004.00000010.00020000.00000000.sdmp String found in binary or memory: *ethereum*.*
Source: gVKsiQIHqe.exe, 00000000.00000002.3276190906.00000000004DD000.00000004.00000001.01000000.00000003.sdmp String found in binary or memory: nomi|0|\Coinomi\Coinomi\wallets\|*.config|0|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Chia Wallet|2|\.chia\mainnet\config\|*.*|0|Chia Wallet|2|\.chia\mainnet\run\|*.*|0|Chia Wallet|2|\.chia\mainnet\wallet\|*.sqlite|0|Komodo Wallet (Atomic)\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet (Atomic)\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: gVKsiQIHqe.exe, 00000000.00000002.3276190906.00000000004DD000.00000004.00000001.01000000.00000003.sdmp String found in binary or memory: \Exodus\exodus.wallet\
Source: gVKsiQIHqe.exe, 00000000.00000002.3276190906.00000000004DD000.00000004.00000001.01000000.00000003.sdmp String found in binary or memory: MultiDoge
Source: gVKsiQIHqe.exe, 00000000.00000002.3276190906.00000000004DD000.00000004.00000001.01000000.00000003.sdmp String found in binary or memory: seed.seco
Source: gVKsiQIHqe.exe, 00000000.00000002.3276190906.000000000059F000.00000004.00000001.01000000.00000003.sdmp String found in binary or memory: keystore
Source: gVKsiQIHqe.exe, 00000000.00000002.3276190906.000000000059F000.00000004.00000001.01000000.00000003.sdmp String found in binary or memory: \Electrum-LTC\wallets\
Source: C:\Users\user\Desktop\gVKsiQIHqe.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\monero-project\monero-core
Source: C:\Users\user\Desktop\gVKsiQIHqe.exe Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Configuration
Source: C:\Users\user\Desktop\gVKsiQIHqe.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\yiaxs5ej.default\key4.db
Source: C:\Users\user\Desktop\gVKsiQIHqe.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.files\key4.db
Source: C:\Users\user\Desktop\gVKsiQIHqe.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\chrome\idb\1451318868ntouromlalnodry--epcr.files\key4.db
Source: C:\Users\user\Desktop\gVKsiQIHqe.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Users\user\Desktop\gVKsiQIHqe.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\temporary\key4.db
Source: C:\Users\user\Desktop\gVKsiQIHqe.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\prefs.js
Source: C:\Users\user\Desktop\gVKsiQIHqe.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
Source: C:\Users\user\Desktop\gVKsiQIHqe.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\chrome\idb\3561288849sdhlie.files\key4.db
Source: C:\Users\user\Desktop\gVKsiQIHqe.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\Desktop\gVKsiQIHqe.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\sessionstore-backups\key4.db
Source: C:\Users\user\Desktop\gVKsiQIHqe.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\chrome\idb\2823318777ntouromlalnodry--naod.files\key4.db
Source: C:\Users\user\Desktop\gVKsiQIHqe.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\bookmarkbackups\key4.db
Source: C:\Users\user\Desktop\gVKsiQIHqe.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\datareporting\archived\2023-10\key4.db
Source: C:\Users\user\Desktop\gVKsiQIHqe.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\to-be-removed\key4.db
Source: C:\Users\user\Desktop\gVKsiQIHqe.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\datareporting\glean\db\key4.db
Source: C:\Users\user\Desktop\gVKsiQIHqe.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\datareporting\glean\events\key4.db
Source: C:\Users\user\Desktop\gVKsiQIHqe.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\security_state\key4.db
Source: C:\Users\user\Desktop\gVKsiQIHqe.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\datareporting\key4.db
Source: C:\Users\user\Desktop\gVKsiQIHqe.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\datareporting\glean\key4.db
Source: C:\Users\user\Desktop\gVKsiQIHqe.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite
Source: C:\Users\user\Desktop\gVKsiQIHqe.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\key4.db
Source: C:\Users\user\Desktop\gVKsiQIHqe.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\chrome\idb\2918063365piupsah.files\key4.db
Source: C:\Users\user\Desktop\gVKsiQIHqe.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite
Source: C:\Users\user\Desktop\gVKsiQIHqe.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\gVKsiQIHqe.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\Desktop\gVKsiQIHqe.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\key4.db
Source: C:\Users\user\Desktop\gVKsiQIHqe.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\crashes\key4.db
Source: C:\Users\user\Desktop\gVKsiQIHqe.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.files\key4.db
Source: C:\Users\user\Desktop\gVKsiQIHqe.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\datareporting\glean\pending_pings\key4.db
Source: C:\Users\user\Desktop\gVKsiQIHqe.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\key4.db
Source: C:\Users\user\Desktop\gVKsiQIHqe.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\chrome\idb\key4.db
Source: C:\Users\user\Desktop\gVKsiQIHqe.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\saved-telemetry-pings\key4.db
Source: C:\Users\user\Desktop\gVKsiQIHqe.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\minidumps\key4.db
Source: C:\Users\user\Desktop\gVKsiQIHqe.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\crashes\events\key4.db
Source: C:\Users\user\Desktop\gVKsiQIHqe.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\default\key4.db
Source: C:\Users\user\Desktop\gVKsiQIHqe.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\datareporting\glean\tmp\key4.db
Source: C:\Users\user\Desktop\gVKsiQIHqe.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\datareporting\archived\key4.db
Source: C:\Users\user\Desktop\gVKsiQIHqe.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\chrome\key4.db
Source: C:\Users\user\Desktop\gVKsiQIHqe.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\key4.db
Source: C:\Users\user\Desktop\gVKsiQIHqe.exe File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
Source: C:\Users\user\Desktop\gVKsiQIHqe.exe File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets\
Source: C:\Users\user\Desktop\gVKsiQIHqe.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
Source: C:\Users\user\Desktop\gVKsiQIHqe.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
Source: C:\Users\user\Desktop\gVKsiQIHqe.exe File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\
Source: C:\Users\user\Desktop\gVKsiQIHqe.exe File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\
Source: C:\Users\user\Desktop\gVKsiQIHqe.exe File opened: C:\Users\user\AppData\Roaming\Exodus\
Source: C:\Users\user\Desktop\gVKsiQIHqe.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: C:\Users\user\Desktop\gVKsiQIHqe.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: C:\Users\user\Desktop\gVKsiQIHqe.exe File opened: C:\Users\user\AppData\Roaming\Exodus\backups\
Source: C:\Users\user\Desktop\gVKsiQIHqe.exe File opened: C:\Users\user\AppData\Roaming\ElectronCash\wallets\
Source: C:\Users\user\Desktop\gVKsiQIHqe.exe File opened: C:\Users\user\AppData\Roaming\MultiDoge\
Source: C:\Users\user\Desktop\gVKsiQIHqe.exe File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb\
Source: C:\Users\user\Desktop\gVKsiQIHqe.exe File opened: C:\Users\user\AppData\Roaming\Binance\
Source: C:\Users\user\Desktop\gVKsiQIHqe.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\
Source: C:\Users\user\Desktop\gVKsiQIHqe.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\
Source: C:\Users\user\Desktop\gVKsiQIHqe.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live\Local Storage\leveldb\
Source: C:\Users\user\Desktop\gVKsiQIHqe.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live\Session Storage\
Source: C:\Users\user\Desktop\gVKsiQIHqe.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live\
Source: C:\Users\user\Desktop\gVKsiQIHqe.exe File opened: C:\Users\user\AppData\Roaming\atomic_qt\config\
Source: C:\Users\user\Desktop\gVKsiQIHqe.exe File opened: C:\Users\user\AppData\Roaming\atomic_qt\exports\
Source: C:\Users\user\Desktop\gVKsiQIHqe.exe File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\
Source: C:\Users\user\Desktop\gVKsiQIHqe.exe File opened: C:\Users\user\AppData\Roaming\Guarda\Local Storage\leveldb\
Source: Yara match File source: 00000000.00000002.3276190906.00000000004DD000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: gVKsiQIHqe.exe PID: 5564, type: MEMORYSTR

Remote Access Functionality

Source: C:\Users\user\Desktop\gVKsiQIHqe.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"
Source: Yara match File source: gVKsiQIHqe.exe, type: SAMPLE
Source: Yara match File source: sslproxydump.pcap, type: PCAP
Source: Yara match File source: 0.2.gVKsiQIHqe.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.gVKsiQIHqe.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: Process Memory Space: gVKsiQIHqe.exe PID: 5564, type: MEMORYSTR