Windows Analysis Report
SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe

Overview

General Information

Sample name:	SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe
Analysis ID:	1632195
MD5:	da8846245fb9ec49a3223f7731236c7f
SHA1:	73189b12b69dc840ab373861748ba7fa0f4859c9
SHA256:	a54c3a619f8fc2f69b09098a45f880c352de39c568235de9f988fce9bf8c6f48
Tags:	exeuser-SecuriteInfoCom
Infos:

Detection

Vidar

Score:	100
Range:	0 - 100
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Attempt to bypass Chrome Application-Bound Encryption

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected Vidar stealer

C2 URLs / IPs found in malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Joe Sandbox ML detected suspicious sample

Searches for specific processes (likely to inject)

Tries to harvest and steal Bitcoin Wallet information

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Crypto Currency Wallets

Contains functionality to dynamically determine API calls

Contains functionality to query locales information (e.g. system language)

Contains functionality to record screenshots

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Extensive use of GetProcAddress (often used to hide API calls)

Found decision node followed by non-executed suspicious APIs

Found evasive API chain (date check)

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains sections with non-standard names

Queries information about the installed CPU (vendor, model number etc)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Browser Started with Remote Debugging

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Yara detected Credential Stealer

Yara signature match

Classification

Malware Threat Intel
Provided by

Name	Description	Attribution	Blogpost URLs	Link
Vidar	Vidar is a forked malware based on Arkei. It seems this stealer is one of the first that is grabbing information on 2FA Software and Tor Browser.	No Attribution	https://0x00-0x7f.github.io/A-Case-of-Vidar-Infostealer-Part-1-(-Unpacking-)/ https://0x00-0x7f.github.io/A-Case-of-Vidar-Infostealer-Part-2/ https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/vidar-stealer-h-and-m-campaign https://0xtoxin.github.io/malware%20analysis/Vidar-Stealer-Campaign/ https://asec.ahnlab.com/en/22932/	https://malpedia.caad.fkie.fraunhofer.de/details/win.vidar

Signatures

AV Detection

Antivirus / Scanner detection for submitted sample

Source: SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe

Avira: detected

Antivirus detection for URL or domain

Source: https://go.f.goldenloafuae.com/	Avira URL Cloud: Label: malware
Source: https://go.f.goldenloafuae.com/ozilla	Avira URL Cloud: Label: malware
Source: https://go.f.goldenloafuae.com/z	Avira URL Cloud: Label: malware
Source: https://go.f.goldenloafuae.com/5	Avira URL Cloud: Label: malware
Source: https://go.f.goldenloafuae.com/t	Avira URL Cloud: Label: malware
Source: https://go.f.goldenloafuae.com/N	Avira URL Cloud: Label: malware
Source: https://go.f.goldenloafuae.com	Avira URL Cloud: Label: malware
Source: https://go.f.goldenloafuae.com/%	Avira URL Cloud: Label: malware
Source: https://go.f.goldenloafuae.com/g	Avira URL Cloud: Label: malware
Source: https://go.f.goldenloafuae.com/d	Avira URL Cloud: Label: malware

Found malware configuration

Source: SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe

Malware Configuration Extractor: Vidar {"C2 url": "https://steamcommunity.com/profiles/76561199829660832", "Botnet": "ir7am"}

Multi AV Scanner detection for submitted file

Source: SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	Virustotal: Detection: 65%			Perma Link
Source: SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	ReversingLabs: Detection: 57%

Joe Sandbox ML detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Uses Microsoft's Enhanced Cryptographic Provider

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	Code function: 1_2_00406A10 StrStrA,lstrlenA,LocalAlloc,CryptUnprotectData,LocalAlloc,LocalFree,lstrlenA,	1_2_00406A10
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	Code function: 1_2_00410830 CryptBinaryToStringA,GetProcessHeap,RtlAllocateHeap,CryptBinaryToStringA,GetLastError,GetProcessHeap,HeapFree,	1_2_00410830
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	Code function: 1_2_0040A150 BCryptCloseAlgorithmProvider,BCryptDestroyKey,BCryptCloseAlgorithmProvider,	1_2_0040A150
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	Code function: 1_2_00406CF0 LocalAlloc,BCryptDecrypt,	1_2_00406CF0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	Code function: 1_2_00406940 BCryptCloseAlgorithmProvider,BCryptDestroyKey,	1_2_00406940
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	Code function: 1_2_0040A560 StrCmpCA,BCryptCloseAlgorithmProvider,BCryptDestroyKey,BCryptCloseAlgorithmProvider,BCryptDestroyKey,	1_2_0040A560
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	Code function: 1_2_00406980 BCryptOpenAlgorithmProvider,BCryptSetProperty,BCryptGenerateSymmetricKey,BCryptCloseAlgorithmProvider,BCryptDestroyKey,	1_2_00406980

Uses 32bit PE files

Source: SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 149.154.167.99:443 -> 192.168.2.4:49710 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 95.217.27.252:443 -> 192.168.2.4:49714 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 95.217.27.252:443 -> 192.168.2.4:49717 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 95.217.27.252:443 -> 192.168.2.4:49718 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 204.79.197.222:443 -> 192.168.2.4:49720 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 95.217.27.252:443 -> 192.168.2.4:49725 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 95.217.27.252:443 -> 192.168.2.4:49726 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 95.217.27.252:443 -> 192.168.2.4:49727 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 95.217.27.252:443 -> 192.168.2.4:49728 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 95.217.27.252:443 -> 192.168.2.4:49729 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 95.217.27.252:443 -> 192.168.2.4:49755 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 95.217.27.252:443 -> 192.168.2.4:49756 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 95.217.27.252:443 -> 192.168.2.4:49757 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 95.217.27.252:443 -> 192.168.2.4:49760 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 95.217.27.252:443 -> 192.168.2.4:49762 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 95.217.27.252:443 -> 192.168.2.4:49764 version: TLS 1.2

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	Code function: 1_2_00414E70 wsprintfA,FindFirstFileA,DeleteFileA,FindNextFileA,strlen,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,CopyFileA,FindClose,	1_2_00414E70
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	Code function: 1_2_00407210 ExpandEnvironmentStringsA,FindFirstFileA,FindNextFileA,strlen,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,CopyFileA,StrCmpCA,CopyFileA,Sleep,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,CopyFileA,DeleteFileA,StrCmpCA,memset,lstrcatA,lstrcatA,lstrcatA,lstrcatA,CopyFileA,DeleteFileA,memset,lstrcatA,lstrcatA,lstrcatA,lstrcatA,FindClose,	1_2_00407210
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	Code function: 1_2_0040B6B0 FindFirstFileA,FindNextFileA,strlen,StrCmpCA,CopyFileA,Sleep,DeleteFileA,FindClose,	1_2_0040B6B0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	Code function: 1_2_00415EB0 SHGetFolderPathA,wsprintfA,FindFirstFileA,FindNextFileA,FindNextFileA,FindNextFileA,strcpy,_splitpath,strcpy,strlen,isupper,wsprintfA,strcpy,strlen,SHFileOperationA,FindClose,	1_2_00415EB0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	Code function: 1_2_00408360 FindFirstFileA,CopyFileA,FindNextFileA,FindNextFileA,FindNextFileA,strlen,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,FindClose,	1_2_00408360
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	Code function: 1_2_00413FD0 wsprintfA,FindFirstFileA,FindNextFileA,strlen,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,FindClose,	1_2_00413FD0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	Code function: 1_2_004013F0 FindFirstFileA,FindClose,FindNextFileA,strlen,FindFirstFileA,DeleteFileA,FindNextFileA,CopyFileA,CopyFileA,DeleteFileA,FindClose,	1_2_004013F0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	Code function: 1_2_00413580 wsprintfA,FindFirstFileA,memset,memset,FindNextFileA,strlen,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,memset,lstrcatA,strtok_s,SymMatchString,strtok_s,memset,lstrcatA,strtok_s,PathMatchSpecA,DeleteFileA,DeleteFileA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindClose,	1_2_00413580
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	Code function: 1_2_004097B0 FindFirstFileA,FindNextFileA,strlen,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,	1_2_004097B0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	Code function: 1_2_0040ACD0 wsprintfA,FindFirstFileA,FindNextFileA,FindNextFileA,FindNextFileA,strlen,lstrlenA,DeleteFileA,CopyFileA,FindClose,	1_2_0040ACD0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	Code function: 1_2_00408C90 lstrcpyA,lstrcatA,FindFirstFileA,FindNextFileA,strlen,lstrcpyA,lstrcatA,lstrcatA,lstrcatA,memset,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcpyA,lstrcatA,lstrcatA,lstrcatA,CopyFileA,CopyFileA,CopyFileA,CopyFileA,CopyFileA,CopyFileA,CopyFileA,CopyFileA,CopyFileA,CopyFileA,FindFirstFileA,FindNextFileA,strlen,lstrcpyA,lstrcatA,lstrcatA,lstrcatA,lstrcpyA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,CopyFileA,FindClose,FindClose,DeleteFileA,_invalid_parameter_noinfo_noreturn,	1_2_00408C90
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	Code function: 1_2_00414950 GetProcessHeap,HeapAlloc,wsprintfA,FindFirstFileA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,strlen,FindClose,lstrcatA,lstrcatA,lstrcatA,lstrlenA,lstrlenA,	1_2_00414950
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	Code function: 1_2_00409560 ??2@YAPAXI@Z,??2@YAPAXI@Z,_invalid_parameter_noinfo_noreturn,FindFirstFileA,FindNextFileA,strlen,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,	1_2_00409560

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe

Code function: 1_2_00413AF0 SymMatchString,SymMatchString,SymMatchString,GetLogicalDriveStringsA,memset,GetDriveTypeA,lstrcpyA,lstrcpyA,lstrcpyA,lstrlenA,

1_2_00413AF0

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\	Jump to behavior

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.4:49752 -> 95.217.27.252:443
Source: Network traffic	Suricata IDS: 2049087 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M1 : 192.168.2.4:49718 -> 95.217.27.252:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.4:49751 -> 95.217.27.252:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.4:49725 -> 95.217.27.252:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.4:49758 -> 95.217.27.252:443
Source: Network traffic	Suricata IDS: 2859636 - Severity 1 - ETPRO MALWARE Vidar/StealC CnC Exfil via SQL Database (POST) : 192.168.2.4:49758 -> 95.217.27.252:443
Source: Network traffic	Suricata IDS: 2859378 - Severity 1 - ETPRO MALWARE Win32/Stealc/Vidar Stealer Host Details Exfil (POST) M2 : 192.168.2.4:49717 -> 95.217.27.252:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.4:49728 -> 95.217.27.252:443
Source: Network traffic	Suricata IDS: 2859636 - Severity 1 - ETPRO MALWARE Vidar/StealC CnC Exfil via SQL Database (POST) : 192.168.2.4:49728 -> 95.217.27.252:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.4:49755 -> 95.217.27.252:443
Source: Network traffic	Suricata IDS: 2859636 - Severity 1 - ETPRO MALWARE Vidar/StealC CnC Exfil via SQL Database (POST) : 192.168.2.4:49755 -> 95.217.27.252:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.4:49729 -> 95.217.27.252:443
Source: Network traffic	Suricata IDS: 2859636 - Severity 1 - ETPRO MALWARE Vidar/StealC CnC Exfil via SQL Database (POST) : 192.168.2.4:49729 -> 95.217.27.252:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.4:49754 -> 95.217.27.252:443
Source: Network traffic	Suricata IDS: 2859636 - Severity 1 - ETPRO MALWARE Vidar/StealC CnC Exfil via SQL Database (POST) : 192.168.2.4:49754 -> 95.217.27.252:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.4:49757 -> 95.217.27.252:443
Source: Network traffic	Suricata IDS: 2859636 - Severity 1 - ETPRO MALWARE Vidar/StealC CnC Exfil via SQL Database (POST) : 192.168.2.4:49757 -> 95.217.27.252:443
Source: Network traffic	Suricata IDS: 2044247 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config : 95.217.27.252:443 -> 192.168.2.4:49722
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.4:49727 -> 95.217.27.252:443
Source: Network traffic	Suricata IDS: 2859636 - Severity 1 - ETPRO MALWARE Vidar/StealC CnC Exfil via SQL Database (POST) : 192.168.2.4:49727 -> 95.217.27.252:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.4:49726 -> 95.217.27.252:443
Source: Network traffic	Suricata IDS: 2051831 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config M1 : 95.217.27.252:443 -> 192.168.2.4:49724
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.4:49756 -> 95.217.27.252:443
Source: Network traffic	Suricata IDS: 2859636 - Severity 1 - ETPRO MALWARE Vidar/StealC CnC Exfil via SQL Database (POST) : 192.168.2.4:49756 -> 95.217.27.252:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.4:49753 -> 95.217.27.252:443
Source: Network traffic	Suricata IDS: 2859636 - Severity 1 - ETPRO MALWARE Vidar/StealC CnC Exfil via SQL Database (POST) : 192.168.2.4:49753 -> 95.217.27.252:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.4:49761 -> 95.217.27.252:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.4:49762 -> 95.217.27.252:443

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: https://steamcommunity.com/profiles/76561199829660832

HTTP GET or POST without a user agent

Source: global traffic

HTTP traffic detected: GET /l793oy HTTP/1.1Host: t.meConnection: Keep-AliveCache-Control: no-cache

IP address seen in connection with other malware

Source: Joe Sandbox View	IP Address: 149.154.167.99 149.154.167.99
Source: Joe Sandbox View	IP Address: 149.154.167.99 149.154.167.99

Internet Provider seen in connection with other malware

Source: Joe Sandbox View

ASN Name: HETZNER-ASDE HETZNER-ASDE

JA3 SSL client fingerprint seen in connection with other malware

Source: Joe Sandbox View	JA3 fingerprint: 28a2c9bd18a11de089ef85a160da29e4
Source: Joe Sandbox View	JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.27
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.27
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.27
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.27
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.27
Source: unknown	TCP traffic detected without corresponding DNS query: 131.253.33.254
Source: unknown	TCP traffic detected without corresponding DNS query: 131.253.33.254
Source: unknown	TCP traffic detected without corresponding DNS query: 131.253.33.254
Source: unknown	TCP traffic detected without corresponding DNS query: 131.253.33.254
Source: unknown	TCP traffic detected without corresponding DNS query: 131.253.33.254
Source: unknown	TCP traffic detected without corresponding DNS query: 131.253.33.254
Source: unknown	TCP traffic detected without corresponding DNS query: 131.253.33.254
Source: unknown	TCP traffic detected without corresponding DNS query: 131.253.33.254
Source: unknown	TCP traffic detected without corresponding DNS query: 131.253.33.254
Source: unknown	TCP traffic detected without corresponding DNS query: 131.253.33.254
Source: unknown	TCP traffic detected without corresponding DNS query: 131.253.33.254
Source: unknown	TCP traffic detected without corresponding DNS query: 131.253.33.254
Source: unknown	TCP traffic detected without corresponding DNS query: 131.253.33.254
Source: unknown	TCP traffic detected without corresponding DNS query: 131.253.33.254
Source: unknown	TCP traffic detected without corresponding DNS query: 131.253.33.254
Source: unknown	TCP traffic detected without corresponding DNS query: 131.253.33.254
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.222
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.222
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.222
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.222
Source: unknown	TCP traffic detected without corresponding DNS query: 142.250.186.131
Source: unknown	TCP traffic detected without corresponding DNS query: 142.250.186.131
Source: unknown	TCP traffic detected without corresponding DNS query: 142.250.186.131
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.222
Source: unknown	TCP traffic detected without corresponding DNS query: 142.250.186.131
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.222
Source: unknown	TCP traffic detected without corresponding DNS query: 142.250.186.131
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.27
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.222
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.222
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.222
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.222
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.27
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.222
Source: unknown	TCP traffic detected without corresponding DNS query: 142.250.186.131
Source: unknown	TCP traffic detected without corresponding DNS query: 142.250.186.131
Source: unknown	TCP traffic detected without corresponding DNS query: 52.113.196.254
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe

Code function: 1_2_00403850 InternetOpenA,StrCmpCA,InternetConnectA,HttpOpenRequestA,InternetSetOptionA,HttpSendRequestA,HttpQueryInfoA,InternetReadFile,InternetCloseHandle,InternetCloseHandle,

1_2_00403850

Source: global traffic	HTTP traffic detected: GET /l793oy HTTP/1.1Host: t.meConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome/131.0.0.0 Safari/537.36 OPR/116.0.0.0Host: go.f.goldenloafuae.comConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /async/newtab_ogb?hl=en-US&async=fixed:0 HTTP/1.1Host: www.google.comConnection: keep-aliveX-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEI0qDKAQig4coBCJKhywEInP7MAQiFoM0BCL7VzgEIgNbOAQjB2M4BCMjczgEIiuDOAQiu5M4BCIvlzgE=Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /async/ddljson?async=ntp:2 HTTP/1.1Host: www.google.comConnection: keep-aliveSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=&oit=0&oft=1&pgcl=20&gs_rn=42&sugkey=AIzaSyA2KlwBX3mkFo30om9LUFYQhpqLoa_BNhE HTTP/1.1Host: www.google.comConnection: keep-aliveX-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEI0qDKAQig4coBCJKhywEInP7MAQiFoM0BCL7VzgEIgNbOAQjB2M4BCMjczgEIiuDOAQiu5M4BCIvlzgE=Sec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /async/newtab_promos HTTP/1.1Host: www.google.comConnection: keep-aliveSec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptySec-Fetch-Storage-Access: activeUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /r/gsr1.crl HTTP/1.1Cache-Control: max-age = 3000Connection: Keep-AliveAccept: /If-Modified-Since: Tue, 07 Jan 2025 07:28:00 GMTUser-Agent: Microsoft-CryptoAPI/10.0Host: c.pki.goog
Source: global traffic	HTTP traffic detected: GET /r/r4.crl HTTP/1.1Cache-Control: max-age = 3000Connection: Keep-AliveAccept: /If-Modified-Since: Thu, 25 Jul 2024 14:48:00 GMTUser-Agent: Microsoft-CryptoAPI/10.0Host: c.pki.goog

Source: global traffic	DNS traffic detected: DNS query: t.me
Source: global traffic	DNS traffic detected: DNS query: go.f.goldenloafuae.com
Source: global traffic	DNS traffic detected: DNS query: www.google.com

Source: unknown

HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----n790h479zmglf3ecjectUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome/131.0.0.0 Safari/537.36 OPR/116.0.0.0Host: go.f.goldenloafuae.comContent-Length: 256Connection: Keep-AliveCache-Control: no-cache

Source: kfuaiw.1.dr	String found in binary or memory: https://ac.ecosia.org?q=
Source: SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe, 00000001.00000002.1989565252.0000000003303000.00000004.00000020.00020000.00000000.sdmp, m7ymoh.1.dr	String found in binary or memory: https://bridge.lga1.admarketplace.net/ctp?version=16.0.0&key=1696332238301000001.2&ci=1696332238417.
Source: SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe, 00000001.00000002.1989565252.0000000003303000.00000004.00000020.00020000.00000000.sdmp, m7ymoh.1.dr	String found in binary or memory: https://bridge.lga1.ap01.net/ctp?version=16.0.0&key=1696332238301000001.1&ci=1696332238417.12791&cta
Source: kfuaiw.1.dr	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe, 00000001.00000002.1989813367.000000000356B000.00000004.00000020.00020000.00000000.sdmp, kfuaiw.1.dr	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe, 00000001.00000002.1989813367.000000000356B000.00000004.00000020.00020000.00000000.sdmp, kfuaiw.1.dr	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe, 00000001.00000002.1989565252.0000000003303000.00000004.00000020.00020000.00000000.sdmp, m7ymoh.1.dr	String found in binary or memory: https://contile-images.services.mozilla.com/0TegrVVRalreHILhR2WvtD_CFzj13HCDcLqqpvXSOuY.10862.jpg
Source: SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe, 00000001.00000002.1989565252.0000000003303000.00000004.00000020.00020000.00000000.sdmp, m7ymoh.1.dr	String found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
Source: kfuaiw.1.dr	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe, 00000001.00000002.1989813367.000000000356B000.00000004.00000020.00020000.00000000.sdmp, kfuaiw.1.dr	String found in binary or memory: https://duckduckgo.com/chrome_newtabv20
Source: kfuaiw.1.dr	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: kfuaiw.1.dr	String found in binary or memory: https://gemini.google.com/app?q=
Source: SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe, 00000001.00000002.1988758260.00000000004EB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://go.f.goldenloafuae.com
Source: SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe, 00000001.00000002.1988758260.00000000004C0000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe, 00000001.00000003.1415731105.000000000051F000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe, 00000001.00000002.1989565252.000000000332B000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe, 00000001.00000003.1320074974.00000000004FE000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe, 00000001.00000003.1385868320.000000000051F000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe, 00000001.00000003.1415703142.00000000004FE000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe, 00000001.00000003.1349855443.00000000004FE000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe, 00000001.00000003.1385816045.00000000004FE000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe, 00000001.00000003.1440465464.000000000051F000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe, 00000001.00000002.1988758260.00000000004EB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://go.f.goldenloafuae.com/
Source: SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe, 00000001.00000003.1320074974.00000000004FE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://go.f.goldenloafuae.com/%
Source: SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe, 00000001.00000003.1320074974.00000000004FE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://go.f.goldenloafuae.com/5
Source: SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe, 00000001.00000003.1415731105.000000000051F000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe, 00000001.00000003.1415703142.00000000004FE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://go.f.goldenloafuae.com/N
Source: SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe, 00000001.00000003.1440465464.000000000051F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://go.f.goldenloafuae.com/T
Source: SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe, 00000001.00000003.1415731105.000000000051F000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe, 00000001.00000003.1385868320.000000000051F000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe, 00000001.00000003.1415703142.00000000004FE000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe, 00000001.00000003.1385816045.00000000004FE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://go.f.goldenloafuae.com/d
Source: SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe, 00000001.00000003.1440465464.000000000051F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://go.f.goldenloafuae.com/g
Source: SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe, 00000001.00000002.1988758260.00000000004EB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://go.f.goldenloafuae.com/ozilla
Source: SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe, 00000001.00000003.1320074974.00000000004FE000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe, 00000001.00000003.1349855443.00000000004FE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://go.f.goldenloafuae.com/t
Source: SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe, 00000001.00000003.1415731105.000000000051F000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe, 00000001.00000003.1415703142.00000000004FE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://go.f.goldenloafuae.com/z
Source: SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe, 00000001.00000003.1349855443.00000000004FE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://go.f.goldenloafuae.com5
Source: SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe, 00000001.00000003.1320074974.00000000004FE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://go.f.goldenloafuae.comV
Source: SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe, 00000001.00000003.1320074974.00000000004FE000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe, 00000001.00000003.1349855443.00000000004FE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://go.f.goldenloafuae.comX
Source: SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe, 00000001.00000003.1440465464.000000000051F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://go.f.goldenloafuae.comi
Source: m7ymoh.1.dr	String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4QqmfZfYfQfafZbXfpbWfpbX7ReNxR3UIG8zInwYIFIVs9eYi
Source: SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	String found in binary or memory: https://steamcommunity.com/profiles/76561199829660832
Source: SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	String found in binary or memory: https://steamcommunity.com/profiles/76561199829660832ir7amMozilla/5.0
Source: SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe, 00000001.00000002.1990989469.0000000003BC1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe, 00000001.00000002.1990989469.0000000003BC1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
Source: SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe, 00000001.00000002.1988758260.00000000004A9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/
Source: SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	String found in binary or memory: https://t.me/l793oy
Source: SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe, 00000001.00000002.1988758260.000000000047E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/l793oyE
Source: SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe, 00000001.00000002.1988758260.000000000047E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/l793oy_
Source: SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	String found in binary or memory: https://t.me/l793oyir7amMozilla/5.0
Source: SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe, 00000001.00000003.1252648727.0000000000502000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://web.telegram.org
Source: SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe, 00000001.00000002.1989565252.0000000003303000.00000004.00000020.00020000.00000000.sdmp, m7ymoh.1.dr	String found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_7548d4575af019e4c148ccf1a78112802e66a0816a72fc94
Source: SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe, 00000001.00000002.1989813367.000000000356B000.00000004.00000020.00020000.00000000.sdmp, kfuaiw.1.dr	String found in binary or memory: https://www.ecosia.org/newtab/v20
Source: SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe, 00000001.00000002.1989565252.0000000003303000.00000004.00000020.00020000.00000000.sdmp, m7ymoh.1.dr	String found in binary or memory: https://www.expedia.com/?locale=en_US&siteid=1&semcid=US.UB.ADMARKETPLACE.GT-C-EN.HOTEL&SEMDTL=a1219
Source: SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe, 00000001.00000002.1989813367.000000000356B000.00000004.00000020.00020000.00000000.sdmp, kfuaiw.1.dr	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_alldp.ico
Source: SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe, 00000001.00000002.1990989469.0000000003BC1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.VsJpOAWrHqB2
Source: SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe, 00000001.00000002.1990989469.0000000003BC1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.n0g9CLHwD9nR
Source: SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe, 00000001.00000002.1990989469.0000000003BC1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe, 00000001.00000002.1990989469.0000000003BC1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe, 00000001.00000002.1990989469.0000000003BC1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.

Source: unknown	Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown	Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 49727 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49762 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49717 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 49759 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown	Network traffic detected: HTTP traffic on port 49753 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown	Network traffic detected: HTTP traffic on port 49671 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49724 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49728 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49763 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49729
Source: unknown	Network traffic detected: HTTP traffic on port 49752 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49728
Source: unknown	Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49727
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49726
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49725
Source: unknown	Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49724
Source: unknown	Network traffic detected: HTTP traffic on port 49756 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown	Network traffic detected: HTTP traffic on port 49758 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49764
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49763
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49762
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49761
Source: unknown	Network traffic detected: HTTP traffic on port 49678 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49760
Source: unknown	Network traffic detected: HTTP traffic on port 49725 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49729 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49760 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49764 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49722 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown	Network traffic detected: HTTP traffic on port 49751 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown	Network traffic detected: HTTP traffic on port 49680 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49759
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49758
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49757
Source: unknown	Network traffic detected: HTTP traffic on port 49755 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49756
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49755
Source: unknown	Network traffic detected: HTTP traffic on port 49757 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown	Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49754
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49753
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49752
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49751
Source: unknown	Network traffic detected: HTTP traffic on port 49726 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49761 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49709
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown	Network traffic detected: HTTP traffic on port 49754 -> 443

Source: unknown	HTTPS traffic detected: 149.154.167.99:443 -> 192.168.2.4:49710 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 95.217.27.252:443 -> 192.168.2.4:49714 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 95.217.27.252:443 -> 192.168.2.4:49717 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 95.217.27.252:443 -> 192.168.2.4:49718 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 204.79.197.222:443 -> 192.168.2.4:49720 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 95.217.27.252:443 -> 192.168.2.4:49725 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 95.217.27.252:443 -> 192.168.2.4:49726 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 95.217.27.252:443 -> 192.168.2.4:49727 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 95.217.27.252:443 -> 192.168.2.4:49728 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 95.217.27.252:443 -> 192.168.2.4:49729 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 95.217.27.252:443 -> 192.168.2.4:49755 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 95.217.27.252:443 -> 192.168.2.4:49756 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 95.217.27.252:443 -> 192.168.2.4:49757 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 95.217.27.252:443 -> 192.168.2.4:49760 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 95.217.27.252:443 -> 192.168.2.4:49762 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 95.217.27.252:443 -> 192.168.2.4:49764 version: TLS 1.2

Contains functionality to record screenshots

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe

Code function: 1_2_00410A90 CreateStreamOnHGlobal,GetDesktopWindow,GetWindowRect,GetDC,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,malloc,StrCmpCW,GetHGlobalFromStream,GlobalLock,GlobalSize,SelectObject,DeleteObject,DeleteObject,DeleteObject,ReleaseDC,CloseWindow,

1_2_00410A90

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe

Code function: 1_2_00406480 memcpy,OpenDesktopA,CreateDesktopA,lstrcpyA,CreateProcessA,Sleep,CloseDesktop,

1_2_00406480

System Summary

Malicious sample detected (through community Yara rule)

Source: SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe, type: SAMPLE	Matched rule: Finds Vidar samples based on the specific strings Author: Sekoia.io
Source: 1.2.SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Finds Vidar samples based on the specific strings Author: Sekoia.io
Source: 1.0.SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Finds Vidar samples based on the specific strings Author: Sekoia.io

Detected potential crypto function

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	Code function: 1_2_00404A20	1_2_00404A20
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	Code function: 1_2_00418630	1_2_00418630
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	Code function: 1_2_0041B770	1_2_0041B770
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	Code function: 1_2_0041B300	1_2_0041B300
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	Code function: 1_2_0041C100	1_2_0041C100
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	Code function: 1_2_004193D0	1_2_004193D0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	Code function: 1_2_0041A7D0	1_2_0041A7D0

Found potential string decryption / allocating functions

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	Code function: String function: 00410D00 appears 42 times
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	Code function: String function: 0040F5B0 appears 135 times

Sample file is different than original file name gathered from version info

Source: SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe, 00000001.00000002.1988758260.00000000004EB000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: OriginalFilenameCmd.Exe.MUIj% vs SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe

Uses 32bit PE files

Source: SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Yara signature match

Source: SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe, type: SAMPLE	Matched rule: infostealer_win_vidar_strings_nov23 author = Sekoia.io, description = Finds Vidar samples based on the specific strings, creation_date = 2023-11-10, classification = TLP:CLEAR, version = 1.0, reference = https://twitter.com/crep1x/status/1722652451319202242, id = b2c17627-f9b8-4401-b657-1cce560edc76
Source: 1.2.SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: infostealer_win_vidar_strings_nov23 author = Sekoia.io, description = Finds Vidar samples based on the specific strings, creation_date = 2023-11-10, classification = TLP:CLEAR, version = 1.0, reference = https://twitter.com/crep1x/status/1722652451319202242, id = b2c17627-f9b8-4401-b657-1cce560edc76
Source: 1.0.SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: infostealer_win_vidar_strings_nov23 author = Sekoia.io, description = Finds Vidar samples based on the specific strings, creation_date = 2023-11-10, classification = TLP:CLEAR, version = 1.0, reference = https://twitter.com/crep1x/status/1722652451319202242, id = b2c17627-f9b8-4401-b657-1cce560edc76

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@22/16@4/5

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe

Code function: 1_2_00411250 CreateToolhelp32Snapshot,Process32First,StrCmpCA,Process32Next,StrCmpCA,CloseHandle,

1_2_00411250

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\6P7UCZ98.htm

Jump to behavior

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4936:120:WilError_03

Source: SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe

File read: C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1002\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: ozcb1d2no.1.dr

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	Virustotal: Detection: 65%
Source: SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	ReversingLabs: Detection: 57%

Source: unknown	Process created: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=2220,i,9774722909908192130,17750005277753749404,262144 --variations-seed-version=20250306-183004.429000 --mojo-platform-channel-handle=2160 /prefetch:3
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c timeout /t 11 & rd /s /q "C:\ProgramData\9h4wb" & exit
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 11
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c timeout /t 11 & rd /s /q "C:\ProgramData\9h4wb" & exit	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=2220,i,9774722909908192130,17750005277753749404,262144 --variations-seed-version=20250306-183004.429000 --mojo-platform-channel-handle=2160 /prefetch:3	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 11	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	Section loaded: windows.fileexplorer.common.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\SysWOW64\timeout.exe	Section loaded: version.dll	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32

Jump to behavior

Source: SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Contains functionality to dynamically determine API calls

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe

Code function: 1_2_004108E0 LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

1_2_004108E0

PE file contains sections with non-standard names

Source: SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe

Static PE information: section name: .00cfg

Extensive use of GetProcAddress (often used to hide API calls)

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe

1_2_004108E0

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe

Process information set: NOOPENFILEERRORBOX

Jump to behavior

Found decision node followed by non-executed suspicious APIs

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe

Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)

Found evasive API chain (date check)

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe

Evasive API call chain: GetSystemTime,DecisionNodes

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Windows\SysWOW64\timeout.exe TID: 4704

Thread sleep count: 100 > 30

Jump to behavior

Sample execution stops while process was sleeping (likely an evasion)

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe

File Volume queried: C:\ FullSizeInformation

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	Code function: 1_2_00414E70 wsprintfA,FindFirstFileA,DeleteFileA,FindNextFileA,strlen,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,CopyFileA,FindClose,	1_2_00414E70
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	Code function: 1_2_00407210 ExpandEnvironmentStringsA,FindFirstFileA,FindNextFileA,strlen,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,CopyFileA,StrCmpCA,CopyFileA,Sleep,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,CopyFileA,DeleteFileA,StrCmpCA,memset,lstrcatA,lstrcatA,lstrcatA,lstrcatA,CopyFileA,DeleteFileA,memset,lstrcatA,lstrcatA,lstrcatA,lstrcatA,FindClose,	1_2_00407210
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	Code function: 1_2_0040B6B0 FindFirstFileA,FindNextFileA,strlen,StrCmpCA,CopyFileA,Sleep,DeleteFileA,FindClose,	1_2_0040B6B0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	Code function: 1_2_00415EB0 SHGetFolderPathA,wsprintfA,FindFirstFileA,FindNextFileA,FindNextFileA,FindNextFileA,strcpy,_splitpath,strcpy,strlen,isupper,wsprintfA,strcpy,strlen,SHFileOperationA,FindClose,	1_2_00415EB0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	Code function: 1_2_00408360 FindFirstFileA,CopyFileA,FindNextFileA,FindNextFileA,FindNextFileA,strlen,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,FindClose,	1_2_00408360
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	Code function: 1_2_00413FD0 wsprintfA,FindFirstFileA,FindNextFileA,strlen,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,FindClose,	1_2_00413FD0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	Code function: 1_2_004013F0 FindFirstFileA,FindClose,FindNextFileA,strlen,FindFirstFileA,DeleteFileA,FindNextFileA,CopyFileA,CopyFileA,DeleteFileA,FindClose,	1_2_004013F0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	Code function: 1_2_00413580 wsprintfA,FindFirstFileA,memset,memset,FindNextFileA,strlen,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,memset,lstrcatA,strtok_s,SymMatchString,strtok_s,memset,lstrcatA,strtok_s,PathMatchSpecA,DeleteFileA,DeleteFileA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindClose,	1_2_00413580
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	Code function: 1_2_004097B0 FindFirstFileA,FindNextFileA,strlen,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,	1_2_004097B0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	Code function: 1_2_0040ACD0 wsprintfA,FindFirstFileA,FindNextFileA,FindNextFileA,FindNextFileA,strlen,lstrlenA,DeleteFileA,CopyFileA,FindClose,	1_2_0040ACD0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	Code function: 1_2_00408C90 lstrcpyA,lstrcatA,FindFirstFileA,FindNextFileA,strlen,lstrcpyA,lstrcatA,lstrcatA,lstrcatA,memset,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcpyA,lstrcatA,lstrcatA,lstrcatA,CopyFileA,CopyFileA,CopyFileA,CopyFileA,CopyFileA,CopyFileA,CopyFileA,CopyFileA,CopyFileA,CopyFileA,FindFirstFileA,FindNextFileA,strlen,lstrcpyA,lstrcatA,lstrcatA,lstrcatA,lstrcpyA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,CopyFileA,FindClose,FindClose,DeleteFileA,_invalid_parameter_noinfo_noreturn,	1_2_00408C90
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	Code function: 1_2_00414950 GetProcessHeap,HeapAlloc,wsprintfA,FindFirstFileA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,strlen,FindClose,lstrcatA,lstrcatA,lstrcatA,lstrlenA,lstrlenA,	1_2_00414950
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	Code function: 1_2_00409560 ??2@YAPAXI@Z,??2@YAPAXI@Z,_invalid_parameter_noinfo_noreturn,FindFirstFileA,FindNextFileA,strlen,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,	1_2_00409560

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe

Code function: 1_2_00413AF0 SymMatchString,SymMatchString,SymMatchString,GetLogicalDriveStringsA,memset,GetDriveTypeA,lstrcpyA,lstrcpyA,lstrcpyA,lstrlenA,

1_2_00413AF0

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe

Code function: 1_2_0040FDD0 GetSystemInfo,wsprintfA,

1_2_0040FDD0

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\	Jump to behavior

Source: SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe, 00000001.00000002.1988758260.00000000004EB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWS
Source: SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe, 00000001.00000002.1988758260.00000000004A9000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe, 00000001.00000002.1988758260.00000000004EB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe, 00000001.00000002.1988758260.00000000004EB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: vom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&00000

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	API call chain: ExitProcess graph end node

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe

Process information queried: ProcessInformation

Jump to behavior

Contains functionality to dynamically determine API calls

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe

1_2_004108E0

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe

Code function: 1_2_0040FA70 GetProcessHeap,HeapAlloc,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,

1_2_0040FA70

HIPS / PFW / Operating System Protection Evasion

Searches for specific processes (likely to inject)

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	Code function: 1_2_00411250 CreateToolhelp32Snapshot,Process32First,StrCmpCA,Process32Next,StrCmpCA,CloseHandle,		1_2_00411250
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	Code function: 1_2_00411310 CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle,Process32Next,StrCmpCA,OpenProcess,TerminateProcess,CloseHandle,		1_2_00411310

Creates a process in suspended mode (likely to inject code)

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c timeout /t 11 & rd /s /q "C:\ProgramData\9h4wb" & exit			Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 11			Jump to behavior

Contains functionality to query locales information (e.g. system language)

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe

Code function: GetKeyboardLayoutList,GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,GetLocaleInfoA,LocalFree,

1_2_0040FC20

Queries information about the installed CPU (vendor, model number etc)

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0			Jump to behavior

Queries the volume information (name, serial number etc) of a device

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe

Code function: 1_2_0041BAA0 GetLocalTime,SystemTimeToFileTime,FileTimeToSystemTime,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,

1_2_0041BAA0

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe

Code function: 1_2_00417210 EntryPoint,lstrlenW,GetWindowsDirectoryW,GetComputerNameW,GetFullPathNameA,GetUserNameW,GetFileType,GetModuleFileNameA,GetTempPathW,

1_2_00417210

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe

Code function: 1_2_0040FBC0 GetProcessHeap,HeapAlloc,GetTimeZoneInformation,wsprintfA,

1_2_0040FBC0

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Vidar stealer

Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe PID: 7696, type: MEMORYSTR

Found many strings related to Crypto-Wallets (likely being stolen)

Source: SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe, 00000001.00000002.1988758260.000000000047E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: wallet.,seed.,btc.,key.,2fa.,crypto.,coin.,private.,2fa.,auth.,ledger.,trezor.,pass.,wal.,upbit.,bcex.,bithimb.,hitbtc.,bitflyer.,kucoin.,huobi.,poloniex.,kraken.,okex.,binance.,bitfinex.,gdax.,ethereum.,exodus.,metamask.,myetherwallet.,electrum.,bitcoin.,blockchain.,coinomi.,words.,meta.,mask.,eth.,recovery.
Source: SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe, 00000001.00000002.1988758260.00000000004EB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \ElectronCash\wallets\
Source: SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe, 00000001.00000002.1988758260.00000000004EB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \Electrum\wallets\
Source: SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe, 00000001.00000002.1988758260.00000000004EB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: window-state.json
Source: SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe, 00000001.00000002.1988758260.00000000004EB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: exodus.conf.json
Source: SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe, 00000001.00000002.1988758260.00000000004EB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \Exodus\exodus.wallet\
Source: SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe, 00000001.00000002.1988758260.00000000004EB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: info.seco
Source: SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe, 00000001.00000002.1988758260.00000000004EB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: ElectrumLTC
Source: SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe, 00000001.00000002.1988758260.00000000004EB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: passphrase.json
Source: SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe, 00000001.00000002.1988758260.00000000004EB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \Ethereum\
Source: SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe, 00000001.00000002.1988758260.000000000047E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: wallet.,seed.,btc.,key.,2fa.,crypto.,coin.,private.,2fa.,auth.,ledger.,trezor.,pass.,wal.,upbit.,bcex.,bithimb.,hitbtc.,bitflyer.,kucoin.,huobi.,poloniex.,kraken.,okex.,binance.,bitfinex.,gdax.,ethereum.,exodus.,metamask.,myetherwallet.,electrum.,bitcoin.,blockchain.,coinomi.,words.,meta.,mask.,eth.,recovery.
Source: SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe, 00000001.00000002.1988758260.000000000047E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: wallet.,seed.,btc.,key.,2fa.,crypto.,coin.,private.,2fa.,auth.,ledger.,trezor.,pass.,wal.,upbit.,bcex.,bithimb.,hitbtc.,bitflyer.,kucoin.,huobi.,poloniex.,kraken.,okex.,binance.,bitfinex.,gdax.,ethereum.,exodus.,metamask.,myetherwallet.,electrum.,bitcoin.,blockchain.,coinomi.,words.,meta.,mask.,eth.,recovery.
Source: SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe, 00000001.00000002.1988758260.00000000004EB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \Coinomi\Coinomi\wallets\
Source: SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe, 00000001.00000002.1988758260.00000000004EB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: multidoge.wallet
Source: SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe, 00000001.00000002.1988758260.00000000004EB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \Exodus\exodus.wallet\
Source: SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe, 00000001.00000002.1988758260.00000000004EB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: seed.seco
Source: SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe, 00000001.00000002.1988758260.00000000004EB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: keystore
Source: SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe, 00000001.00000002.1988758260.00000000004EB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \Electrum-LTC\wallets\

Tries to harvest and steal Bitcoin Wallet information

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\monero-project\monero-core

Jump to behavior

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe

Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Configuration

Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\3561288849sdhlie.files\key4.db	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\glean\tmp\key4.db	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\2918063365piupsah.files\key4.db	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\key4.db	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\glean\db\key4.db	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\glean\events\key4.db	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\minidumps\key4.db	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\saved-telemetry-pings\key4.db	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.files\key4.db	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\prefs.js	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\2823318777ntouromlalnodry--naod.files\key4.db	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\key4.db	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\glean\pending_pings\key4.db	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\key4.db	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\key4.db	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\crashes\key4.db	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\key4.db	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\bookmarkbackups\key4.db	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\key4.db	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.files\key4.db	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\temporary\key4.db	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\security_state\key4.db	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\archived\2023-10\key4.db	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\to-be-removed\key4.db	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\glean\key4.db	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\key4.db	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\1451318868ntouromlalnodry--epcr.files\key4.db	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\z6bny8rn.default\key4.db	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\crashes\events\key4.db	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\archived\key4.db	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\sessionstore-backups\key4.db	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\default\key4.db	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe

File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml

Jump to behavior

Tries to steal Crypto Currency Wallets

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets\	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\backups\	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	File opened: C:\Users\user\AppData\Roaming\ElectronCash\wallets\	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	File opened: C:\Users\user\AppData\Roaming\MultiDoge\	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb\	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	File opened: C:\Users\user\AppData\Roaming\Binance\	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live\Local Storage\leveldb\	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live\Session Storage\	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live\	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	File opened: C:\Users\user\AppData\Roaming\atomic_qt\config\	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	File opened: C:\Users\user\AppData\Roaming\atomic_qt\exports\	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\Local Storage\leveldb\	Jump to behavior

Yara detected Credential Stealer

Source: Yara match	File source: 00000001.00000002.1988758260.00000000004EB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe PID: 7696, type: MEMORYSTR

Remote Access Functionality

Attempt to bypass Chrome Application-Bound Encryption

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe

Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"

Yara detected Vidar stealer

Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe PID: 7696, type: MEMORYSTR

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Contacted Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
142.250.186.68	www.google.com	United States	15169	GOOGLEUS	false
95.217.27.252	go.f.goldenloafuae.com	Germany	24940	HETZNER-ASDE	true
149.154.167.99	t.me	United Kingdom	62041	TELEGRAMRU	false

Private

IP
192.168.2.4
127.0.0.1

Contacted Domains

Name	IP	Active
go.f.goldenloafuae.com	95.217.27.252	true
t.me	149.154.167.99	true
www.google.com	142.250.186.68	true

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://go.f.goldenloafuae.com/	true	Avira URL Cloud: malware	unknown
https://www.google.com/async/newtab_promos	false		high
https://www.google.com/async/ddljson?async=ntp:2	false		high
https://t.me/l793oy	false		high
https://steamcommunity.com/profiles/76561199829660832	false		high
https://www.google.com/async/newtab_ogb?hl=en-US&async=fixed:0	false		high
https://www.google.com/complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=&oit=0&oft=1&pgcl=20&gs_rn=42&sugkey=AIzaSyA2KlwBX3mkFo30om9LUFYQhpqLoa_BNhE	false		high

AV Detection

Antivirus / Scanner detection for submitted sample

Source: SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe

Avira: detected

Antivirus detection for URL or domain

Source: https://go.f.goldenloafuae.com/	Avira URL Cloud: Label: malware
Source: https://go.f.goldenloafuae.com/ozilla	Avira URL Cloud: Label: malware
Source: https://go.f.goldenloafuae.com/z	Avira URL Cloud: Label: malware
Source: https://go.f.goldenloafuae.com/5	Avira URL Cloud: Label: malware
Source: https://go.f.goldenloafuae.com/t	Avira URL Cloud: Label: malware
Source: https://go.f.goldenloafuae.com/N	Avira URL Cloud: Label: malware
Source: https://go.f.goldenloafuae.com	Avira URL Cloud: Label: malware
Source: https://go.f.goldenloafuae.com/%	Avira URL Cloud: Label: malware
Source: https://go.f.goldenloafuae.com/g	Avira URL Cloud: Label: malware
Source: https://go.f.goldenloafuae.com/d	Avira URL Cloud: Label: malware

Found malware configuration

Source: SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe

Malware Configuration Extractor: Vidar {"C2 url": "https://steamcommunity.com/profiles/76561199829660832", "Botnet": "ir7am"}

Multi AV Scanner detection for submitted file

Source: SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	Virustotal: Detection: 65%			Perma Link
Source: SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	ReversingLabs: Detection: 57%

Joe Sandbox ML detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Uses Microsoft's Enhanced Cryptographic Provider

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	Code function: 1_2_00406A10 StrStrA,lstrlenA,LocalAlloc,CryptUnprotectData,LocalAlloc,LocalFree,lstrlenA,	1_2_00406A10
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	Code function: 1_2_00410830 CryptBinaryToStringA,GetProcessHeap,RtlAllocateHeap,CryptBinaryToStringA,GetLastError,GetProcessHeap,HeapFree,	1_2_00410830
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	Code function: 1_2_0040A150 BCryptCloseAlgorithmProvider,BCryptDestroyKey,BCryptCloseAlgorithmProvider,	1_2_0040A150
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	Code function: 1_2_00406CF0 LocalAlloc,BCryptDecrypt,	1_2_00406CF0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	Code function: 1_2_00406940 BCryptCloseAlgorithmProvider,BCryptDestroyKey,	1_2_00406940
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	Code function: 1_2_0040A560 StrCmpCA,BCryptCloseAlgorithmProvider,BCryptDestroyKey,BCryptCloseAlgorithmProvider,BCryptDestroyKey,	1_2_0040A560
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	Code function: 1_2_00406980 BCryptOpenAlgorithmProvider,BCryptSetProperty,BCryptGenerateSymmetricKey,BCryptCloseAlgorithmProvider,BCryptDestroyKey,	1_2_00406980

Uses 32bit PE files

Source: SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 149.154.167.99:443 -> 192.168.2.4:49710 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 95.217.27.252:443 -> 192.168.2.4:49714 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 95.217.27.252:443 -> 192.168.2.4:49717 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 95.217.27.252:443 -> 192.168.2.4:49718 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 204.79.197.222:443 -> 192.168.2.4:49720 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 95.217.27.252:443 -> 192.168.2.4:49725 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 95.217.27.252:443 -> 192.168.2.4:49726 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 95.217.27.252:443 -> 192.168.2.4:49727 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 95.217.27.252:443 -> 192.168.2.4:49728 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 95.217.27.252:443 -> 192.168.2.4:49729 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 95.217.27.252:443 -> 192.168.2.4:49755 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 95.217.27.252:443 -> 192.168.2.4:49756 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 95.217.27.252:443 -> 192.168.2.4:49757 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 95.217.27.252:443 -> 192.168.2.4:49760 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 95.217.27.252:443 -> 192.168.2.4:49762 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 95.217.27.252:443 -> 192.168.2.4:49764 version: TLS 1.2

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	Code function: 1_2_00414E70 wsprintfA,FindFirstFileA,DeleteFileA,FindNextFileA,strlen,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,CopyFileA,FindClose,	1_2_00414E70
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	Code function: 1_2_00407210 ExpandEnvironmentStringsA,FindFirstFileA,FindNextFileA,strlen,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,CopyFileA,StrCmpCA,CopyFileA,Sleep,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,CopyFileA,DeleteFileA,StrCmpCA,memset,lstrcatA,lstrcatA,lstrcatA,lstrcatA,CopyFileA,DeleteFileA,memset,lstrcatA,lstrcatA,lstrcatA,lstrcatA,FindClose,	1_2_00407210
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	Code function: 1_2_0040B6B0 FindFirstFileA,FindNextFileA,strlen,StrCmpCA,CopyFileA,Sleep,DeleteFileA,FindClose,	1_2_0040B6B0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	Code function: 1_2_00415EB0 SHGetFolderPathA,wsprintfA,FindFirstFileA,FindNextFileA,FindNextFileA,FindNextFileA,strcpy,_splitpath,strcpy,strlen,isupper,wsprintfA,strcpy,strlen,SHFileOperationA,FindClose,	1_2_00415EB0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	Code function: 1_2_00408360 FindFirstFileA,CopyFileA,FindNextFileA,FindNextFileA,FindNextFileA,strlen,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,FindClose,	1_2_00408360
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	Code function: 1_2_00413FD0 wsprintfA,FindFirstFileA,FindNextFileA,strlen,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,FindClose,	1_2_00413FD0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	Code function: 1_2_004013F0 FindFirstFileA,FindClose,FindNextFileA,strlen,FindFirstFileA,DeleteFileA,FindNextFileA,CopyFileA,CopyFileA,DeleteFileA,FindClose,	1_2_004013F0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	Code function: 1_2_00413580 wsprintfA,FindFirstFileA,memset,memset,FindNextFileA,strlen,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,memset,lstrcatA,strtok_s,SymMatchString,strtok_s,memset,lstrcatA,strtok_s,PathMatchSpecA,DeleteFileA,DeleteFileA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindClose,	1_2_00413580
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	Code function: 1_2_004097B0 FindFirstFileA,FindNextFileA,strlen,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,	1_2_004097B0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	Code function: 1_2_0040ACD0 wsprintfA,FindFirstFileA,FindNextFileA,FindNextFileA,FindNextFileA,strlen,lstrlenA,DeleteFileA,CopyFileA,FindClose,	1_2_0040ACD0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	Code function: 1_2_00408C90 lstrcpyA,lstrcatA,FindFirstFileA,FindNextFileA,strlen,lstrcpyA,lstrcatA,lstrcatA,lstrcatA,memset,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcpyA,lstrcatA,lstrcatA,lstrcatA,CopyFileA,CopyFileA,CopyFileA,CopyFileA,CopyFileA,CopyFileA,CopyFileA,CopyFileA,CopyFileA,CopyFileA,FindFirstFileA,FindNextFileA,strlen,lstrcpyA,lstrcatA,lstrcatA,lstrcatA,lstrcpyA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,CopyFileA,FindClose,FindClose,DeleteFileA,_invalid_parameter_noinfo_noreturn,	1_2_00408C90
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	Code function: 1_2_00414950 GetProcessHeap,HeapAlloc,wsprintfA,FindFirstFileA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,strlen,FindClose,lstrcatA,lstrcatA,lstrcatA,lstrlenA,lstrlenA,	1_2_00414950
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	Code function: 1_2_00409560 ??2@YAPAXI@Z,??2@YAPAXI@Z,_invalid_parameter_noinfo_noreturn,FindFirstFileA,FindNextFileA,strlen,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,	1_2_00409560

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe

Code function: 1_2_00413AF0 SymMatchString,SymMatchString,SymMatchString,GetLogicalDriveStringsA,memset,GetDriveTypeA,lstrcpyA,lstrcpyA,lstrcpyA,lstrlenA,

1_2_00413AF0

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\	Jump to behavior

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.4:49752 -> 95.217.27.252:443
Source: Network traffic	Suricata IDS: 2049087 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M1 : 192.168.2.4:49718 -> 95.217.27.252:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.4:49751 -> 95.217.27.252:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.4:49725 -> 95.217.27.252:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.4:49758 -> 95.217.27.252:443
Source: Network traffic	Suricata IDS: 2859636 - Severity 1 - ETPRO MALWARE Vidar/StealC CnC Exfil via SQL Database (POST) : 192.168.2.4:49758 -> 95.217.27.252:443
Source: Network traffic	Suricata IDS: 2859378 - Severity 1 - ETPRO MALWARE Win32/Stealc/Vidar Stealer Host Details Exfil (POST) M2 : 192.168.2.4:49717 -> 95.217.27.252:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.4:49728 -> 95.217.27.252:443
Source: Network traffic	Suricata IDS: 2859636 - Severity 1 - ETPRO MALWARE Vidar/StealC CnC Exfil via SQL Database (POST) : 192.168.2.4:49728 -> 95.217.27.252:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.4:49755 -> 95.217.27.252:443
Source: Network traffic	Suricata IDS: 2859636 - Severity 1 - ETPRO MALWARE Vidar/StealC CnC Exfil via SQL Database (POST) : 192.168.2.4:49755 -> 95.217.27.252:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.4:49729 -> 95.217.27.252:443
Source: Network traffic	Suricata IDS: 2859636 - Severity 1 - ETPRO MALWARE Vidar/StealC CnC Exfil via SQL Database (POST) : 192.168.2.4:49729 -> 95.217.27.252:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.4:49754 -> 95.217.27.252:443
Source: Network traffic	Suricata IDS: 2859636 - Severity 1 - ETPRO MALWARE Vidar/StealC CnC Exfil via SQL Database (POST) : 192.168.2.4:49754 -> 95.217.27.252:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.4:49757 -> 95.217.27.252:443
Source: Network traffic	Suricata IDS: 2859636 - Severity 1 - ETPRO MALWARE Vidar/StealC CnC Exfil via SQL Database (POST) : 192.168.2.4:49757 -> 95.217.27.252:443
Source: Network traffic	Suricata IDS: 2044247 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config : 95.217.27.252:443 -> 192.168.2.4:49722
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.4:49727 -> 95.217.27.252:443
Source: Network traffic	Suricata IDS: 2859636 - Severity 1 - ETPRO MALWARE Vidar/StealC CnC Exfil via SQL Database (POST) : 192.168.2.4:49727 -> 95.217.27.252:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.4:49726 -> 95.217.27.252:443
Source: Network traffic	Suricata IDS: 2051831 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config M1 : 95.217.27.252:443 -> 192.168.2.4:49724
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.4:49756 -> 95.217.27.252:443
Source: Network traffic	Suricata IDS: 2859636 - Severity 1 - ETPRO MALWARE Vidar/StealC CnC Exfil via SQL Database (POST) : 192.168.2.4:49756 -> 95.217.27.252:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.4:49753 -> 95.217.27.252:443
Source: Network traffic	Suricata IDS: 2859636 - Severity 1 - ETPRO MALWARE Vidar/StealC CnC Exfil via SQL Database (POST) : 192.168.2.4:49753 -> 95.217.27.252:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.4:49761 -> 95.217.27.252:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.4:49762 -> 95.217.27.252:443

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: https://steamcommunity.com/profiles/76561199829660832

HTTP GET or POST without a user agent

Source: global traffic

HTTP traffic detected: GET /l793oy HTTP/1.1Host: t.meConnection: Keep-AliveCache-Control: no-cache

IP address seen in connection with other malware

Source: Joe Sandbox View	IP Address: 149.154.167.99 149.154.167.99
Source: Joe Sandbox View	IP Address: 149.154.167.99 149.154.167.99

Internet Provider seen in connection with other malware

Source: Joe Sandbox View

ASN Name: HETZNER-ASDE HETZNER-ASDE

JA3 SSL client fingerprint seen in connection with other malware

Source: Joe Sandbox View	JA3 fingerprint: 28a2c9bd18a11de089ef85a160da29e4
Source: Joe Sandbox View	JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.27
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.27
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.27
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.27
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.27
Source: unknown	TCP traffic detected without corresponding DNS query: 131.253.33.254
Source: unknown	TCP traffic detected without corresponding DNS query: 131.253.33.254
Source: unknown	TCP traffic detected without corresponding DNS query: 131.253.33.254
Source: unknown	TCP traffic detected without corresponding DNS query: 131.253.33.254
Source: unknown	TCP traffic detected without corresponding DNS query: 131.253.33.254
Source: unknown	TCP traffic detected without corresponding DNS query: 131.253.33.254
Source: unknown	TCP traffic detected without corresponding DNS query: 131.253.33.254
Source: unknown	TCP traffic detected without corresponding DNS query: 131.253.33.254
Source: unknown	TCP traffic detected without corresponding DNS query: 131.253.33.254
Source: unknown	TCP traffic detected without corresponding DNS query: 131.253.33.254
Source: unknown	TCP traffic detected without corresponding DNS query: 131.253.33.254
Source: unknown	TCP traffic detected without corresponding DNS query: 131.253.33.254
Source: unknown	TCP traffic detected without corresponding DNS query: 131.253.33.254
Source: unknown	TCP traffic detected without corresponding DNS query: 131.253.33.254
Source: unknown	TCP traffic detected without corresponding DNS query: 131.253.33.254
Source: unknown	TCP traffic detected without corresponding DNS query: 131.253.33.254
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.222
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.222
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.222
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.222
Source: unknown	TCP traffic detected without corresponding DNS query: 142.250.186.131
Source: unknown	TCP traffic detected without corresponding DNS query: 142.250.186.131
Source: unknown	TCP traffic detected without corresponding DNS query: 142.250.186.131
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.222
Source: unknown	TCP traffic detected without corresponding DNS query: 142.250.186.131
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.222
Source: unknown	TCP traffic detected without corresponding DNS query: 142.250.186.131
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.27
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.222
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.222
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.222
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.222
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.27
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.222
Source: unknown	TCP traffic detected without corresponding DNS query: 142.250.186.131
Source: unknown	TCP traffic detected without corresponding DNS query: 142.250.186.131
Source: unknown	TCP traffic detected without corresponding DNS query: 52.113.196.254
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe

Code function: 1_2_00403850 InternetOpenA,StrCmpCA,InternetConnectA,HttpOpenRequestA,InternetSetOptionA,HttpSendRequestA,HttpQueryInfoA,InternetReadFile,InternetCloseHandle,InternetCloseHandle,

1_2_00403850

Source: global traffic	HTTP traffic detected: GET /l793oy HTTP/1.1Host: t.meConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome/131.0.0.0 Safari/537.36 OPR/116.0.0.0Host: go.f.goldenloafuae.comConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /async/newtab_ogb?hl=en-US&async=fixed:0 HTTP/1.1Host: www.google.comConnection: keep-aliveX-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEI0qDKAQig4coBCJKhywEInP7MAQiFoM0BCL7VzgEIgNbOAQjB2M4BCMjczgEIiuDOAQiu5M4BCIvlzgE=Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /async/ddljson?async=ntp:2 HTTP/1.1Host: www.google.comConnection: keep-aliveSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=&oit=0&oft=1&pgcl=20&gs_rn=42&sugkey=AIzaSyA2KlwBX3mkFo30om9LUFYQhpqLoa_BNhE HTTP/1.1Host: www.google.comConnection: keep-aliveX-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEI0qDKAQig4coBCJKhywEInP7MAQiFoM0BCL7VzgEIgNbOAQjB2M4BCMjczgEIiuDOAQiu5M4BCIvlzgE=Sec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /async/newtab_promos HTTP/1.1Host: www.google.comConnection: keep-aliveSec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptySec-Fetch-Storage-Access: activeUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /r/gsr1.crl HTTP/1.1Cache-Control: max-age = 3000Connection: Keep-AliveAccept: /If-Modified-Since: Tue, 07 Jan 2025 07:28:00 GMTUser-Agent: Microsoft-CryptoAPI/10.0Host: c.pki.goog
Source: global traffic	HTTP traffic detected: GET /r/r4.crl HTTP/1.1Cache-Control: max-age = 3000Connection: Keep-AliveAccept: /If-Modified-Since: Thu, 25 Jul 2024 14:48:00 GMTUser-Agent: Microsoft-CryptoAPI/10.0Host: c.pki.goog

Source: global traffic	DNS traffic detected: DNS query: t.me
Source: global traffic	DNS traffic detected: DNS query: go.f.goldenloafuae.com
Source: global traffic	DNS traffic detected: DNS query: www.google.com

Source: unknown

Source: kfuaiw.1.dr	String found in binary or memory: https://ac.ecosia.org?q=
Source: SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe, 00000001.00000002.1989565252.0000000003303000.00000004.00000020.00020000.00000000.sdmp, m7ymoh.1.dr	String found in binary or memory: https://bridge.lga1.admarketplace.net/ctp?version=16.0.0&key=1696332238301000001.2&ci=1696332238417.
Source: SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe, 00000001.00000002.1989565252.0000000003303000.00000004.00000020.00020000.00000000.sdmp, m7ymoh.1.dr	String found in binary or memory: https://bridge.lga1.ap01.net/ctp?version=16.0.0&key=1696332238301000001.1&ci=1696332238417.12791&cta
Source: kfuaiw.1.dr	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe, 00000001.00000002.1989813367.000000000356B000.00000004.00000020.00020000.00000000.sdmp, kfuaiw.1.dr	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe, 00000001.00000002.1989813367.000000000356B000.00000004.00000020.00020000.00000000.sdmp, kfuaiw.1.dr	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe, 00000001.00000002.1989565252.0000000003303000.00000004.00000020.00020000.00000000.sdmp, m7ymoh.1.dr	String found in binary or memory: https://contile-images.services.mozilla.com/0TegrVVRalreHILhR2WvtD_CFzj13HCDcLqqpvXSOuY.10862.jpg
Source: SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe, 00000001.00000002.1989565252.0000000003303000.00000004.00000020.00020000.00000000.sdmp, m7ymoh.1.dr	String found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
Source: kfuaiw.1.dr	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe, 00000001.00000002.1989813367.000000000356B000.00000004.00000020.00020000.00000000.sdmp, kfuaiw.1.dr	String found in binary or memory: https://duckduckgo.com/chrome_newtabv20
Source: kfuaiw.1.dr	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: kfuaiw.1.dr	String found in binary or memory: https://gemini.google.com/app?q=
Source: SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe, 00000001.00000002.1988758260.00000000004EB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://go.f.goldenloafuae.com
Source: SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe, 00000001.00000002.1988758260.00000000004C0000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe, 00000001.00000003.1415731105.000000000051F000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe, 00000001.00000002.1989565252.000000000332B000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe, 00000001.00000003.1320074974.00000000004FE000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe, 00000001.00000003.1385868320.000000000051F000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe, 00000001.00000003.1415703142.00000000004FE000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe, 00000001.00000003.1349855443.00000000004FE000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe, 00000001.00000003.1385816045.00000000004FE000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe, 00000001.00000003.1440465464.000000000051F000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe, 00000001.00000002.1988758260.00000000004EB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://go.f.goldenloafuae.com/
Source: SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe, 00000001.00000003.1320074974.00000000004FE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://go.f.goldenloafuae.com/%
Source: SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe, 00000001.00000003.1320074974.00000000004FE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://go.f.goldenloafuae.com/5
Source: SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe, 00000001.00000003.1415731105.000000000051F000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe, 00000001.00000003.1415703142.00000000004FE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://go.f.goldenloafuae.com/N
Source: SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe, 00000001.00000003.1440465464.000000000051F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://go.f.goldenloafuae.com/T
Source: SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe, 00000001.00000003.1415731105.000000000051F000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe, 00000001.00000003.1385868320.000000000051F000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe, 00000001.00000003.1415703142.00000000004FE000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe, 00000001.00000003.1385816045.00000000004FE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://go.f.goldenloafuae.com/d
Source: SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe, 00000001.00000003.1440465464.000000000051F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://go.f.goldenloafuae.com/g
Source: SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe, 00000001.00000002.1988758260.00000000004EB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://go.f.goldenloafuae.com/ozilla
Source: SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe, 00000001.00000003.1320074974.00000000004FE000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe, 00000001.00000003.1349855443.00000000004FE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://go.f.goldenloafuae.com/t
Source: SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe, 00000001.00000003.1415731105.000000000051F000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe, 00000001.00000003.1415703142.00000000004FE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://go.f.goldenloafuae.com/z
Source: SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe, 00000001.00000003.1349855443.00000000004FE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://go.f.goldenloafuae.com5
Source: SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe, 00000001.00000003.1320074974.00000000004FE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://go.f.goldenloafuae.comV
Source: SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe, 00000001.00000003.1320074974.00000000004FE000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe, 00000001.00000003.1349855443.00000000004FE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://go.f.goldenloafuae.comX
Source: SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe, 00000001.00000003.1440465464.000000000051F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://go.f.goldenloafuae.comi
Source: m7ymoh.1.dr	String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4QqmfZfYfQfafZbXfpbWfpbX7ReNxR3UIG8zInwYIFIVs9eYi
Source: SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	String found in binary or memory: https://steamcommunity.com/profiles/76561199829660832
Source: SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	String found in binary or memory: https://steamcommunity.com/profiles/76561199829660832ir7amMozilla/5.0
Source: SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe, 00000001.00000002.1990989469.0000000003BC1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe, 00000001.00000002.1990989469.0000000003BC1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
Source: SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe, 00000001.00000002.1988758260.00000000004A9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/
Source: SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	String found in binary or memory: https://t.me/l793oy
Source: SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe, 00000001.00000002.1988758260.000000000047E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/l793oyE
Source: SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe, 00000001.00000002.1988758260.000000000047E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/l793oy_
Source: SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	String found in binary or memory: https://t.me/l793oyir7amMozilla/5.0
Source: SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe, 00000001.00000003.1252648727.0000000000502000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://web.telegram.org
Source: SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe, 00000001.00000002.1989565252.0000000003303000.00000004.00000020.00020000.00000000.sdmp, m7ymoh.1.dr	String found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_7548d4575af019e4c148ccf1a78112802e66a0816a72fc94
Source: SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe, 00000001.00000002.1989813367.000000000356B000.00000004.00000020.00020000.00000000.sdmp, kfuaiw.1.dr	String found in binary or memory: https://www.ecosia.org/newtab/v20
Source: SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe, 00000001.00000002.1989565252.0000000003303000.00000004.00000020.00020000.00000000.sdmp, m7ymoh.1.dr	String found in binary or memory: https://www.expedia.com/?locale=en_US&siteid=1&semcid=US.UB.ADMARKETPLACE.GT-C-EN.HOTEL&SEMDTL=a1219
Source: SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe, 00000001.00000002.1989813367.000000000356B000.00000004.00000020.00020000.00000000.sdmp, kfuaiw.1.dr	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_alldp.ico
Source: SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe, 00000001.00000002.1990989469.0000000003BC1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.VsJpOAWrHqB2
Source: SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe, 00000001.00000002.1990989469.0000000003BC1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.n0g9CLHwD9nR
Source: SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe, 00000001.00000002.1990989469.0000000003BC1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe, 00000001.00000002.1990989469.0000000003BC1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe, 00000001.00000002.1990989469.0000000003BC1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.

Source: unknown	Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown	Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 49727 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49762 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49717 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 49759 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown	Network traffic detected: HTTP traffic on port 49753 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown	Network traffic detected: HTTP traffic on port 49671 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49724 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49728 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49763 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49729
Source: unknown	Network traffic detected: HTTP traffic on port 49752 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49728
Source: unknown	Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49727
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49726
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49725
Source: unknown	Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49724
Source: unknown	Network traffic detected: HTTP traffic on port 49756 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown	Network traffic detected: HTTP traffic on port 49758 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49764
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49763
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49762
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49761
Source: unknown	Network traffic detected: HTTP traffic on port 49678 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49760
Source: unknown	Network traffic detected: HTTP traffic on port 49725 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49729 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49760 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49764 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49722 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown	Network traffic detected: HTTP traffic on port 49751 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown	Network traffic detected: HTTP traffic on port 49680 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49759
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49758
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49757
Source: unknown	Network traffic detected: HTTP traffic on port 49755 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49756
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49755
Source: unknown	Network traffic detected: HTTP traffic on port 49757 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown	Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49754
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49753
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49752
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49751
Source: unknown	Network traffic detected: HTTP traffic on port 49726 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49761 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49709
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown	Network traffic detected: HTTP traffic on port 49754 -> 443

Source: unknown	HTTPS traffic detected: 149.154.167.99:443 -> 192.168.2.4:49710 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 95.217.27.252:443 -> 192.168.2.4:49714 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 95.217.27.252:443 -> 192.168.2.4:49717 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 95.217.27.252:443 -> 192.168.2.4:49718 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 204.79.197.222:443 -> 192.168.2.4:49720 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 95.217.27.252:443 -> 192.168.2.4:49725 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 95.217.27.252:443 -> 192.168.2.4:49726 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 95.217.27.252:443 -> 192.168.2.4:49727 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 95.217.27.252:443 -> 192.168.2.4:49728 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 95.217.27.252:443 -> 192.168.2.4:49729 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 95.217.27.252:443 -> 192.168.2.4:49755 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 95.217.27.252:443 -> 192.168.2.4:49756 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 95.217.27.252:443 -> 192.168.2.4:49757 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 95.217.27.252:443 -> 192.168.2.4:49760 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 95.217.27.252:443 -> 192.168.2.4:49762 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 95.217.27.252:443 -> 192.168.2.4:49764 version: TLS 1.2

Contains functionality to record screenshots

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe

1_2_00410A90

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe

Code function: 1_2_00406480 memcpy,OpenDesktopA,CreateDesktopA,lstrcpyA,CreateProcessA,Sleep,CloseDesktop,

1_2_00406480

System Summary

Malicious sample detected (through community Yara rule)

Source: SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe, type: SAMPLE	Matched rule: Finds Vidar samples based on the specific strings Author: Sekoia.io
Source: 1.2.SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Finds Vidar samples based on the specific strings Author: Sekoia.io
Source: 1.0.SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Finds Vidar samples based on the specific strings Author: Sekoia.io

Detected potential crypto function

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	Code function: 1_2_00404A20	1_2_00404A20
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	Code function: 1_2_00418630	1_2_00418630
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	Code function: 1_2_0041B770	1_2_0041B770
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	Code function: 1_2_0041B300	1_2_0041B300
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	Code function: 1_2_0041C100	1_2_0041C100
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	Code function: 1_2_004193D0	1_2_004193D0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	Code function: 1_2_0041A7D0	1_2_0041A7D0

Found potential string decryption / allocating functions

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	Code function: String function: 00410D00 appears 42 times
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	Code function: String function: 0040F5B0 appears 135 times

Sample file is different than original file name gathered from version info

Source: SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe, 00000001.00000002.1988758260.00000000004EB000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: OriginalFilenameCmd.Exe.MUIj% vs SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe

Uses 32bit PE files

Source: SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Yara signature match

Source: SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe, type: SAMPLE	Matched rule: infostealer_win_vidar_strings_nov23 author = Sekoia.io, description = Finds Vidar samples based on the specific strings, creation_date = 2023-11-10, classification = TLP:CLEAR, version = 1.0, reference = https://twitter.com/crep1x/status/1722652451319202242, id = b2c17627-f9b8-4401-b657-1cce560edc76
Source: 1.2.SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: infostealer_win_vidar_strings_nov23 author = Sekoia.io, description = Finds Vidar samples based on the specific strings, creation_date = 2023-11-10, classification = TLP:CLEAR, version = 1.0, reference = https://twitter.com/crep1x/status/1722652451319202242, id = b2c17627-f9b8-4401-b657-1cce560edc76
Source: 1.0.SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: infostealer_win_vidar_strings_nov23 author = Sekoia.io, description = Finds Vidar samples based on the specific strings, creation_date = 2023-11-10, classification = TLP:CLEAR, version = 1.0, reference = https://twitter.com/crep1x/status/1722652451319202242, id = b2c17627-f9b8-4401-b657-1cce560edc76

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@22/16@4/5

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe

Code function: 1_2_00411250 CreateToolhelp32Snapshot,Process32First,StrCmpCA,Process32Next,StrCmpCA,CloseHandle,

1_2_00411250

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\6P7UCZ98.htm

Jump to behavior

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4936:120:WilError_03

Source: SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe

File read: C:\$Recycle.Bin\S-1-5-21-2246122658-3693405117-2476756634-1002\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: ozcb1d2no.1.dr

Source: SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	Virustotal: Detection: 65%
Source: SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	ReversingLabs: Detection: 57%

Source: unknown	Process created: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=2220,i,9774722909908192130,17750005277753749404,262144 --variations-seed-version=20250306-183004.429000 --mojo-platform-channel-handle=2160 /prefetch:3
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c timeout /t 11 & rd /s /q "C:\ProgramData\9h4wb" & exit
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 11
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c timeout /t 11 & rd /s /q "C:\ProgramData\9h4wb" & exit	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=2220,i,9774722909908192130,17750005277753749404,262144 --variations-seed-version=20250306-183004.429000 --mojo-platform-channel-handle=2160 /prefetch:3	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 11	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	Section loaded: windows.fileexplorer.common.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\SysWOW64\timeout.exe	Section loaded: version.dll	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32

Jump to behavior

Source: SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Contains functionality to dynamically determine API calls

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe

1_2_004108E0

PE file contains sections with non-standard names

Source: SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe

Static PE information: section name: .00cfg

Extensive use of GetProcAddress (often used to hide API calls)

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe

1_2_004108E0

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe

Process information set: NOOPENFILEERRORBOX

Jump to behavior

Found decision node followed by non-executed suspicious APIs

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe

Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)

Found evasive API chain (date check)

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe

Evasive API call chain: GetSystemTime,DecisionNodes

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Windows\SysWOW64\timeout.exe TID: 4704

Thread sleep count: 100 > 30

Jump to behavior

Sample execution stops while process was sleeping (likely an evasion)

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe

File Volume queried: C:\ FullSizeInformation

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	Code function: 1_2_00414E70 wsprintfA,FindFirstFileA,DeleteFileA,FindNextFileA,strlen,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,CopyFileA,FindClose,	1_2_00414E70
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	Code function: 1_2_00407210 ExpandEnvironmentStringsA,FindFirstFileA,FindNextFileA,strlen,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,CopyFileA,StrCmpCA,CopyFileA,Sleep,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,CopyFileA,DeleteFileA,StrCmpCA,memset,lstrcatA,lstrcatA,lstrcatA,lstrcatA,CopyFileA,DeleteFileA,memset,lstrcatA,lstrcatA,lstrcatA,lstrcatA,FindClose,	1_2_00407210
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	Code function: 1_2_0040B6B0 FindFirstFileA,FindNextFileA,strlen,StrCmpCA,CopyFileA,Sleep,DeleteFileA,FindClose,	1_2_0040B6B0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	Code function: 1_2_00415EB0 SHGetFolderPathA,wsprintfA,FindFirstFileA,FindNextFileA,FindNextFileA,FindNextFileA,strcpy,_splitpath,strcpy,strlen,isupper,wsprintfA,strcpy,strlen,SHFileOperationA,FindClose,	1_2_00415EB0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	Code function: 1_2_00408360 FindFirstFileA,CopyFileA,FindNextFileA,FindNextFileA,FindNextFileA,strlen,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,FindClose,	1_2_00408360
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	Code function: 1_2_00413FD0 wsprintfA,FindFirstFileA,FindNextFileA,strlen,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,FindClose,	1_2_00413FD0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	Code function: 1_2_004013F0 FindFirstFileA,FindClose,FindNextFileA,strlen,FindFirstFileA,DeleteFileA,FindNextFileA,CopyFileA,CopyFileA,DeleteFileA,FindClose,	1_2_004013F0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	Code function: 1_2_00413580 wsprintfA,FindFirstFileA,memset,memset,FindNextFileA,strlen,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,memset,lstrcatA,strtok_s,SymMatchString,strtok_s,memset,lstrcatA,strtok_s,PathMatchSpecA,DeleteFileA,DeleteFileA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindClose,	1_2_00413580
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	Code function: 1_2_004097B0 FindFirstFileA,FindNextFileA,strlen,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,	1_2_004097B0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	Code function: 1_2_0040ACD0 wsprintfA,FindFirstFileA,FindNextFileA,FindNextFileA,FindNextFileA,strlen,lstrlenA,DeleteFileA,CopyFileA,FindClose,	1_2_0040ACD0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	Code function: 1_2_00408C90 lstrcpyA,lstrcatA,FindFirstFileA,FindNextFileA,strlen,lstrcpyA,lstrcatA,lstrcatA,lstrcatA,memset,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcpyA,lstrcatA,lstrcatA,lstrcatA,CopyFileA,CopyFileA,CopyFileA,CopyFileA,CopyFileA,CopyFileA,CopyFileA,CopyFileA,CopyFileA,CopyFileA,FindFirstFileA,FindNextFileA,strlen,lstrcpyA,lstrcatA,lstrcatA,lstrcatA,lstrcpyA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,CopyFileA,FindClose,FindClose,DeleteFileA,_invalid_parameter_noinfo_noreturn,	1_2_00408C90
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	Code function: 1_2_00414950 GetProcessHeap,HeapAlloc,wsprintfA,FindFirstFileA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,strlen,FindClose,lstrcatA,lstrcatA,lstrcatA,lstrlenA,lstrlenA,	1_2_00414950
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	Code function: 1_2_00409560 ??2@YAPAXI@Z,??2@YAPAXI@Z,_invalid_parameter_noinfo_noreturn,FindFirstFileA,FindNextFileA,strlen,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,	1_2_00409560

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe

Code function: 1_2_00413AF0 SymMatchString,SymMatchString,SymMatchString,GetLogicalDriveStringsA,memset,GetDriveTypeA,lstrcpyA,lstrcpyA,lstrcpyA,lstrlenA,

1_2_00413AF0

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe

Code function: 1_2_0040FDD0 GetSystemInfo,wsprintfA,

1_2_0040FDD0

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\	Jump to behavior

Source: SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe, 00000001.00000002.1988758260.00000000004EB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWS
Source: SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe, 00000001.00000002.1988758260.00000000004A9000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe, 00000001.00000002.1988758260.00000000004EB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe, 00000001.00000002.1988758260.00000000004EB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: vom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&00000

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	API call chain: ExitProcess graph end node

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe

Process information queried: ProcessInformation

Jump to behavior

Contains functionality to dynamically determine API calls

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe

1_2_004108E0

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe

Code function: 1_2_0040FA70 GetProcessHeap,HeapAlloc,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,

1_2_0040FA70

HIPS / PFW / Operating System Protection Evasion

Searches for specific processes (likely to inject)

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	Code function: 1_2_00411250 CreateToolhelp32Snapshot,Process32First,StrCmpCA,Process32Next,StrCmpCA,CloseHandle,		1_2_00411250
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	Code function: 1_2_00411310 CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle,Process32Next,StrCmpCA,OpenProcess,TerminateProcess,CloseHandle,		1_2_00411310

Creates a process in suspended mode (likely to inject code)

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c timeout /t 11 & rd /s /q "C:\ProgramData\9h4wb" & exit			Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 11			Jump to behavior

Contains functionality to query locales information (e.g. system language)

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe

Code function: GetKeyboardLayoutList,GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,GetLocaleInfoA,LocalFree,

1_2_0040FC20

Queries information about the installed CPU (vendor, model number etc)

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0			Jump to behavior

Queries the volume information (name, serial number etc) of a device

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe

Code function: 1_2_0041BAA0 GetLocalTime,SystemTimeToFileTime,FileTimeToSystemTime,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,

1_2_0041BAA0

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe

Code function: 1_2_00417210 EntryPoint,lstrlenW,GetWindowsDirectoryW,GetComputerNameW,GetFullPathNameA,GetUserNameW,GetFileType,GetModuleFileNameA,GetTempPathW,

1_2_00417210

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe

Code function: 1_2_0040FBC0 GetProcessHeap,HeapAlloc,GetTimeZoneInformation,wsprintfA,

1_2_0040FBC0

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Vidar stealer

Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe PID: 7696, type: MEMORYSTR

Found many strings related to Crypto-Wallets (likely being stolen)

Source: SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe, 00000001.00000002.1988758260.000000000047E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: wallet.,seed.,btc.,key.,2fa.,crypto.,coin.,private.,2fa.,auth.,ledger.,trezor.,pass.,wal.,upbit.,bcex.,bithimb.,hitbtc.,bitflyer.,kucoin.,huobi.,poloniex.,kraken.,okex.,binance.,bitfinex.,gdax.,ethereum.,exodus.,metamask.,myetherwallet.,electrum.,bitcoin.,blockchain.,coinomi.,words.,meta.,mask.,eth.,recovery.
Source: SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe, 00000001.00000002.1988758260.00000000004EB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \ElectronCash\wallets\
Source: SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe, 00000001.00000002.1988758260.00000000004EB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \Electrum\wallets\
Source: SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe, 00000001.00000002.1988758260.00000000004EB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: window-state.json
Source: SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe, 00000001.00000002.1988758260.00000000004EB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: exodus.conf.json
Source: SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe, 00000001.00000002.1988758260.00000000004EB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \Exodus\exodus.wallet\
Source: SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe, 00000001.00000002.1988758260.00000000004EB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: info.seco
Source: SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe, 00000001.00000002.1988758260.00000000004EB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: ElectrumLTC
Source: SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe, 00000001.00000002.1988758260.00000000004EB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: passphrase.json
Source: SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe, 00000001.00000002.1988758260.00000000004EB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \Ethereum\
Source: SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe, 00000001.00000002.1988758260.000000000047E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: wallet.,seed.,btc.,key.,2fa.,crypto.,coin.,private.,2fa.,auth.,ledger.,trezor.,pass.,wal.,upbit.,bcex.,bithimb.,hitbtc.,bitflyer.,kucoin.,huobi.,poloniex.,kraken.,okex.,binance.,bitfinex.,gdax.,ethereum.,exodus.,metamask.,myetherwallet.,electrum.,bitcoin.,blockchain.,coinomi.,words.,meta.,mask.,eth.,recovery.
Source: SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe, 00000001.00000002.1988758260.000000000047E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: wallet.,seed.,btc.,key.,2fa.,crypto.,coin.,private.,2fa.,auth.,ledger.,trezor.,pass.,wal.,upbit.,bcex.,bithimb.,hitbtc.,bitflyer.,kucoin.,huobi.,poloniex.,kraken.,okex.,binance.,bitfinex.,gdax.,ethereum.,exodus.,metamask.,myetherwallet.,electrum.,bitcoin.,blockchain.,coinomi.,words.,meta.,mask.,eth.,recovery.
Source: SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe, 00000001.00000002.1988758260.00000000004EB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \Coinomi\Coinomi\wallets\
Source: SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe, 00000001.00000002.1988758260.00000000004EB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: multidoge.wallet
Source: SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe, 00000001.00000002.1988758260.00000000004EB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \Exodus\exodus.wallet\
Source: SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe, 00000001.00000002.1988758260.00000000004EB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: seed.seco
Source: SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe, 00000001.00000002.1988758260.00000000004EB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: keystore
Source: SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe, 00000001.00000002.1988758260.00000000004EB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \Electrum-LTC\wallets\

Tries to harvest and steal Bitcoin Wallet information

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\monero-project\monero-core

Jump to behavior

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe

Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Configuration

Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\3561288849sdhlie.files\key4.db	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\glean\tmp\key4.db	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\2918063365piupsah.files\key4.db	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\key4.db	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\glean\db\key4.db	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\glean\events\key4.db	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\minidumps\key4.db	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\saved-telemetry-pings\key4.db	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.files\key4.db	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\prefs.js	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\2823318777ntouromlalnodry--naod.files\key4.db	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\key4.db	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\glean\pending_pings\key4.db	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\key4.db	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\key4.db	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\crashes\key4.db	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\key4.db	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\bookmarkbackups\key4.db	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\key4.db	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.files\key4.db	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\temporary\key4.db	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\security_state\key4.db	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\archived\2023-10\key4.db	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\to-be-removed\key4.db	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\glean\key4.db	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\key4.db	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\permanent\chrome\idb\1451318868ntouromlalnodry--epcr.files\key4.db	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\z6bny8rn.default\key4.db	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\crashes\events\key4.db	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\datareporting\archived\key4.db	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\sessionstore-backups\key4.db	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\storage\default\key4.db	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe

File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml

Jump to behavior

Tries to steal Crypto Currency Wallets

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets\	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\backups\	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	File opened: C:\Users\user\AppData\Roaming\ElectronCash\wallets\	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	File opened: C:\Users\user\AppData\Roaming\MultiDoge\	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb\	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	File opened: C:\Users\user\AppData\Roaming\Binance\	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live\Local Storage\leveldb\	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live\Session Storage\	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live\	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	File opened: C:\Users\user\AppData\Roaming\atomic_qt\config\	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	File opened: C:\Users\user\AppData\Roaming\atomic_qt\exports\	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\Local Storage\leveldb\	Jump to behavior

Yara detected Credential Stealer

Source: Yara match	File source: 00000001.00000002.1988758260.00000000004EB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe PID: 7696, type: MEMORYSTR

Remote Access Functionality

Attempt to bypass Chrome Application-Bound Encryption

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe

Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"

Yara detected Vidar stealer

Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe PID: 7696, type: MEMORYSTR

ID:	1632195
Product:	CloudBasic
Start time:	20:44:07
Start date:	07.03.2025
Sample:	SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe
Cookbook:	default.jbs
System description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Architecture:	WINDOWS
MD5:	da8846245fb9ec49a3223f7731236c7f
SHA1:	73189b12b69dc840ab373861748ba7fa0f4859c9
SHA256:	a54c3a619f8fc2f69b09098a45f880c352de39c568235de9f988fce9bf8c6f48
Filetype:	Win32 Executable (generic) a (10002005/4) 99.96%

Name	Type	MD5	SHA1	SHA256
C:\ProgramData\9h4wb\37gd2d	SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 3, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 3	369B6DD66F1CAD49D0952C40FEB9AD41	D05B2DE29433FB113EC4C558FF33087ED7481DD4	14150D582B5321D91BDE0841066312AB3E6673CA51C982922BC293B82527220D
C:\ProgramData\9h4wb\gdtrqi	SQLite 3.x database, last written using SQLite version 3035005, file counter 2, database pages 31, cookie 0x18, schema 4, UTF-8, version-valid-for 2	A2D1F4CF66465F9F0CAC61C4A95C7EDE	BA6A845E247B221AAEC96C4213E1FD3744B10A27	B510DF8D67E38DCAE51FE97A3924228AD37CF823999FD3BC6BA44CA6535DE8FE
C:\ProgramData\9h4wb\kfuaiw	SQLite 3.x database, last written using SQLite version 3046000, page size 2048, file counter 6, database pages 68, cookie 0x4a, schema 4, UTF-8, version-valid-for 6	C5CFBCA422AD1353E7116A02424C59FD	38F032839FC5E1F890FAA636390A3CC9556AD350	F0BFA28378F9311F7EED68314B9476296522994570F3C7B4567AB71857CAC546
C:\ProgramData\9h4wb\m7ymoh	ASCII text, with very long lines (1809), with CRLF line terminators	5D8E5D85E880FB2D153275FCBE9DA6E5	72332A8A92B77A8B1E3AA00893D73FC2704B0D13	50490DC0D0A953FA7D5E06105FE9676CDB9B49C399688068541B19DD911B90F9
C:\ProgramData\9h4wb\ozcb1d2no	SQLite 3.x database, last written using SQLite version 3046000, page size 2048, file counter 2, database pages 20, cookie 0xc, schema 4, UTF-8, version-valid-for 2	BDDE4AD11E732420E7ABCCA946B11611	278C3386A37BAFCA507CF4C128600B01B312DDA0	099AB6B902097361832FC2485E96C71C827E722FA74C09C7D08DCE9091094C1D
C:\ProgramData\9h4wb\s2n7gd268	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1	349E6EB110E34A08924D92F6B334801D	BDFB289DAFF51890CC71697B6322AA4B35EC9169	C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
C:\ProgramData\9h4wb\u3ecje	SQLite 3.x database, last written using SQLite version 3042000, page size 32768, file counter 2, database pages 9, cookie 0x6, schema 4, UTF-8, version-valid-for 2	2CD2840E30F477F23438B7C9D031FC08	03D5410A814B298B068D62ACDF493B2A49370518	49F56AAA16086F2A9DB340CC9A6E8139E076765C1BFED18B1725CC3B395DC28D
C:\ProgramData\9h4wb\v3wbai	SQLite 3.x database, last written using SQLite version 3046000, file counter 6, database pages 41, 1st free page 29, free pages 1, cookie 0x25, schema 4, UTF-8, version-valid-for 6	33642526D21BAF34FB5D5AAF11B3FB91	A64B4A7605D8B449C085474A3484921975EF6C14	3ED06184837C7FF625C54589CA2037F127E0525E3541DE8960A9D5503625862B
C:\ProgramData\9h4wb\xlng4w	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2	780853CDDEAEE8DE70F28A4B255A600B	AD7A5DA33F7AD12946153C497E990720B09005ED	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\json[1].json	JSON data	D5673180329FF182CA6D212D342CE61A	CA17CEEBC847998B1550D070795F103D19A74D26	A1CA2FA3C90B4E501D2FF5F1C74C45796D59B4304F3ED1E1109D09073885814D
Chrome Cache Entry: 60	ASCII text	6FED308183D5DFC421602548615204AF	0A3F484AAA41A60970BA92A9AC13523A1D79B4D5	4B8288C468BCFFF9B23B2A5FF38B58087CD8A6263315899DD3E249A3F7D4AB2D
Chrome Cache Entry: 61	ASCII text, with very long lines (65531)	6AC6EF0E3E7096D305D09F43300EEA07	D433F6B8C086C1364C5D61381B6E56B4D36AC19F	2D4A9A41C51CA7FD3F0686821CE5021D376C2F77A47589F17440E8BF36E0EA15
Chrome Cache Entry: 62	ASCII text, with very long lines (922)	4A9EC26091ACF0C6D975BDCAE353FA9B	C7F773C452207D8CBA328549B0822335105C41B6	037B86BE70774A7F2791E0559B70CF06B1DBFCE6D79C88318C98449620E56F88

Windows Analysis Report
SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe

Overview

General Information

Detection

Signatures

Classification

Malware Threat Intel
Provided by

Signatures

AV Detection

Cryptography

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

Protection of GUI

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Private

Contacted Domains

Contacted URLs

Windows Analysis Report SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe

Overview

General Information

Detection

Signatures

Classification

Malware Threat Intel Provided by

Signatures

AV Detection

Cryptography

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

Protection of GUI

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Private

Contacted Domains

Contacted URLs

Windows Analysis Report
SecuriteInfo.com.Win32.AdwareX-gen.20631.18363.exe

Malware Threat Intel
Provided by