Windows Analysis Report
ngbtiladkrthgad.exe

Overview

General Information

Sample name:	ngbtiladkrthgad.exe
Analysis ID:	1637340
MD5:	20beeeadd1cfac0bb5bda17172f1359f
SHA1:	fa2ca39b5e4f273d6017cb731086ce0e81af221c
SHA256:	c008a013fe6de93e4e83f0ce98098130fc16cecbf15c5e15438a8ccc47ceec69
Tags:	exeuser-TornadoAV_dev
Infos:

Detection

Vidar

Score:	100
Range:	0 - 100
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Attempt to bypass Chrome Application-Bound Encryption

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected Vidar stealer

C2 URLs / IPs found in malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Joe Sandbox ML detected suspicious sample

Searches for specific processes (likely to inject)

Tries to harvest and steal Bitcoin Wallet information

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Crypto Currency Wallets

Contains functionality to dynamically determine API calls

Contains functionality to query locales information (e.g. system language)

Contains functionality to record screenshots

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected non-DNS traffic on DNS port

Detected potential crypto function

Extensive use of GetProcAddress (often used to hide API calls)

Found decision node followed by non-executed suspicious APIs

Found evasive API chain (date check)

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

PE file contains sections with non-standard names

Queries information about the installed CPU (vendor, model number etc)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Browser Started with Remote Debugging

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Yara detected Credential Stealer

Yara signature match

Classification

Malware Threat Intel
Provided by

Name	Description	Attribution	Blogpost URLs	Link
Vidar	Vidar is a forked malware based on Arkei. It seems this stealer is one of the first that is grabbing information on 2FA Software and Tor Browser.	No Attribution	https://0x00-0x7f.github.io/A-Case-of-Vidar-Infostealer-Part-1-(-Unpacking-)/ https://0x00-0x7f.github.io/A-Case-of-Vidar-Infostealer-Part-2/ https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/vidar-stealer-h-and-m-campaign https://0xtoxin.github.io/malware%20analysis/Vidar-Stealer-Campaign/ https://asec.ahnlab.com/en/22932/	https://malpedia.caad.fkie.fraunhofer.de/details/win.vidar

Signatures

AV Detection

Antivirus / Scanner detection for submitted sample

Source: ngbtiladkrthgad.exe

Avira: detected

Found malware configuration

Source: ngbtiladkrthgad.exe

Malware Configuration Extractor: Vidar {"C2 url": "https://steamcommunity.com/profiles/76561199832267488", "Botnet": "dqu220"}

Multi AV Scanner detection for submitted file

Source: ngbtiladkrthgad.exe	Virustotal: Detection: 75%			Perma Link
Source: ngbtiladkrthgad.exe	ReversingLabs: Detection: 71%

Joe Sandbox ML detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Uses Microsoft's Enhanced Cryptographic Provider

Source: C:\Users\user\Desktop\ngbtiladkrthgad.exe	Code function: 0_2_00406A10 StrStrA,lstrlenA,LocalAlloc,CryptUnprotectData,LocalAlloc,LocalFree,lstrlenA,	0_2_00406A10
Source: C:\Users\user\Desktop\ngbtiladkrthgad.exe	Code function: 0_2_00410830 CryptBinaryToStringA,GetProcessHeap,RtlAllocateHeap,CryptBinaryToStringA,GetLastError,GetProcessHeap,HeapFree,	0_2_00410830
Source: C:\Users\user\Desktop\ngbtiladkrthgad.exe	Code function: 0_2_0040A150 BCryptCloseAlgorithmProvider,BCryptDestroyKey,BCryptCloseAlgorithmProvider,	0_2_0040A150
Source: C:\Users\user\Desktop\ngbtiladkrthgad.exe	Code function: 0_2_00406CF0 LocalAlloc,BCryptDecrypt,	0_2_00406CF0
Source: C:\Users\user\Desktop\ngbtiladkrthgad.exe	Code function: 0_2_00406940 BCryptCloseAlgorithmProvider,BCryptDestroyKey,	0_2_00406940
Source: C:\Users\user\Desktop\ngbtiladkrthgad.exe	Code function: 0_2_0040A560 StrCmpCA,BCryptCloseAlgorithmProvider,BCryptDestroyKey,BCryptCloseAlgorithmProvider,BCryptDestroyKey,	0_2_0040A560
Source: C:\Users\user\Desktop\ngbtiladkrthgad.exe	Code function: 0_2_00406980 BCryptOpenAlgorithmProvider,BCryptSetProperty,BCryptGenerateSymmetricKey,BCryptCloseAlgorithmProvider,BCryptDestroyKey,	0_2_00406980

Uses 32bit PE files

Source: ngbtiladkrthgad.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 149.154.167.99:443 -> 192.168.2.4:49719 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 78.47.63.132:443 -> 192.168.2.4:49720 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 78.47.63.132:443 -> 192.168.2.4:49723 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 78.47.63.132:443 -> 192.168.2.4:49725 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 131.253.33.254:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 78.47.63.132:443 -> 192.168.2.4:49732 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 78.47.63.132:443 -> 192.168.2.4:49733 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 78.47.63.132:443 -> 192.168.2.4:49735 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 78.47.63.132:443 -> 192.168.2.4:49766 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 78.47.63.132:443 -> 192.168.2.4:49767 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 78.47.63.132:443 -> 192.168.2.4:49771 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 78.47.63.132:443 -> 192.168.2.4:49772 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 78.47.63.132:443 -> 192.168.2.4:49776 version: TLS 1.2

Source: C:\Users\user\Desktop\ngbtiladkrthgad.exe	Code function: 0_2_00414E70 wsprintfA,FindFirstFileA,DeleteFileA,FindNextFileA,strlen,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,CopyFileA,FindClose,	0_2_00414E70
Source: C:\Users\user\Desktop\ngbtiladkrthgad.exe	Code function: 0_2_00407210 ExpandEnvironmentStringsA,FindFirstFileA,FindNextFileA,strlen,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,CopyFileA,StrCmpCA,CopyFileA,Sleep,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,CopyFileA,DeleteFileA,StrCmpCA,memset,lstrcatA,lstrcatA,lstrcatA,lstrcatA,CopyFileA,DeleteFileA,memset,lstrcatA,lstrcatA,lstrcatA,lstrcatA,FindClose,	0_2_00407210
Source: C:\Users\user\Desktop\ngbtiladkrthgad.exe	Code function: 0_2_0040B6B0 FindFirstFileA,FindNextFileA,strlen,StrCmpCA,CopyFileA,Sleep,DeleteFileA,FindClose,	0_2_0040B6B0
Source: C:\Users\user\Desktop\ngbtiladkrthgad.exe	Code function: 0_2_00415EB0 SHGetFolderPathA,wsprintfA,FindFirstFileA,FindNextFileA,FindNextFileA,FindNextFileA,strcpy,_splitpath,strcpy,strlen,isupper,wsprintfA,strcpy,strlen,SHFileOperationA,FindClose,	0_2_00415EB0
Source: C:\Users\user\Desktop\ngbtiladkrthgad.exe	Code function: 0_2_00408360 FindFirstFileA,CopyFileA,FindNextFileA,FindNextFileA,FindNextFileA,strlen,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,FindClose,	0_2_00408360
Source: C:\Users\user\Desktop\ngbtiladkrthgad.exe	Code function: 0_2_00413FD0 wsprintfA,FindFirstFileA,FindNextFileA,strlen,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,FindClose,	0_2_00413FD0
Source: C:\Users\user\Desktop\ngbtiladkrthgad.exe	Code function: 0_2_004013F0 FindFirstFileA,FindClose,FindNextFileA,strlen,FindFirstFileA,DeleteFileA,FindNextFileA,CopyFileA,CopyFileA,DeleteFileA,FindClose,	0_2_004013F0
Source: C:\Users\user\Desktop\ngbtiladkrthgad.exe	Code function: 0_2_00413580 wsprintfA,FindFirstFileA,memset,memset,FindNextFileA,strlen,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,memset,lstrcatA,strtok_s,SymMatchString,strtok_s,memset,lstrcatA,strtok_s,PathMatchSpecA,DeleteFileA,DeleteFileA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindClose,	0_2_00413580
Source: C:\Users\user\Desktop\ngbtiladkrthgad.exe	Code function: 0_2_004097B0 FindFirstFileA,FindNextFileA,strlen,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,	0_2_004097B0
Source: C:\Users\user\Desktop\ngbtiladkrthgad.exe	Code function: 0_2_0040ACD0 wsprintfA,FindFirstFileA,FindNextFileA,FindNextFileA,FindNextFileA,strlen,lstrlenA,DeleteFileA,CopyFileA,FindClose,	0_2_0040ACD0
Source: C:\Users\user\Desktop\ngbtiladkrthgad.exe	Code function: 0_2_00408C90 lstrcpyA,lstrcatA,FindFirstFileA,FindNextFileA,strlen,lstrcpyA,lstrcatA,lstrcatA,lstrcatA,memset,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcpyA,lstrcatA,lstrcatA,lstrcatA,CopyFileA,CopyFileA,CopyFileA,CopyFileA,CopyFileA,CopyFileA,CopyFileA,CopyFileA,CopyFileA,CopyFileA,FindFirstFileA,FindNextFileA,strlen,lstrcpyA,lstrcatA,lstrcatA,lstrcatA,lstrcpyA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,CopyFileA,FindClose,FindClose,DeleteFileA,_invalid_parameter_noinfo_noreturn,	0_2_00408C90
Source: C:\Users\user\Desktop\ngbtiladkrthgad.exe	Code function: 0_2_00414950 GetProcessHeap,HeapAlloc,wsprintfA,FindFirstFileA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,strlen,FindClose,lstrcatA,lstrcatA,lstrcatA,lstrlenA,lstrlenA,	0_2_00414950
Source: C:\Users\user\Desktop\ngbtiladkrthgad.exe	Code function: 0_2_00409560 ??2@YAPAXI@Z,??2@YAPAXI@Z,_invalid_parameter_noinfo_noreturn,FindFirstFileA,FindNextFileA,strlen,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,	0_2_00409560

Source: C:\Users\user\Desktop\ngbtiladkrthgad.exe

Code function: 0_2_00413AF0 SymMatchString,SymMatchString,SymMatchString,GetLogicalDriveStringsA,memset,GetDriveTypeA,lstrcpyA,lstrcpyA,lstrcpyA,lstrlenA,

0_2_00413AF0

Source: C:\Users\user\Desktop\ngbtiladkrthgad.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\	Jump to behavior
Source: C:\Users\user\Desktop\ngbtiladkrthgad.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\	Jump to behavior
Source: C:\Users\user\Desktop\ngbtiladkrthgad.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\	Jump to behavior
Source: C:\Users\user\Desktop\ngbtiladkrthgad.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\	Jump to behavior
Source: C:\Users\user\Desktop\ngbtiladkrthgad.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\	Jump to behavior
Source: C:\Users\user\Desktop\ngbtiladkrthgad.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\	Jump to behavior

Source: chrome.exe

Memory has grown: Private usage: 0MB later: 39MB

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2049087 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M1 : 192.168.2.4:49728 -> 78.47.63.132:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.4:49732 -> 78.47.63.132:443
Source: Network traffic	Suricata IDS: 2859378 - Severity 1 - ETPRO MALWARE Win32/Stealc/Vidar Stealer Host Details Exfil (POST) M2 : 192.168.2.4:49723 -> 78.47.63.132:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.4:49733 -> 78.47.63.132:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.4:49734 -> 78.47.63.132:443
Source: Network traffic	Suricata IDS: 2859636 - Severity 1 - ETPRO MALWARE Vidar/StealC CnC Exfil via SQL Database (POST) : 192.168.2.4:49734 -> 78.47.63.132:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.4:49763 -> 78.47.63.132:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.4:49735 -> 78.47.63.132:443
Source: Network traffic	Suricata IDS: 2859636 - Severity 1 - ETPRO MALWARE Vidar/StealC CnC Exfil via SQL Database (POST) : 192.168.2.4:49735 -> 78.47.63.132:443
Source: Network traffic	Suricata IDS: 2051831 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config M1 : 78.47.63.132:443 -> 192.168.2.4:49729
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.4:49765 -> 78.47.63.132:443
Source: Network traffic	Suricata IDS: 2859636 - Severity 1 - ETPRO MALWARE Vidar/StealC CnC Exfil via SQL Database (POST) : 192.168.2.4:49765 -> 78.47.63.132:443
Source: Network traffic	Suricata IDS: 2044247 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config : 78.47.63.132:443 -> 192.168.2.4:49728
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.4:49766 -> 78.47.63.132:443
Source: Network traffic	Suricata IDS: 2859636 - Severity 1 - ETPRO MALWARE Vidar/StealC CnC Exfil via SQL Database (POST) : 192.168.2.4:49766 -> 78.47.63.132:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.4:49736 -> 78.47.63.132:443
Source: Network traffic	Suricata IDS: 2859636 - Severity 1 - ETPRO MALWARE Vidar/StealC CnC Exfil via SQL Database (POST) : 192.168.2.4:49736 -> 78.47.63.132:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.4:49764 -> 78.47.63.132:443
Source: Network traffic	Suricata IDS: 2859636 - Severity 1 - ETPRO MALWARE Vidar/StealC CnC Exfil via SQL Database (POST) : 192.168.2.4:49764 -> 78.47.63.132:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.4:49767 -> 78.47.63.132:443
Source: Network traffic	Suricata IDS: 2859636 - Severity 1 - ETPRO MALWARE Vidar/StealC CnC Exfil via SQL Database (POST) : 192.168.2.4:49767 -> 78.47.63.132:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.4:49768 -> 78.47.63.132:443
Source: Network traffic	Suricata IDS: 2859636 - Severity 1 - ETPRO MALWARE Vidar/StealC CnC Exfil via SQL Database (POST) : 192.168.2.4:49768 -> 78.47.63.132:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.4:49769 -> 78.47.63.132:443
Source: Network traffic	Suricata IDS: 2859636 - Severity 1 - ETPRO MALWARE Vidar/StealC CnC Exfil via SQL Database (POST) : 192.168.2.4:49769 -> 78.47.63.132:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.4:49760 -> 78.47.63.132:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.4:49772 -> 78.47.63.132:443
Source: Network traffic	Suricata IDS: 2059331 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 : 192.168.2.4:49774 -> 78.47.63.132:443

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: https://steamcommunity.com/profiles/76561199832267488

Detected non-DNS traffic on DNS port

Source: global traffic

TCP traffic: 192.168.2.4:49737 -> 1.1.1.1:53

HTTP GET or POST without a user agent

Source: global traffic

HTTP traffic detected: GET /g_etcontent HTTP/1.1Host: t.meConnection: Keep-AliveCache-Control: no-cache

IP address seen in connection with other malware

Source: Joe Sandbox View	IP Address: 149.154.167.99 149.154.167.99
Source: Joe Sandbox View	IP Address: 149.154.167.99 149.154.167.99

Internet Provider seen in connection with other malware

Source: Joe Sandbox View

ASN Name: HETZNER-ASDE HETZNER-ASDE

JA3 SSL client fingerprint seen in connection with other malware

Source: Joe Sandbox View	JA3 fingerprint: 28a2c9bd18a11de089ef85a160da29e4
Source: Joe Sandbox View	JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.27
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.27
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.27
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.27
Source: unknown	TCP traffic detected without corresponding DNS query: 52.113.196.254
Source: unknown	TCP traffic detected without corresponding DNS query: 52.113.196.254
Source: unknown	TCP traffic detected without corresponding DNS query: 52.113.196.254
Source: unknown	TCP traffic detected without corresponding DNS query: 52.113.196.254
Source: unknown	TCP traffic detected without corresponding DNS query: 52.113.196.254
Source: unknown	TCP traffic detected without corresponding DNS query: 52.113.196.254
Source: unknown	TCP traffic detected without corresponding DNS query: 52.113.196.254
Source: unknown	TCP traffic detected without corresponding DNS query: 52.113.196.254
Source: unknown	TCP traffic detected without corresponding DNS query: 131.253.33.254
Source: unknown	TCP traffic detected without corresponding DNS query: 131.253.33.254
Source: unknown	TCP traffic detected without corresponding DNS query: 131.253.33.254
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.27
Source: unknown	TCP traffic detected without corresponding DNS query: 131.253.33.254
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.27
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.27
Source: unknown	TCP traffic detected without corresponding DNS query: 142.250.74.195
Source: unknown	TCP traffic detected without corresponding DNS query: 2.16.100.168
Source: unknown	TCP traffic detected without corresponding DNS query: 2.16.100.168
Source: unknown	TCP traffic detected without corresponding DNS query: 142.250.74.195
Source: unknown	TCP traffic detected without corresponding DNS query: 2.16.100.168
Source: unknown	TCP traffic detected without corresponding DNS query: 2.16.100.168
Source: unknown	TCP traffic detected without corresponding DNS query: 2.19.96.32
Source: unknown	TCP traffic detected without corresponding DNS query: 2.16.100.168
Source: unknown	TCP traffic detected without corresponding DNS query: 2.23.77.188
Source: unknown	TCP traffic detected without corresponding DNS query: 2.23.77.188
Source: unknown	TCP traffic detected without corresponding DNS query: 40.126.31.71
Source: unknown	TCP traffic detected without corresponding DNS query: 2.16.100.168
Source: unknown	TCP traffic detected without corresponding DNS query: 2.23.77.188
Source: unknown	TCP traffic detected without corresponding DNS query: 40.126.31.71
Source: unknown	TCP traffic detected without corresponding DNS query: 2.16.100.168
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\Desktop\ngbtiladkrthgad.exe

Code function: 0_2_00403850 InternetOpenA,StrCmpCA,InternetConnectA,HttpOpenRequestA,InternetSetOptionA,HttpSendRequestA,HttpQueryInfoA,InternetReadFile,InternetCloseHandle,InternetCloseHandle,

0_2_00403850

Source: global traffic	HTTP traffic detected: GET /g_etcontent HTTP/1.1Host: t.meConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:135.0) Firefox/135.0Host: s.p.formaxprime.co.ukConnection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=&oit=0&oft=1&pgcl=20&gs_rn=42&sugkey=AIzaSyA2KlwBX3mkFo30om9LUFYQhpqLoa_BNhE HTTP/1.1Host: www.google.comConnection: keep-aliveX-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEI0qDKAQig4coBCJahywEInP7MAQiFoM0BCMnRzgEIvtXOAQiB1s4BCMjczgEIiuDOAQiu5M4BCIvlzgE=Sec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /async/ddljson?async=ntp:2 HTTP/1.1Host: www.google.comConnection: keep-aliveSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /async/newtab_ogb?hl=en-US&async=fixed:0 HTTP/1.1Host: www.google.comConnection: keep-aliveX-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEI0qDKAQig4coBCJahywEInP7MAQiFoM0BCMnRzgEIvtXOAQiB1s4BCMjczgEIiuDOAQiu5M4BCIvlzgE=Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /async/newtab_promos HTTP/1.1Host: www.google.comConnection: keep-aliveSec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptySec-Fetch-Storage-Access: activeUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9

Source: global traffic	DNS traffic detected: DNS query: t.me
Source: global traffic	DNS traffic detected: DNS query: s.p.formaxprime.co.uk
Source: global traffic	DNS traffic detected: DNS query: www.google.com
Source: global traffic	DNS traffic detected: DNS query: apis.google.com

Source: unknown

HTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----jwl6xbi589zcbasrq9hlUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:135.0) Firefox/135.0Host: s.p.formaxprime.co.ukContent-Length: 255Connection: Keep-AliveCache-Control: no-cache

Source: ngbtiladkrthgad.exe, 00000000.00000002.1823139867.000000000065B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://e5.c.lencr.org/101.crl0
Source: ngbtiladkrthgad.exe, 00000000.00000002.1823139867.000000000065B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://e5.i.lencr.org/0
Source: ngbtiladkrthgad.exe, 00000000.00000002.1823139867.000000000065B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://e5.o.lencr.org0
Source: chromecache_69.9.dr	String found in binary or memory: http://www.broofa.com
Source: ngbtiladkrthgad.exe, 00000000.00000003.1194026711.000000000066C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.microsoft.cd
Source: ngbtiladkrthgad.exe, 00000000.00000002.1825197872.000000000364C000.00000004.00000020.00020000.00000000.sdmp, ngbtiladkrthgad.exe, 00000000.00000002.1823139867.000000000065B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://x1.c.lencr.org/0
Source: ngbtiladkrthgad.exe, 00000000.00000002.1825197872.000000000364C000.00000004.00000020.00020000.00000000.sdmp, ngbtiladkrthgad.exe, 00000000.00000002.1823139867.000000000065B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://x1.i.lencr.org/0
Source: jmym7q.0.dr	String found in binary or memory: https://ac.ecosia.org?q=
Source: chromecache_69.9.dr	String found in binary or memory: https://apis.google.com
Source: ngbtiladkrthgad.exe, 00000000.00000002.1823139867.000000000065B000.00000004.00000020.00020000.00000000.sdmp, ngbtiladkrthgad.exe, 00000000.00000003.1346023423.00000000006BC000.00000004.00000020.00020000.00000000.sdmp, gdtrim.0.dr	String found in binary or memory: https://bridge.lga1.admarketplace.net/ctp?version=16.0.0&key=1696332238301000001.2&ci=1696332238417.
Source: ngbtiladkrthgad.exe, 00000000.00000002.1823139867.000000000065B000.00000004.00000020.00020000.00000000.sdmp, ngbtiladkrthgad.exe, 00000000.00000003.1346023423.00000000006BC000.00000004.00000020.00020000.00000000.sdmp, gdtrim.0.dr	String found in binary or memory: https://bridge.lga1.ap01.net/ctp?version=16.0.0&key=1696332238301000001.1&ci=1696332238417.12791&cta
Source: jmym7q.0.dr	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: ngbtiladkrthgad.exe, 00000000.00000002.1824410005.00000000033FB000.00000004.00000020.00020000.00000000.sdmp, jmym7q.0.dr	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: ngbtiladkrthgad.exe, 00000000.00000002.1824410005.00000000033FB000.00000004.00000020.00020000.00000000.sdmp, jmym7q.0.dr	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: ngbtiladkrthgad.exe, 00000000.00000002.1823139867.000000000065B000.00000004.00000020.00020000.00000000.sdmp, ngbtiladkrthgad.exe, 00000000.00000003.1346023423.00000000006BC000.00000004.00000020.00020000.00000000.sdmp, gdtrim.0.dr	String found in binary or memory: https://contile-images.services.mozilla.com/0TegrVVRalreHILhR2WvtD_CFzj13HCDcLqqpvXSOuY.10862.jpg
Source: ngbtiladkrthgad.exe, 00000000.00000002.1823139867.000000000065B000.00000004.00000020.00020000.00000000.sdmp, ngbtiladkrthgad.exe, 00000000.00000003.1346023423.00000000006BC000.00000004.00000020.00020000.00000000.sdmp, gdtrim.0.dr	String found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
Source: jmym7q.0.dr	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: ngbtiladkrthgad.exe, 00000000.00000002.1824410005.00000000033FB000.00000004.00000020.00020000.00000000.sdmp, jmym7q.0.dr	String found in binary or memory: https://duckduckgo.com/chrome_newtabv20
Source: jmym7q.0.dr	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: chromecache_69.9.dr	String found in binary or memory: https://fonts.gstatic.com/s/i/googlematerialicons/alert/v11/gm_grey200-36dp/2x/gm_alert_gm_grey200_3
Source: chromecache_69.9.dr	String found in binary or memory: https://fonts.gstatic.com/s/i/googlematerialicons/alert/v11/gm_grey600-36dp/2x/gm_alert_gm_grey600_3
Source: chromecache_69.9.dr	String found in binary or memory: https://fonts.gstatic.com/s/i/googlematerialicons/close/v19/gm_grey200-24dp/1x/gm_close_gm_grey200_2
Source: chromecache_69.9.dr	String found in binary or memory: https://fonts.gstatic.com/s/i/googlematerialicons/close/v19/gm_grey600-24dp/1x/gm_close_gm_grey600_2
Source: jmym7q.0.dr	String found in binary or memory: https://gemini.google.com/app?q=
Source: gdtrim.0.dr	String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4QqmfZfYfQfafZbXfpbWfpbX7ReNxR3UIG8zInwYIFIVs9eYi
Source: chromecache_69.9.dr	String found in binary or memory: https://play.google.com/log?format=json&hasfast=true
Source: ngbtiladkrthgad.exe, 00000000.00000003.1224317282.000000000066C000.00000004.00000020.00020000.00000000.sdmp, ngbtiladkrthgad.exe, 00000000.00000003.1321478371.000000000066C000.00000004.00000020.00020000.00000000.sdmp, ngbtiladkrthgad.exe, 00000000.00000003.1273724875.000000000066C000.00000004.00000020.00020000.00000000.sdmp, ngbtiladkrthgad.exe, 00000000.00000003.1193910704.00000000006AF000.00000004.00000020.00020000.00000000.sdmp, ngbtiladkrthgad.exe, 00000000.00000002.1823139867.000000000065B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://s.p.formaxprime.co.uk
Source: ngbtiladkrthgad.exe, 00000000.00000003.1273724875.000000000066C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://s.p.formaxprime.co.uk/
Source: ngbtiladkrthgad.exe, 00000000.00000003.1248848959.0000000000674000.00000004.00000020.00020000.00000000.sdmp, ngbtiladkrthgad.exe, 00000000.00000003.1297921627.000000000066C000.00000004.00000020.00020000.00000000.sdmp, ngbtiladkrthgad.exe, 00000000.00000003.1248778986.0000000000673000.00000004.00000020.00020000.00000000.sdmp, ngbtiladkrthgad.exe, 00000000.00000003.1321478371.000000000066C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://s.p.formaxprime.co.uk/3
Source: ngbtiladkrthgad.exe, 00000000.00000003.1346023423.00000000006BC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://s.p.formaxprime.co.uk/4p
Source: ngbtiladkrthgad.exe, 00000000.00000003.1274025459.0000000000673000.00000004.00000020.00020000.00000000.sdmp, ngbtiladkrthgad.exe, 00000000.00000003.1224357665.0000000000672000.00000004.00000020.00020000.00000000.sdmp, ngbtiladkrthgad.exe, 00000000.00000003.1248848959.0000000000674000.00000004.00000020.00020000.00000000.sdmp, ngbtiladkrthgad.exe, 00000000.00000003.1297921627.000000000066C000.00000004.00000020.00020000.00000000.sdmp, ngbtiladkrthgad.exe, 00000000.00000003.1248778986.0000000000673000.00000004.00000020.00020000.00000000.sdmp, ngbtiladkrthgad.exe, 00000000.00000003.1224317282.000000000066C000.00000004.00000020.00020000.00000000.sdmp, ngbtiladkrthgad.exe, 00000000.00000003.1321478371.000000000066C000.00000004.00000020.00020000.00000000.sdmp, ngbtiladkrthgad.exe, 00000000.00000003.1273724875.000000000066C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://s.p.formaxprime.co.uk/e
Source: ngbtiladkrthgad.exe, 00000000.00000003.1224357665.0000000000672000.00000004.00000020.00020000.00000000.sdmp, ngbtiladkrthgad.exe, 00000000.00000003.1248848959.0000000000674000.00000004.00000020.00020000.00000000.sdmp, ngbtiladkrthgad.exe, 00000000.00000003.1248778986.0000000000673000.00000004.00000020.00020000.00000000.sdmp, ngbtiladkrthgad.exe, 00000000.00000003.1224317282.000000000066C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://s.p.formaxprime.co.uk/tm
Source: ngbtiladkrthgad.exe, 00000000.00000003.1224357665.0000000000672000.00000004.00000020.00020000.00000000.sdmp, ngbtiladkrthgad.exe, 00000000.00000003.1224317282.000000000066C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://s.p.formaxprime.co.uk3
Source: ngbtiladkrthgad.exe	String found in binary or memory: https://steamcommunity.com/profiles/76561199832267488
Source: ngbtiladkrthgad.exe	String found in binary or memory: https://steamcommunity.com/profiles/76561199832267488dqu220Mozilla/5.0
Source: ngbtiladkrthgad.exe, 00000000.00000002.1825944490.0000000003A50000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: ngbtiladkrthgad.exe, 00000000.00000002.1825944490.0000000003A50000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
Source: ngbtiladkrthgad.exe, 00000000.00000002.1823139867.00000000005FE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/
Source: ngbtiladkrthgad.exe	String found in binary or memory: https://t.me/g_etcontent
Source: ngbtiladkrthgad.exe	String found in binary or memory: https://t.me/g_etcontentdqu220Mozilla/5.0
Source: ngbtiladkrthgad.exe, 00000000.00000003.1194026711.000000000066C000.00000004.00000020.00020000.00000000.sdmp, ngbtiladkrthgad.exe, 00000000.00000002.1823139867.0000000000640000.00000004.00000020.00020000.00000000.sdmp, ngbtiladkrthgad.exe, 00000000.00000003.1196269467.00000000006AD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://web.telegram.org
Source: ngbtiladkrthgad.exe, 00000000.00000002.1823139867.000000000065B000.00000004.00000020.00020000.00000000.sdmp, ngbtiladkrthgad.exe, 00000000.00000003.1346023423.00000000006BC000.00000004.00000020.00020000.00000000.sdmp, gdtrim.0.dr	String found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_7548d4575af019e4c148ccf1a78112802e66a0816a72fc94
Source: ngbtiladkrthgad.exe, 00000000.00000002.1824410005.00000000033FB000.00000004.00000020.00020000.00000000.sdmp, jmym7q.0.dr	String found in binary or memory: https://www.ecosia.org/newtab/v20
Source: ngbtiladkrthgad.exe, 00000000.00000002.1823139867.000000000065B000.00000004.00000020.00020000.00000000.sdmp, ngbtiladkrthgad.exe, 00000000.00000003.1346023423.00000000006BC000.00000004.00000020.00020000.00000000.sdmp, gdtrim.0.dr	String found in binary or memory: https://www.expedia.com/?locale=en_US&siteid=1&semcid=US.UB.ADMARKETPLACE.GT-C-EN.HOTEL&SEMDTL=a1219
Source: ngbtiladkrthgad.exe, 00000000.00000002.1824410005.00000000033FB000.00000004.00000020.00020000.00000000.sdmp, jmym7q.0.dr	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_alldp.ico
Source: chromecache_69.9.dr	String found in binary or memory: https://www.gstatic.com/gb/html/afbp.html
Source: chromecache_69.9.dr	String found in binary or memory: https://www.gstatic.com/images/icons/material/anim/mspin/mspin_googcolor_medium.css
Source: chromecache_69.9.dr	String found in binary or memory: https://www.gstatic.com/images/icons/material/anim/mspin/mspin_googcolor_small.css
Source: ngbtiladkrthgad.exe, 00000000.00000002.1825944490.0000000003A50000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.VsJpOAWrHqB2
Source: ngbtiladkrthgad.exe, 00000000.00000002.1825944490.0000000003A50000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.n0g9CLHwD9nR
Source: ngbtiladkrthgad.exe, 00000000.00000002.1825944490.0000000003A50000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: ngbtiladkrthgad.exe, 00000000.00000002.1825944490.0000000003A50000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: ngbtiladkrthgad.exe, 00000000.00000002.1825944490.0000000003A50000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.

Source: unknown	Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown	Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 49766 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49762 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49769 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49776 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown	Network traffic detected: HTTP traffic on port 49772 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49776
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49775
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49774
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49772
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49771
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49770
Source: unknown	Network traffic detected: HTTP traffic on port 49671 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49767 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49728 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49763 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49729
Source: unknown	Network traffic detected: HTTP traffic on port 49752 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49728
Source: unknown	Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49725
Source: unknown	Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49769
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49768
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49723
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49767
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49766
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49765
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49764
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49763
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49762
Source: unknown	Network traffic detected: HTTP traffic on port 49678 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49760
Source: unknown	Network traffic detected: HTTP traffic on port 49725 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49729 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49760 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49764 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49770 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown	Network traffic detected: HTTP traffic on port 49751 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49757
Source: unknown	Network traffic detected: HTTP traffic on port 49774 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49757 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49752
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49751
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown	Network traffic detected: HTTP traffic on port 49765 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49768 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown	Network traffic detected: HTTP traffic on port 49775 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49750 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown	Network traffic detected: HTTP traffic on port 49771 -> 443

Source: unknown	HTTPS traffic detected: 149.154.167.99:443 -> 192.168.2.4:49719 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 78.47.63.132:443 -> 192.168.2.4:49720 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 78.47.63.132:443 -> 192.168.2.4:49723 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 78.47.63.132:443 -> 192.168.2.4:49725 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 131.253.33.254:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 78.47.63.132:443 -> 192.168.2.4:49732 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 78.47.63.132:443 -> 192.168.2.4:49733 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 78.47.63.132:443 -> 192.168.2.4:49735 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 78.47.63.132:443 -> 192.168.2.4:49766 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 78.47.63.132:443 -> 192.168.2.4:49767 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 78.47.63.132:443 -> 192.168.2.4:49771 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 78.47.63.132:443 -> 192.168.2.4:49772 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 78.47.63.132:443 -> 192.168.2.4:49776 version: TLS 1.2

Contains functionality to record screenshots

Source: C:\Users\user\Desktop\ngbtiladkrthgad.exe

Code function: 0_2_00410A90 CreateStreamOnHGlobal,GetDesktopWindow,GetWindowRect,GetDC,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,malloc,StrCmpCW,GetHGlobalFromStream,GlobalLock,GlobalSize,SelectObject,DeleteObject,DeleteObject,DeleteObject,ReleaseDC,CloseWindow,

0_2_00410A90

Source: C:\Users\user\Desktop\ngbtiladkrthgad.exe

Code function: 0_2_00406480 memcpy,OpenDesktopA,CreateDesktopA,lstrcpyA,CreateProcessA,Sleep,CloseDesktop,

0_2_00406480

System Summary

Malicious sample detected (through community Yara rule)

Source: ngbtiladkrthgad.exe, type: SAMPLE	Matched rule: Finds Vidar samples based on the specific strings Author: Sekoia.io
Source: 0.0.ngbtiladkrthgad.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Finds Vidar samples based on the specific strings Author: Sekoia.io
Source: 0.2.ngbtiladkrthgad.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Finds Vidar samples based on the specific strings Author: Sekoia.io

Detected potential crypto function

Source: C:\Users\user\Desktop\ngbtiladkrthgad.exe	Code function: 0_2_00404A20	0_2_00404A20
Source: C:\Users\user\Desktop\ngbtiladkrthgad.exe	Code function: 0_2_00418630	0_2_00418630
Source: C:\Users\user\Desktop\ngbtiladkrthgad.exe	Code function: 0_2_0041B770	0_2_0041B770
Source: C:\Users\user\Desktop\ngbtiladkrthgad.exe	Code function: 0_2_0041B300	0_2_0041B300
Source: C:\Users\user\Desktop\ngbtiladkrthgad.exe	Code function: 0_2_0041C100	0_2_0041C100
Source: C:\Users\user\Desktop\ngbtiladkrthgad.exe	Code function: 0_2_004193D0	0_2_004193D0
Source: C:\Users\user\Desktop\ngbtiladkrthgad.exe	Code function: 0_2_0041A7D0	0_2_0041A7D0

Found potential string decryption / allocating functions

Source: C:\Users\user\Desktop\ngbtiladkrthgad.exe	Code function: String function: 00410D00 appears 42 times
Source: C:\Users\user\Desktop\ngbtiladkrthgad.exe	Code function: String function: 0040F5B0 appears 135 times

Sample file is different than original file name gathered from version info

Source: ngbtiladkrthgad.exe, 00000000.00000002.1825197872.000000000386E000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: OriginalFilenameCmd.Exe.MUIj% vs ngbtiladkrthgad.exe

Uses 32bit PE files

Source: ngbtiladkrthgad.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Yara signature match

Source: ngbtiladkrthgad.exe, type: SAMPLE	Matched rule: infostealer_win_vidar_strings_nov23 author = Sekoia.io, description = Finds Vidar samples based on the specific strings, creation_date = 2023-11-10, classification = TLP:CLEAR, version = 1.0, reference = https://twitter.com/crep1x/status/1722652451319202242, id = b2c17627-f9b8-4401-b657-1cce560edc76
Source: 0.0.ngbtiladkrthgad.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: infostealer_win_vidar_strings_nov23 author = Sekoia.io, description = Finds Vidar samples based on the specific strings, creation_date = 2023-11-10, classification = TLP:CLEAR, version = 1.0, reference = https://twitter.com/crep1x/status/1722652451319202242, id = b2c17627-f9b8-4401-b657-1cce560edc76
Source: 0.2.ngbtiladkrthgad.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: infostealer_win_vidar_strings_nov23 author = Sekoia.io, description = Finds Vidar samples based on the specific strings, creation_date = 2023-11-10, classification = TLP:CLEAR, version = 1.0, reference = https://twitter.com/crep1x/status/1722652451319202242, id = b2c17627-f9b8-4401-b657-1cce560edc76

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@22/22@6/6

Source: C:\Users\user\Desktop\ngbtiladkrthgad.exe

Code function: 0_2_00411250 CreateToolhelp32Snapshot,Process32First,StrCmpCA,Process32Next,StrCmpCA,CloseHandle,

0_2_00411250

Source: C:\Users\user\Desktop\ngbtiladkrthgad.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\MHHKCJV8.htm

Source: unknown	Process created: C:\Users\user\Desktop\ngbtiladkrthgad.exe "C:\Users\user\Desktop\ngbtiladkrthgad.exe"
Source: C:\Users\user\Desktop\ngbtiladkrthgad.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=1892,i,7460351053640162327,6554442286005526848,262144 --variations-seed-version=20250306-183004.429000 --mojo-platform-channel-handle=2444 /prefetch:3
Source: C:\Users\user\Desktop\ngbtiladkrthgad.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c timeout /t 11 & rd /s /q "C:\ProgramData\o89zu" & exit
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 11
Source: C:\Users\user\Desktop\ngbtiladkrthgad.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"	Jump to behavior
Source: C:\Users\user\Desktop\ngbtiladkrthgad.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c timeout /t 11 & rd /s /q "C:\ProgramData\o89zu" & exit	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=1892,i,7460351053640162327,6554442286005526848,262144 --variations-seed-version=20250306-183004.429000 --mojo-platform-channel-handle=2444 /prefetch:3	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 11	Jump to behavior

Source: C:\Users\user\Desktop\ngbtiladkrthgad.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\ngbtiladkrthgad.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\ngbtiladkrthgad.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\ngbtiladkrthgad.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\ngbtiladkrthgad.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\ngbtiladkrthgad.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\ngbtiladkrthgad.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\ngbtiladkrthgad.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\ngbtiladkrthgad.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\ngbtiladkrthgad.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\ngbtiladkrthgad.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\ngbtiladkrthgad.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\ngbtiladkrthgad.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\ngbtiladkrthgad.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\ngbtiladkrthgad.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\ngbtiladkrthgad.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\ngbtiladkrthgad.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\ngbtiladkrthgad.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\ngbtiladkrthgad.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\ngbtiladkrthgad.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\ngbtiladkrthgad.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\ngbtiladkrthgad.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\ngbtiladkrthgad.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\ngbtiladkrthgad.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\ngbtiladkrthgad.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\ngbtiladkrthgad.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\ngbtiladkrthgad.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\ngbtiladkrthgad.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\ngbtiladkrthgad.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\ngbtiladkrthgad.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\ngbtiladkrthgad.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\ngbtiladkrthgad.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\ngbtiladkrthgad.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\ngbtiladkrthgad.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\ngbtiladkrthgad.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\ngbtiladkrthgad.exe	Section loaded: windows.fileexplorer.common.dll	Jump to behavior
Source: C:\Users\user\Desktop\ngbtiladkrthgad.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Users\user\Desktop\ngbtiladkrthgad.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\ngbtiladkrthgad.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\ngbtiladkrthgad.exe	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Users\user\Desktop\ngbtiladkrthgad.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\ngbtiladkrthgad.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\ngbtiladkrthgad.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\ngbtiladkrthgad.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\ngbtiladkrthgad.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\ngbtiladkrthgad.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\ngbtiladkrthgad.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\ngbtiladkrthgad.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\ngbtiladkrthgad.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\ngbtiladkrthgad.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Users\user\Desktop\ngbtiladkrthgad.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\ngbtiladkrthgad.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\SysWOW64\timeout.exe	Section loaded: version.dll	Jump to behavior

Source: ngbtiladkrthgad.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: ngbtiladkrthgad.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: ngbtiladkrthgad.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: ngbtiladkrthgad.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: ngbtiladkrthgad.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: ngbtiladkrthgad.exe, 00000000.00000002.1823139867.000000000065B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW<=
Source: ngbtiladkrthgad.exe, 00000000.00000002.1823139867.00000000005FE000.00000004.00000020.00020000.00000000.sdmp, ngbtiladkrthgad.exe, 00000000.00000002.1823139867.000000000065B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW

Source: C:\Users\user\Desktop\ngbtiladkrthgad.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\ngbtiladkrthgad.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\ngbtiladkrthgad.exe	API call chain: ExitProcess graph end node

Source: C:\Users\user\Desktop\ngbtiladkrthgad.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0			Jump to behavior
Source: C:\Users\user\Desktop\ngbtiladkrthgad.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0			Jump to behavior

Source: C:\Users\user\Desktop\ngbtiladkrthgad.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\ngbtiladkrthgad.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior

Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: Process Memory Space: ngbtiladkrthgad.exe PID: 7304, type: MEMORYSTR

Source: ngbtiladkrthgad.exe, 00000000.00000002.1824047541.00000000031D6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: wallet.,seed.,btc.,key.,2fa.,crypto.,coin.,private.,2fa.,auth.,ledger.,trezor.,pass.,wal.,upbit.,bcex.,bithimb.,hitbtc.,bitflyer.,kucoin.,huobi.,poloniex.,kraken.,okex.,binance.,bitfinex.,gdax.,ethereum.,exodus.,metamask.,myetherwallet.,electrum.,bitcoin.,blockchain.,coinomi.,words.,meta.,mask.,eth.,recovery.
Source: ngbtiladkrthgad.exe, 00000000.00000002.1823139867.000000000065B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \ElectronCash\wallets\
Source: ngbtiladkrthgad.exe, 00000000.00000002.1823139867.000000000065B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \Electrum\wallets\
Source: ngbtiladkrthgad.exe, 00000000.00000002.1823139867.000000000065B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: window-state.json
Source: ngbtiladkrthgad.exe, 00000000.00000002.1823139867.000000000065B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: exodus.conf.json
Source: ngbtiladkrthgad.exe, 00000000.00000002.1823139867.000000000065B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \Exodus\
Source: ngbtiladkrthgad.exe, 00000000.00000002.1823139867.000000000065B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: info.seco
Source: ngbtiladkrthgad.exe, 00000000.00000002.1823139867.000000000065B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: ElectrumLTC
Source: ngbtiladkrthgad.exe, 00000000.00000002.1823139867.000000000065B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: passphrase.json
Source: ngbtiladkrthgad.exe, 00000000.00000002.1823139867.000000000065B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \Ethereum\
Source: ngbtiladkrthgad.exe, 00000000.00000003.1321478371.0000000000665000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: lgcnhelpchnceeipipijaljkblbcobl\|1\|1\|1\|Tronium\|1\|pnndplcbkakcplkjnolgbkdgjikjednm\|1\|0\|0\|Trust Wallet\|1\|egjidjbpglichdcondbcbdnbeeppgdph\|1\|0\|0\|Exodus Web3 Wallet\|1\|aholpfdialjgjfhomihkjbmgjidlcdno\|1\|0\|0\|Braavos\|1\|jnlgamecbpmbajjfhmmmlhejkemejdma\|1\|0\|0\|Enkrypt\|1\|kkpllkodjeloidieedojogacfhpaihoh\|1\|0\|0\|OKX Web3 Wallet\|1\|mcohilncbfahbmgdjkbpemcciiolgcge\|1\|0\|0\|Sender\|1\|epapihdplajcdnnkdeiahlgigofloibg\|1\|0\|0\|Hashpack\|1\|gjagmgiddbbciopjhllkdnddhcglnemk\|1\|0\|0\|GeroWallet\|1\|bgpipimickeadkjlklgciifhnalhdjhe\|1\|0\|0\|Pontem Wallet\|1\|phkbamefinggmakgklpkljjmgibohnba\|1\|0\|0\|Finnie\|1\|cjmkndjhnagcfbpiemnkdpomccnjblmj\|1\|0\|0\|Leap Terra\|1\|aijcbedoijmgnlmjeegjaglmepbmpkpi\|1\|0\|0\|Microsoft AutoFill\|0\|fiedbfgcleddlbcmgdigjgdfcggjcion\|1\|0\|0\|Bitwarden\|0\|nngceckbapebfimnlniiiahkandclblb\|1\|0\|0\|KeePass Tusk\|0\|fmhmiaejopepamlcjkncpgpdjichnecm\|1\|0\|0\|KeePassXC-Browser\|0\|oboonakemofpalcgghocfoadofidjkkk\|1\|0\|0\|Rise - Aptos Wallet\|1\|hbbgbephgojikajhfbomhlmmollphcad\|1\|0\|0\|Rainbow Wallet\|1\|opfgelmcmbiajamepnmloijbpoleiama\|1\|0\|0\|Nightly\|1\|fiikommddbeccaoicoejoniammnalkfa\|1\|0\|0\|Ecto Wallet\|1\|bgjogpoidejdemgoochpnkmdjpocgkha\|1\|0\|0\|Coinhub\|1\|jgaaimajipbpdogpdglhaphldakikgef\|1\|0\|0\|Leap Cosmos Wallet\|1\|fcfcfllfndlomdhbehjjcoimbgofdncg\|1\|0\|0\|MultiversX DeFi Wallet\|1\|dngmlblcodfobpdpecaadgfbcggfjfnm\|1\|0\|0\|Frontier Wallet\|1\|kppfdiipphfccemcignhifpjkapfbihd\|1\|0\|0\|SafePal\|1\|lgmpcpglpngdoalbgeoldeajfclnhafa\|1\|0\|0\|SubWallet - Polkadot Wallet\|1\|onhogfjeacnfoofkfgppdlbmlmnplgbn\|1\|0\|0\|Fluvi Wallet\|1\|mmmjbcfofconkannjonfmjjajpllddbg\|1\|0\|0\|Glass Wallet - Sui Wallet\|1\|loinekcabhlmhjjbocijdoimmejangoa\|1\|0\|0\|Morphis Wallet\|1\|heefohaffomkkkphnlpohglngmbcclhi\|1\|0\|0\|Xverse Wallet\|1\|idnnbdplmphpflfnlkomgpfbpcgelopg\|1\|0\|0\|Compass Wallet for Sei\|1\|anokgmphncpekkhclmingpimjmcooifb\|1\|0\|0\|HAVAH Wallet\|1\|cnncmdhjacpkmjmkcafchppbnpnhdmon\|1\|0\|0\|Elli - Sui Wallet\|1\|ocjdpmoallmgmjbbogfiiaofphbjgchh\|1\|0\|0\|Venom Wallet\|1\|ojggmchlghnjlapmfbnjholfjkiidbch\|1\|0\|0\|Pulse Wallet Chromium\|1\|ciojocpkclfflombbcfigcijjcbkmhaf\|1\|0\|0\|Magic Eden Wallet\|1\|mkpegjkblkkefacfnmkajcjmabijhclg\|1\|0\|0\|Backpack Wallet\|1\|aflkmfhebedbjioipglgcbcmnbpgliof\|1\|0\|0\|Tonkeeper Wallet\|1\|omaabbefbmiijedngplfjmnooppbclkk\|1\|0\|0\|OpenMask Wallet\|1\|penjlddjkjgpnkllboccdgccekpkcbin\|1\|0\|0\|SafePal Wallet\|1\|apenkfbbpmhihehmihndmmcdanacolnh\|1\|0\|0\|Bitget Wallet\|1\|jiidiaalihmmhddjgbnbgdfflelocpak\|1\|0\|0\|TON Wallet\|1\|nphplpgoakhhjchkkhmiggakijnkhfnd\|1\|0\|0\|MyTonWallet\|1\|fldfpgipfncgnd
Source: ngbtiladkrthgad.exe, 00000000.00000002.1824047541.00000000031D6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: wallet.,seed.,btc.,key.,2fa.,crypto.,coin.,private.,2fa.,auth.,ledger.,trezor.,pass.,wal.,upbit.,bcex.,bithimb.,hitbtc.,bitflyer.,kucoin.,huobi.,poloniex.,kraken.,okex.,binance.,bitfinex.,gdax.,ethereum.,exodus.,metamask.,myetherwallet.,electrum.,bitcoin.,blockchain.,coinomi.,words.,meta.,mask.,eth.,recovery.
Source: ngbtiladkrthgad.exe, 00000000.00000002.1823139867.000000000065B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \Coinomi\Coinomi\wallets\
Source: ngbtiladkrthgad.exe, 00000000.00000002.1823139867.000000000065B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: MultiDoge
Source: ngbtiladkrthgad.exe, 00000000.00000002.1823139867.000000000065B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \Exodus\exodus.wallet\
Source: ngbtiladkrthgad.exe, 00000000.00000002.1823139867.000000000065B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: seed.seco
Source: ngbtiladkrthgad.exe, 00000000.00000002.1823139867.000000000065B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: keystore
Source: ngbtiladkrthgad.exe, 00000000.00000002.1823139867.000000000065B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \Electrum-LTC\wallets\

Source: C:\Users\user\Desktop\ngbtiladkrthgad.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets\	Jump to behavior
Source: C:\Users\user\Desktop\ngbtiladkrthgad.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\	Jump to behavior
Source: C:\Users\user\Desktop\ngbtiladkrthgad.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\	Jump to behavior
Source: C:\Users\user\Desktop\ngbtiladkrthgad.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\	Jump to behavior
Source: C:\Users\user\Desktop\ngbtiladkrthgad.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\	Jump to behavior
Source: C:\Users\user\Desktop\ngbtiladkrthgad.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\	Jump to behavior
Source: C:\Users\user\Desktop\ngbtiladkrthgad.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\	Jump to behavior
Source: C:\Users\user\Desktop\ngbtiladkrthgad.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\	Jump to behavior
Source: C:\Users\user\Desktop\ngbtiladkrthgad.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\backups\	Jump to behavior
Source: C:\Users\user\Desktop\ngbtiladkrthgad.exe	File opened: C:\Users\user\AppData\Roaming\ElectronCash\wallets\	Jump to behavior
Source: C:\Users\user\Desktop\ngbtiladkrthgad.exe	File opened: C:\Users\user\AppData\Roaming\MultiDoge\	Jump to behavior
Source: C:\Users\user\Desktop\ngbtiladkrthgad.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb\	Jump to behavior
Source: C:\Users\user\Desktop\ngbtiladkrthgad.exe	File opened: C:\Users\user\AppData\Roaming\Binance\	Jump to behavior
Source: C:\Users\user\Desktop\ngbtiladkrthgad.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\	Jump to behavior
Source: C:\Users\user\Desktop\ngbtiladkrthgad.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\	Jump to behavior
Source: C:\Users\user\Desktop\ngbtiladkrthgad.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live\Local Storage\leveldb\	Jump to behavior
Source: C:\Users\user\Desktop\ngbtiladkrthgad.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live\Session Storage\	Jump to behavior
Source: C:\Users\user\Desktop\ngbtiladkrthgad.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live\	Jump to behavior
Source: C:\Users\user\Desktop\ngbtiladkrthgad.exe	File opened: C:\Users\user\AppData\Roaming\atomic_qt\config\	Jump to behavior
Source: C:\Users\user\Desktop\ngbtiladkrthgad.exe	File opened: C:\Users\user\AppData\Roaming\atomic_qt\exports\	Jump to behavior
Source: C:\Users\user\Desktop\ngbtiladkrthgad.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\	Jump to behavior
Source: C:\Users\user\Desktop\ngbtiladkrthgad.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\Local Storage\leveldb\	Jump to behavior

Source: Yara match	File source: 00000000.00000002.1823139867.000000000065B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: ngbtiladkrthgad.exe PID: 7304, type: MEMORYSTR

IP	Domain	Country	ASN	ASN Name	Malicious
149.154.167.99	t.me	United Kingdom	62041	TELEGRAMRU	false
78.47.63.132	s.p.formaxprime.co.uk	Germany	24940	HETZNER-ASDE	true
216.58.206.36	www.google.com	United States	15169	GOOGLEUS	false
142.250.185.174	plus.l.google.com	United States	15169	GOOGLEUS	false

Name	Malicious	Reputation
https://t.me/g_etcontent	false	high
https://www.google.com/async/newtab_promos	false	high
https://www.google.com/async/ddljson?async=ntp:2	false	high
https://steamcommunity.com/profiles/76561199832267488	false	high
https://www.google.com/async/newtab_ogb?hl=en-US&async=fixed:0	false	high
https://www.google.com/complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=&oit=0&oft=1&pgcl=20&gs_rn=42&sugkey=AIzaSyA2KlwBX3mkFo30om9LUFYQhpqLoa_BNhE	false	high

ID:	1637340
Product:	CloudBasic
Start time:	14:48:47
Start date:	13.03.2025
Sample:	ngbtiladkrthgad.exe
Cookbook:	default.jbs
System description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Architecture:	WINDOWS
MD5:	20beeeadd1cfac0bb5bda17172f1359f
SHA1:	fa2ca39b5e4f273d6017cb731086ce0e81af221c
SHA256:	c008a013fe6de93e4e83f0ce98098130fc16cecbf15c5e15438a8ccc47ceec69
Filetype:	Win32 Executable (generic) a (10002005/4) 99.96%

Name	Type	MD5	SHA1	SHA256
C:\ProgramData\o89zu\dbs0r9	SQLite 3.x database, last written using SQLite version 3042000, page size 32768, file counter 2, database pages 9, cookie 0x6, schema 4, UTF-8, version-valid-for 2	2CD2840E30F477F23438B7C9D031FC08	03D5410A814B298B068D62ACDF493B2A49370518	49F56AAA16086F2A9DB340CC9A6E8139E076765C1BFED18B1725CC3B395DC28D
C:\ProgramData\o89zu\gdtrim	ASCII text, with very long lines (1809), with CRLF line terminators	5D8E5D85E880FB2D153275FCBE9DA6E5	72332A8A92B77A8B1E3AA00893D73FC2704B0D13	50490DC0D0A953FA7D5E06105FE9676CDB9B49C399688068541B19DD911B90F9
C:\ProgramData\o89zu\hdjw4o	SQLite 3.x database, last written using SQLite version 3046000, file counter 6, database pages 41, 1st free page 29, free pages 1, cookie 0x25, schema 4, UTF-8, version-valid-for 6	33642526D21BAF34FB5D5AAF11B3FB91	A64B4A7605D8B449C085474A3484921975EF6C14	3ED06184837C7FF625C54589CA2037F127E0525E3541DE8960A9D5503625862B
C:\ProgramData\o89zu\hvsri5	SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 3, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 3	369B6DD66F1CAD49D0952C40FEB9AD41	D05B2DE29433FB113EC4C558FF33087ED7481DD4	14150D582B5321D91BDE0841066312AB3E6673CA51C982922BC293B82527220D
C:\ProgramData\o89zu\jmym7q	SQLite 3.x database, last written using SQLite version 3046000, page size 2048, file counter 6, database pages 68, cookie 0x4a, schema 4, UTF-8, version-valid-for 6	C5CFBCA422AD1353E7116A02424C59FD	38F032839FC5E1F890FAA636390A3CC9556AD350	F0BFA28378F9311F7EED68314B9476296522994570F3C7B4567AB71857CAC546
C:\ProgramData\o89zu\sjwt0hlfu	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1	349E6EB110E34A08924D92F6B334801D	BDFB289DAFF51890CC71697B6322AA4B35EC9169	C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
C:\ProgramData\o89zu\sr90rq	SQLite 3.x database, last written using SQLite version 3035005, file counter 2, database pages 31, cookie 0x18, schema 4, UTF-8, version-valid-for 2	A2D1F4CF66465F9F0CAC61C4A95C7EDE	BA6A845E247B221AAEC96C4213E1FD3744B10A27	B510DF8D67E38DCAE51FE97A3924228AD37CF823999FD3BC6BA44CA6535DE8FE
C:\ProgramData\o89zu\uaiwlfus2	SQLite 3.x database, last written using SQLite version 3046000, page size 2048, file counter 2, database pages 20, cookie 0xc, schema 4, UTF-8, version-valid-for 2	BDDE4AD11E732420E7ABCCA946B11611	278C3386A37BAFCA507CF4C128600B01B312DDA0	099AB6B902097361832FC2485E96C71C827E722FA74C09C7D08DCE9091094C1D
C:\ProgramData\o89zu\xb1vk6	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2	780853CDDEAEE8DE70F28A4B255A600B	AD7A5DA33F7AD12946153C497E990720B09005ED	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\json[1].json	JSON data	EA735DC09F120FF67C707040194F2C77	095F01C459E52B196652BFF59E62301BAB74E6C2	779F5F856BDACD6AA1914C790DBE9BD0B41FDC607DB24B7448FF6A5987F41098
Chrome Cache Entry: 66	ASCII text, with very long lines (5162), with no line terminators	70A8F21806E7F1B739937970EBE49A0C	6BE9EEBCE438DE91FEB20E6A5458774B327AA9B4	C8B531CFD6E9BE13762E289820F67406331303CD5111A885DE959BF83DD0F5AC
Chrome Cache Entry: 67	ASCII text	6FED308183D5DFC421602548615204AF	0A3F484AAA41A60970BA92A9AC13523A1D79B4D5	4B8288C468BCFFF9B23B2A5FF38B58087CD8A6263315899DD3E249A3F7D4AB2D
Chrome Cache Entry: 68	ASCII text, with very long lines (65531)	9B11C71BC7E86A80D349E46487E13FA1	4C537181125445977397EE51432853B3EB6427CC	CC5B207B7951AB84EA99C6E8E4E310CED84DB3A19F0F75555E3DC0C14156F77B
Chrome Cache Entry: 69	ASCII text, with very long lines (2412)	4B41432CA29BA7B366890C3211D319DD	C60F89E8ACCE6E93A14BE7E09C8A719BAC3AAF46	9E09A8F1471D9E076C80D0E6D9D4A888E34D63EA93EF10740811E82FA9E1BD94
Chrome Cache Entry: 70	SVG Scalable Vector Graphics image	554640F465EB3ED903B543DAE0A1BCAC	E0E6E2C8939008217EB76A3B3282CA75F3DC401A	99BF4AA403643A6D41C028E5DB29C79C17CBC815B3E10CD5C6B8F90567A03E52
Chrome Cache Entry: 71	ASCII text, with very long lines (859)	FD745B8085BD9371573EEC460FA7240F	B6B92C836004FF798F1F57B602AE3E54F4180829	059647799F1B2203D868D8ADB8CCB1342775C81032ECD00DED7E40A3F17E799C

Windows Analysis Report ngbtiladkrthgad.exe

Overview

General Information

Detection

Signatures

Classification

Malware Threat Intel Provided by

Signatures

AV Detection

Cryptography

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

Protection of GUI

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Private

Contacted Domains

Contacted URLs

Windows Analysis Report
ngbtiladkrthgad.exe

Malware Threat Intel
Provided by