Windows Analysis Report
BCb8yQ0fg8.exe

Overview

General Information

Sample name: BCb8yQ0fg8.exe
renamed because original name is a hash value
Original sample name: 807675A50EE7545E02DAEAC9822842B7.exe
Analysis ID: 1434650
MD5: 807675a50ee7545e02daeac9822842b7
SHA1: 967094e1ef9155a031687396ba99855e54870612
SHA256: 2895f26ebeb8334731591ac868e9ab554a3568632e3c62e802739e5d0fc38d88
Tags: exeStealc
Infos:

Detection

Mars Stealer, Stealc, Vidar
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Antivirus detection for dropped file
Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected Mars stealer
Yara detected Stealc
Yara detected Vidar stealer
C2 URLs / IPs found in malware configuration
Deletes itself after installation
Found hidden mapped module (file has been removed from disk)
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for dropped file
Maps a DLL or memory area into another process
PE file has a writeable .text section
Sample uses string decryption to hide its real strings
Writes to foreign memory regions
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
PE / OLE file has an invalid certificate
PE file contains sections with non-standard names
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

Name Description Attribution Blogpost URLs Link
Stealc Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, stealc is a non-resident stealer with flexible data collection settings and its development is relied on other prominent stealers: Vidar, Raccoon, Mars and Redline.Stealc is written in C and uses WinAPI functions. It mainly targets date from web browsers, extensions and Desktop application of cryptocurrency wallets, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers, including sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc
Name Description Attribution Blogpost URLs Link
Vidar Vidar is a forked malware based on Arkei. It seems this stealer is one of the first that is grabbing information on 2FA Software and Tor Browser. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.vidar

AV Detection
barindex
Antivirus detection for URL or domain
Source: http://193.163.7.88/a69d09b357e06b52.php Avira URL Cloud: Label: malware
Antivirus detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\cgfmw Avira: detection malicious, Label: TR/Crypt.ZPACK.Gen
Found malware configuration
Source: 1.2.cmd.exe.38e00c8.0.raw.unpack Malware Configuration Extractor: Vidar {"C2 url": "http://193.163.7.88/a69d09b357e06b52.php"}
Multi AV Scanner detection for submitted file
Source: BCb8yQ0fg8.exe Virustotal: Detection: 19% Perma Link
Source: BCb8yQ0fg8.exe ReversingLabs: Detection: 15%
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\cgfmw Joe Sandbox ML: detected
Sample uses string decryption to hide its real strings
Source: 1.2.cmd.exe.38e00c8.0.raw.unpack String decryptor: INSERT_KEY_HERE
Source: 1.2.cmd.exe.38e00c8.0.raw.unpack String decryptor: GetProcAddress
Source: 1.2.cmd.exe.38e00c8.0.raw.unpack String decryptor: LoadLibraryA
Source: 1.2.cmd.exe.38e00c8.0.raw.unpack String decryptor: lstrcatA
Source: 1.2.cmd.exe.38e00c8.0.raw.unpack String decryptor: OpenEventA
Source: 1.2.cmd.exe.38e00c8.0.raw.unpack String decryptor: CreateEventA
Source: 1.2.cmd.exe.38e00c8.0.raw.unpack String decryptor: CloseHandle
Source: 1.2.cmd.exe.38e00c8.0.raw.unpack String decryptor: Sleep
Source: 1.2.cmd.exe.38e00c8.0.raw.unpack String decryptor: GetUserDefaultLangID
Source: 1.2.cmd.exe.38e00c8.0.raw.unpack String decryptor: VirtualAllocExNuma
Source: 1.2.cmd.exe.38e00c8.0.raw.unpack String decryptor: VirtualFree
Source: 1.2.cmd.exe.38e00c8.0.raw.unpack String decryptor: GetSystemInfo
Source: 1.2.cmd.exe.38e00c8.0.raw.unpack String decryptor: VirtualAlloc
Source: 1.2.cmd.exe.38e00c8.0.raw.unpack String decryptor: HeapAlloc
Source: 1.2.cmd.exe.38e00c8.0.raw.unpack String decryptor: GetComputerNameA
Source: 1.2.cmd.exe.38e00c8.0.raw.unpack String decryptor: lstrcpyA
Source: 1.2.cmd.exe.38e00c8.0.raw.unpack String decryptor: GetProcessHeap
Source: 1.2.cmd.exe.38e00c8.0.raw.unpack String decryptor: GetCurrentProcess
Source: 1.2.cmd.exe.38e00c8.0.raw.unpack String decryptor: lstrlenA
Source: 1.2.cmd.exe.38e00c8.0.raw.unpack String decryptor: ExitProcess
Source: 1.2.cmd.exe.38e00c8.0.raw.unpack String decryptor: GlobalMemoryStatusEx
Source: 1.2.cmd.exe.38e00c8.0.raw.unpack String decryptor: GetSystemTime
Source: 1.2.cmd.exe.38e00c8.0.raw.unpack String decryptor: SystemTimeToFileTime
Source: 1.2.cmd.exe.38e00c8.0.raw.unpack String decryptor: advapi32.dll
Source: 1.2.cmd.exe.38e00c8.0.raw.unpack String decryptor: gdi32.dll
Source: 1.2.cmd.exe.38e00c8.0.raw.unpack String decryptor: user32.dll
Source: 1.2.cmd.exe.38e00c8.0.raw.unpack String decryptor: crypt32.dll
Source: 1.2.cmd.exe.38e00c8.0.raw.unpack String decryptor: ntdll.dll
Source: 1.2.cmd.exe.38e00c8.0.raw.unpack String decryptor: GetUserNameA
Source: 1.2.cmd.exe.38e00c8.0.raw.unpack String decryptor: CreateDCA
Source: 1.2.cmd.exe.38e00c8.0.raw.unpack String decryptor: GetDeviceCaps
Source: 1.2.cmd.exe.38e00c8.0.raw.unpack String decryptor: ReleaseDC
Source: 1.2.cmd.exe.38e00c8.0.raw.unpack String decryptor: CryptStringToBinaryA
Source: 1.2.cmd.exe.38e00c8.0.raw.unpack String decryptor: sscanf
Source: 1.2.cmd.exe.38e00c8.0.raw.unpack String decryptor: VMwareVMware
Source: 1.2.cmd.exe.38e00c8.0.raw.unpack String decryptor: HAL9TH
Source: 1.2.cmd.exe.38e00c8.0.raw.unpack String decryptor: JohnDoe
Source: 1.2.cmd.exe.38e00c8.0.raw.unpack String decryptor: DISPLAY
Source: 1.2.cmd.exe.38e00c8.0.raw.unpack String decryptor: %hu/%hu/%hu
Source: 1.2.cmd.exe.38e00c8.0.raw.unpack String decryptor: http://193.163.7.88
Source: 1.2.cmd.exe.38e00c8.0.raw.unpack String decryptor: /a69d09b357e06b52.php
Source: 1.2.cmd.exe.38e00c8.0.raw.unpack String decryptor: /f77a9ad318e8e915/
Source: 1.2.cmd.exe.38e00c8.0.raw.unpack String decryptor: cozy15
Source: 1.2.cmd.exe.38e00c8.0.raw.unpack String decryptor: GetEnvironmentVariableA
Source: 1.2.cmd.exe.38e00c8.0.raw.unpack String decryptor: GetFileAttributesA
Source: 1.2.cmd.exe.38e00c8.0.raw.unpack String decryptor: GlobalLock
Source: 1.2.cmd.exe.38e00c8.0.raw.unpack String decryptor: HeapFree
Source: 1.2.cmd.exe.38e00c8.0.raw.unpack String decryptor: GetFileSize
Source: 1.2.cmd.exe.38e00c8.0.raw.unpack String decryptor: GlobalSize
Source: 1.2.cmd.exe.38e00c8.0.raw.unpack String decryptor: CreateToolhelp32Snapshot
Source: 1.2.cmd.exe.38e00c8.0.raw.unpack String decryptor: IsWow64Process
Source: 1.2.cmd.exe.38e00c8.0.raw.unpack String decryptor: Process32Next
Source: 1.2.cmd.exe.38e00c8.0.raw.unpack String decryptor: GetLocalTime
Source: 1.2.cmd.exe.38e00c8.0.raw.unpack String decryptor: FreeLibrary
Source: 1.2.cmd.exe.38e00c8.0.raw.unpack String decryptor: GetTimeZoneInformation
Source: 1.2.cmd.exe.38e00c8.0.raw.unpack String decryptor: GetSystemPowerStatus
Source: 1.2.cmd.exe.38e00c8.0.raw.unpack String decryptor: GetVolumeInformationA
Source: 1.2.cmd.exe.38e00c8.0.raw.unpack String decryptor: GetWindowsDirectoryA
Source: 1.2.cmd.exe.38e00c8.0.raw.unpack String decryptor: Process32First
Source: 1.2.cmd.exe.38e00c8.0.raw.unpack String decryptor: GetLocaleInfoA
Source: 1.2.cmd.exe.38e00c8.0.raw.unpack String decryptor: GetUserDefaultLocaleName
Source: 1.2.cmd.exe.38e00c8.0.raw.unpack String decryptor: GetModuleFileNameA
Source: 1.2.cmd.exe.38e00c8.0.raw.unpack String decryptor: DeleteFileA
Source: 1.2.cmd.exe.38e00c8.0.raw.unpack String decryptor: FindNextFileA
Source: 1.2.cmd.exe.38e00c8.0.raw.unpack String decryptor: LocalFree
Source: 1.2.cmd.exe.38e00c8.0.raw.unpack String decryptor: FindClose
Source: 1.2.cmd.exe.38e00c8.0.raw.unpack String decryptor: SetEnvironmentVariableA
Source: 1.2.cmd.exe.38e00c8.0.raw.unpack String decryptor: LocalAlloc
Source: 1.2.cmd.exe.38e00c8.0.raw.unpack String decryptor: GetFileSizeEx
Source: 1.2.cmd.exe.38e00c8.0.raw.unpack String decryptor: ReadFile
Source: 1.2.cmd.exe.38e00c8.0.raw.unpack String decryptor: SetFilePointer
Source: 1.2.cmd.exe.38e00c8.0.raw.unpack String decryptor: WriteFile
Source: 1.2.cmd.exe.38e00c8.0.raw.unpack String decryptor: CreateFileA
Source: 1.2.cmd.exe.38e00c8.0.raw.unpack String decryptor: FindFirstFileA
Source: 1.2.cmd.exe.38e00c8.0.raw.unpack String decryptor: CopyFileA
Source: 1.2.cmd.exe.38e00c8.0.raw.unpack String decryptor: VirtualProtect
Source: 1.2.cmd.exe.38e00c8.0.raw.unpack String decryptor: GetLogicalProcessorInformationEx
Source: 1.2.cmd.exe.38e00c8.0.raw.unpack String decryptor: GetLastError
Source: 1.2.cmd.exe.38e00c8.0.raw.unpack String decryptor: lstrcpynA
Source: 1.2.cmd.exe.38e00c8.0.raw.unpack String decryptor: MultiByteToWideChar
Source: 1.2.cmd.exe.38e00c8.0.raw.unpack String decryptor: GlobalFree
Source: 1.2.cmd.exe.38e00c8.0.raw.unpack String decryptor: WideCharToMultiByte
Source: 1.2.cmd.exe.38e00c8.0.raw.unpack String decryptor: GlobalAlloc
Source: 1.2.cmd.exe.38e00c8.0.raw.unpack String decryptor: OpenProcess
Source: 1.2.cmd.exe.38e00c8.0.raw.unpack String decryptor: TerminateProcess
Source: 1.2.cmd.exe.38e00c8.0.raw.unpack String decryptor: GetCurrentProcessId
Source: 1.2.cmd.exe.38e00c8.0.raw.unpack String decryptor: gdiplus.dll
Source: 1.2.cmd.exe.38e00c8.0.raw.unpack String decryptor: ole32.dll
Source: 1.2.cmd.exe.38e00c8.0.raw.unpack String decryptor: bcrypt.dll
Source: 1.2.cmd.exe.38e00c8.0.raw.unpack String decryptor: wininet.dll
Source: 1.2.cmd.exe.38e00c8.0.raw.unpack String decryptor: shlwapi.dll
Source: 1.2.cmd.exe.38e00c8.0.raw.unpack String decryptor: shell32.dll
Source: 1.2.cmd.exe.38e00c8.0.raw.unpack String decryptor: psapi.dll
Source: 1.2.cmd.exe.38e00c8.0.raw.unpack String decryptor: rstrtmgr.dll
Source: 1.2.cmd.exe.38e00c8.0.raw.unpack String decryptor: CreateCompatibleBitmap
Source: 1.2.cmd.exe.38e00c8.0.raw.unpack String decryptor: SelectObject
Source: 1.2.cmd.exe.38e00c8.0.raw.unpack String decryptor: BitBlt
Source: 1.2.cmd.exe.38e00c8.0.raw.unpack String decryptor: DeleteObject
Source: 1.2.cmd.exe.38e00c8.0.raw.unpack String decryptor: CreateCompatibleDC
Source: 1.2.cmd.exe.38e00c8.0.raw.unpack String decryptor: GdipGetImageEncodersSize
Source: 1.2.cmd.exe.38e00c8.0.raw.unpack String decryptor: GdipGetImageEncoders
Source: 1.2.cmd.exe.38e00c8.0.raw.unpack String decryptor: GdipCreateBitmapFromHBITMAP
Source: 1.2.cmd.exe.38e00c8.0.raw.unpack String decryptor: GdiplusStartup
Source: 1.2.cmd.exe.38e00c8.0.raw.unpack String decryptor: GdiplusShutdown
Source: 1.2.cmd.exe.38e00c8.0.raw.unpack String decryptor: GdipSaveImageToStream
Source: 1.2.cmd.exe.38e00c8.0.raw.unpack String decryptor: GdipDisposeImage
Source: 1.2.cmd.exe.38e00c8.0.raw.unpack String decryptor: GdipFree
Source: 1.2.cmd.exe.38e00c8.0.raw.unpack String decryptor: GetHGlobalFromStream
Source: 1.2.cmd.exe.38e00c8.0.raw.unpack String decryptor: CreateStreamOnHGlobal
Source: 1.2.cmd.exe.38e00c8.0.raw.unpack String decryptor: CoUninitialize
Source: 1.2.cmd.exe.38e00c8.0.raw.unpack String decryptor: CoInitialize
Source: 1.2.cmd.exe.38e00c8.0.raw.unpack String decryptor: CoCreateInstance
Source: 1.2.cmd.exe.38e00c8.0.raw.unpack String decryptor: BCryptGenerateSymmetricKey
Source: 1.2.cmd.exe.38e00c8.0.raw.unpack String decryptor: BCryptCloseAlgorithmProvider
Source: 1.2.cmd.exe.38e00c8.0.raw.unpack String decryptor: BCryptDecrypt
Source: 1.2.cmd.exe.38e00c8.0.raw.unpack String decryptor: BCryptSetProperty
Source: 1.2.cmd.exe.38e00c8.0.raw.unpack String decryptor: BCryptDestroyKey
Source: 1.2.cmd.exe.38e00c8.0.raw.unpack String decryptor: BCryptOpenAlgorithmProvider
Source: 1.2.cmd.exe.38e00c8.0.raw.unpack String decryptor: GetWindowRect
Source: 1.2.cmd.exe.38e00c8.0.raw.unpack String decryptor: GetDesktopWindow
Source: 1.2.cmd.exe.38e00c8.0.raw.unpack String decryptor: GetDC
Source: 1.2.cmd.exe.38e00c8.0.raw.unpack String decryptor: CloseWindow
Source: 1.2.cmd.exe.38e00c8.0.raw.unpack String decryptor: wsprintfA
Source: 1.2.cmd.exe.38e00c8.0.raw.unpack String decryptor: EnumDisplayDevicesA
Source: 1.2.cmd.exe.38e00c8.0.raw.unpack String decryptor: GetKeyboardLayoutList
Source: 1.2.cmd.exe.38e00c8.0.raw.unpack String decryptor: CharToOemW
Source: 1.2.cmd.exe.38e00c8.0.raw.unpack String decryptor: wsprintfW
Source: 1.2.cmd.exe.38e00c8.0.raw.unpack String decryptor: RegQueryValueExA
Source: 1.2.cmd.exe.38e00c8.0.raw.unpack String decryptor: RegEnumKeyExA
Source: 1.2.cmd.exe.38e00c8.0.raw.unpack String decryptor: RegOpenKeyExA
Source: 1.2.cmd.exe.38e00c8.0.raw.unpack String decryptor: RegCloseKey
Source: 1.2.cmd.exe.38e00c8.0.raw.unpack String decryptor: RegEnumValueA
Source: 1.2.cmd.exe.38e00c8.0.raw.unpack String decryptor: CryptBinaryToStringA
Source: 1.2.cmd.exe.38e00c8.0.raw.unpack String decryptor: CryptUnprotectData
Source: 1.2.cmd.exe.38e00c8.0.raw.unpack String decryptor: SHGetFolderPathA
Source: 1.2.cmd.exe.38e00c8.0.raw.unpack String decryptor: ShellExecuteExA
Source: 1.2.cmd.exe.38e00c8.0.raw.unpack String decryptor: InternetOpenUrlA
Source: 1.2.cmd.exe.38e00c8.0.raw.unpack String decryptor: InternetConnectA
Source: 1.2.cmd.exe.38e00c8.0.raw.unpack String decryptor: InternetCloseHandle
Source: 1.2.cmd.exe.38e00c8.0.raw.unpack String decryptor: InternetOpenA
Source: 1.2.cmd.exe.38e00c8.0.raw.unpack String decryptor: HttpSendRequestA
Source: 1.2.cmd.exe.38e00c8.0.raw.unpack String decryptor: HttpOpenRequestA
Source: 1.2.cmd.exe.38e00c8.0.raw.unpack String decryptor: InternetReadFile
Source: 1.2.cmd.exe.38e00c8.0.raw.unpack String decryptor: InternetCrackUrlA
Source: 1.2.cmd.exe.38e00c8.0.raw.unpack String decryptor: StrCmpCA
Source: 1.2.cmd.exe.38e00c8.0.raw.unpack String decryptor: StrStrA
Source: 1.2.cmd.exe.38e00c8.0.raw.unpack String decryptor: StrCmpCW
Source: 1.2.cmd.exe.38e00c8.0.raw.unpack String decryptor: PathMatchSpecA
Source: 1.2.cmd.exe.38e00c8.0.raw.unpack String decryptor: GetModuleFileNameExA
Source: 1.2.cmd.exe.38e00c8.0.raw.unpack String decryptor: RmStartSession
Source: 1.2.cmd.exe.38e00c8.0.raw.unpack String decryptor: RmRegisterResources
Source: 1.2.cmd.exe.38e00c8.0.raw.unpack String decryptor: RmGetList
Source: 1.2.cmd.exe.38e00c8.0.raw.unpack String decryptor: RmEndSession
Source: 1.2.cmd.exe.38e00c8.0.raw.unpack String decryptor: sqlite3_open
Source: 1.2.cmd.exe.38e00c8.0.raw.unpack String decryptor: sqlite3_prepare_v2
Source: 1.2.cmd.exe.38e00c8.0.raw.unpack String decryptor: sqlite3_step
Source: 1.2.cmd.exe.38e00c8.0.raw.unpack String decryptor: sqlite3_column_text
Source: 1.2.cmd.exe.38e00c8.0.raw.unpack String decryptor: sqlite3_finalize
Source: 1.2.cmd.exe.38e00c8.0.raw.unpack String decryptor: sqlite3_close
Source: 1.2.cmd.exe.38e00c8.0.raw.unpack String decryptor: sqlite3_column_bytes
Source: 1.2.cmd.exe.38e00c8.0.raw.unpack String decryptor: sqlite3_column_blob
Source: 1.2.cmd.exe.38e00c8.0.raw.unpack String decryptor: encrypted_key
Source: 1.2.cmd.exe.38e00c8.0.raw.unpack String decryptor: PATH
Source: 1.2.cmd.exe.38e00c8.0.raw.unpack String decryptor: C:\ProgramData\nss3.dll
Source: 1.2.cmd.exe.38e00c8.0.raw.unpack String decryptor: NSS_Init
Source: 1.2.cmd.exe.38e00c8.0.raw.unpack String decryptor: NSS_Shutdown
Source: 1.2.cmd.exe.38e00c8.0.raw.unpack String decryptor: PK11_GetInternalKeySlot
Source: 1.2.cmd.exe.38e00c8.0.raw.unpack String decryptor: PK11_FreeSlot
Source: 1.2.cmd.exe.38e00c8.0.raw.unpack String decryptor: PK11_Authenticate
Source: 1.2.cmd.exe.38e00c8.0.raw.unpack String decryptor: PK11SDR_Decrypt
Source: 1.2.cmd.exe.38e00c8.0.raw.unpack String decryptor: C:\ProgramData\
Source: 1.2.cmd.exe.38e00c8.0.raw.unpack String decryptor: SELECT origin_url, username_value, password_value FROM logins
Source: 1.2.cmd.exe.38e00c8.0.raw.unpack String decryptor: browser:
Source: 1.2.cmd.exe.38e00c8.0.raw.unpack String decryptor: profile:
Source: 1.2.cmd.exe.38e00c8.0.raw.unpack String decryptor: url:
Source: 1.2.cmd.exe.38e00c8.0.raw.unpack String decryptor: login:
Source: 1.2.cmd.exe.38e00c8.0.raw.unpack String decryptor: password:
Source: 1.2.cmd.exe.38e00c8.0.raw.unpack String decryptor: Opera
Source: 1.2.cmd.exe.38e00c8.0.raw.unpack String decryptor: OperaGX
Source: 1.2.cmd.exe.38e00c8.0.raw.unpack String decryptor: Network
Source: 1.2.cmd.exe.38e00c8.0.raw.unpack String decryptor: cookies
Source: 1.2.cmd.exe.38e00c8.0.raw.unpack String decryptor: .txt
Source: 1.2.cmd.exe.38e00c8.0.raw.unpack String decryptor: TRUE
Source: 1.2.cmd.exe.38e00c8.0.raw.unpack String decryptor: FALSE
Source: 1.2.cmd.exe.38e00c8.0.raw.unpack String decryptor: autofill
Source: 1.2.cmd.exe.38e00c8.0.raw.unpack String decryptor: SELECT name, value FROM autofill
Source: 1.2.cmd.exe.38e00c8.0.raw.unpack String decryptor: history
Source: 1.2.cmd.exe.38e00c8.0.raw.unpack String decryptor: SELECT url FROM urls LIMIT 1000
Source: 1.2.cmd.exe.38e00c8.0.raw.unpack String decryptor: SELECT name_on_card, expiration_month, expiration_year, card_number_encrypted FROM credit_cards
Source: 1.2.cmd.exe.38e00c8.0.raw.unpack String decryptor: name:
Source: 1.2.cmd.exe.38e00c8.0.raw.unpack String decryptor: month:
Source: 1.2.cmd.exe.38e00c8.0.raw.unpack String decryptor: year:
Source: 1.2.cmd.exe.38e00c8.0.raw.unpack String decryptor: card:
Source: 1.2.cmd.exe.38e00c8.0.raw.unpack String decryptor: Cookies
Source: 1.2.cmd.exe.38e00c8.0.raw.unpack String decryptor: Login Data
Source: 1.2.cmd.exe.38e00c8.0.raw.unpack String decryptor: Web Data
Source: 1.2.cmd.exe.38e00c8.0.raw.unpack String decryptor: History
Source: 1.2.cmd.exe.38e00c8.0.raw.unpack String decryptor: logins.json
Source: 1.2.cmd.exe.38e00c8.0.raw.unpack String decryptor: formSubmitURL
Source: 1.2.cmd.exe.38e00c8.0.raw.unpack String decryptor: usernameField
Source: 1.2.cmd.exe.38e00c8.0.raw.unpack String decryptor: encryptedUsername
Source: 1.2.cmd.exe.38e00c8.0.raw.unpack String decryptor: encryptedPassword
Source: 1.2.cmd.exe.38e00c8.0.raw.unpack String decryptor: guid
Source: 1.2.cmd.exe.38e00c8.0.raw.unpack String decryptor: SELECT host, isHttpOnly, path, isSecure, expiry, name, value FROM moz_cookies
Source: 1.2.cmd.exe.38e00c8.0.raw.unpack String decryptor: SELECT fieldname, value FROM moz_formhistory
Source: 1.2.cmd.exe.38e00c8.0.raw.unpack String decryptor: SELECT url FROM moz_places LIMIT 1000
Source: 1.2.cmd.exe.38e00c8.0.raw.unpack String decryptor: cookies.sqlite
Source: 1.2.cmd.exe.38e00c8.0.raw.unpack String decryptor: formhistory.sqlite
Source: 1.2.cmd.exe.38e00c8.0.raw.unpack String decryptor: places.sqlite
Source: 1.2.cmd.exe.38e00c8.0.raw.unpack String decryptor: plugins
Source: 1.2.cmd.exe.38e00c8.0.raw.unpack String decryptor: Local Extension Settings
Source: 1.2.cmd.exe.38e00c8.0.raw.unpack String decryptor: Sync Extension Settings
Source: 1.2.cmd.exe.38e00c8.0.raw.unpack String decryptor: IndexedDB
Source: 1.2.cmd.exe.38e00c8.0.raw.unpack String decryptor: Opera Stable
Source: 1.2.cmd.exe.38e00c8.0.raw.unpack String decryptor: Opera GX Stable
Source: 1.2.cmd.exe.38e00c8.0.raw.unpack String decryptor: CURRENT
Source: 1.2.cmd.exe.38e00c8.0.raw.unpack String decryptor: chrome-extension_
Source: 1.2.cmd.exe.38e00c8.0.raw.unpack String decryptor: _0.indexeddb.leveldb
Source: 1.2.cmd.exe.38e00c8.0.raw.unpack String decryptor: Local State
Source: 1.2.cmd.exe.38e00c8.0.raw.unpack String decryptor: profiles.ini
Source: 1.2.cmd.exe.38e00c8.0.raw.unpack String decryptor: chrome
Source: 1.2.cmd.exe.38e00c8.0.raw.unpack String decryptor: opera
Source: 1.2.cmd.exe.38e00c8.0.raw.unpack String decryptor: firefox
Source: 1.2.cmd.exe.38e00c8.0.raw.unpack String decryptor: wallets
Source: 1.2.cmd.exe.38e00c8.0.raw.unpack String decryptor: %08lX%04lX%lu
Source: 1.2.cmd.exe.38e00c8.0.raw.unpack String decryptor: SOFTWARE\Microsoft\Windows NT\CurrentVersion
Source: 1.2.cmd.exe.38e00c8.0.raw.unpack String decryptor: ProductName
Source: 1.2.cmd.exe.38e00c8.0.raw.unpack String decryptor: %d/%d/%d %d:%d:%d
Source: 1.2.cmd.exe.38e00c8.0.raw.unpack String decryptor: HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: 1.2.cmd.exe.38e00c8.0.raw.unpack String decryptor: ProcessorNameString
Source: 1.2.cmd.exe.38e00c8.0.raw.unpack String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
Source: 1.2.cmd.exe.38e00c8.0.raw.unpack String decryptor: DisplayName
Source: 1.2.cmd.exe.38e00c8.0.raw.unpack String decryptor: DisplayVersion
Source: 1.2.cmd.exe.38e00c8.0.raw.unpack String decryptor: Network Info:
Source: 1.2.cmd.exe.38e00c8.0.raw.unpack String decryptor: - IP: IP?
Source: 1.2.cmd.exe.38e00c8.0.raw.unpack String decryptor: - Country: ISO?
Source: 1.2.cmd.exe.38e00c8.0.raw.unpack String decryptor: System Summary:
Source: 1.2.cmd.exe.38e00c8.0.raw.unpack String decryptor: - HWID:
Source: 1.2.cmd.exe.38e00c8.0.raw.unpack String decryptor: - OS:
Source: 1.2.cmd.exe.38e00c8.0.raw.unpack String decryptor: - Architecture:
Source: 1.2.cmd.exe.38e00c8.0.raw.unpack String decryptor: - UserName:
Source: 1.2.cmd.exe.38e00c8.0.raw.unpack String decryptor: - Computer Name:
Source: 1.2.cmd.exe.38e00c8.0.raw.unpack String decryptor: - Local Time:
Source: 1.2.cmd.exe.38e00c8.0.raw.unpack String decryptor: - UTC:
Source: 1.2.cmd.exe.38e00c8.0.raw.unpack String decryptor: - Language:
Source: 1.2.cmd.exe.38e00c8.0.raw.unpack String decryptor: - Keyboards:
Source: 1.2.cmd.exe.38e00c8.0.raw.unpack String decryptor: - Laptop:
Source: 1.2.cmd.exe.38e00c8.0.raw.unpack String decryptor: - Running Path:
Source: 1.2.cmd.exe.38e00c8.0.raw.unpack String decryptor: - CPU:
Source: 1.2.cmd.exe.38e00c8.0.raw.unpack String decryptor: - Threads:
Source: 1.2.cmd.exe.38e00c8.0.raw.unpack String decryptor: - Cores:
Source: 1.2.cmd.exe.38e00c8.0.raw.unpack String decryptor: - RAM:
Source: 1.2.cmd.exe.38e00c8.0.raw.unpack String decryptor: - Display Resolution:
Source: 1.2.cmd.exe.38e00c8.0.raw.unpack String decryptor: - GPU:
Source: 1.2.cmd.exe.38e00c8.0.raw.unpack String decryptor: User Agents:
Source: 1.2.cmd.exe.38e00c8.0.raw.unpack String decryptor: Installed Apps:
Source: 1.2.cmd.exe.38e00c8.0.raw.unpack String decryptor: All Users:
Source: 1.2.cmd.exe.38e00c8.0.raw.unpack String decryptor: Current User:
Source: 1.2.cmd.exe.38e00c8.0.raw.unpack String decryptor: Process List:
Source: 1.2.cmd.exe.38e00c8.0.raw.unpack String decryptor: system_info.txt
Source: 1.2.cmd.exe.38e00c8.0.raw.unpack String decryptor: freebl3.dll
Source: 1.2.cmd.exe.38e00c8.0.raw.unpack String decryptor: mozglue.dll
Source: 1.2.cmd.exe.38e00c8.0.raw.unpack String decryptor: msvcp140.dll
Source: 1.2.cmd.exe.38e00c8.0.raw.unpack String decryptor: nss3.dll
Source: 1.2.cmd.exe.38e00c8.0.raw.unpack String decryptor: softokn3.dll
Source: 1.2.cmd.exe.38e00c8.0.raw.unpack String decryptor: vcruntime140.dll
Source: 1.2.cmd.exe.38e00c8.0.raw.unpack String decryptor: \Temp\
Source: 1.2.cmd.exe.38e00c8.0.raw.unpack String decryptor: .exe
Source: 1.2.cmd.exe.38e00c8.0.raw.unpack String decryptor: runas
Source: 1.2.cmd.exe.38e00c8.0.raw.unpack String decryptor: open
Source: 1.2.cmd.exe.38e00c8.0.raw.unpack String decryptor: /c start
Source: 1.2.cmd.exe.38e00c8.0.raw.unpack String decryptor: %DESKTOP%
Source: 1.2.cmd.exe.38e00c8.0.raw.unpack String decryptor: %APPDATA%
Source: 1.2.cmd.exe.38e00c8.0.raw.unpack String decryptor: %LOCALAPPDATA%
Source: 1.2.cmd.exe.38e00c8.0.raw.unpack String decryptor: %USERPROFILE%
Source: 1.2.cmd.exe.38e00c8.0.raw.unpack String decryptor: %DOCUMENTS%
Source: 1.2.cmd.exe.38e00c8.0.raw.unpack String decryptor: %PROGRAMFILES%
Source: 1.2.cmd.exe.38e00c8.0.raw.unpack String decryptor: %PROGRAMFILES_86%
Source: 1.2.cmd.exe.38e00c8.0.raw.unpack String decryptor: %RECENT%
Source: 1.2.cmd.exe.38e00c8.0.raw.unpack String decryptor: *.lnk
Source: 1.2.cmd.exe.38e00c8.0.raw.unpack String decryptor: files
Source: 1.2.cmd.exe.38e00c8.0.raw.unpack String decryptor: \discord\
Source: 1.2.cmd.exe.38e00c8.0.raw.unpack String decryptor: \Local Storage\leveldb\CURRENT
Source: 1.2.cmd.exe.38e00c8.0.raw.unpack String decryptor: \Local Storage\leveldb
Source: 1.2.cmd.exe.38e00c8.0.raw.unpack String decryptor: \Telegram Desktop\
Source: 1.2.cmd.exe.38e00c8.0.raw.unpack String decryptor: key_datas
Source: 1.2.cmd.exe.38e00c8.0.raw.unpack String decryptor: D877F783D5D3EF8C*
Source: 1.2.cmd.exe.38e00c8.0.raw.unpack String decryptor: map*
Source: 1.2.cmd.exe.38e00c8.0.raw.unpack String decryptor: A7FDF864FBC10B77*
Source: 1.2.cmd.exe.38e00c8.0.raw.unpack String decryptor: A92DAA6EA6F891F2*
Source: 1.2.cmd.exe.38e00c8.0.raw.unpack String decryptor: F8806DD0C461824F*
Source: 1.2.cmd.exe.38e00c8.0.raw.unpack String decryptor: Telegram
Source: 1.2.cmd.exe.38e00c8.0.raw.unpack String decryptor: *.tox
Source: 1.2.cmd.exe.38e00c8.0.raw.unpack String decryptor: *.ini
Source: 1.2.cmd.exe.38e00c8.0.raw.unpack String decryptor: Password
Source: 1.2.cmd.exe.38e00c8.0.raw.unpack String decryptor: Software\Microsoft\Office\13.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Source: 1.2.cmd.exe.38e00c8.0.raw.unpack String decryptor: Software\Microsoft\Office\14.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Source: 1.2.cmd.exe.38e00c8.0.raw.unpack String decryptor: Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Source: 1.2.cmd.exe.38e00c8.0.raw.unpack String decryptor: Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Source: 1.2.cmd.exe.38e00c8.0.raw.unpack String decryptor: oftware\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676\
Source: 1.2.cmd.exe.38e00c8.0.raw.unpack String decryptor: 00000001
Source: 1.2.cmd.exe.38e00c8.0.raw.unpack String decryptor: 00000002
Source: 1.2.cmd.exe.38e00c8.0.raw.unpack String decryptor: 00000003
Source: 1.2.cmd.exe.38e00c8.0.raw.unpack String decryptor: 00000004
Source: 1.2.cmd.exe.38e00c8.0.raw.unpack String decryptor: \Outlook\accounts.txt
Source: 1.2.cmd.exe.38e00c8.0.raw.unpack String decryptor: Pidgin
Source: 1.2.cmd.exe.38e00c8.0.raw.unpack String decryptor: \.purple\
Source: 1.2.cmd.exe.38e00c8.0.raw.unpack String decryptor: accounts.xml
Source: 1.2.cmd.exe.38e00c8.0.raw.unpack String decryptor: dQw4w9WgXcQ
Source: 1.2.cmd.exe.38e00c8.0.raw.unpack String decryptor: token:
Source: 1.2.cmd.exe.38e00c8.0.raw.unpack String decryptor: Software\Valve\Steam
Source: 1.2.cmd.exe.38e00c8.0.raw.unpack String decryptor: SteamPath
Source: 1.2.cmd.exe.38e00c8.0.raw.unpack String decryptor: \config\
Source: 1.2.cmd.exe.38e00c8.0.raw.unpack String decryptor: ssfn*
Source: 1.2.cmd.exe.38e00c8.0.raw.unpack String decryptor: config.vdf
Source: 1.2.cmd.exe.38e00c8.0.raw.unpack String decryptor: DialogConfig.vdf
Source: 1.2.cmd.exe.38e00c8.0.raw.unpack String decryptor: DialogConfigOverlay*.vdf
Source: 1.2.cmd.exe.38e00c8.0.raw.unpack String decryptor: libraryfolders.vdf
Source: 1.2.cmd.exe.38e00c8.0.raw.unpack String decryptor: loginusers.vdf
Source: 1.2.cmd.exe.38e00c8.0.raw.unpack String decryptor: \Steam\
Source: 1.2.cmd.exe.38e00c8.0.raw.unpack String decryptor: sqlite3.dll
Source: 1.2.cmd.exe.38e00c8.0.raw.unpack String decryptor: browsers
Source: 1.2.cmd.exe.38e00c8.0.raw.unpack String decryptor: done
Source: 1.2.cmd.exe.38e00c8.0.raw.unpack String decryptor: soft
Source: 1.2.cmd.exe.38e00c8.0.raw.unpack String decryptor: \Discord\tokens.txt
Source: 1.2.cmd.exe.38e00c8.0.raw.unpack String decryptor: /c timeout /t 5 & del /f /q "
Source: 1.2.cmd.exe.38e00c8.0.raw.unpack String decryptor: " & del "C:\ProgramData\*.dll"" & exit
Source: 1.2.cmd.exe.38e00c8.0.raw.unpack String decryptor: C:\Windows\system32\cmd.exe
Source: 1.2.cmd.exe.38e00c8.0.raw.unpack String decryptor: https
Source: 1.2.cmd.exe.38e00c8.0.raw.unpack String decryptor: Content-Type: multipart/form-data; boundary=----
Source: 1.2.cmd.exe.38e00c8.0.raw.unpack String decryptor: POST
Source: 1.2.cmd.exe.38e00c8.0.raw.unpack String decryptor: HTTP/1.1
Source: 1.2.cmd.exe.38e00c8.0.raw.unpack String decryptor: Content-Disposition: form-data; name="
Source: 1.2.cmd.exe.38e00c8.0.raw.unpack String decryptor: hwid
Source: 1.2.cmd.exe.38e00c8.0.raw.unpack String decryptor: build
Source: 1.2.cmd.exe.38e00c8.0.raw.unpack String decryptor: token
Source: 1.2.cmd.exe.38e00c8.0.raw.unpack String decryptor: file_name
Source: 1.2.cmd.exe.38e00c8.0.raw.unpack String decryptor: file
Source: 1.2.cmd.exe.38e00c8.0.raw.unpack String decryptor: message
Source: 1.2.cmd.exe.38e00c8.0.raw.unpack String decryptor: ABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890
Source: 1.2.cmd.exe.38e00c8.0.raw.unpack String decryptor: screenshot.jpg
Uses 32bit PE files
Source: BCb8yQ0fg8.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown HTTPS traffic detected: 23.209.58.93:443 -> 192.168.2.4:49750 version: TLS 1.2
Source: unknown HTTPS traffic detected: 23.209.58.93:443 -> 192.168.2.4:49751 version: TLS 1.2
Source: unknown HTTPS traffic detected: 20.12.23.50:443 -> 192.168.2.4:49752 version: TLS 1.2
Source: unknown HTTPS traffic detected: 20.12.23.50:443 -> 192.168.2.4:49758 version: TLS 1.2
Source: BCb8yQ0fg8.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Source: Binary string: wntdll.pdbUGP source: BCb8yQ0fg8.exe, 00000000.00000002.1696875335.00000000051D2000.00000004.00000001.00020000.00000000.sdmp, BCb8yQ0fg8.exe, 00000000.00000002.1696166985.0000000004AC1000.00000004.00000020.00020000.00000000.sdmp, BCb8yQ0fg8.exe, 00000000.00000002.1696358566.0000000004E20000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000001.00000002.1896691691.0000000005513000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000001.00000002.1896922559.0000000005950000.00000004.00001000.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.1896820594.0000000004B44000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.1896957182.0000000004EA0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: BCb8yQ0fg8.exe, 00000000.00000002.1696875335.00000000051D2000.00000004.00000001.00020000.00000000.sdmp, BCb8yQ0fg8.exe, 00000000.00000002.1696166985.0000000004AC1000.00000004.00000020.00020000.00000000.sdmp, BCb8yQ0fg8.exe, 00000000.00000002.1696358566.0000000004E20000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000001.00000002.1896691691.0000000005513000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000001.00000002.1896922559.0000000005950000.00000004.00001000.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.1896820594.0000000004B44000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.1896957182.0000000004EA0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\win-x86.Release\corehost\apphost\standalone\apphost.pdbgggGCTL source: BCb8yQ0fg8.exe
Source: Binary string: D:\a\_work\1\s\artifacts\obj\win-x86.Release\corehost\apphost\standalone\apphost.pdb source: BCb8yQ0fg8.exe
Source: C:\Users\user\Desktop\BCb8yQ0fg8.exe Code function: 0_2_006DD060 FindFirstFileExW,FindNextFileW,FindClose,_invalid_parameter_noinfo_noreturn, 0_2_006DD060

Networking
barindex
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: http://193.163.7.88/a69d09b357e06b52.php
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 239.255.255.250 239.255.255.250
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 28a2c9bd18a11de089ef85a160da29e4
Source: unknown TCP traffic detected without corresponding DNS query: 104.46.162.224
Source: unknown TCP traffic detected without corresponding DNS query: 173.222.162.32
Source: unknown TCP traffic detected without corresponding DNS query: 173.222.162.32
Source: unknown TCP traffic detected without corresponding DNS query: 23.209.58.93
Source: unknown TCP traffic detected without corresponding DNS query: 23.209.58.93
Source: unknown TCP traffic detected without corresponding DNS query: 23.209.58.93
Source: unknown TCP traffic detected without corresponding DNS query: 23.209.58.93
Source: unknown TCP traffic detected without corresponding DNS query: 23.209.58.93
Source: unknown TCP traffic detected without corresponding DNS query: 23.209.58.93
Source: unknown TCP traffic detected without corresponding DNS query: 23.209.58.93
Source: unknown TCP traffic detected without corresponding DNS query: 23.209.58.93
Source: unknown TCP traffic detected without corresponding DNS query: 23.209.58.93
Source: unknown TCP traffic detected without corresponding DNS query: 23.209.58.93
Source: unknown TCP traffic detected without corresponding DNS query: 23.209.58.93
Source: unknown TCP traffic detected without corresponding DNS query: 23.209.58.93
Source: unknown TCP traffic detected without corresponding DNS query: 23.209.58.93
Source: unknown TCP traffic detected without corresponding DNS query: 23.209.58.93
Source: unknown TCP traffic detected without corresponding DNS query: 23.209.58.93
Source: unknown TCP traffic detected without corresponding DNS query: 23.209.58.93
Source: unknown TCP traffic detected without corresponding DNS query: 23.209.58.93
Source: unknown TCP traffic detected without corresponding DNS query: 23.209.58.93
Source: unknown TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown TCP traffic detected without corresponding DNS query: 23.53.35.105
Source: unknown TCP traffic detected without corresponding DNS query: 23.53.35.103
Source: unknown TCP traffic detected without corresponding DNS query: 23.53.35.111
Source: unknown TCP traffic detected without corresponding DNS query: 23.53.35.104
Source: unknown TCP traffic detected without corresponding DNS query: 23.53.35.111
Source: unknown TCP traffic detected without corresponding DNS query: 23.53.35.103
Source: unknown TCP traffic detected without corresponding DNS query: 23.53.35.104
Source: unknown TCP traffic detected without corresponding DNS query: 23.53.35.105
Source: unknown TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: global traffic HTTP traffic detected: GET /complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=&oit=0&oft=1&pgcl=20&gs_rn=42&sugkey=AIzaSyBOti4mM-6x9WDnZIjIeyEU21OpBXqWBgw HTTP/1.1Host: www.google.comConnection: keep-aliveX-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiVocsBCJz+zAEIhaDNAQjcvc0BCJDKzQEIucrNAQii0c0BCIrTzQEIntbNAQin2M0BCPnA1BUY9snNARi60s0BGOuNpRc=Sec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /async/ddljson?async=ntp:2 HTTP/1.1Host: www.google.comConnection: keep-aliveSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /async/newtab_ogb?hl=en-US&async=fixed:0 HTTP/1.1Host: www.google.comConnection: keep-aliveX-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiVocsBCJz+zAEIhaDNAQjcvc0BCJDKzQEIucrNAQii0c0BCIrTzQEIntbNAQin2M0BCPnA1BUY9snNARi60s0BGOuNpRc=Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /async/newtab_promos HTTP/1.1Host: www.google.comConnection: keep-aliveSec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /fs/windows/config.json HTTP/1.1Connection: Keep-AliveAccept: */*Accept-Encoding: identityIf-Unmodified-Since: Tue, 16 May 2017 22:58:00 GMTRange: bytes=0-2147483646User-Agent: Microsoft BITS/7.8Host: fs.microsoft.com
Source: global traffic HTTP traffic detected: GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=zC4Eb3mDpgwO3dy&MD=LPFEY77X HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com
Source: global traffic HTTP traffic detected: GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=zC4Eb3mDpgwO3dy&MD=LPFEY77X HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com
Source: global traffic DNS traffic detected: DNS query: www.google.com
Source: global traffic DNS traffic detected: DNS query: apis.google.com
Source: BCb8yQ0fg8.exe, 00000000.00000002.1695863530.0000000004763000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://c0rl.m%L
Source: BCb8yQ0fg8.exe, 00000000.00000002.1695941866.0000000004860000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000001.00000002.1896840352.00000000058BD000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.1896700511.0000000003288000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDCA-1.crt0
Source: BCb8yQ0fg8.exe, 00000000.00000002.1695941866.0000000004860000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000001.00000002.1896840352.00000000058BD000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.1896700511.0000000003288000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDCodeSigningCA-1.crt0
Source: BCb8yQ0fg8.exe, 00000000.00000002.1695941866.0000000004860000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000001.00000002.1896840352.00000000058BD000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.1896700511.0000000003288000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: BCb8yQ0fg8.exe, 00000000.00000002.1695941866.0000000004860000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000001.00000002.1896840352.00000000058BD000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.1896700511.0000000003288000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: BCb8yQ0fg8.exe String found in binary or memory: http://ccsca2021.crl.certum.pl/ccsca2021.crl0s
Source: BCb8yQ0fg8.exe String found in binary or memory: http://ccsca2021.ocsp-certum.com05
Source: BCb8yQ0fg8.exe String found in binary or memory: http://crl.certum.pl/ctnca.crl0k
Source: BCb8yQ0fg8.exe String found in binary or memory: http://crl.certum.pl/ctnca2.crl0l
Source: BCb8yQ0fg8.exe String found in binary or memory: http://crl.certum.pl/ctsca2021.crl0o
Source: BCb8yQ0fg8.exe, 00000000.00000002.1695863530.0000000004763000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.
Source: BCb8yQ0fg8.exe, 00000000.00000002.1695941866.0000000004860000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000001.00000002.1896840352.00000000058BD000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.1896700511.0000000003288000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDCA-1.crl08
Source: BCb8yQ0fg8.exe, 00000000.00000002.1695941866.0000000004860000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000001.00000002.1896840352.00000000058BD000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.1896700511.0000000003288000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: BCb8yQ0fg8.exe, 00000000.00000002.1695941866.0000000004860000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000001.00000002.1896840352.00000000058BD000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.1896700511.0000000003288000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: BCb8yQ0fg8.exe, 00000000.00000002.1695941866.0000000004860000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000001.00000002.1896840352.00000000058BD000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.1896700511.0000000003288000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/assured-cs-g1.crl00
Source: BCb8yQ0fg8.exe, 00000000.00000002.1695941866.0000000004860000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000001.00000002.1896840352.00000000058BD000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.1896700511.0000000003288000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: BCb8yQ0fg8.exe, 00000000.00000002.1695941866.0000000004860000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000001.00000002.1896840352.00000000058BD000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.1896700511.0000000003288000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDCA-1.crl0w
Source: BCb8yQ0fg8.exe, 00000000.00000002.1695941866.0000000004860000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000001.00000002.1896840352.00000000058BD000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.1896700511.0000000003288000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: BCb8yQ0fg8.exe, 00000000.00000002.1695941866.0000000004860000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000001.00000002.1896840352.00000000058BD000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.1896700511.0000000003288000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: BCb8yQ0fg8.exe, 00000000.00000002.1695941866.0000000004860000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000001.00000002.1896840352.00000000058BD000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.1896700511.0000000003288000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/assured-cs-g1.crl0L
Source: BCb8yQ0fg8.exe, 00000000.00000002.1695941866.0000000004860000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000001.00000002.1896840352.00000000058BD000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.1896700511.0000000003288000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: BCb8yQ0fg8.exe, 00000000.00000002.1695941866.0000000004860000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000001.00000002.1896840352.00000000058BD000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.1896700511.0000000003288000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0A
Source: BCb8yQ0fg8.exe, 00000000.00000002.1695941866.0000000004860000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000001.00000002.1896840352.00000000058BD000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.1896700511.0000000003288000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0C
Source: BCb8yQ0fg8.exe, 00000000.00000002.1695941866.0000000004860000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000001.00000002.1896840352.00000000058BD000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.1896700511.0000000003288000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0L
Source: BCb8yQ0fg8.exe, 00000000.00000002.1695941866.0000000004860000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000001.00000002.1896840352.00000000058BD000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.1896700511.0000000003288000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0O
Source: BCb8yQ0fg8.exe String found in binary or memory: http://repository.certum.pl/ccsca2021.cer0
Source: BCb8yQ0fg8.exe String found in binary or memory: http://repository.certum.pl/ctnca.cer09
Source: BCb8yQ0fg8.exe String found in binary or memory: http://repository.certum.pl/ctnca2.cer09
Source: BCb8yQ0fg8.exe String found in binary or memory: http://repository.certum.pl/ctsca2021.cer0
Source: BCb8yQ0fg8.exe, 00000000.00000002.1695941866.0000000004860000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000001.00000002.1896840352.00000000058BD000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.1896700511.0000000003288000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://s1.symcb.com/pca3-g5.crl0
Source: BCb8yQ0fg8.exe, 00000000.00000002.1695941866.0000000004860000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000001.00000002.1896840352.00000000058BD000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.1896700511.0000000003288000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://s2.symcb.com0
Source: BCb8yQ0fg8.exe String found in binary or memory: http://subca.ocsp-certum.com01
Source: BCb8yQ0fg8.exe String found in binary or memory: http://subca.ocsp-certum.com02
Source: BCb8yQ0fg8.exe String found in binary or memory: http://subca.ocsp-certum.com05
Source: BCb8yQ0fg8.exe, 00000000.00000002.1695941866.0000000004860000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000001.00000002.1896840352.00000000058BD000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.1896700511.0000000003288000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://sv.symcb.com/sv.crl0a
Source: BCb8yQ0fg8.exe, 00000000.00000002.1695941866.0000000004860000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000001.00000002.1896840352.00000000058BD000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.1896700511.0000000003288000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://sv.symcb.com/sv.crt0
Source: BCb8yQ0fg8.exe, 00000000.00000002.1695941866.0000000004860000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000001.00000002.1896840352.00000000058BD000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.1896700511.0000000003288000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://sv.symcd.com0&
Source: chromecache_49.5.dr String found in binary or memory: http://www.broofa.com
Source: BCb8yQ0fg8.exe String found in binary or memory: http://www.certum.pl/CPS0
Source: BCb8yQ0fg8.exe, 00000000.00000002.1695941866.0000000004860000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000001.00000002.1896840352.00000000058BD000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.1896700511.0000000003288000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
Source: BCb8yQ0fg8.exe, 00000000.00000002.1695941866.000000000480A000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000001.00000002.1896840352.0000000005875000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.1896700511.0000000003240000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.info-zip.org/
Source: BCb8yQ0fg8.exe, 00000000.00000002.1695941866.0000000004860000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000001.00000002.1896840352.00000000058BD000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.1896700511.0000000003288000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.symauth.com/cps0(
Source: BCb8yQ0fg8.exe, 00000000.00000002.1695941866.0000000004860000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000001.00000002.1896840352.00000000058BD000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.1896700511.0000000003288000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.symauth.com/rpa00
Source: BCb8yQ0fg8.exe, 00000000.00000002.1695941866.0000000004860000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000001.00000002.1896840352.00000000058BD000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.1896700511.0000000003288000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.vmware.com/0
Source: BCb8yQ0fg8.exe, 00000000.00000002.1695941866.0000000004860000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000001.00000002.1896840352.00000000058BD000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.1896700511.0000000003288000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.vmware.com/0/
Source: chromecache_55.5.dr String found in binary or memory: https://accounts.google.com/o/oauth2/auth
Source: chromecache_55.5.dr String found in binary or memory: https://accounts.google.com/o/oauth2/postmessageRelay
Source: BCb8yQ0fg8.exe String found in binary or memory: https://aka.ms/dotnet-core-applaunch?
Source: BCb8yQ0fg8.exe String found in binary or memory: https://aka.ms/dotnet-core-applaunch?Architecture:
Source: BCb8yQ0fg8.exe String found in binary or memory: https://aka.ms/dotnet/app-launch-failed
Source: BCb8yQ0fg8.exe String found in binary or memory: https://aka.ms/dotnet/app-launch-failedWould
Source: chromecache_49.5.dr, chromecache_55.5.dr String found in binary or memory: https://apis.google.com
Source: chromecache_55.5.dr String found in binary or memory: https://clients6.google.com
Source: chromecache_55.5.dr String found in binary or memory: https://content.googleapis.com
Source: chromecache_55.5.dr String found in binary or memory: https://csp.withgoogle.com/csp/lcreport/
Source: BCb8yQ0fg8.exe, 00000000.00000002.1695941866.0000000004860000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000001.00000002.1896840352.00000000058BD000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.1896700511.0000000003288000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://d.symcb.com/cps0%
Source: BCb8yQ0fg8.exe, 00000000.00000002.1695941866.0000000004860000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000001.00000002.1896840352.00000000058BD000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.1896700511.0000000003288000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://d.symcb.com/rpa0
Source: chromecache_55.5.dr String found in binary or memory: https://domains.google.com/suggest/flow
Source: chromecache_49.5.dr String found in binary or memory: https://fonts.gstatic.com/s/i/googlematerialicons/alert/v11/gm_grey200-36dp/2x/gm_alert_gm_grey200_3
Source: chromecache_49.5.dr String found in binary or memory: https://fonts.gstatic.com/s/i/googlematerialicons/alert/v11/gm_grey600-36dp/2x/gm_alert_gm_grey600_3
Source: chromecache_49.5.dr String found in binary or memory: https://fonts.gstatic.com/s/i/googlematerialicons/close/v19/gm_grey200-24dp/1x/gm_close_gm_grey200_2
Source: chromecache_49.5.dr String found in binary or memory: https://fonts.gstatic.com/s/i/googlematerialicons/close/v19/gm_grey600-24dp/1x/gm_close_gm_grey600_2
Source: chromecache_49.5.dr String found in binary or memory: https://play.google.com/log?format=json&hasfast=true
Source: chromecache_55.5.dr String found in binary or memory: https://plus.google.com
Source: chromecache_55.5.dr String found in binary or memory: https://plus.googleapis.com
Source: chromecache_55.5.dr String found in binary or memory: https://workspace.google.com/:session_prefix:marketplace/appfinder?usegapi=1
Source: BCb8yQ0fg8.exe String found in binary or memory: https://www.certum.pl/CPS0
Source: BCb8yQ0fg8.exe, 00000000.00000002.1695941866.0000000004860000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000001.00000002.1896840352.00000000058BD000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.1896700511.0000000003288000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.digicert.com/CPS0
Source: chromecache_55.5.dr String found in binary or memory: https://www.googleapis.com/auth/plus.me
Source: chromecache_55.5.dr String found in binary or memory: https://www.googleapis.com/auth/plus.people.recommended
Source: chromecache_49.5.dr String found in binary or memory: https://www.gstatic.com/gb/html/afbp.html
Source: chromecache_49.5.dr String found in binary or memory: https://www.gstatic.com/images/icons/material/anim/mspin/mspin_googcolor_medium.css
Source: chromecache_49.5.dr String found in binary or memory: https://www.gstatic.com/images/icons/material/anim/mspin/mspin_googcolor_small.css
Source: unknown Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49758 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49752
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49751
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown Network traffic detected: HTTP traffic on port 49678 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49760
Source: unknown Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49760 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49751 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49752 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown Network traffic detected: HTTP traffic on port 49750 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49758
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49739 -> 443
Source: unknown HTTPS traffic detected: 23.209.58.93:443 -> 192.168.2.4:49750 version: TLS 1.2
Source: unknown HTTPS traffic detected: 23.209.58.93:443 -> 192.168.2.4:49751 version: TLS 1.2
Source: unknown HTTPS traffic detected: 20.12.23.50:443 -> 192.168.2.4:49752 version: TLS 1.2
Source: unknown HTTPS traffic detected: 20.12.23.50:443 -> 192.168.2.4:49758 version: TLS 1.2

System Summary
barindex
PE file has a writeable .text section
Source: cgfmw.1.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Contains functionality to call native functions
Source: C:\Users\user\Desktop\BCb8yQ0fg8.exe Code function: 0_2_006D4A13 NtQuerySystemInformation, 0_2_006D4A13
Source: C:\Users\user\Desktop\BCb8yQ0fg8.exe Code function: 0_2_006D4A13 NtQuerySystemInformation, 0_2_006D4A13
Detected potential crypto function
Source: C:\Users\user\Desktop\BCb8yQ0fg8.exe Code function: 0_2_006DE8C0 0_2_006DE8C0
Source: C:\Users\user\Desktop\BCb8yQ0fg8.exe Code function: 0_2_006D28B0 0_2_006D28B0
Source: C:\Users\user\Desktop\BCb8yQ0fg8.exe Code function: 0_2_006D8AC0 0_2_006D8AC0
Source: C:\Users\user\Desktop\BCb8yQ0fg8.exe Code function: 0_2_006DD4F0 0_2_006DD4F0
Source: C:\Users\user\Desktop\BCb8yQ0fg8.exe Code function: 0_2_006DBDF0 0_2_006DBDF0
Source: C:\Users\user\Desktop\BCb8yQ0fg8.exe Code function: 0_2_006D85D0 0_2_006D85D0
PE / OLE file has an invalid certificate
Source: BCb8yQ0fg8.exe Static PE information: invalid certificate
Sample file is different than original file name gathered from version info
Source: BCb8yQ0fg8.exe, 00000000.00000002.1695362229.00000000007A4000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameCheckIP.dll0 vs BCb8yQ0fg8.exe
Source: BCb8yQ0fg8.exe, 00000000.00000002.1695941866.0000000004860000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamezip.exe( vs BCb8yQ0fg8.exe
Source: BCb8yQ0fg8.exe, 00000000.00000002.1695766067.0000000004669000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameCheckIP.dll0 vs BCb8yQ0fg8.exe
Source: BCb8yQ0fg8.exe, 00000000.00000002.1696358566.0000000004F4D000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs BCb8yQ0fg8.exe
Source: BCb8yQ0fg8.exe, 00000000.00000002.1696166985.0000000004BE4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs BCb8yQ0fg8.exe
Source: BCb8yQ0fg8.exe Binary or memory string: OriginalFilenameCheckIP.dll0 vs BCb8yQ0fg8.exe
Uses 32bit PE files
Source: BCb8yQ0fg8.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: classification engine Classification label: mal100.troj.evad.winEXE@23/16@4/4
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7280:120:WilError_03
Source: C:\Users\user\Desktop\BCb8yQ0fg8.exe File created: C:\Users\user\AppData\Local\Temp\8028f380 Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\explorer.exe Jump to behavior
Source: BCb8yQ0fg8.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\BCb8yQ0fg8.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: BCb8yQ0fg8.exe Virustotal: Detection: 19%
Source: BCb8yQ0fg8.exe ReversingLabs: Detection: 15%
Source: BCb8yQ0fg8.exe String found in binary or memory: https://aka.ms/dotnet/app-launch-failed Would you like to download it now?
Source: BCb8yQ0fg8.exe String found in binary or memory: https://aka.ms/dotnet/app-launch-failedWould you like to download it now?
Source: BCb8yQ0fg8.exe String found in binary or memory: https://aka.ms/dotnet/app-launch-failed
Source: C:\Users\user\Desktop\BCb8yQ0fg8.exe File read: C:\Users\user\Desktop\BCb8yQ0fg8.exe Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\BCb8yQ0fg8.exe "C:\Users\user\Desktop\BCb8yQ0fg8.exe"
Source: C:\Users\user\Desktop\BCb8yQ0fg8.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://473750571567004317064230583514468350804565684324378075159610742091604698238217701484029465762430135913242023857750034401559054060945654540273638867228794983640833862748912121851334807031249099092790952130035074227943842970399582505875/
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2216 --field-trial-handle=1800,i,5224496107934403145,5816890975472559302,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: C:\Users\user\Desktop\BCb8yQ0fg8.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2216 --field-trial-handle=1800,i,5224496107934403145,5816890975472559302,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\BCb8yQ0fg8.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\BCb8yQ0fg8.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\Desktop\BCb8yQ0fg8.exe Section loaded: pla.dll Jump to behavior
Source: C:\Users\user\Desktop\BCb8yQ0fg8.exe Section loaded: pdh.dll Jump to behavior
Source: C:\Users\user\Desktop\BCb8yQ0fg8.exe Section loaded: tdh.dll Jump to behavior
Source: C:\Users\user\Desktop\BCb8yQ0fg8.exe Section loaded: cabinet.dll Jump to behavior
Source: C:\Users\user\Desktop\BCb8yQ0fg8.exe Section loaded: wevtapi.dll Jump to behavior
Source: C:\Users\user\Desktop\BCb8yQ0fg8.exe Section loaded: shdocvw.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: winbrand.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: shdocvw.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: aepic.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: twinapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: powrprof.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: dxgi.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: wtsapi32.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: dwmapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: twinapi.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: umpdc.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: shdocvw.dll Jump to behavior
Source: BCb8yQ0fg8.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: BCb8yQ0fg8.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: BCb8yQ0fg8.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: BCb8yQ0fg8.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: BCb8yQ0fg8.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: BCb8yQ0fg8.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: BCb8yQ0fg8.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Source: BCb8yQ0fg8.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: wntdll.pdbUGP source: BCb8yQ0fg8.exe, 00000000.00000002.1696875335.00000000051D2000.00000004.00000001.00020000.00000000.sdmp, BCb8yQ0fg8.exe, 00000000.00000002.1696166985.0000000004AC1000.00000004.00000020.00020000.00000000.sdmp, BCb8yQ0fg8.exe, 00000000.00000002.1696358566.0000000004E20000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000001.00000002.1896691691.0000000005513000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000001.00000002.1896922559.0000000005950000.00000004.00001000.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.1896820594.0000000004B44000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.1896957182.0000000004EA0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: BCb8yQ0fg8.exe, 00000000.00000002.1696875335.00000000051D2000.00000004.00000001.00020000.00000000.sdmp, BCb8yQ0fg8.exe, 00000000.00000002.1696166985.0000000004AC1000.00000004.00000020.00020000.00000000.sdmp, BCb8yQ0fg8.exe, 00000000.00000002.1696358566.0000000004E20000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000001.00000002.1896691691.0000000005513000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000001.00000002.1896922559.0000000005950000.00000004.00001000.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.1896820594.0000000004B44000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.1896957182.0000000004EA0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\win-x86.Release\corehost\apphost\standalone\apphost.pdbgggGCTL source: BCb8yQ0fg8.exe
Source: Binary string: D:\a\_work\1\s\artifacts\obj\win-x86.Release\corehost\apphost\standalone\apphost.pdb source: BCb8yQ0fg8.exe
Source: BCb8yQ0fg8.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: BCb8yQ0fg8.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: BCb8yQ0fg8.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: BCb8yQ0fg8.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: BCb8yQ0fg8.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
PE file contains sections with non-standard names
Source: cgfmw.1.dr Static PE information: section name: hypon
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\BCb8yQ0fg8.exe Code function: 0_2_006D80EF push dword ptr [edi+18h]; ret 0_2_006D80F3
Source: C:\Users\user\Desktop\BCb8yQ0fg8.exe Code function: 0_2_006D7164 push ecx; ret 0_2_006D7165
Source: C:\Users\user\Desktop\BCb8yQ0fg8.exe Code function: 0_2_006D81BB push ebx; iretd 0_2_006D823C
Source: C:\Users\user\Desktop\BCb8yQ0fg8.exe Code function: 0_2_006D8276 push ss; ret 0_2_006D8275
Source: C:\Users\user\Desktop\BCb8yQ0fg8.exe Code function: 0_2_006D8276 push cs; ret 0_2_006D827D
Source: C:\Users\user\Desktop\BCb8yQ0fg8.exe Code function: 0_2_006D8240 push ebx; iretd 0_2_006D823C
Source: C:\Users\user\Desktop\BCb8yQ0fg8.exe Code function: 0_2_006D8240 push ss; ret 0_2_006D8275
Source: C:\Users\user\Desktop\BCb8yQ0fg8.exe Code function: 0_2_006D742B push eax; ret 0_2_006D742D
Source: C:\Users\user\Desktop\BCb8yQ0fg8.exe Code function: 0_2_006D6D59 push es; retf 0_2_006D6D5B
Source: C:\Users\user\Desktop\BCb8yQ0fg8.exe Code function: 0_2_006E059A push ecx; ret 0_2_006E05AD
Source: C:\Users\user\Desktop\BCb8yQ0fg8.exe Code function: 0_2_006D6E61 push eax; iretd 0_2_006D6E62
Source: C:\Users\user\Desktop\BCb8yQ0fg8.exe Code function: 0_2_006D8E92 push ds; ret 0_2_006D8EA1
Drops PE files
Source: C:\Windows\SysWOW64\cmd.exe File created: C:\Users\user\AppData\Local\Temp\cgfmw Jump to dropped file
Drops files with a non-matching file extension (content does not match file extension)
Source: C:\Windows\SysWOW64\cmd.exe File created: C:\Users\user\AppData\Local\Temp\cgfmw Jump to dropped file

Hooking and other Techniques for Hiding and Protection
barindex
Deletes itself after installation
Source: C:\Windows\SysWOW64\cmd.exe File deleted: c:\users\user\desktop\bcb8yq0fg8.exe Jump to behavior
Found hidden mapped module (file has been removed from disk)
Source: C:\Windows\SysWOW64\cmd.exe Module Loaded: C:\USERS\user\APPDATA\LOCAL\TEMP\CGFMW
Found dropped PE file which has not been started or loaded
Source: C:\Windows\SysWOW64\cmd.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\cgfmw Jump to dropped file
Found large amount of non-executed APIs
Source: C:\Users\user\Desktop\BCb8yQ0fg8.exe API coverage: 9.7 %
Source: C:\Users\user\Desktop\BCb8yQ0fg8.exe Code function: 0_2_006DD060 FindFirstFileExW,FindNextFileW,FindClose,_invalid_parameter_noinfo_noreturn, 0_2_006DD060
Source: BCb8yQ0fg8.exe, 00000000.00000002.1695863530.0000000004763000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMware
Source: explorer.exe, 00000007.00000002.1896700511.0000000003288000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: noreply@vmware.com0
Source: explorer.exe, 00000007.00000002.1896700511.0000000003288000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: http://www.vmware.com/0
Source: explorer.exe, 00000007.00000002.1896700511.0000000003288000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMware, Inc.1!0
Source: explorer.exe, 00000007.00000002.1896700511.0000000003288000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: http://www.vmware.com/0/
Source: explorer.exe, 00000007.00000002.1896700511.0000000003288000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMware, Inc.1
Source: explorer.exe, 00000007.00000002.1896700511.0000000003288000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMware, Inc.0
Source: C:\Users\user\Desktop\BCb8yQ0fg8.exe Process information queried: ProcessInformation Jump to behavior
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\Desktop\BCb8yQ0fg8.exe Code function: 0_2_006E0937 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_006E0937
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\BCb8yQ0fg8.exe Code function: 0_2_006DAB99 mov eax, dword ptr fs:[00000030h] 0_2_006DAB99
Source: C:\Users\user\Desktop\BCb8yQ0fg8.exe Code function: 0_2_006D50E3 mov eax, dword ptr fs:[00000030h] 0_2_006D50E3
Source: C:\Users\user\Desktop\BCb8yQ0fg8.exe Code function: 0_2_006DAB19 mov eax, dword ptr fs:[00000030h] 0_2_006DAB19
Source: C:\Users\user\Desktop\BCb8yQ0fg8.exe Code function: 0_2_006E0800 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_006E0800
Source: C:\Users\user\Desktop\BCb8yQ0fg8.exe Code function: 0_2_006E0937 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_006E0937
Source: C:\Users\user\Desktop\BCb8yQ0fg8.exe Code function: 0_2_006E0A99 SetUnhandledExceptionFilter, 0_2_006E0A99

HIPS / PFW / Operating System Protection Evasion
barindex
Injects code into the Windows Explorer (explorer.exe)
Source: C:\Windows\SysWOW64\cmd.exe Memory written: PID: 8120 base: 2EE0000 value: 00 Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Memory written: PID: 8120 base: 2D9F2D8 value: 00 Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Memory written: PID: 8120 base: 2DA01E8 value: 00 Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Memory written: PID: 8120 base: 2679C0 value: 55 Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Memory written: PID: 8120 base: 790000 value: 00 Jump to behavior
Maps a DLL or memory area into another process
Source: C:\Users\user\Desktop\BCb8yQ0fg8.exe Section loaded: NULL target: C:\Windows\SysWOW64\cmd.exe protection: read write Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: NULL target: C:\Windows\SysWOW64\explorer.exe protection: read write Jump to behavior
Writes to foreign memory regions
Source: C:\Windows\SysWOW64\cmd.exe Memory written: C:\Windows\SysWOW64\explorer.exe base: 2679C0 Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Memory written: C:\Windows\SysWOW64\explorer.exe base: 790000 Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\BCb8yQ0fg8.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe Jump to behavior
Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\Desktop\BCb8yQ0fg8.exe Code function: 0_2_006E0620 cpuid 0_2_006E0620
Source: C:\Users\user\Desktop\BCb8yQ0fg8.exe Code function: 0_2_006E0B55 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 0_2_006E0B55

Stealing of Sensitive Information
barindex
Yara detected Mars stealer
Source: Yara match File source: 1.2.cmd.exe.38e00c8.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.cmd.exe.38e00c8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000001.00000002.1896600750.00000000038E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.1896414307.0000000000791000.00000080.00000001.01000000.00000000.sdmp, type: MEMORY
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\cgfmw, type: DROPPED
Yara detected Stealc
Source: Yara match File source: decrypted.memstr, type: MEMORYSTR
Yara detected Vidar stealer
Source: Yara match File source: 1.2.cmd.exe.38e00c8.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.cmd.exe.38e00c8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000001.00000002.1896600750.00000000038E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.1896414307.0000000000791000.00000080.00000001.01000000.00000000.sdmp, type: MEMORY
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\cgfmw, type: DROPPED

Remote Access Functionality
barindex
Yara detected Mars stealer
Source: Yara match File source: 1.2.cmd.exe.38e00c8.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.cmd.exe.38e00c8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000001.00000002.1896600750.00000000038E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.1896414307.0000000000791000.00000080.00000001.01000000.00000000.sdmp, type: MEMORY
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\cgfmw, type: DROPPED
Yara detected Stealc
Source: Yara match File source: decrypted.memstr, type: MEMORYSTR
Yara detected Vidar stealer
Source: Yara match File source: 1.2.cmd.exe.38e00c8.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.cmd.exe.38e00c8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000001.00000002.1896600750.00000000038E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.1896414307.0000000000791000.00000080.00000001.01000000.00000000.sdmp, type: MEMORY
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\cgfmw, type: DROPPED
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1434650 Sample: BCb8yQ0fg8.exe Startdate: 01/05/2024 Architecture: WINDOWS Score: 100 38 Found malware configuration 2->38 40 Antivirus detection for URL or domain 2->40 42 Antivirus detection for dropped file 2->42 44 8 other signatures 2->44 7 BCb8yQ0fg8.exe 1 2->7         started        10 chrome.exe 1 2->10         started        process3 dnsIp4 46 Maps a DLL or memory area into another process 7->46 13 cmd.exe 2 7->13         started        32 192.168.2.4, 138, 443, 49698 unknown unknown 10->32 34 192.168.2.6 unknown unknown 10->34 36 239.255.255.250 unknown Reserved 10->36 17 chrome.exe 10->17         started        signatures5 process6 dnsIp7 24 C:\Users\user\AppData\Local\Temp\cgfmw, PE32 13->24 dropped 48 Injects code into the Windows Explorer (explorer.exe) 13->48 50 Deletes itself after installation 13->50 52 Writes to foreign memory regions 13->52 54 2 other signatures 13->54 20 conhost.exe 13->20         started        22 explorer.exe 13->22         started        26 www.google.com 64.233.180.99, 443, 49735, 49738 GOOGLEUS United States 17->26 28 plus.l.google.com 17->28 30 apis.google.com 17->30 file8 signatures9 process10
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
239.255.255.250
 unknown Reserved
unknown unknown false
64.233.180.99
 www.google.com United States
15169 GOOGLEUS false

Private

IP
192.168.2.4
192.168.2.6

Contacted Domains

Name IP Active
plus.l.google.com 142.251.16.100 true
www.google.com 64.233.180.99 true
apis.google.com unknown unknown

Contacted URLs

Name Malicious Antivirus Detection Reputation
http://193.163.7.88/a69d09b357e06b52.php true
  • 3%, Virustotal, Browse
  • Avira URL Cloud: malware
 unknown
https://www.google.com/async/newtab_promos false
    		high
    https://www.google.com/async/ddljson?async=ntp:2 false
      		high
      https://www.google.com/complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=&oit=0&oft=1&pgcl=20&gs_rn=42&sugkey=AIzaSyBOti4mM-6x9WDnZIjIeyEU21OpBXqWBgw false
        		high
        https://www.google.com/async/newtab_ogb?hl=en-US&async=fixed:0 false
          		high