Windows Analysis Report
pYJeC4VJbw.exe

Overview

General Information

Sample name:	pYJeC4VJbw.exe renamed because original name is a hash value
Original sample name:	14c3db1bdba407c23f0e80bbfdd6db0f.exe
Analysis ID:	1435882
MD5:	14c3db1bdba407c23f0e80bbfdd6db0f
SHA1:	304c2d438d926f73f58f1ee9635b449b585dddce
SHA256:	596a9e9ed53dbeb50b69a93bfeef67855baf488f3638695b5485fd1c9633fad7
Tags:	exe
Infos:

Detection

Mars Stealer, Stealc, Vidar

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Yara detected Mars stealer

Yara detected Stealc

Yara detected Vidar stealer

Found evasive API chain (may stop execution after checking locale)

Found many strings related to Crypto-Wallets (likely being stolen)

Machine Learning detection for sample

Sample uses string decryption to hide its real strings

Searches for specific processes (likely to inject)

Tries to harvest and steal Bitcoin Wallet information

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Crypto Currency Wallets

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to dynamically determine API calls

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Detected potential crypto function

Drops PE files

Drops PE files to the application program directory (C:\ProgramData)

Extensive use of GetProcAddress (often used to hide API calls)

Found dropped PE file which has not been started or loaded

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

JA3 SSL client fingerprint seen in connection with other malware

PE file contains sections with non-standard names

Queries information about the installed CPU (vendor, model number etc)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Malware Threat Intel
Provided by

Name	Description	Attribution	Blogpost URLs	Link
Stealc	Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, stealc is a non-resident stealer with flexible data collection settings and its development is relied on other prominent stealers: Vidar, Raccoon, Mars and Redline.Stealc is written in C and uses WinAPI functions. It mainly targets date from web browsers, extensions and Desktop application of cryptocurrency wallets, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers, including sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests.	No Attribution	https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.sekoia.io/stealc-a-copycat-of-vidar-and-raccoon-infostealers-gaining-in-popularity-part-1/ https://blog.sekoia.io/stealc-a-copycat-of-vidar-and-raccoon-infostealers-gaining-in-popularity-part-2/ https://cocomelonc.github.io/book/2023/12/13/malwild-book.html https://g0njxa.medium.com/approaching-stealers-devs-a-brief-interview-with-stealc-cbe5c94b84af	https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc

Name	Description	Attribution	Blogpost URLs	Link
Vidar	Vidar is a forked malware based on Arkei. It seems this stealer is one of the first that is grabbing information on 2FA Software and Tor Browser.	No Attribution	https://0x00-0x7f.github.io/A-Case-of-Vidar-Infostealer-Part-1-(-Unpacking-)/ https://0x00-0x7f.github.io/A-Case-of-Vidar-Infostealer-Part-2/ https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/vidar-stealer-h-and-m-campaign https://0xtoxin.github.io/malware%20analysis/Vidar-Stealer-Campaign/ https://asec.ahnlab.com/en/22932/	https://malpedia.caad.fkie.fraunhofer.de/details/win.vidar

Signatures

AV Detection

Antivirus detection for URL or domain

Source: https://shaffatta.com/d32e011d2eaa85a0/mozglue.dll	Avira URL Cloud: Label: malware
Source: https://shaffatta.com/d32e011d2eaa85a0/msvcp140.dll	Avira URL Cloud: Label: malware
Source: https://shaffatta.com/d32e011d2eaa85a0/nss3.dll	Avira URL Cloud: Label: malware
Source: https://shaffatta.com/d32e011d2eaa85a0/freebl3.dll	Avira URL Cloud: Label: malware
Source: https://shaffatta.com/d32e011d2eaa85a0/sqlite3.dll	Avira URL Cloud: Label: malware
Source: https://shaffatta.com/d32e011d2eaa85a0/vcruntime140.dll	Avira URL Cloud: Label: malware
Source: https://shaffatta.com/d32e011d2eaa85a0/softokn3.dll	Avira URL Cloud: Label: malware

Multi AV Scanner detection for domain / URL

Source: https://shaffatta.com/D	Virustotal: Detection: 8%	Perma Link
Source: https://shaffatta.com/fdca69ae739b4897.php	Virustotal: Detection: 11%	Perma Link
Source: https://shaffatta.com/d32e011d2eaa85a0/msvcp140.dll	Virustotal: Detection: 11%	Perma Link
Source: https://shaffatta.com/fdca69ae739b4897.php&	Virustotal: Detection: 8%	Perma Link
Source: https://shaffatta.com/5	Virustotal: Detection: 10%	Perma Link
Source: https://shaffatta.com/d32e011d2eaa85a0/freebl3.dll	Virustotal: Detection: 6%	Perma Link
Source: https://shaffatta.com/fdca69ae739b4897.phpa	Virustotal: Detection: 8%	Perma Link
Source: https://shaffatta.com/d32e011d2eaa85a0/msvcp140.dlll	Virustotal: Detection: 11%	Perma Link
Source: https://shaffatta.com/d32e011d2eaa85a0/vcruntime140.dll	Virustotal: Detection: 6%	Perma Link

Multi AV Scanner detection for submitted file

Source: pYJeC4VJbw.exe	ReversingLabs: Detection: 65%
Source: pYJeC4VJbw.exe	Virustotal: Detection: 46%			Perma Link

Machine Learning detection for sample

Source: pYJeC4VJbw.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 0.2.pYJeC4VJbw.exe.400000.0.raw.unpack	String decryptor: CtIvEWInDoW
Source: 0.2.pYJeC4VJbw.exe.400000.0.raw.unpack	String decryptor: AgEBOxw
Source: 0.2.pYJeC4VJbw.exe.400000.0.raw.unpack	String decryptor: ijklmnopqrs
Source: 0.2.pYJeC4VJbw.exe.400000.0.raw.unpack	String decryptor: /#%33@@@
Source: 0.2.pYJeC4VJbw.exe.400000.0.raw.unpack	String decryptor: abcdefghijklmnopqrs
Source: 0.2.pYJeC4VJbw.exe.400000.0.raw.unpack	String decryptor: @@@@<@@@
Source: 0.2.pYJeC4VJbw.exe.400000.0.raw.unpack	String decryptor: abcdefghijklmnopqrs
Source: 0.2.pYJeC4VJbw.exe.400000.0.raw.unpack	String decryptor: "&&""..""&&"">>""&&"".."ikSQWQSQ_QBEklmn^pqrBtuvFxyzL123H5679+/\|
Source: 0.2.pYJeC4VJbw.exe.400000.0.raw.unpack	String decryptor: %s\%V/yVs
Source: 0.2.pYJeC4VJbw.exe.400000.0.raw.unpack	String decryptor: %s\*.
Source: 0.2.pYJeC4VJbw.exe.400000.0.raw.unpack	String decryptor: }567y9n/S
Source: 0.2.pYJeC4VJbw.exe.400000.0.raw.unpack	String decryptor: ntTekeny
Source: 0.2.pYJeC4VJbw.exe.400000.0.raw.unpack	String decryptor: ging
Source: 0.2.pYJeC4VJbw.exe.400000.0.raw.unpack	String decryptor: PassMord0
Source: 0.2.pYJeC4VJbw.exe.400000.0.raw.unpack	String decryptor: J@@@`z`@J@@@J@@@
Source: 0.2.pYJeC4VJbw.exe.400000.0.raw.unpack	String decryptor: OPQRSTUVWXY
Source: 0.2.pYJeC4VJbw.exe.400000.0.raw.unpack	String decryptor: 456753+/---- '
Source: 0.2.pYJeC4VJbw.exe.400000.0.raw.unpack	String decryptor: '--- '
Source: 0.2.pYJeC4VJbw.exe.400000.0.raw.unpack	String decryptor: deh0Q
Source: 0.2.pYJeC4VJbw.exe.400000.0.raw.unpack	String decryptor: HeapFree
Source: 0.2.pYJeC4VJbw.exe.400000.0.raw.unpack	String decryptor: GetLocaleInfoA
Source: 0.2.pYJeC4VJbw.exe.400000.0.raw.unpack	String decryptor: ntProcessId
Source: 0.2.pYJeC4VJbw.exe.400000.0.raw.unpack	String decryptor: wininet.dll
Source: 0.2.pYJeC4VJbw.exe.400000.0.raw.unpack	String decryptor: shlwapi.dll
Source: 0.2.pYJeC4VJbw.exe.400000.0.raw.unpack	String decryptor: shell32.dll
Source: 0.2.pYJeC4VJbw.exe.400000.0.raw.unpack	String decryptor: .dll
Source: 0.2.pYJeC4VJbw.exe.400000.0.raw.unpack	String decryptor: column_text
Source: 0.2.pYJeC4VJbw.exe.400000.0.raw.unpack	String decryptor: login:

Uses Microsoft's Enhanced Cryptographic Provider

Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Code function: 0_2_00409540 CryptUnprotectData,LocalAlloc,LocalFree,	0_2_00409540
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Code function: 0_2_00406C10 GetProcessHeap,HeapAlloc,CryptUnprotectData,WideCharToMultiByte,LocalFree,	0_2_00406C10
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Code function: 0_2_004094A0 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,	0_2_004094A0
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Code function: 0_2_004155A0 CryptBinaryToStringA,GetProcessHeap,HeapAlloc,CryptBinaryToStringA,	0_2_004155A0
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Code function: 0_2_0040BF90 memset,lstrlen,CryptStringToBinaryA,PK11_GetInternalKeySlot,PK11_Authenticate,PK11SDR_Decrypt,memcpy,lstrcat,lstrcat,PK11_FreeSlot,lstrcat,	0_2_0040BF90
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Code function: 0_2_6CFA6C80 CryptQueryObject,CryptMsgGetParam,moz_xmalloc,memset,CryptMsgGetParam,CertFindCertificateInStore,free,CertGetNameStringW,moz_xmalloc,memset,CertGetNameStringW,CertFreeCertificateContext,CryptMsgClose,CertCloseStore,CreateFileW,moz_xmalloc,memset,memset,CryptQueryObject,free,CloseHandle,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,memset,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerifyVersionInfoW,moz_xmalloc,memset,GetLastError,moz_xmalloc,memset,CryptBinaryToStringW,_wcsupr_s,free,GetLastError,memset,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerifyVersionInfoW,__Init_thread_footer,__Init_thread_footer,	0_2_6CFA6C80
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Code function: 0_2_6D0FA9A0 PK11SDR_Decrypt,PORT_NewArena_Util,SEC_QuickDERDecodeItem_Util,PORT_FreeArena_Util,SECITEM_ZfreeItem_Util,PK11_GetInternalKeySlot,PK11_Authenticate,PORT_FreeArena_Util,PK11_ListFixedKeysInSlot,SECITEM_ZfreeItem_Util,PK11_FreeSymKey,PK11_FreeSymKey,PORT_FreeArena_Util,PK11_FreeSymKey,SECITEM_ZfreeItem_Util,	0_2_6D0FA9A0

Compliance

Detected unpacking (overwrites its own PE header)

Source: C:\Users\user\Desktop\pYJeC4VJbw.exe

Unpacked PE file: 0.2.pYJeC4VJbw.exe.400000.0.unpack

Uses 32bit PE files

Source: pYJeC4VJbw.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Users\user\Desktop\pYJeC4VJbw.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Jump to behavior

Source: unknown

HTTPS traffic detected: 168.119.248.46:443 -> 192.168.2.4:49737 version: TLS 1.2

Source:	Binary string: mozglue.pdbP source: pYJeC4VJbw.exe, 00000000.00000002.2903578339.000000006D00D000.00000002.00000001.01000000.00000008.sdmp, mozglue[1].dll.0.dr, mozglue.dll.0.dr
Source:	Binary string: freebl3.pdb source: freebl3[1].dll.0.dr, freebl3.dll.0.dr
Source:	Binary string: freebl3.pdbp source: freebl3[1].dll.0.dr, freebl3.dll.0.dr
Source:	Binary string: nss3.pdb@ source: pYJeC4VJbw.exe, 00000000.00000002.2903802204.000000006D1CF000.00000002.00000001.01000000.00000007.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr
Source:	Binary string: softokn3.pdb@ source: softokn3[1].dll.0.dr, softokn3.dll.0.dr
Source:	Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: vcruntime140.dll.0.dr, vcruntime140[1].dll.0.dr
Source:	Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdb source: msvcp140[1].dll.0.dr, msvcp140.dll.0.dr
Source:	Binary string: nss3.pdb source: pYJeC4VJbw.exe, 00000000.00000002.2903802204.000000006D1CF000.00000002.00000001.01000000.00000007.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr
Source:	Binary string: mozglue.pdb source: pYJeC4VJbw.exe, 00000000.00000002.2903578339.000000006D00D000.00000002.00000001.01000000.00000008.sdmp, mozglue[1].dll.0.dr, mozglue.dll.0.dr
Source:	Binary string: softokn3.pdb source: softokn3[1].dll.0.dr, softokn3.dll.0.dr

Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Code function: 0_2_0040D1C0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,	0_2_0040D1C0
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Code function: 0_2_004015C0 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	0_2_004015C0
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Code function: 0_2_00411650 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose,	0_2_00411650
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Code function: 0_2_0040B610 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose,	0_2_0040B610
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Code function: 0_2_0040DB60 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA,	0_2_0040DB60
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Code function: 0_2_0040D540 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	0_2_0040D540
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Code function: 0_2_00412570 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	0_2_00412570
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Code function: 0_2_004121F0 GetProcessHeap,HeapAlloc,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen,	0_2_004121F0
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Code function: 0_2_00411B80 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose,	0_2_00411B80

Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\	Jump to behavior
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\	Jump to behavior
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\	Jump to behavior
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\	Jump to behavior
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\	Jump to behavior
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\	Jump to behavior

HTTP GET or POST without a user agent

Source: global traffic	HTTP traffic detected: POST /fdca69ae739b4897.php HTTP/1.1Content-Type: multipart/form-data; boundary=----CFIECFIJDAAKEBGCGHIEHost: shaffatta.comContent-Length: 216Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /fdca69ae739b4897.php HTTP/1.1Content-Type: multipart/form-data; boundary=----GDBKKFHIEGDHJKECAAKKHost: shaffatta.comContent-Length: 268Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /fdca69ae739b4897.php HTTP/1.1Content-Type: multipart/form-data; boundary=----BFHDAEHDAKECGCAKFCFIHost: shaffatta.comContent-Length: 267Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /fdca69ae739b4897.php HTTP/1.1Content-Type: multipart/form-data; boundary=----CBKJEGCBKKJECBGCGDBAHost: shaffatta.comContent-Length: 6691Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /d32e011d2eaa85a0/sqlite3.dll HTTP/1.1Host: shaffatta.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /fdca69ae739b4897.php HTTP/1.1Content-Type: multipart/form-data; boundary=----CAAAAFBKFIECAAKECGCAHost: shaffatta.comContent-Length: 4599Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /fdca69ae739b4897.php HTTP/1.1Content-Type: multipart/form-data; boundary=----IJDBKKJKJEBFBGCBAAFIHost: shaffatta.comContent-Length: 1451Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /fdca69ae739b4897.php HTTP/1.1Content-Type: multipart/form-data; boundary=----DAAAFBKECAKEHIEBAFIEHost: shaffatta.comContent-Length: 359Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /fdca69ae739b4897.php HTTP/1.1Content-Type: multipart/form-data; boundary=----HIIIDAKKJJJKKECAKKJEHost: shaffatta.comContent-Length: 359Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /d32e011d2eaa85a0/freebl3.dll HTTP/1.1Host: shaffatta.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /d32e011d2eaa85a0/mozglue.dll HTTP/1.1Host: shaffatta.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /d32e011d2eaa85a0/msvcp140.dll HTTP/1.1Host: shaffatta.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /d32e011d2eaa85a0/nss3.dll HTTP/1.1Host: shaffatta.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /d32e011d2eaa85a0/softokn3.dll HTTP/1.1Host: shaffatta.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /d32e011d2eaa85a0/vcruntime140.dll HTTP/1.1Host: shaffatta.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /fdca69ae739b4897.php HTTP/1.1Content-Type: multipart/form-data; boundary=----AAEGHJKJKKJDHIDHJKJDHost: shaffatta.comContent-Length: 1067Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /fdca69ae739b4897.php HTTP/1.1Content-Type: multipart/form-data; boundary=----ECAKECAEGDHIECBGHIIIHost: shaffatta.comContent-Length: 267Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /fdca69ae739b4897.php HTTP/1.1Content-Type: multipart/form-data; boundary=----DHJDAKEGDBFHCAAKJJJDHost: shaffatta.comContent-Length: 265Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /fdca69ae739b4897.php HTTP/1.1Content-Type: multipart/form-data; boundary=----AFHIEBKKFHIEGCAKECGHHost: shaffatta.comContent-Length: 1759Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /fdca69ae739b4897.php HTTP/1.1Content-Type: multipart/form-data; boundary=----KKKEBKJJDGHCBGCAAKEHHost: shaffatta.comContent-Length: 1743Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /fdca69ae739b4897.php HTTP/1.1Content-Type: multipart/form-data; boundary=----AFHIEBKKFHIEGCAKECGHHost: shaffatta.comContent-Length: 1759Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /fdca69ae739b4897.php HTTP/1.1Content-Type: multipart/form-data; boundary=----JKFIDGDHJEGIEBFHDGDGHost: shaffatta.comContent-Length: 1743Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /fdca69ae739b4897.php HTTP/1.1Content-Type: multipart/form-data; boundary=----ECGDBAEHIJKKFHIEGCBGHost: shaffatta.comContent-Length: 1759Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /fdca69ae739b4897.php HTTP/1.1Content-Type: multipart/form-data; boundary=----ECBAEBGHDAECBGDGCAKEHost: shaffatta.comContent-Length: 1743Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /fdca69ae739b4897.php HTTP/1.1Content-Type: multipart/form-data; boundary=----JJEGCBGIDHCAKEBGIIDBHost: shaffatta.comContent-Length: 1759Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /fdca69ae739b4897.php HTTP/1.1Content-Type: multipart/form-data; boundary=----JJKFBAKFBGDHIEBGDAKFHost: shaffatta.comContent-Length: 1743Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /fdca69ae739b4897.php HTTP/1.1Content-Type: multipart/form-data; boundary=----HIIIDAKKJJJKKECAKKJEHost: shaffatta.comContent-Length: 1759Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /fdca69ae739b4897.php HTTP/1.1Content-Type: multipart/form-data; boundary=----IJKJJKFHIJKKFHJJECBAHost: shaffatta.comContent-Length: 1743Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /fdca69ae739b4897.php HTTP/1.1Content-Type: multipart/form-data; boundary=----CFHCGHJDBFIIDGDHIJDBHost: shaffatta.comContent-Length: 1759Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /fdca69ae739b4897.php HTTP/1.1Content-Type: multipart/form-data; boundary=----DBFIEHDHIIIECAAKECFHHost: shaffatta.comContent-Length: 1743Connection: Keep-AliveCache-Control: no-cache

JA3 SSL client fingerprint seen in connection with other malware

Source: Joe Sandbox View

JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\Desktop\pYJeC4VJbw.exe

Code function: 0_2_00404C70 GetProcessHeap,RtlAllocateHeap,InternetOpenA,InternetOpenUrlA,InternetReadFile,InternetCloseHandle,InternetCloseHandle,

0_2_00404C70

Source: global traffic	HTTP traffic detected: GET /d32e011d2eaa85a0/sqlite3.dll HTTP/1.1Host: shaffatta.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /d32e011d2eaa85a0/freebl3.dll HTTP/1.1Host: shaffatta.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /d32e011d2eaa85a0/mozglue.dll HTTP/1.1Host: shaffatta.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /d32e011d2eaa85a0/msvcp140.dll HTTP/1.1Host: shaffatta.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /d32e011d2eaa85a0/nss3.dll HTTP/1.1Host: shaffatta.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /d32e011d2eaa85a0/softokn3.dll HTTP/1.1Host: shaffatta.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /d32e011d2eaa85a0/vcruntime140.dll HTTP/1.1Host: shaffatta.comCache-Control: no-cache

Source: global traffic

DNS traffic detected: DNS query: shaffatta.com

Source: unknown

HTTP traffic detected: POST /fdca69ae739b4897.php HTTP/1.1Content-Type: multipart/form-data; boundary=----CFIECFIJDAAKEBGCGHIEHost: shaffatta.comContent-Length: 216Connection: Keep-AliveCache-Control: no-cache

Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr	String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl07
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr	String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0K
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr	String found in binary or memory: http://ocsp.digicert.com0
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr	String found in binary or memory: http://ocsp.digicert.com0A
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr	String found in binary or memory: http://ocsp.digicert.com0N
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr	String found in binary or memory: http://ocsp.digicert.com0X
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr	String found in binary or memory: http://www.digicert.com/CPS0
Source: pYJeC4VJbw.exe, pYJeC4VJbw.exe, 00000000.00000002.2903578339.000000006D00D000.00000002.00000001.01000000.00000008.sdmp, mozglue[1].dll.0.dr, mozglue.dll.0.dr	String found in binary or memory: http://www.mozilla.com/en-US/blocklist/
Source: pYJeC4VJbw.exe, 00000000.00000002.2903413122.0000000061ED3000.00000004.00001000.00020000.00000000.sdmp, pYJeC4VJbw.exe, 00000000.00000002.2895334222.000000001D511000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.sqlite.org/copyright.html.
Source: GIJKKKFC.0.dr	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: GIJKKKFC.0.dr	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: pYJeC4VJbw.exe, 00000000.00000002.2895207403.000000001D410000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ep
Source: pYJeC4VJbw.exe, 00000000.00000002.2895207403.000000001D410000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.epnacl
Source: pYJeC4VJbw.exe, 00000000.00000002.2895207403.000000001D410000.00000004.00000020.00020000.00000000.sdmp, GIJKKKFC.0.dr	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: pYJeC4VJbw.exe, 00000000.00000002.2895207403.000000001D410000.00000004.00000020.00020000.00000000.sdmp, GIJKKKFC.0.dr	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: GIJKKKFC.0.dr	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: GIJKKKFC.0.dr	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: GIJKKKFC.0.dr	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr	String found in binary or memory: https://mozilla.org0/
Source: pYJeC4VJbw.exe, 00000000.00000002.2884824643.0000000002DBB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://shaffatta.com
Source: pYJeC4VJbw.exe, 00000000.00000002.2895207403.000000001D410000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://shaffatta.com/
Source: pYJeC4VJbw.exe, 00000000.00000002.2884861560.0000000002E26000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://shaffatta.com/)
Source: pYJeC4VJbw.exe, 00000000.00000002.2895207403.000000001D410000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://shaffatta.com/1
Source: pYJeC4VJbw.exe, 00000000.00000002.2895207403.000000001D410000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://shaffatta.com/32e011d2eaa85a0/nss3.dll
Source: pYJeC4VJbw.exe, 00000000.00000002.2895207403.000000001D410000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://shaffatta.com/32e011d2eaa85a0/nss3.dllc
Source: pYJeC4VJbw.exe, 00000000.00000002.2884861560.0000000002E26000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://shaffatta.com/3r:
Source: pYJeC4VJbw.exe, 00000000.00000002.2895207403.000000001D410000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://shaffatta.com/5
Source: pYJeC4VJbw.exe, 00000000.00000003.2526693387.0000000002E3E000.00000004.00000020.00020000.00000000.sdmp, pYJeC4VJbw.exe, 00000000.00000003.2526535738.0000000002E3E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://shaffatta.com/8s/
Source: pYJeC4VJbw.exe, 00000000.00000002.2895207403.000000001D410000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://shaffatta.com/D
Source: pYJeC4VJbw.exe, 00000000.00000002.2895207403.000000001D410000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://shaffatta.com/GHCGHCBFHJJKKJEHJEHJEH
Source: pYJeC4VJbw.exe, 00000000.00000003.2526693387.0000000002E3E000.00000004.00000020.00020000.00000000.sdmp, pYJeC4VJbw.exe, 00000000.00000003.2526535738.0000000002E3E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://shaffatta.com/Hs
Source: pYJeC4VJbw.exe, 00000000.00000002.2895207403.000000001D410000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://shaffatta.com/JKEHDBGHIDHIEHDBAAFHJK
Source: pYJeC4VJbw.exe, 00000000.00000002.2895207403.000000001D410000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://shaffatta.com/amData
Source: pYJeC4VJbw.exe, 00000000.00000002.2884861560.0000000002E09000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://shaffatta.com/c
Source: pYJeC4VJbw.exe, 00000000.00000002.2884861560.0000000002E09000.00000004.00000020.00020000.00000000.sdmp, pYJeC4VJbw.exe, 00000000.00000002.2895207403.000000001D410000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://shaffatta.com/d32e011d2eaa85a0/freebl3.dll
Source: pYJeC4VJbw.exe, 00000000.00000002.2884861560.0000000002E09000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://shaffatta.com/d32e011d2eaa85a0/mozglue.dll
Source: pYJeC4VJbw.exe, 00000000.00000002.2895207403.000000001D4F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://shaffatta.com/d32e011d2eaa85a0/mozglue.dll)
Source: pYJeC4VJbw.exe, 00000000.00000002.2884861560.0000000002E09000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://shaffatta.com/d32e011d2eaa85a0/mozglue.dll8
Source: pYJeC4VJbw.exe, 00000000.00000002.2895207403.000000001D4FF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://shaffatta.com/d32e011d2eaa85a0/msvcp140.dll
Source: pYJeC4VJbw.exe, 00000000.00000002.2884861560.0000000002E09000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://shaffatta.com/d32e011d2eaa85a0/msvcp140.dlll
Source: pYJeC4VJbw.exe, 00000000.00000002.2895207403.000000001D410000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://shaffatta.com/d32e011d2eaa85a0/nss3.dlln
Source: pYJeC4VJbw.exe, 00000000.00000002.2895207403.000000001D410000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://shaffatta.com/d32e011d2eaa85a0/nss3.dllp
Source: pYJeC4VJbw.exe, 00000000.00000002.2895207403.000000001D4FF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://shaffatta.com/d32e011d2eaa85a0/softokn3.dllF
Source: pYJeC4VJbw.exe, 00000000.00000002.2895207403.000000001D4FF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://shaffatta.com/d32e011d2eaa85a0/softokn3.dllx
Source: pYJeC4VJbw.exe, 00000000.00000002.2884861560.0000000002E09000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://shaffatta.com/d32e011d2eaa85a0/sqlite3.dll
Source: pYJeC4VJbw.exe, 00000000.00000002.2884861560.0000000002E09000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://shaffatta.com/d32e011d2eaa85a0/sqlite3.dllH
Source: pYJeC4VJbw.exe, 00000000.00000002.2895207403.000000001D4FF000.00000004.00000020.00020000.00000000.sdmp, pYJeC4VJbw.exe, 00000000.00000002.2884861560.0000000002E26000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://shaffatta.com/d32e011d2eaa85a0/vcruntime140.dll
Source: pYJeC4VJbw.exe, 00000000.00000002.2895207403.000000001D410000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://shaffatta.com/es
Source: pYJeC4VJbw.exe, 00000000.00000002.2895207403.000000001D410000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://shaffatta.com/fatta.com/
Source: pYJeC4VJbw.exe, 00000000.00000002.2895207403.000000001D410000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://shaffatta.com/fatta.com/32e011d2eaa85a0/nss3.dllY
Source: pYJeC4VJbw.exe, 00000000.00000002.2895207403.000000001D410000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://shaffatta.com/fatta.com/d32e011d2eaa85a0/nss3.dll
Source: pYJeC4VJbw.exe, 00000000.00000002.2895207403.000000001D410000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://shaffatta.com/fatta.com/d32e011d2eaa85a0/nss3.dll/
Source: pYJeC4VJbw.exe, 00000000.00000002.2884861560.0000000002DD5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://shaffatta.com/fdca69ae739b4897.php
Source: pYJeC4VJbw.exe, 00000000.00000003.2526693387.0000000002E3E000.00000004.00000020.00020000.00000000.sdmp, pYJeC4VJbw.exe, 00000000.00000003.2526535738.0000000002E3E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://shaffatta.com/fdca69ae739b4897.php&
Source: pYJeC4VJbw.exe, 00000000.00000002.2884861560.0000000002E09000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://shaffatta.com/fdca69ae739b4897.php-
Source: pYJeC4VJbw.exe, 00000000.00000002.2884861560.0000000002E26000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://shaffatta.com/fdca69ae739b4897.php4r#
Source: pYJeC4VJbw.exe, 00000000.00000003.2526693387.0000000002E3E000.00000004.00000020.00020000.00000000.sdmp, pYJeC4VJbw.exe, 00000000.00000003.2526535738.0000000002E3E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://shaffatta.com/fdca69ae739b4897.php7s&
Source: pYJeC4VJbw.exe, 00000000.00000002.2884861560.0000000002E26000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://shaffatta.com/fdca69ae739b4897.php8s/
Source: pYJeC4VJbw.exe, 00000000.00000002.2884861560.0000000002E26000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://shaffatta.com/fdca69ae739b4897.phpCoinomi
Source: pYJeC4VJbw.exe, 00000000.00000002.2884861560.0000000002E26000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://shaffatta.com/fdca69ae739b4897.phpGs
Source: pYJeC4VJbw.exe, 00000000.00000003.2526693387.0000000002E3E000.00000004.00000020.00020000.00000000.sdmp, pYJeC4VJbw.exe, 00000000.00000003.2526535738.0000000002E3E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://shaffatta.com/fdca69ae739b4897.phpUs
Source: pYJeC4VJbw.exe, 00000000.00000002.2884861560.0000000002E26000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://shaffatta.com/fdca69ae739b4897.phpa
Source: pYJeC4VJbw.exe, 00000000.00000002.2884861560.0000000002E09000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://shaffatta.com/fdca69ae739b4897.phpi
Source: pYJeC4VJbw.exe, 00000000.00000002.2882938021.000000000044B000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: https://shaffatta.com/fdca69ae739b4897.phpiYW4qLCpjYXJkcyosKmJhbmtzKiwqY3Z2KiwqY3ZjKiwqYWNjb3VudCosK
Source: pYJeC4VJbw.exe, 00000000.00000002.2884861560.0000000002E26000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://shaffatta.com/fdca69ae739b4897.phpmple-storage.jsoncoOaY
Source: pYJeC4VJbw.exe, 00000000.00000002.2882938021.000000000044B000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: https://shaffatta.com/fdca69ae739b4897.phption:
Source: pYJeC4VJbw.exe, 00000000.00000003.2526693387.0000000002E3E000.00000004.00000020.00020000.00000000.sdmp, pYJeC4VJbw.exe, 00000000.00000003.2526535738.0000000002E3E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://shaffatta.com/fdca69ae739b4897.phpys
Source: pYJeC4VJbw.exe, 00000000.00000002.2895207403.000000001D410000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://shaffatta.com/ost:
Source: pYJeC4VJbw.exe, 00000000.00000002.2895207403.000000001D410000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://shaffatta.com/ozglue.dll
Source: pYJeC4VJbw.exe, 00000000.00000002.2884824643.0000000002DBB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://shaffatta.comC
Source: IDAKJKEHDBGHIDHIEHDBAAFHJK.0.dr	String found in binary or memory: https://support.mozilla.org
Source: IDAKJKEHDBGHIDHIEHDBAAFHJK.0.dr	String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: IDAKJKEHDBGHIDHIEHDBAAFHJK.0.dr	String found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.zvXrErQ5GYDF
Source: pYJeC4VJbw.exe, 00000000.00000003.2585700635.000000002349D000.00000004.00000020.00020000.00000000.sdmp, pYJeC4VJbw.exe, 00000000.00000002.2882938021.000000000044B000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016
Source: pYJeC4VJbw.exe, 00000000.00000002.2882938021.000000000044B000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016.exe
Source: pYJeC4VJbw.exe, 00000000.00000003.2585700635.000000002349D000.00000004.00000020.00020000.00000000.sdmp, pYJeC4VJbw.exe, 00000000.00000002.2882938021.000000000044B000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17
Source: pYJeC4VJbw.exe, 00000000.00000002.2882938021.000000000044B000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17chost.exe
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr	String found in binary or memory: https://www.digicert.com/CPS0
Source: pYJeC4VJbw.exe, 00000000.00000002.2895207403.000000001D410000.00000004.00000020.00020000.00000000.sdmp, GIJKKKFC.0.dr	String found in binary or memory: https://www.ecosia.org/newtab/
Source: GIJKKKFC.0.dr	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: IDAKJKEHDBGHIDHIEHDBAAFHJK.0.dr	String found in binary or memory: https://www.mozilla.org
Source: pYJeC4VJbw.exe, 00000000.00000002.2882938021.000000000044B000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: https://www.mozilla.org/about/
Source: IDAKJKEHDBGHIDHIEHDBAAFHJK.0.dr	String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.VsJpOAWrHqB2
Source: pYJeC4VJbw.exe, 00000000.00000002.2882938021.000000000044B000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/
Source: IDAKJKEHDBGHIDHIEHDBAAFHJK.0.dr	String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.n0g9CLHwD9nR
Source: pYJeC4VJbw.exe, 00000000.00000002.2882938021.000000000044B000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/
Source: pYJeC4VJbw.exe, 00000000.00000003.2715320097.00000000298F4000.00000004.00000020.00020000.00000000.sdmp, IDAKJKEHDBGHIDHIEHDBAAFHJK.0.dr	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: IDAKJKEHDBGHIDHIEHDBAAFHJK.0.dr	String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: pYJeC4VJbw.exe, 00000000.00000002.2882938021.000000000044B000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/
Source: pYJeC4VJbw.exe, 00000000.00000003.2715320097.00000000298F4000.00000004.00000020.00020000.00000000.sdmp, IDAKJKEHDBGHIDHIEHDBAAFHJK.0.dr	String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
Source: pYJeC4VJbw.exe, 00000000.00000002.2882938021.000000000044B000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/host.exe

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown	Network traffic detected: HTTP traffic on port 49766 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49762 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown	Network traffic detected: HTTP traffic on port 49759 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49753 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49767 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49763 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49752 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49739 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49756 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49767
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49766
Source: unknown	Network traffic detected: HTTP traffic on port 49758 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49765
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49764
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49763
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49762
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49761
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49760
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49760 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49764 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49751 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49759
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49758
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49757
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49755 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49756
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49755
Source: unknown	Network traffic detected: HTTP traffic on port 49757 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49754
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49753
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49752
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49751
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown	Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49761 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49765 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49750 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown	Network traffic detected: HTTP traffic on port 49754 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown	Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49746
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49745

Source: unknown

HTTPS traffic detected: 168.119.248.46:443 -> 192.168.2.4:49737 version: TLS 1.2

System Summary

Malicious sample detected (through community Yara rule)

Source: 00000000.00000002.2884642591.0000000002C80000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000000.00000002.2884797147.0000000002D97000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000000.00000002.2884177155.0000000002C00000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000000.00000002.2884841467.0000000002DC0000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown

Contains functionality to call native functions

Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Code function: 0_2_6CFBED10 malloc,NtFlushVirtualMemory,memset,memset,memset,memset,memset,memcpy,free,memset,memset,memcpy,memset,memset,memset,memset,memset,	0_2_6CFBED10
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Code function: 0_2_6CFFB700 NtQueryVirtualMemory,RtlNtStatusToDosError,RtlSetLastWin32Error,	0_2_6CFFB700
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Code function: 0_2_6CFFB8C0 rand_s,NtQueryVirtualMemory,	0_2_6CFFB8C0
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Code function: 0_2_6CFFB910 rand_s,NtQueryVirtualMemory,NtQueryVirtualMemory,RtlNtStatusToDosError,RtlSetLastWin32Error,GetLastError,	0_2_6CFFB910
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Code function: 0_2_6CF9F280 NtQueryVirtualMemory,GetProcAddress,NtQueryVirtualMemory,RtlNtStatusToDosError,RtlSetLastWin32Error,	0_2_6CF9F280

Detected potential crypto function

Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Code function: 0_2_6CFD6CF0	0_2_6CFD6CF0
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Code function: 0_2_6CF9D4E0	0_2_6CF9D4E0
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Code function: 0_2_6CFBD4D0	0_2_6CFBD4D0
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Code function: 0_2_6CFA64C0	0_2_6CFA64C0
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Code function: 0_2_6CFF34A0	0_2_6CFF34A0
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Code function: 0_2_6CFFC4A0	0_2_6CFFC4A0
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Code function: 0_2_6CFA6C80	0_2_6CFA6C80
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Code function: 0_2_6CFA5440	0_2_6CFA5440
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Code function: 0_2_6CFD5C10	0_2_6CFD5C10
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Code function: 0_2_6CFE2C10	0_2_6CFE2C10
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Code function: 0_2_6D00AC00	0_2_6D00AC00
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Code function: 0_2_6CFF85F0	0_2_6CFF85F0
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Code function: 0_2_6D00542B	0_2_6D00542B
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Code function: 0_2_6CFD0DD0	0_2_6CFD0DD0
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Code function: 0_2_6CF935A0	0_2_6CF935A0
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Code function: 0_2_6D00545C	0_2_6D00545C
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Code function: 0_2_6CFBED10	0_2_6CFBED10
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Code function: 0_2_6CFC0512	0_2_6CFC0512
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Code function: 0_2_6CFAFD00	0_2_6CFAFD00
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Code function: 0_2_6CF9BEF0	0_2_6CF9BEF0
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Code function: 0_2_6CFAFEF0	0_2_6CFAFEF0
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Code function: 0_2_6CFF4EA0	0_2_6CFF4EA0
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Code function: 0_2_6CFB5E90	0_2_6CFB5E90
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Code function: 0_2_6CFFE680	0_2_6CFFE680
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Code function: 0_2_6CF9C670	0_2_6CF9C670
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Code function: 0_2_6CFB9E50	0_2_6CFB9E50
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Code function: 0_2_6CFD3E50	0_2_6CFD3E50
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Code function: 0_2_6CFE2E4E	0_2_6CFE2E4E
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Code function: 0_2_6CFB4640	0_2_6CFB4640
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Code function: 0_2_6CFF9E30	0_2_6CFF9E30
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Code function: 0_2_6CFD7E10	0_2_6CFD7E10
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Code function: 0_2_6CFE5600	0_2_6CFE5600
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Code function: 0_2_6CFC6FF0	0_2_6CFC6FF0
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Code function: 0_2_6CF9DFE0	0_2_6CF9DFE0
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Code function: 0_2_6CFE77A0	0_2_6CFE77A0
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Code function: 0_2_6D006E63	0_2_6D006E63
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Code function: 0_2_6D0076E3	0_2_6D0076E3
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Code function: 0_2_6CFD7710	0_2_6CFD7710
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Code function: 0_2_6CFA9F00	0_2_6CFA9F00
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Code function: 0_2_6CFBC0E0	0_2_6CFBC0E0
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Code function: 0_2_6CFD58E0	0_2_6CFD58E0
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Code function: 0_2_6CFC60A0	0_2_6CFC60A0
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Code function: 0_2_6D00B170	0_2_6D00B170
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Code function: 0_2_6CFDF070	0_2_6CFDF070
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Code function: 0_2_6CFB8850	0_2_6CFB8850
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Code function: 0_2_6CFBD850	0_2_6CFBD850
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Code function: 0_2_6CFDB820	0_2_6CFDB820
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Code function: 0_2_6CFE4820	0_2_6CFE4820
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Code function: 0_2_6CFA7810	0_2_6CFA7810
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Code function: 0_2_6CFCD9B0	0_2_6CFCD9B0
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Code function: 0_2_6CF9C9A0	0_2_6CF9C9A0
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Code function: 0_2_6CFD5190	0_2_6CFD5190
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Code function: 0_2_6CFF2990	0_2_6CFF2990
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Code function: 0_2_6CFEB970	0_2_6CFEB970
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Code function: 0_2_6CFAD960	0_2_6CFAD960
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Code function: 0_2_6CFBA940	0_2_6CFBA940
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Code function: 0_2_6D0050C7	0_2_6D0050C7
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Code function: 0_2_6CFB1AF0	0_2_6CFB1AF0
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Code function: 0_2_6CFDE2F0	0_2_6CFDE2F0
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Code function: 0_2_6CFD8AC0	0_2_6CFD8AC0
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Code function: 0_2_6CFACAB0	0_2_6CFACAB0
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Code function: 0_2_6CF922A0	0_2_6CF922A0
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Code function: 0_2_6CFC4AA0	0_2_6CFC4AA0
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Code function: 0_2_6CFD9A60	0_2_6CFD9A60
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Code function: 0_2_6D0053C8	0_2_6D0053C8
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Code function: 0_2_6CF9F380	0_2_6CF9F380
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Code function: 0_2_6CFAC370	0_2_6CFAC370
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Code function: 0_2_6D00BA90	0_2_6D00BA90
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Code function: 0_2_6D002AB0	0_2_6D002AB0
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Code function: 0_2_6CF95340	0_2_6CF95340
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Code function: 0_2_6CFDD320	0_2_6CFDD320
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Code function: 0_2_6D1C8D20	0_2_6D1C8D20
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Code function: 0_2_6D16AD50	0_2_6D16AD50
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Code function: 0_2_6D10ED70	0_2_6D10ED70
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Code function: 0_2_6D0D6D90	0_2_6D0D6D90
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Code function: 0_2_6D044DB0	0_2_6D044DB0
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Code function: 0_2_6D1CCDC0	0_2_6D1CCDC0
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Code function: 0_2_6D106C00	0_2_6D106C00
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Code function: 0_2_6D11AC30	0_2_6D11AC30
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Code function: 0_2_6D04AC60	0_2_6D04AC60
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Code function: 0_2_6D03ECC0	0_2_6D03ECC0
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Code function: 0_2_6D09ECD0	0_2_6D09ECD0
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Code function: 0_2_6D046F10	0_2_6D046F10
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Code function: 0_2_6D180F20	0_2_6D180F20
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Code function: 0_2_6D0AEF40	0_2_6D0AEF40
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Code function: 0_2_6D102F70	0_2_6D102F70
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Code function: 0_2_6D188FB0	0_2_6D188FB0
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Code function: 0_2_6D04EFB0	0_2_6D04EFB0
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Code function: 0_2_6D11EFF0	0_2_6D11EFF0
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Code function: 0_2_6D040FE0	0_2_6D040FE0
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Code function: 0_2_6D120E20	0_2_6D120E20
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Code function: 0_2_6D0DEE70	0_2_6D0DEE70
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Code function: 0_2_6D0C6E90	0_2_6D0C6E90
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Code function: 0_2_6D04AEC0	0_2_6D04AEC0
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Code function: 0_2_6D0E0EC0	0_2_6D0E0EC0
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Code function: 0_2_6D096900	0_2_6D096900
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Code function: 0_2_6D078960	0_2_6D078960
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Code function: 0_2_6D1009B0	0_2_6D1009B0
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Code function: 0_2_6D0D09A0	0_2_6D0D09A0
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Code function: 0_2_6D0FA9A0	0_2_6D0FA9A0
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Code function: 0_2_6D15C9E0	0_2_6D15C9E0
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Code function: 0_2_6D0749F0	0_2_6D0749F0
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Code function: 0_2_6D090820	0_2_6D090820
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Code function: 0_2_6D0CA820	0_2_6D0CA820
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Code function: 0_2_6D114840	0_2_6D114840
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Code function: 0_2_6D1468E0	0_2_6D1468E0
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Code function: 0_2_6D0E0BA0	0_2_6D0E0BA0
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Code function: 0_2_6D146BE0	0_2_6D146BE0
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Code function: 0_2_6D0EEA00	0_2_6D0EEA00
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Code function: 0_2_6D0F8A30	0_2_6D0F8A30
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Code function: 0_2_6D0BCA70	0_2_6D0BCA70
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Code function: 0_2_6D0BEA80	0_2_6D0BEA80

Found potential string decryption / allocating functions

Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Code function: String function: 6CFCCBE8 appears 134 times
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Code function: String function: 6CFD94D0 appears 90 times
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Code function: String function: 004043B0 appears 316 times
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Code function: String function: 6D1C09D0 appears 112 times

Sample file is different than original file name gathered from version info

Source: pYJeC4VJbw.exe, 00000000.00000002.2903883210.000000006D215000.00000002.00000001.01000000.00000007.sdmp	Binary or memory string: OriginalFilenamenss3.dll0 vs pYJeC4VJbw.exe
Source: pYJeC4VJbw.exe, 00000000.00000002.2903626057.000000006D022000.00000002.00000001.01000000.00000008.sdmp	Binary or memory string: OriginalFilenamemozglue.dll0 vs pYJeC4VJbw.exe

Uses 32bit PE files

Source: pYJeC4VJbw.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Yara signature match

Source: 00000000.00000002.2884642591.0000000002C80000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000000.00000002.2884797147.0000000002D97000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000000.00000002.2884177155.0000000002C00000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000000.00000002.2884841467.0000000002DC0000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@1/29@1/1

Source: C:\Users\user\Desktop\pYJeC4VJbw.exe

Code function: 0_2_6CFF7030 GetLastError,FormatMessageA,__acrt_iob_func,__acrt_iob_func,__acrt_iob_func,fflush,LocalFree,

0_2_6CFF7030

Source: C:\Users\user\Desktop\pYJeC4VJbw.exe

Code function: 0_2_00414DE0 CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle,

0_2_00414DE0

Source: C:\Users\user\Desktop\pYJeC4VJbw.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\freebl3[1].dll

Jump to behavior

Source: pYJeC4VJbw.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\pYJeC4VJbw.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr	Binary or memory string: CREATE TABLE metaData (id PRIMARY KEY UNIQUE ON CONFLICT REPLACE, item1, item2);
Source: pYJeC4VJbw.exe, 00000000.00000002.2903802204.000000006D1CF000.00000002.00000001.01000000.00000007.sdmp, pYJeC4VJbw.exe, 00000000.00000002.2895334222.000000001D511000.00000004.00000020.00020000.00000000.sdmp, pYJeC4VJbw.exe, 00000000.00000002.2903359635.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr	Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr	Binary or memory string: SELECT ALL * FROM %s LIMIT 0;
Source: pYJeC4VJbw.exe, 00000000.00000002.2903802204.000000006D1CF000.00000002.00000001.01000000.00000007.sdmp, pYJeC4VJbw.exe, 00000000.00000002.2895334222.000000001D511000.00000004.00000020.00020000.00000000.sdmp, pYJeC4VJbw.exe, 00000000.00000002.2903359635.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr	Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: pYJeC4VJbw.exe, 00000000.00000002.2903802204.000000006D1CF000.00000002.00000001.01000000.00000007.sdmp, pYJeC4VJbw.exe, 00000000.00000002.2895334222.000000001D511000.00000004.00000020.00020000.00000000.sdmp, pYJeC4VJbw.exe, 00000000.00000002.2903359635.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr	Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: pYJeC4VJbw.exe, 00000000.00000002.2903802204.000000006D1CF000.00000002.00000001.01000000.00000007.sdmp, pYJeC4VJbw.exe, 00000000.00000002.2895334222.000000001D511000.00000004.00000020.00020000.00000000.sdmp, pYJeC4VJbw.exe, 00000000.00000002.2903359635.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr	Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr	Binary or memory string: UPDATE %s SET %s WHERE id=$ID;
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr	Binary or memory string: SELECT ALL * FROM metaData WHERE id=$ID;
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr	Binary or memory string: SELECT ALL id FROM %s WHERE %s;
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr	Binary or memory string: INSERT INTO metaData (id,item1) VALUES($ID,$ITEM1);
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr	Binary or memory string: INSERT INTO %s (id%s) VALUES($ID%s);
Source: pYJeC4VJbw.exe, pYJeC4VJbw.exe, 00000000.00000002.2903802204.000000006D1CF000.00000002.00000001.01000000.00000007.sdmp, pYJeC4VJbw.exe, 00000000.00000002.2895334222.000000001D511000.00000004.00000020.00020000.00000000.sdmp, pYJeC4VJbw.exe, 00000000.00000002.2903359635.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr	Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: pYJeC4VJbw.exe, 00000000.00000002.2903802204.000000006D1CF000.00000002.00000001.01000000.00000007.sdmp, pYJeC4VJbw.exe, 00000000.00000002.2895334222.000000001D511000.00000004.00000020.00020000.00000000.sdmp, pYJeC4VJbw.exe, 00000000.00000002.2903359635.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr	Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: pYJeC4VJbw.exe, 00000000.00000002.2895334222.000000001D511000.00000004.00000020.00020000.00000000.sdmp, pYJeC4VJbw.exe, 00000000.00000002.2903359635.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE x(addr INT,opcode TEXT,p1 INT,p2 INT,p3 INT,p4 TEXT,p5 INT,comment TEXT,subprog TEXT,stmt HIDDEN);
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr	Binary or memory string: INSERT INTO metaData (id,item1,item2) VALUES($ID,$ITEM1,$ITEM2);
Source: pYJeC4VJbw.exe, 00000000.00000003.2585700635.0000000023494000.00000004.00000020.00020000.00000000.sdmp, JDBFIIEBGCAKKEBFBAAF.0.dr	Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: pYJeC4VJbw.exe, 00000000.00000002.2895334222.000000001D511000.00000004.00000020.00020000.00000000.sdmp, pYJeC4VJbw.exe, 00000000.00000002.2903359635.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr	Binary or memory string: SELECT ALL * FROM %s LIMIT 0;CREATE TEMPORARY TABLE %s AS SELECT * FROM %sD
Source: pYJeC4VJbw.exe, 00000000.00000002.2895334222.000000001D511000.00000004.00000020.00020000.00000000.sdmp, pYJeC4VJbw.exe, 00000000.00000002.2903359635.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE x(type TEXT,schema TEXT,name TEXT,wr INT,subprog TEXT,stmt HIDDEN);
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr	Binary or memory string: SELECT DISTINCT %s FROM %s where id=$ID LIMIT 1;

Source: pYJeC4VJbw.exe	ReversingLabs: Detection: 65%
Source: pYJeC4VJbw.exe	Virustotal: Detection: 46%

Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Section loaded: msvcr100.dll	Jump to behavior
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Section loaded: mozglue.dll	Jump to behavior
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Section loaded: msvcp140.dll	Jump to behavior

Source: C:\Users\user\Desktop\pYJeC4VJbw.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\pYJeC4VJbw.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Jump to behavior

Source:	Binary string: mozglue.pdbP source: pYJeC4VJbw.exe, 00000000.00000002.2903578339.000000006D00D000.00000002.00000001.01000000.00000008.sdmp, mozglue[1].dll.0.dr, mozglue.dll.0.dr
Source:	Binary string: freebl3.pdb source: freebl3[1].dll.0.dr, freebl3.dll.0.dr
Source:	Binary string: freebl3.pdbp source: freebl3[1].dll.0.dr, freebl3.dll.0.dr
Source:	Binary string: nss3.pdb@ source: pYJeC4VJbw.exe, 00000000.00000002.2903802204.000000006D1CF000.00000002.00000001.01000000.00000007.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr
Source:	Binary string: softokn3.pdb@ source: softokn3[1].dll.0.dr, softokn3.dll.0.dr
Source:	Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: vcruntime140.dll.0.dr, vcruntime140[1].dll.0.dr
Source:	Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdb source: msvcp140[1].dll.0.dr, msvcp140.dll.0.dr
Source:	Binary string: nss3.pdb source: pYJeC4VJbw.exe, 00000000.00000002.2903802204.000000006D1CF000.00000002.00000001.01000000.00000007.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr
Source:	Binary string: mozglue.pdb source: pYJeC4VJbw.exe, 00000000.00000002.2903578339.000000006D00D000.00000002.00000001.01000000.00000008.sdmp, mozglue[1].dll.0.dr, mozglue.dll.0.dr
Source:	Binary string: softokn3.pdb source: softokn3[1].dll.0.dr, softokn3.dll.0.dr

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\pYJeC4VJbw.exe

Unpacked PE file: 0.2.pYJeC4VJbw.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:EW;.rdata:R;.data:W;.reloc:R;

Detected unpacking (overwrites its own PE header)

Source: C:\Users\user\Desktop\pYJeC4VJbw.exe

Unpacked PE file: 0.2.pYJeC4VJbw.exe.400000.0.unpack

Contains functionality to dynamically determine API calls

Source: C:\Users\user\Desktop\pYJeC4VJbw.exe

Code function: 0_2_00416240 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_00416240

PE file contains sections with non-standard names

Source: softokn3.dll.0.dr	Static PE information: section name: .00cfg
Source: softokn3[1].dll.0.dr	Static PE information: section name: .00cfg
Source: freebl3.dll.0.dr	Static PE information: section name: .00cfg
Source: freebl3[1].dll.0.dr	Static PE information: section name: .00cfg
Source: mozglue.dll.0.dr	Static PE information: section name: .00cfg
Source: mozglue[1].dll.0.dr	Static PE information: section name: .00cfg
Source: msvcp140.dll.0.dr	Static PE information: section name: .didat
Source: msvcp140[1].dll.0.dr	Static PE information: section name: .didat
Source: nss3.dll.0.dr	Static PE information: section name: .00cfg
Source: nss3[1].dll.0.dr	Static PE information: section name: .00cfg

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Code function: 0_2_004176C5 push ecx; ret		0_2_004176D8
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Code function: 0_2_6CFCB536 push ecx; ret		0_2_6CFCB549

Drops PE files

Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	File created: C:\ProgramData\mozglue.dll	Jump to dropped file
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	File created: C:\ProgramData\nss3.dll	Jump to dropped file
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\mozglue[1].dll	Jump to dropped file
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\nss3[1].dll	Jump to dropped file
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	File created: C:\ProgramData\msvcp140.dll	Jump to dropped file
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\msvcp140[1].dll	Jump to dropped file
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\vcruntime140[1].dll	Jump to dropped file
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	File created: C:\ProgramData\freebl3.dll	Jump to dropped file
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\freebl3[1].dll	Jump to dropped file
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	File created: C:\ProgramData\vcruntime140.dll	Jump to dropped file
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	File created: C:\ProgramData\softokn3.dll	Jump to dropped file
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\softokn3[1].dll	Jump to dropped file

Drops PE files to the application program directory (C:\ProgramData)

Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	File created: C:\ProgramData\mozglue.dll	Jump to dropped file
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	File created: C:\ProgramData\nss3.dll	Jump to dropped file
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	File created: C:\ProgramData\msvcp140.dll	Jump to dropped file
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	File created: C:\ProgramData\freebl3.dll	Jump to dropped file
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	File created: C:\ProgramData\vcruntime140.dll	Jump to dropped file
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	File created: C:\ProgramData\softokn3.dll	Jump to dropped file

Extensive use of GetProcAddress (often used to hide API calls)

Source: C:\Users\user\Desktop\pYJeC4VJbw.exe

0_2_00416240

Malware Analysis System Evasion

Found evasive API chain (may stop execution after checking locale)

Source: C:\Users\user\Desktop\pYJeC4VJbw.exe

Evasive API call chain: GetUserDefaultLangID, ExitProcess

Found dropped PE file which has not been started or loaded

Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Dropped PE file which has not been started: C:\ProgramData\nss3.dll	Jump to dropped file
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\mozglue[1].dll	Jump to dropped file
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\nss3[1].dll	Jump to dropped file
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\msvcp140[1].dll	Jump to dropped file
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\vcruntime140[1].dll	Jump to dropped file
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Dropped PE file which has not been started: C:\ProgramData\freebl3.dll	Jump to dropped file
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\freebl3[1].dll	Jump to dropped file
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\softokn3[1].dll	Jump to dropped file
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Dropped PE file which has not been started: C:\ProgramData\softokn3.dll	Jump to dropped file

Found large amount of non-executed APIs

Source: C:\Users\user\Desktop\pYJeC4VJbw.exe

API coverage: 4.8 %

Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Code function: 0_2_0040D1C0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,	0_2_0040D1C0
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Code function: 0_2_004015C0 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	0_2_004015C0
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Code function: 0_2_00411650 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose,	0_2_00411650
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Code function: 0_2_0040B610 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose,	0_2_0040B610
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Code function: 0_2_0040DB60 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA,	0_2_0040DB60
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Code function: 0_2_0040D540 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	0_2_0040D540
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Code function: 0_2_00412570 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	0_2_00412570
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Code function: 0_2_004121F0 GetProcessHeap,HeapAlloc,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen,	0_2_004121F0
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Code function: 0_2_00411B80 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose,	0_2_00411B80

Source: C:\Users\user\Desktop\pYJeC4VJbw.exe

Code function: 0_2_00401120 GetSystemInfo,ExitProcess,

0_2_00401120

Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\	Jump to behavior
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\	Jump to behavior
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\	Jump to behavior
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\	Jump to behavior
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\	Jump to behavior
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\	Jump to behavior

Source: pYJeC4VJbw.exe, 00000000.00000002.2884861560.0000000002DD5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWX
Source: pYJeC4VJbw.exe, 00000000.00000002.2884824643.0000000002DBB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMwareVMware
Source: pYJeC4VJbw.exe, 00000000.00000002.2884861560.0000000002E26000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW

Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	API call chain: ExitProcess graph end node

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Source: C:\Users\user\Desktop\pYJeC4VJbw.exe

Code function: 0_2_00417B4E IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

0_2_00417B4E

Contains functionality to dynamically determine API calls

Source: C:\Users\user\Desktop\pYJeC4VJbw.exe

0_2_00416240

Contains functionality to read the PEB

Source: C:\Users\user\Desktop\pYJeC4VJbw.exe

Code function: 0_2_00415DC0 mov eax, dword ptr fs:[00000030h]

0_2_00415DC0

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Source: C:\Users\user\Desktop\pYJeC4VJbw.exe

Code function: 0_2_00404C70 GetProcessHeap,RtlAllocateHeap,InternetOpenA,InternetOpenUrlA,InternetReadFile,InternetCloseHandle,InternetCloseHandle,

0_2_00404C70

Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Code function: 0_2_00419DC7 SetUnhandledExceptionFilter,	0_2_00419DC7
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Code function: 0_2_00417B4E IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00417B4E
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Code function: 0_2_004173DD memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_004173DD
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Code function: 0_2_6CFCB66C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_6CFCB66C
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Code function: 0_2_6CFCB1F7 IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_6CFCB1F7
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Code function: 0_2_6D17AC62 IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_6D17AC62

HIPS / PFW / Operating System Protection Evasion

Searches for specific processes (likely to inject)

Source: C:\Users\user\Desktop\pYJeC4VJbw.exe

Code function: 0_2_00415D00 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle,

0_2_00415D00

Contains functionality to query CPU information (cpuid)

Source: C:\Users\user\Desktop\pYJeC4VJbw.exe

Code function: 0_2_6CFCB341 cpuid

0_2_6CFCB341

Contains functionality to query locales information (e.g. system language)

Source: C:\Users\user\Desktop\pYJeC4VJbw.exe

Code function: GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,

0_2_00414570

Queries information about the installed CPU (vendor, model number etc)

Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0			Jump to behavior
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0			Jump to behavior

Queries the volume information (name, serial number etc) of a device

Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior

Source: C:\Users\user\Desktop\pYJeC4VJbw.exe

Code function: 0_2_00414450 GetProcessHeap,HeapAlloc,GetLocalTime,wsprintfA,

0_2_00414450

Source: C:\Users\user\Desktop\pYJeC4VJbw.exe

Code function: 0_2_004143C0 GetProcessHeap,HeapAlloc,GetUserNameA,

0_2_004143C0

Source: C:\Users\user\Desktop\pYJeC4VJbw.exe

Code function: 0_2_004144B0 GetProcessHeap,HeapAlloc,GetTimeZoneInformation,wsprintfA,

0_2_004144B0

Stealing of Sensitive Information

Yara detected Mars stealer

Source: Yara match	File source: 0.2.pYJeC4VJbw.exe.2c80e67.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.pYJeC4VJbw.exe.2c80e67.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.pYJeC4VJbw.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.pYJeC4VJbw.exe.2cc0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.pYJeC4VJbw.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.pYJeC4VJbw.exe.2cc0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2884642591.0000000002C80000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2489810753.0000000002CC0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2882938021.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY

Yara detected Stealc

Source: Yara match	File source: 00000000.00000002.2884861560.0000000002DD5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: pYJeC4VJbw.exe PID: 6936, type: MEMORYSTR
Source: Yara match	File source: sslproxydump.pcap, type: PCAP

Yara detected Vidar stealer

Source: Yara match	File source: 0.2.pYJeC4VJbw.exe.2c80e67.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.pYJeC4VJbw.exe.2c80e67.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.pYJeC4VJbw.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.pYJeC4VJbw.exe.2cc0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.pYJeC4VJbw.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.pYJeC4VJbw.exe.2cc0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2884642591.0000000002C80000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2489810753.0000000002CC0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2882938021.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: pYJeC4VJbw.exe PID: 6936, type: MEMORYSTR

Found many strings related to Crypto-Wallets (likely being stolen)

Source: pYJeC4VJbw.exe, 00000000.00000002.2882938021.0000000000549000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: ite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: pYJeC4VJbw.exe, 00000000.00000002.2882938021.0000000000549000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: ite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: pYJeC4VJbw.exe, 00000000.00000002.2882938021.0000000000549000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: ite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: pYJeC4VJbw.exe, 00000000.00000002.2882938021.0000000000549000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: ite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: pYJeC4VJbw.exe, 00000000.00000002.2882938021.0000000000549000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: ite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: pYJeC4VJbw.exe, 00000000.00000002.2882938021.0000000000549000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: ite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: pYJeC4VJbw.exe, 00000000.00000002.2882938021.0000000000549000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: ite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: pYJeC4VJbw.exe, 00000000.00000002.2882938021.0000000000549000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: ite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: pYJeC4VJbw.exe, 00000000.00000002.2882938021.0000000000549000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: ite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: pYJeC4VJbw.exe, 00000000.00000002.2882938021.0000000000549000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: ite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: pYJeC4VJbw.exe, 00000000.00000002.2882938021.0000000000549000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: ite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: pYJeC4VJbw.exe, 00000000.00000002.2882938021.0000000000549000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: ite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: pYJeC4VJbw.exe, 00000000.00000002.2882938021.0000000000549000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: ite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: pYJeC4VJbw.exe, 00000000.00000002.2884861560.0000000002E26000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Binance\.finger-print.fp
Source: pYJeC4VJbw.exe, 00000000.00000002.2882938021.0000000000549000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: ite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: pYJeC4VJbw.exe, 00000000.00000002.2882938021.0000000000549000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: ite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: pYJeC4VJbw.exe, 00000000.00000002.2882938021.0000000000549000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: ite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: pYJeC4VJbw.exe, 00000000.00000002.2882938021.0000000000549000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: ite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: pYJeC4VJbw.exe, 00000000.00000002.2882938021.0000000000549000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: ite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: pYJeC4VJbw.exe, 00000000.00000002.2882938021.0000000000549000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: ite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: pYJeC4VJbw.exe, 00000000.00000002.2882938021.0000000000549000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: ite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: pYJeC4VJbw.exe, 00000000.00000002.2882938021.0000000000549000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: ite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: pYJeC4VJbw.exe, 00000000.00000002.2895207403.000000001D4F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Ledger Live\Local Storage\leveldb\.

Tries to harvest and steal Bitcoin Wallet information

Source: C:\Users\user\Desktop\pYJeC4VJbw.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\monero-project\monero-core

Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite-wal	Jump to behavior
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite-shm	Jump to behavior
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite-shm	Jump to behavior
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite-wal	Jump to behavior
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\Desktop\pYJeC4VJbw.exe

File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml

Jump to behavior

Tries to steal Crypto Currency Wallets

Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets\	Jump to behavior
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\	Jump to behavior
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\	Jump to behavior
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\	Jump to behavior
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\	Jump to behavior
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\	Jump to behavior
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\	Jump to behavior
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\	Jump to behavior
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	File opened: C:\Users\user\AppData\Roaming\ElectronCash\wallets\	Jump to behavior
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	File opened: C:\Users\user\AppData\Roaming\MultiDoge\	Jump to behavior
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	File opened: C:\Users\user\AppData\Roaming\jaxx\Local Storage\	Jump to behavior
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\	Jump to behavior
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb\	Jump to behavior
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	File opened: C:\Users\user\AppData\Roaming\Binance\	Jump to behavior
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	File opened: C:\Users\user\AppData\Roaming\Coinomi\Coinomi\wallets\	Jump to behavior
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live\Local Storage\leveldb\	Jump to behavior
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live\	Jump to behavior
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live\Session Storage\	Jump to behavior
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	File opened: C:\Users\user\AppData\Roaming\atomic_qt\config\	Jump to behavior
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	File opened: C:\Users\user\AppData\Roaming\atomic_qt\exports\	Jump to behavior
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\	Jump to behavior
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\Local Storage\leveldb\	Jump to behavior

Yara detected Credential Stealer

Source: Yara match

File source: Process Memory Space: pYJeC4VJbw.exe PID: 6936, type: MEMORYSTR

Remote Access Functionality

Yara detected Mars stealer

Source: Yara match	File source: 0.2.pYJeC4VJbw.exe.2c80e67.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.pYJeC4VJbw.exe.2c80e67.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.pYJeC4VJbw.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.pYJeC4VJbw.exe.2cc0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.pYJeC4VJbw.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.pYJeC4VJbw.exe.2cc0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2884642591.0000000002C80000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2489810753.0000000002CC0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2882938021.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY

Yara detected Stealc

Source: Yara match	File source: 00000000.00000002.2884861560.0000000002DD5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: pYJeC4VJbw.exe PID: 6936, type: MEMORYSTR
Source: Yara match	File source: sslproxydump.pcap, type: PCAP

Yara detected Vidar stealer

Source: Yara match	File source: 0.2.pYJeC4VJbw.exe.2c80e67.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.pYJeC4VJbw.exe.2c80e67.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.pYJeC4VJbw.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.pYJeC4VJbw.exe.2cc0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.pYJeC4VJbw.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.pYJeC4VJbw.exe.2cc0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2884642591.0000000002C80000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2489810753.0000000002CC0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2882938021.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: pYJeC4VJbw.exe PID: 6936, type: MEMORYSTR

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Code function: 0_2_6D180D60 sqlite3_bind_parameter_name,	0_2_6D180D60
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Code function: 0_2_6D180C40 sqlite3_bind_zeroblob,	0_2_6D180C40
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Code function: 0_2_6D0A8EA0 sqlite3_clear_bindings,	0_2_6D0A8EA0
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Code function: 0_2_6D180B40 sqlite3_bind_value,sqlite3_bind_int64,sqlite3_bind_double,sqlite3_bind_zeroblob,	0_2_6D180B40

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Contacted Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
168.119.248.46	shaffatta.com	Germany		24940	HETZNER-ASDE	false

Contacted Domains

Name	IP	Active
shaffatta.com	168.119.248.46	true

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://shaffatta.com/fdca69ae739b4897.php	false	12%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://shaffatta.com/d32e011d2eaa85a0/mozglue.dll	true	0%, Virustotal, Browse Avira URL Cloud: malware	unknown
https://shaffatta.com/d32e011d2eaa85a0/msvcp140.dll	false	12%, Virustotal, Browse Avira URL Cloud: malware	unknown
https://shaffatta.com/d32e011d2eaa85a0/nss3.dll	false	0%, Virustotal, Browse Avira URL Cloud: malware	unknown
https://shaffatta.com/d32e011d2eaa85a0/freebl3.dll	false	7%, Virustotal, Browse Avira URL Cloud: malware	unknown
https://shaffatta.com/d32e011d2eaa85a0/sqlite3.dll	false	0%, Virustotal, Browse Avira URL Cloud: malware	unknown
https://shaffatta.com/d32e011d2eaa85a0/vcruntime140.dll	false	7%, Virustotal, Browse Avira URL Cloud: malware	unknown
https://shaffatta.com/d32e011d2eaa85a0/softokn3.dll	false	Avira URL Cloud: malware	unknown

AV Detection

Antivirus detection for URL or domain

Source: https://shaffatta.com/d32e011d2eaa85a0/mozglue.dll	Avira URL Cloud: Label: malware
Source: https://shaffatta.com/d32e011d2eaa85a0/msvcp140.dll	Avira URL Cloud: Label: malware
Source: https://shaffatta.com/d32e011d2eaa85a0/nss3.dll	Avira URL Cloud: Label: malware
Source: https://shaffatta.com/d32e011d2eaa85a0/freebl3.dll	Avira URL Cloud: Label: malware
Source: https://shaffatta.com/d32e011d2eaa85a0/sqlite3.dll	Avira URL Cloud: Label: malware
Source: https://shaffatta.com/d32e011d2eaa85a0/vcruntime140.dll	Avira URL Cloud: Label: malware
Source: https://shaffatta.com/d32e011d2eaa85a0/softokn3.dll	Avira URL Cloud: Label: malware

Multi AV Scanner detection for domain / URL

Source: https://shaffatta.com/D	Virustotal: Detection: 8%	Perma Link
Source: https://shaffatta.com/fdca69ae739b4897.php	Virustotal: Detection: 11%	Perma Link
Source: https://shaffatta.com/d32e011d2eaa85a0/msvcp140.dll	Virustotal: Detection: 11%	Perma Link
Source: https://shaffatta.com/fdca69ae739b4897.php&	Virustotal: Detection: 8%	Perma Link
Source: https://shaffatta.com/5	Virustotal: Detection: 10%	Perma Link
Source: https://shaffatta.com/d32e011d2eaa85a0/freebl3.dll	Virustotal: Detection: 6%	Perma Link
Source: https://shaffatta.com/fdca69ae739b4897.phpa	Virustotal: Detection: 8%	Perma Link
Source: https://shaffatta.com/d32e011d2eaa85a0/msvcp140.dlll	Virustotal: Detection: 11%	Perma Link
Source: https://shaffatta.com/d32e011d2eaa85a0/vcruntime140.dll	Virustotal: Detection: 6%	Perma Link

Multi AV Scanner detection for submitted file

Source: pYJeC4VJbw.exe	ReversingLabs: Detection: 65%
Source: pYJeC4VJbw.exe	Virustotal: Detection: 46%			Perma Link

Machine Learning detection for sample

Source: pYJeC4VJbw.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 0.2.pYJeC4VJbw.exe.400000.0.raw.unpack	String decryptor: CtIvEWInDoW
Source: 0.2.pYJeC4VJbw.exe.400000.0.raw.unpack	String decryptor: AgEBOxw
Source: 0.2.pYJeC4VJbw.exe.400000.0.raw.unpack	String decryptor: ijklmnopqrs
Source: 0.2.pYJeC4VJbw.exe.400000.0.raw.unpack	String decryptor: /#%33@@@
Source: 0.2.pYJeC4VJbw.exe.400000.0.raw.unpack	String decryptor: abcdefghijklmnopqrs
Source: 0.2.pYJeC4VJbw.exe.400000.0.raw.unpack	String decryptor: @@@@<@@@
Source: 0.2.pYJeC4VJbw.exe.400000.0.raw.unpack	String decryptor: abcdefghijklmnopqrs
Source: 0.2.pYJeC4VJbw.exe.400000.0.raw.unpack	String decryptor: "&&""..""&&"">>""&&"".."ikSQWQSQ_QBEklmn^pqrBtuvFxyzL123H5679+/\|
Source: 0.2.pYJeC4VJbw.exe.400000.0.raw.unpack	String decryptor: %s\%V/yVs
Source: 0.2.pYJeC4VJbw.exe.400000.0.raw.unpack	String decryptor: %s\*.
Source: 0.2.pYJeC4VJbw.exe.400000.0.raw.unpack	String decryptor: }567y9n/S
Source: 0.2.pYJeC4VJbw.exe.400000.0.raw.unpack	String decryptor: ntTekeny
Source: 0.2.pYJeC4VJbw.exe.400000.0.raw.unpack	String decryptor: ging
Source: 0.2.pYJeC4VJbw.exe.400000.0.raw.unpack	String decryptor: PassMord0
Source: 0.2.pYJeC4VJbw.exe.400000.0.raw.unpack	String decryptor: J@@@`z`@J@@@J@@@
Source: 0.2.pYJeC4VJbw.exe.400000.0.raw.unpack	String decryptor: OPQRSTUVWXY
Source: 0.2.pYJeC4VJbw.exe.400000.0.raw.unpack	String decryptor: 456753+/---- '
Source: 0.2.pYJeC4VJbw.exe.400000.0.raw.unpack	String decryptor: '--- '
Source: 0.2.pYJeC4VJbw.exe.400000.0.raw.unpack	String decryptor: deh0Q
Source: 0.2.pYJeC4VJbw.exe.400000.0.raw.unpack	String decryptor: HeapFree
Source: 0.2.pYJeC4VJbw.exe.400000.0.raw.unpack	String decryptor: GetLocaleInfoA
Source: 0.2.pYJeC4VJbw.exe.400000.0.raw.unpack	String decryptor: ntProcessId
Source: 0.2.pYJeC4VJbw.exe.400000.0.raw.unpack	String decryptor: wininet.dll
Source: 0.2.pYJeC4VJbw.exe.400000.0.raw.unpack	String decryptor: shlwapi.dll
Source: 0.2.pYJeC4VJbw.exe.400000.0.raw.unpack	String decryptor: shell32.dll
Source: 0.2.pYJeC4VJbw.exe.400000.0.raw.unpack	String decryptor: .dll
Source: 0.2.pYJeC4VJbw.exe.400000.0.raw.unpack	String decryptor: column_text
Source: 0.2.pYJeC4VJbw.exe.400000.0.raw.unpack	String decryptor: login:

Uses Microsoft's Enhanced Cryptographic Provider

Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Code function: 0_2_00409540 CryptUnprotectData,LocalAlloc,LocalFree,	0_2_00409540
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Code function: 0_2_00406C10 GetProcessHeap,HeapAlloc,CryptUnprotectData,WideCharToMultiByte,LocalFree,	0_2_00406C10
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Code function: 0_2_004094A0 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,	0_2_004094A0
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Code function: 0_2_004155A0 CryptBinaryToStringA,GetProcessHeap,HeapAlloc,CryptBinaryToStringA,	0_2_004155A0
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Code function: 0_2_0040BF90 memset,lstrlen,CryptStringToBinaryA,PK11_GetInternalKeySlot,PK11_Authenticate,PK11SDR_Decrypt,memcpy,lstrcat,lstrcat,PK11_FreeSlot,lstrcat,	0_2_0040BF90
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Code function: 0_2_6CFA6C80 CryptQueryObject,CryptMsgGetParam,moz_xmalloc,memset,CryptMsgGetParam,CertFindCertificateInStore,free,CertGetNameStringW,moz_xmalloc,memset,CertGetNameStringW,CertFreeCertificateContext,CryptMsgClose,CertCloseStore,CreateFileW,moz_xmalloc,memset,memset,CryptQueryObject,free,CloseHandle,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,memset,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerifyVersionInfoW,moz_xmalloc,memset,GetLastError,moz_xmalloc,memset,CryptBinaryToStringW,_wcsupr_s,free,GetLastError,memset,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerifyVersionInfoW,__Init_thread_footer,__Init_thread_footer,	0_2_6CFA6C80
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Code function: 0_2_6D0FA9A0 PK11SDR_Decrypt,PORT_NewArena_Util,SEC_QuickDERDecodeItem_Util,PORT_FreeArena_Util,SECITEM_ZfreeItem_Util,PK11_GetInternalKeySlot,PK11_Authenticate,PORT_FreeArena_Util,PK11_ListFixedKeysInSlot,SECITEM_ZfreeItem_Util,PK11_FreeSymKey,PK11_FreeSymKey,PORT_FreeArena_Util,PK11_FreeSymKey,SECITEM_ZfreeItem_Util,	0_2_6D0FA9A0

Compliance

Detected unpacking (overwrites its own PE header)

Source: C:\Users\user\Desktop\pYJeC4VJbw.exe

Unpacked PE file: 0.2.pYJeC4VJbw.exe.400000.0.unpack

Uses 32bit PE files

Source: pYJeC4VJbw.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Users\user\Desktop\pYJeC4VJbw.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Jump to behavior

Source: unknown

HTTPS traffic detected: 168.119.248.46:443 -> 192.168.2.4:49737 version: TLS 1.2

Source:	Binary string: mozglue.pdbP source: pYJeC4VJbw.exe, 00000000.00000002.2903578339.000000006D00D000.00000002.00000001.01000000.00000008.sdmp, mozglue[1].dll.0.dr, mozglue.dll.0.dr
Source:	Binary string: freebl3.pdb source: freebl3[1].dll.0.dr, freebl3.dll.0.dr
Source:	Binary string: freebl3.pdbp source: freebl3[1].dll.0.dr, freebl3.dll.0.dr
Source:	Binary string: nss3.pdb@ source: pYJeC4VJbw.exe, 00000000.00000002.2903802204.000000006D1CF000.00000002.00000001.01000000.00000007.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr
Source:	Binary string: softokn3.pdb@ source: softokn3[1].dll.0.dr, softokn3.dll.0.dr
Source:	Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: vcruntime140.dll.0.dr, vcruntime140[1].dll.0.dr
Source:	Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdb source: msvcp140[1].dll.0.dr, msvcp140.dll.0.dr
Source:	Binary string: nss3.pdb source: pYJeC4VJbw.exe, 00000000.00000002.2903802204.000000006D1CF000.00000002.00000001.01000000.00000007.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr
Source:	Binary string: mozglue.pdb source: pYJeC4VJbw.exe, 00000000.00000002.2903578339.000000006D00D000.00000002.00000001.01000000.00000008.sdmp, mozglue[1].dll.0.dr, mozglue.dll.0.dr
Source:	Binary string: softokn3.pdb source: softokn3[1].dll.0.dr, softokn3.dll.0.dr

Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Code function: 0_2_0040D1C0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,	0_2_0040D1C0
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Code function: 0_2_004015C0 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	0_2_004015C0
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Code function: 0_2_00411650 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose,	0_2_00411650
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Code function: 0_2_0040B610 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose,	0_2_0040B610
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Code function: 0_2_0040DB60 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA,	0_2_0040DB60
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Code function: 0_2_0040D540 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	0_2_0040D540
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Code function: 0_2_00412570 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	0_2_00412570
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Code function: 0_2_004121F0 GetProcessHeap,HeapAlloc,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen,	0_2_004121F0
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Code function: 0_2_00411B80 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose,	0_2_00411B80

Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\	Jump to behavior
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\	Jump to behavior
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\	Jump to behavior
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\	Jump to behavior
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\	Jump to behavior
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\	Jump to behavior

HTTP GET or POST without a user agent

Source: global traffic	HTTP traffic detected: POST /fdca69ae739b4897.php HTTP/1.1Content-Type: multipart/form-data; boundary=----CFIECFIJDAAKEBGCGHIEHost: shaffatta.comContent-Length: 216Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /fdca69ae739b4897.php HTTP/1.1Content-Type: multipart/form-data; boundary=----GDBKKFHIEGDHJKECAAKKHost: shaffatta.comContent-Length: 268Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /fdca69ae739b4897.php HTTP/1.1Content-Type: multipart/form-data; boundary=----BFHDAEHDAKECGCAKFCFIHost: shaffatta.comContent-Length: 267Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /fdca69ae739b4897.php HTTP/1.1Content-Type: multipart/form-data; boundary=----CBKJEGCBKKJECBGCGDBAHost: shaffatta.comContent-Length: 6691Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /d32e011d2eaa85a0/sqlite3.dll HTTP/1.1Host: shaffatta.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /fdca69ae739b4897.php HTTP/1.1Content-Type: multipart/form-data; boundary=----CAAAAFBKFIECAAKECGCAHost: shaffatta.comContent-Length: 4599Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /fdca69ae739b4897.php HTTP/1.1Content-Type: multipart/form-data; boundary=----IJDBKKJKJEBFBGCBAAFIHost: shaffatta.comContent-Length: 1451Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /fdca69ae739b4897.php HTTP/1.1Content-Type: multipart/form-data; boundary=----DAAAFBKECAKEHIEBAFIEHost: shaffatta.comContent-Length: 359Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /fdca69ae739b4897.php HTTP/1.1Content-Type: multipart/form-data; boundary=----HIIIDAKKJJJKKECAKKJEHost: shaffatta.comContent-Length: 359Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /d32e011d2eaa85a0/freebl3.dll HTTP/1.1Host: shaffatta.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /d32e011d2eaa85a0/mozglue.dll HTTP/1.1Host: shaffatta.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /d32e011d2eaa85a0/msvcp140.dll HTTP/1.1Host: shaffatta.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /d32e011d2eaa85a0/nss3.dll HTTP/1.1Host: shaffatta.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /d32e011d2eaa85a0/softokn3.dll HTTP/1.1Host: shaffatta.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /d32e011d2eaa85a0/vcruntime140.dll HTTP/1.1Host: shaffatta.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /fdca69ae739b4897.php HTTP/1.1Content-Type: multipart/form-data; boundary=----AAEGHJKJKKJDHIDHJKJDHost: shaffatta.comContent-Length: 1067Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /fdca69ae739b4897.php HTTP/1.1Content-Type: multipart/form-data; boundary=----ECAKECAEGDHIECBGHIIIHost: shaffatta.comContent-Length: 267Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /fdca69ae739b4897.php HTTP/1.1Content-Type: multipart/form-data; boundary=----DHJDAKEGDBFHCAAKJJJDHost: shaffatta.comContent-Length: 265Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /fdca69ae739b4897.php HTTP/1.1Content-Type: multipart/form-data; boundary=----AFHIEBKKFHIEGCAKECGHHost: shaffatta.comContent-Length: 1759Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /fdca69ae739b4897.php HTTP/1.1Content-Type: multipart/form-data; boundary=----KKKEBKJJDGHCBGCAAKEHHost: shaffatta.comContent-Length: 1743Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /fdca69ae739b4897.php HTTP/1.1Content-Type: multipart/form-data; boundary=----AFHIEBKKFHIEGCAKECGHHost: shaffatta.comContent-Length: 1759Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /fdca69ae739b4897.php HTTP/1.1Content-Type: multipart/form-data; boundary=----JKFIDGDHJEGIEBFHDGDGHost: shaffatta.comContent-Length: 1743Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /fdca69ae739b4897.php HTTP/1.1Content-Type: multipart/form-data; boundary=----ECGDBAEHIJKKFHIEGCBGHost: shaffatta.comContent-Length: 1759Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /fdca69ae739b4897.php HTTP/1.1Content-Type: multipart/form-data; boundary=----ECBAEBGHDAECBGDGCAKEHost: shaffatta.comContent-Length: 1743Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /fdca69ae739b4897.php HTTP/1.1Content-Type: multipart/form-data; boundary=----JJEGCBGIDHCAKEBGIIDBHost: shaffatta.comContent-Length: 1759Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /fdca69ae739b4897.php HTTP/1.1Content-Type: multipart/form-data; boundary=----JJKFBAKFBGDHIEBGDAKFHost: shaffatta.comContent-Length: 1743Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /fdca69ae739b4897.php HTTP/1.1Content-Type: multipart/form-data; boundary=----HIIIDAKKJJJKKECAKKJEHost: shaffatta.comContent-Length: 1759Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /fdca69ae739b4897.php HTTP/1.1Content-Type: multipart/form-data; boundary=----IJKJJKFHIJKKFHJJECBAHost: shaffatta.comContent-Length: 1743Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /fdca69ae739b4897.php HTTP/1.1Content-Type: multipart/form-data; boundary=----CFHCGHJDBFIIDGDHIJDBHost: shaffatta.comContent-Length: 1759Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /fdca69ae739b4897.php HTTP/1.1Content-Type: multipart/form-data; boundary=----DBFIEHDHIIIECAAKECFHHost: shaffatta.comContent-Length: 1743Connection: Keep-AliveCache-Control: no-cache

JA3 SSL client fingerprint seen in connection with other malware

Source: Joe Sandbox View

JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\Desktop\pYJeC4VJbw.exe

Code function: 0_2_00404C70 GetProcessHeap,RtlAllocateHeap,InternetOpenA,InternetOpenUrlA,InternetReadFile,InternetCloseHandle,InternetCloseHandle,

0_2_00404C70

Source: global traffic	HTTP traffic detected: GET /d32e011d2eaa85a0/sqlite3.dll HTTP/1.1Host: shaffatta.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /d32e011d2eaa85a0/freebl3.dll HTTP/1.1Host: shaffatta.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /d32e011d2eaa85a0/mozglue.dll HTTP/1.1Host: shaffatta.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /d32e011d2eaa85a0/msvcp140.dll HTTP/1.1Host: shaffatta.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /d32e011d2eaa85a0/nss3.dll HTTP/1.1Host: shaffatta.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /d32e011d2eaa85a0/softokn3.dll HTTP/1.1Host: shaffatta.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /d32e011d2eaa85a0/vcruntime140.dll HTTP/1.1Host: shaffatta.comCache-Control: no-cache

Source: global traffic

DNS traffic detected: DNS query: shaffatta.com

Source: unknown

Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr	String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl07
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr	String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0K
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr	String found in binary or memory: http://ocsp.digicert.com0
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr	String found in binary or memory: http://ocsp.digicert.com0A
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr	String found in binary or memory: http://ocsp.digicert.com0N
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr	String found in binary or memory: http://ocsp.digicert.com0X
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr	String found in binary or memory: http://www.digicert.com/CPS0
Source: pYJeC4VJbw.exe, pYJeC4VJbw.exe, 00000000.00000002.2903578339.000000006D00D000.00000002.00000001.01000000.00000008.sdmp, mozglue[1].dll.0.dr, mozglue.dll.0.dr	String found in binary or memory: http://www.mozilla.com/en-US/blocklist/
Source: pYJeC4VJbw.exe, 00000000.00000002.2903413122.0000000061ED3000.00000004.00001000.00020000.00000000.sdmp, pYJeC4VJbw.exe, 00000000.00000002.2895334222.000000001D511000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.sqlite.org/copyright.html.
Source: GIJKKKFC.0.dr	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: GIJKKKFC.0.dr	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: pYJeC4VJbw.exe, 00000000.00000002.2895207403.000000001D410000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ep
Source: pYJeC4VJbw.exe, 00000000.00000002.2895207403.000000001D410000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.epnacl
Source: pYJeC4VJbw.exe, 00000000.00000002.2895207403.000000001D410000.00000004.00000020.00020000.00000000.sdmp, GIJKKKFC.0.dr	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: pYJeC4VJbw.exe, 00000000.00000002.2895207403.000000001D410000.00000004.00000020.00020000.00000000.sdmp, GIJKKKFC.0.dr	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: GIJKKKFC.0.dr	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: GIJKKKFC.0.dr	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: GIJKKKFC.0.dr	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr	String found in binary or memory: https://mozilla.org0/
Source: pYJeC4VJbw.exe, 00000000.00000002.2884824643.0000000002DBB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://shaffatta.com
Source: pYJeC4VJbw.exe, 00000000.00000002.2895207403.000000001D410000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://shaffatta.com/
Source: pYJeC4VJbw.exe, 00000000.00000002.2884861560.0000000002E26000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://shaffatta.com/)
Source: pYJeC4VJbw.exe, 00000000.00000002.2895207403.000000001D410000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://shaffatta.com/1
Source: pYJeC4VJbw.exe, 00000000.00000002.2895207403.000000001D410000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://shaffatta.com/32e011d2eaa85a0/nss3.dll
Source: pYJeC4VJbw.exe, 00000000.00000002.2895207403.000000001D410000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://shaffatta.com/32e011d2eaa85a0/nss3.dllc
Source: pYJeC4VJbw.exe, 00000000.00000002.2884861560.0000000002E26000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://shaffatta.com/3r:
Source: pYJeC4VJbw.exe, 00000000.00000002.2895207403.000000001D410000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://shaffatta.com/5
Source: pYJeC4VJbw.exe, 00000000.00000003.2526693387.0000000002E3E000.00000004.00000020.00020000.00000000.sdmp, pYJeC4VJbw.exe, 00000000.00000003.2526535738.0000000002E3E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://shaffatta.com/8s/
Source: pYJeC4VJbw.exe, 00000000.00000002.2895207403.000000001D410000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://shaffatta.com/D
Source: pYJeC4VJbw.exe, 00000000.00000002.2895207403.000000001D410000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://shaffatta.com/GHCGHCBFHJJKKJEHJEHJEH
Source: pYJeC4VJbw.exe, 00000000.00000003.2526693387.0000000002E3E000.00000004.00000020.00020000.00000000.sdmp, pYJeC4VJbw.exe, 00000000.00000003.2526535738.0000000002E3E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://shaffatta.com/Hs
Source: pYJeC4VJbw.exe, 00000000.00000002.2895207403.000000001D410000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://shaffatta.com/JKEHDBGHIDHIEHDBAAFHJK
Source: pYJeC4VJbw.exe, 00000000.00000002.2895207403.000000001D410000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://shaffatta.com/amData
Source: pYJeC4VJbw.exe, 00000000.00000002.2884861560.0000000002E09000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://shaffatta.com/c
Source: pYJeC4VJbw.exe, 00000000.00000002.2884861560.0000000002E09000.00000004.00000020.00020000.00000000.sdmp, pYJeC4VJbw.exe, 00000000.00000002.2895207403.000000001D410000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://shaffatta.com/d32e011d2eaa85a0/freebl3.dll
Source: pYJeC4VJbw.exe, 00000000.00000002.2884861560.0000000002E09000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://shaffatta.com/d32e011d2eaa85a0/mozglue.dll
Source: pYJeC4VJbw.exe, 00000000.00000002.2895207403.000000001D4F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://shaffatta.com/d32e011d2eaa85a0/mozglue.dll)
Source: pYJeC4VJbw.exe, 00000000.00000002.2884861560.0000000002E09000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://shaffatta.com/d32e011d2eaa85a0/mozglue.dll8
Source: pYJeC4VJbw.exe, 00000000.00000002.2895207403.000000001D4FF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://shaffatta.com/d32e011d2eaa85a0/msvcp140.dll
Source: pYJeC4VJbw.exe, 00000000.00000002.2884861560.0000000002E09000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://shaffatta.com/d32e011d2eaa85a0/msvcp140.dlll
Source: pYJeC4VJbw.exe, 00000000.00000002.2895207403.000000001D410000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://shaffatta.com/d32e011d2eaa85a0/nss3.dlln
Source: pYJeC4VJbw.exe, 00000000.00000002.2895207403.000000001D410000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://shaffatta.com/d32e011d2eaa85a0/nss3.dllp
Source: pYJeC4VJbw.exe, 00000000.00000002.2895207403.000000001D4FF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://shaffatta.com/d32e011d2eaa85a0/softokn3.dllF
Source: pYJeC4VJbw.exe, 00000000.00000002.2895207403.000000001D4FF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://shaffatta.com/d32e011d2eaa85a0/softokn3.dllx
Source: pYJeC4VJbw.exe, 00000000.00000002.2884861560.0000000002E09000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://shaffatta.com/d32e011d2eaa85a0/sqlite3.dll
Source: pYJeC4VJbw.exe, 00000000.00000002.2884861560.0000000002E09000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://shaffatta.com/d32e011d2eaa85a0/sqlite3.dllH
Source: pYJeC4VJbw.exe, 00000000.00000002.2895207403.000000001D4FF000.00000004.00000020.00020000.00000000.sdmp, pYJeC4VJbw.exe, 00000000.00000002.2884861560.0000000002E26000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://shaffatta.com/d32e011d2eaa85a0/vcruntime140.dll
Source: pYJeC4VJbw.exe, 00000000.00000002.2895207403.000000001D410000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://shaffatta.com/es
Source: pYJeC4VJbw.exe, 00000000.00000002.2895207403.000000001D410000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://shaffatta.com/fatta.com/
Source: pYJeC4VJbw.exe, 00000000.00000002.2895207403.000000001D410000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://shaffatta.com/fatta.com/32e011d2eaa85a0/nss3.dllY
Source: pYJeC4VJbw.exe, 00000000.00000002.2895207403.000000001D410000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://shaffatta.com/fatta.com/d32e011d2eaa85a0/nss3.dll
Source: pYJeC4VJbw.exe, 00000000.00000002.2895207403.000000001D410000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://shaffatta.com/fatta.com/d32e011d2eaa85a0/nss3.dll/
Source: pYJeC4VJbw.exe, 00000000.00000002.2884861560.0000000002DD5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://shaffatta.com/fdca69ae739b4897.php
Source: pYJeC4VJbw.exe, 00000000.00000003.2526693387.0000000002E3E000.00000004.00000020.00020000.00000000.sdmp, pYJeC4VJbw.exe, 00000000.00000003.2526535738.0000000002E3E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://shaffatta.com/fdca69ae739b4897.php&
Source: pYJeC4VJbw.exe, 00000000.00000002.2884861560.0000000002E09000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://shaffatta.com/fdca69ae739b4897.php-
Source: pYJeC4VJbw.exe, 00000000.00000002.2884861560.0000000002E26000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://shaffatta.com/fdca69ae739b4897.php4r#
Source: pYJeC4VJbw.exe, 00000000.00000003.2526693387.0000000002E3E000.00000004.00000020.00020000.00000000.sdmp, pYJeC4VJbw.exe, 00000000.00000003.2526535738.0000000002E3E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://shaffatta.com/fdca69ae739b4897.php7s&
Source: pYJeC4VJbw.exe, 00000000.00000002.2884861560.0000000002E26000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://shaffatta.com/fdca69ae739b4897.php8s/
Source: pYJeC4VJbw.exe, 00000000.00000002.2884861560.0000000002E26000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://shaffatta.com/fdca69ae739b4897.phpCoinomi
Source: pYJeC4VJbw.exe, 00000000.00000002.2884861560.0000000002E26000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://shaffatta.com/fdca69ae739b4897.phpGs
Source: pYJeC4VJbw.exe, 00000000.00000003.2526693387.0000000002E3E000.00000004.00000020.00020000.00000000.sdmp, pYJeC4VJbw.exe, 00000000.00000003.2526535738.0000000002E3E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://shaffatta.com/fdca69ae739b4897.phpUs
Source: pYJeC4VJbw.exe, 00000000.00000002.2884861560.0000000002E26000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://shaffatta.com/fdca69ae739b4897.phpa
Source: pYJeC4VJbw.exe, 00000000.00000002.2884861560.0000000002E09000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://shaffatta.com/fdca69ae739b4897.phpi
Source: pYJeC4VJbw.exe, 00000000.00000002.2882938021.000000000044B000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: https://shaffatta.com/fdca69ae739b4897.phpiYW4qLCpjYXJkcyosKmJhbmtzKiwqY3Z2KiwqY3ZjKiwqYWNjb3VudCosK
Source: pYJeC4VJbw.exe, 00000000.00000002.2884861560.0000000002E26000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://shaffatta.com/fdca69ae739b4897.phpmple-storage.jsoncoOaY
Source: pYJeC4VJbw.exe, 00000000.00000002.2882938021.000000000044B000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: https://shaffatta.com/fdca69ae739b4897.phption:
Source: pYJeC4VJbw.exe, 00000000.00000003.2526693387.0000000002E3E000.00000004.00000020.00020000.00000000.sdmp, pYJeC4VJbw.exe, 00000000.00000003.2526535738.0000000002E3E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://shaffatta.com/fdca69ae739b4897.phpys
Source: pYJeC4VJbw.exe, 00000000.00000002.2895207403.000000001D410000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://shaffatta.com/ost:
Source: pYJeC4VJbw.exe, 00000000.00000002.2895207403.000000001D410000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://shaffatta.com/ozglue.dll
Source: pYJeC4VJbw.exe, 00000000.00000002.2884824643.0000000002DBB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://shaffatta.comC
Source: IDAKJKEHDBGHIDHIEHDBAAFHJK.0.dr	String found in binary or memory: https://support.mozilla.org
Source: IDAKJKEHDBGHIDHIEHDBAAFHJK.0.dr	String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: IDAKJKEHDBGHIDHIEHDBAAFHJK.0.dr	String found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.zvXrErQ5GYDF
Source: pYJeC4VJbw.exe, 00000000.00000003.2585700635.000000002349D000.00000004.00000020.00020000.00000000.sdmp, pYJeC4VJbw.exe, 00000000.00000002.2882938021.000000000044B000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016
Source: pYJeC4VJbw.exe, 00000000.00000002.2882938021.000000000044B000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016.exe
Source: pYJeC4VJbw.exe, 00000000.00000003.2585700635.000000002349D000.00000004.00000020.00020000.00000000.sdmp, pYJeC4VJbw.exe, 00000000.00000002.2882938021.000000000044B000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17
Source: pYJeC4VJbw.exe, 00000000.00000002.2882938021.000000000044B000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17chost.exe
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr	String found in binary or memory: https://www.digicert.com/CPS0
Source: pYJeC4VJbw.exe, 00000000.00000002.2895207403.000000001D410000.00000004.00000020.00020000.00000000.sdmp, GIJKKKFC.0.dr	String found in binary or memory: https://www.ecosia.org/newtab/
Source: GIJKKKFC.0.dr	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: IDAKJKEHDBGHIDHIEHDBAAFHJK.0.dr	String found in binary or memory: https://www.mozilla.org
Source: pYJeC4VJbw.exe, 00000000.00000002.2882938021.000000000044B000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: https://www.mozilla.org/about/
Source: IDAKJKEHDBGHIDHIEHDBAAFHJK.0.dr	String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.VsJpOAWrHqB2
Source: pYJeC4VJbw.exe, 00000000.00000002.2882938021.000000000044B000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/
Source: IDAKJKEHDBGHIDHIEHDBAAFHJK.0.dr	String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.n0g9CLHwD9nR
Source: pYJeC4VJbw.exe, 00000000.00000002.2882938021.000000000044B000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/
Source: pYJeC4VJbw.exe, 00000000.00000003.2715320097.00000000298F4000.00000004.00000020.00020000.00000000.sdmp, IDAKJKEHDBGHIDHIEHDBAAFHJK.0.dr	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: IDAKJKEHDBGHIDHIEHDBAAFHJK.0.dr	String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: pYJeC4VJbw.exe, 00000000.00000002.2882938021.000000000044B000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/
Source: pYJeC4VJbw.exe, 00000000.00000003.2715320097.00000000298F4000.00000004.00000020.00020000.00000000.sdmp, IDAKJKEHDBGHIDHIEHDBAAFHJK.0.dr	String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
Source: pYJeC4VJbw.exe, 00000000.00000002.2882938021.000000000044B000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/host.exe

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown	Network traffic detected: HTTP traffic on port 49766 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49762 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown	Network traffic detected: HTTP traffic on port 49759 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49753 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49767 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49763 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49752 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49739 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49756 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49767
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49766
Source: unknown	Network traffic detected: HTTP traffic on port 49758 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49765
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49764
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49763
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49762
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49761
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49760
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49760 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49764 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49751 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49759
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49758
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49757
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49755 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49756
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49755
Source: unknown	Network traffic detected: HTTP traffic on port 49757 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49754
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49753
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49752
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49751
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown	Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49761 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49765 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49750 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown	Network traffic detected: HTTP traffic on port 49754 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown	Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49746
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49745

Source: unknown

HTTPS traffic detected: 168.119.248.46:443 -> 192.168.2.4:49737 version: TLS 1.2

System Summary

Malicious sample detected (through community Yara rule)

Source: 00000000.00000002.2884642591.0000000002C80000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000000.00000002.2884797147.0000000002D97000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000000.00000002.2884177155.0000000002C00000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000000.00000002.2884841467.0000000002DC0000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown

Contains functionality to call native functions

Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Code function: 0_2_6CFBED10 malloc,NtFlushVirtualMemory,memset,memset,memset,memset,memset,memcpy,free,memset,memset,memcpy,memset,memset,memset,memset,memset,	0_2_6CFBED10
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Code function: 0_2_6CFFB700 NtQueryVirtualMemory,RtlNtStatusToDosError,RtlSetLastWin32Error,	0_2_6CFFB700
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Code function: 0_2_6CFFB8C0 rand_s,NtQueryVirtualMemory,	0_2_6CFFB8C0
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Code function: 0_2_6CFFB910 rand_s,NtQueryVirtualMemory,NtQueryVirtualMemory,RtlNtStatusToDosError,RtlSetLastWin32Error,GetLastError,	0_2_6CFFB910
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Code function: 0_2_6CF9F280 NtQueryVirtualMemory,GetProcAddress,NtQueryVirtualMemory,RtlNtStatusToDosError,RtlSetLastWin32Error,	0_2_6CF9F280

Detected potential crypto function

Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Code function: 0_2_6CFD6CF0	0_2_6CFD6CF0
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Code function: 0_2_6CF9D4E0	0_2_6CF9D4E0
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Code function: 0_2_6CFBD4D0	0_2_6CFBD4D0
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Code function: 0_2_6CFA64C0	0_2_6CFA64C0
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Code function: 0_2_6CFF34A0	0_2_6CFF34A0
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Code function: 0_2_6CFFC4A0	0_2_6CFFC4A0
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Code function: 0_2_6CFA6C80	0_2_6CFA6C80
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Code function: 0_2_6CFA5440	0_2_6CFA5440
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Code function: 0_2_6CFD5C10	0_2_6CFD5C10
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Code function: 0_2_6CFE2C10	0_2_6CFE2C10
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Code function: 0_2_6D00AC00	0_2_6D00AC00
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Code function: 0_2_6CFF85F0	0_2_6CFF85F0
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Code function: 0_2_6D00542B	0_2_6D00542B
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Code function: 0_2_6CFD0DD0	0_2_6CFD0DD0
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Code function: 0_2_6CF935A0	0_2_6CF935A0
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Code function: 0_2_6D00545C	0_2_6D00545C
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Code function: 0_2_6CFBED10	0_2_6CFBED10
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Code function: 0_2_6CFC0512	0_2_6CFC0512
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Code function: 0_2_6CFAFD00	0_2_6CFAFD00
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Code function: 0_2_6CF9BEF0	0_2_6CF9BEF0
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Code function: 0_2_6CFAFEF0	0_2_6CFAFEF0
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Code function: 0_2_6CFF4EA0	0_2_6CFF4EA0
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Code function: 0_2_6CFB5E90	0_2_6CFB5E90
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Code function: 0_2_6CFFE680	0_2_6CFFE680
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Code function: 0_2_6CF9C670	0_2_6CF9C670
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Code function: 0_2_6CFB9E50	0_2_6CFB9E50
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Code function: 0_2_6CFD3E50	0_2_6CFD3E50
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Code function: 0_2_6CFE2E4E	0_2_6CFE2E4E
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Code function: 0_2_6CFB4640	0_2_6CFB4640
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Code function: 0_2_6CFF9E30	0_2_6CFF9E30
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Code function: 0_2_6CFD7E10	0_2_6CFD7E10
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Code function: 0_2_6CFE5600	0_2_6CFE5600
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Code function: 0_2_6CFC6FF0	0_2_6CFC6FF0
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Code function: 0_2_6CF9DFE0	0_2_6CF9DFE0
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Code function: 0_2_6CFE77A0	0_2_6CFE77A0
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Code function: 0_2_6D006E63	0_2_6D006E63
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Code function: 0_2_6D0076E3	0_2_6D0076E3
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Code function: 0_2_6CFD7710	0_2_6CFD7710
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Code function: 0_2_6CFA9F00	0_2_6CFA9F00
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Code function: 0_2_6CFBC0E0	0_2_6CFBC0E0
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Code function: 0_2_6CFD58E0	0_2_6CFD58E0
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Code function: 0_2_6CFC60A0	0_2_6CFC60A0
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Code function: 0_2_6D00B170	0_2_6D00B170
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Code function: 0_2_6CFDF070	0_2_6CFDF070
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Code function: 0_2_6CFB8850	0_2_6CFB8850
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Code function: 0_2_6CFBD850	0_2_6CFBD850
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Code function: 0_2_6CFDB820	0_2_6CFDB820
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Code function: 0_2_6CFE4820	0_2_6CFE4820
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Code function: 0_2_6CFA7810	0_2_6CFA7810
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Code function: 0_2_6CFCD9B0	0_2_6CFCD9B0
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Code function: 0_2_6CF9C9A0	0_2_6CF9C9A0
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Code function: 0_2_6CFD5190	0_2_6CFD5190
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Code function: 0_2_6CFF2990	0_2_6CFF2990
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Code function: 0_2_6CFEB970	0_2_6CFEB970
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Code function: 0_2_6CFAD960	0_2_6CFAD960
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Code function: 0_2_6CFBA940	0_2_6CFBA940
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Code function: 0_2_6D0050C7	0_2_6D0050C7
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Code function: 0_2_6CFB1AF0	0_2_6CFB1AF0
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Code function: 0_2_6CFDE2F0	0_2_6CFDE2F0
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Code function: 0_2_6CFD8AC0	0_2_6CFD8AC0
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Code function: 0_2_6CFACAB0	0_2_6CFACAB0
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Code function: 0_2_6CF922A0	0_2_6CF922A0
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Code function: 0_2_6CFC4AA0	0_2_6CFC4AA0
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Code function: 0_2_6CFD9A60	0_2_6CFD9A60
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Code function: 0_2_6D0053C8	0_2_6D0053C8
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Code function: 0_2_6CF9F380	0_2_6CF9F380
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Code function: 0_2_6CFAC370	0_2_6CFAC370
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Code function: 0_2_6D00BA90	0_2_6D00BA90
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Code function: 0_2_6D002AB0	0_2_6D002AB0
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Code function: 0_2_6CF95340	0_2_6CF95340
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Code function: 0_2_6CFDD320	0_2_6CFDD320
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Code function: 0_2_6D1C8D20	0_2_6D1C8D20
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Code function: 0_2_6D16AD50	0_2_6D16AD50
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Code function: 0_2_6D10ED70	0_2_6D10ED70
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Code function: 0_2_6D0D6D90	0_2_6D0D6D90
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Code function: 0_2_6D044DB0	0_2_6D044DB0
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Code function: 0_2_6D1CCDC0	0_2_6D1CCDC0
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Code function: 0_2_6D106C00	0_2_6D106C00
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Code function: 0_2_6D11AC30	0_2_6D11AC30
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Code function: 0_2_6D04AC60	0_2_6D04AC60
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Code function: 0_2_6D03ECC0	0_2_6D03ECC0
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Code function: 0_2_6D09ECD0	0_2_6D09ECD0
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Code function: 0_2_6D046F10	0_2_6D046F10
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Code function: 0_2_6D180F20	0_2_6D180F20
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Code function: 0_2_6D0AEF40	0_2_6D0AEF40
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Code function: 0_2_6D102F70	0_2_6D102F70
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Code function: 0_2_6D188FB0	0_2_6D188FB0
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Code function: 0_2_6D04EFB0	0_2_6D04EFB0
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Code function: 0_2_6D11EFF0	0_2_6D11EFF0
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Code function: 0_2_6D040FE0	0_2_6D040FE0
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Code function: 0_2_6D120E20	0_2_6D120E20
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Code function: 0_2_6D0DEE70	0_2_6D0DEE70
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Code function: 0_2_6D0C6E90	0_2_6D0C6E90
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Code function: 0_2_6D04AEC0	0_2_6D04AEC0
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Code function: 0_2_6D0E0EC0	0_2_6D0E0EC0
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Code function: 0_2_6D096900	0_2_6D096900
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Code function: 0_2_6D078960	0_2_6D078960
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Code function: 0_2_6D1009B0	0_2_6D1009B0
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Code function: 0_2_6D0D09A0	0_2_6D0D09A0
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Code function: 0_2_6D0FA9A0	0_2_6D0FA9A0
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Code function: 0_2_6D15C9E0	0_2_6D15C9E0
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Code function: 0_2_6D0749F0	0_2_6D0749F0
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Code function: 0_2_6D090820	0_2_6D090820
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Code function: 0_2_6D0CA820	0_2_6D0CA820
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Code function: 0_2_6D114840	0_2_6D114840
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Code function: 0_2_6D1468E0	0_2_6D1468E0
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Code function: 0_2_6D0E0BA0	0_2_6D0E0BA0
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Code function: 0_2_6D146BE0	0_2_6D146BE0
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Code function: 0_2_6D0EEA00	0_2_6D0EEA00
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Code function: 0_2_6D0F8A30	0_2_6D0F8A30
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Code function: 0_2_6D0BCA70	0_2_6D0BCA70
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Code function: 0_2_6D0BEA80	0_2_6D0BEA80

Found potential string decryption / allocating functions

Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Code function: String function: 6CFCCBE8 appears 134 times
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Code function: String function: 6CFD94D0 appears 90 times
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Code function: String function: 004043B0 appears 316 times
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Code function: String function: 6D1C09D0 appears 112 times

Sample file is different than original file name gathered from version info

Source: pYJeC4VJbw.exe, 00000000.00000002.2903883210.000000006D215000.00000002.00000001.01000000.00000007.sdmp	Binary or memory string: OriginalFilenamenss3.dll0 vs pYJeC4VJbw.exe
Source: pYJeC4VJbw.exe, 00000000.00000002.2903626057.000000006D022000.00000002.00000001.01000000.00000008.sdmp	Binary or memory string: OriginalFilenamemozglue.dll0 vs pYJeC4VJbw.exe

Uses 32bit PE files

Source: pYJeC4VJbw.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Yara signature match

Source: 00000000.00000002.2884642591.0000000002C80000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000000.00000002.2884797147.0000000002D97000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000000.00000002.2884177155.0000000002C00000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000000.00000002.2884841467.0000000002DC0000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@1/29@1/1

Source: C:\Users\user\Desktop\pYJeC4VJbw.exe

Code function: 0_2_6CFF7030 GetLastError,FormatMessageA,__acrt_iob_func,__acrt_iob_func,__acrt_iob_func,fflush,LocalFree,

0_2_6CFF7030

Source: C:\Users\user\Desktop\pYJeC4VJbw.exe

Code function: 0_2_00414DE0 CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle,

0_2_00414DE0

Source: C:\Users\user\Desktop\pYJeC4VJbw.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\freebl3[1].dll

Jump to behavior

Source: pYJeC4VJbw.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\pYJeC4VJbw.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr	Binary or memory string: CREATE TABLE metaData (id PRIMARY KEY UNIQUE ON CONFLICT REPLACE, item1, item2);
Source: pYJeC4VJbw.exe, 00000000.00000002.2903802204.000000006D1CF000.00000002.00000001.01000000.00000007.sdmp, pYJeC4VJbw.exe, 00000000.00000002.2895334222.000000001D511000.00000004.00000020.00020000.00000000.sdmp, pYJeC4VJbw.exe, 00000000.00000002.2903359635.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr	Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr	Binary or memory string: SELECT ALL * FROM %s LIMIT 0;
Source: pYJeC4VJbw.exe, 00000000.00000002.2903802204.000000006D1CF000.00000002.00000001.01000000.00000007.sdmp, pYJeC4VJbw.exe, 00000000.00000002.2895334222.000000001D511000.00000004.00000020.00020000.00000000.sdmp, pYJeC4VJbw.exe, 00000000.00000002.2903359635.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr	Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: pYJeC4VJbw.exe, 00000000.00000002.2903802204.000000006D1CF000.00000002.00000001.01000000.00000007.sdmp, pYJeC4VJbw.exe, 00000000.00000002.2895334222.000000001D511000.00000004.00000020.00020000.00000000.sdmp, pYJeC4VJbw.exe, 00000000.00000002.2903359635.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr	Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: pYJeC4VJbw.exe, 00000000.00000002.2903802204.000000006D1CF000.00000002.00000001.01000000.00000007.sdmp, pYJeC4VJbw.exe, 00000000.00000002.2895334222.000000001D511000.00000004.00000020.00020000.00000000.sdmp, pYJeC4VJbw.exe, 00000000.00000002.2903359635.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr	Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr	Binary or memory string: UPDATE %s SET %s WHERE id=$ID;
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr	Binary or memory string: SELECT ALL * FROM metaData WHERE id=$ID;
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr	Binary or memory string: SELECT ALL id FROM %s WHERE %s;
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr	Binary or memory string: INSERT INTO metaData (id,item1) VALUES($ID,$ITEM1);
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr	Binary or memory string: INSERT INTO %s (id%s) VALUES($ID%s);
Source: pYJeC4VJbw.exe, pYJeC4VJbw.exe, 00000000.00000002.2903802204.000000006D1CF000.00000002.00000001.01000000.00000007.sdmp, pYJeC4VJbw.exe, 00000000.00000002.2895334222.000000001D511000.00000004.00000020.00020000.00000000.sdmp, pYJeC4VJbw.exe, 00000000.00000002.2903359635.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr	Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: pYJeC4VJbw.exe, 00000000.00000002.2903802204.000000006D1CF000.00000002.00000001.01000000.00000007.sdmp, pYJeC4VJbw.exe, 00000000.00000002.2895334222.000000001D511000.00000004.00000020.00020000.00000000.sdmp, pYJeC4VJbw.exe, 00000000.00000002.2903359635.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr	Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: pYJeC4VJbw.exe, 00000000.00000002.2895334222.000000001D511000.00000004.00000020.00020000.00000000.sdmp, pYJeC4VJbw.exe, 00000000.00000002.2903359635.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE x(addr INT,opcode TEXT,p1 INT,p2 INT,p3 INT,p4 TEXT,p5 INT,comment TEXT,subprog TEXT,stmt HIDDEN);
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr	Binary or memory string: INSERT INTO metaData (id,item1,item2) VALUES($ID,$ITEM1,$ITEM2);
Source: pYJeC4VJbw.exe, 00000000.00000003.2585700635.0000000023494000.00000004.00000020.00020000.00000000.sdmp, JDBFIIEBGCAKKEBFBAAF.0.dr	Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: pYJeC4VJbw.exe, 00000000.00000002.2895334222.000000001D511000.00000004.00000020.00020000.00000000.sdmp, pYJeC4VJbw.exe, 00000000.00000002.2903359635.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr	Binary or memory string: SELECT ALL * FROM %s LIMIT 0;CREATE TEMPORARY TABLE %s AS SELECT * FROM %sD
Source: pYJeC4VJbw.exe, 00000000.00000002.2895334222.000000001D511000.00000004.00000020.00020000.00000000.sdmp, pYJeC4VJbw.exe, 00000000.00000002.2903359635.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE x(type TEXT,schema TEXT,name TEXT,wr INT,subprog TEXT,stmt HIDDEN);
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr	Binary or memory string: SELECT DISTINCT %s FROM %s where id=$ID LIMIT 1;

Source: pYJeC4VJbw.exe	ReversingLabs: Detection: 65%
Source: pYJeC4VJbw.exe	Virustotal: Detection: 46%

Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Section loaded: msvcr100.dll	Jump to behavior
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Section loaded: mozglue.dll	Jump to behavior
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Section loaded: msvcp140.dll	Jump to behavior

Source: C:\Users\user\Desktop\pYJeC4VJbw.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\pYJeC4VJbw.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Jump to behavior

Source:	Binary string: mozglue.pdbP source: pYJeC4VJbw.exe, 00000000.00000002.2903578339.000000006D00D000.00000002.00000001.01000000.00000008.sdmp, mozglue[1].dll.0.dr, mozglue.dll.0.dr
Source:	Binary string: freebl3.pdb source: freebl3[1].dll.0.dr, freebl3.dll.0.dr
Source:	Binary string: freebl3.pdbp source: freebl3[1].dll.0.dr, freebl3.dll.0.dr
Source:	Binary string: nss3.pdb@ source: pYJeC4VJbw.exe, 00000000.00000002.2903802204.000000006D1CF000.00000002.00000001.01000000.00000007.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr
Source:	Binary string: softokn3.pdb@ source: softokn3[1].dll.0.dr, softokn3.dll.0.dr
Source:	Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: vcruntime140.dll.0.dr, vcruntime140[1].dll.0.dr
Source:	Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdb source: msvcp140[1].dll.0.dr, msvcp140.dll.0.dr
Source:	Binary string: nss3.pdb source: pYJeC4VJbw.exe, 00000000.00000002.2903802204.000000006D1CF000.00000002.00000001.01000000.00000007.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr
Source:	Binary string: mozglue.pdb source: pYJeC4VJbw.exe, 00000000.00000002.2903578339.000000006D00D000.00000002.00000001.01000000.00000008.sdmp, mozglue[1].dll.0.dr, mozglue.dll.0.dr
Source:	Binary string: softokn3.pdb source: softokn3[1].dll.0.dr, softokn3.dll.0.dr

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\pYJeC4VJbw.exe

Unpacked PE file: 0.2.pYJeC4VJbw.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:EW;.rdata:R;.data:W;.reloc:R;

Detected unpacking (overwrites its own PE header)

Source: C:\Users\user\Desktop\pYJeC4VJbw.exe

Unpacked PE file: 0.2.pYJeC4VJbw.exe.400000.0.unpack

Contains functionality to dynamically determine API calls

Source: C:\Users\user\Desktop\pYJeC4VJbw.exe

0_2_00416240

PE file contains sections with non-standard names

Source: softokn3.dll.0.dr	Static PE information: section name: .00cfg
Source: softokn3[1].dll.0.dr	Static PE information: section name: .00cfg
Source: freebl3.dll.0.dr	Static PE information: section name: .00cfg
Source: freebl3[1].dll.0.dr	Static PE information: section name: .00cfg
Source: mozglue.dll.0.dr	Static PE information: section name: .00cfg
Source: mozglue[1].dll.0.dr	Static PE information: section name: .00cfg
Source: msvcp140.dll.0.dr	Static PE information: section name: .didat
Source: msvcp140[1].dll.0.dr	Static PE information: section name: .didat
Source: nss3.dll.0.dr	Static PE information: section name: .00cfg
Source: nss3[1].dll.0.dr	Static PE information: section name: .00cfg

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Code function: 0_2_004176C5 push ecx; ret		0_2_004176D8
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Code function: 0_2_6CFCB536 push ecx; ret		0_2_6CFCB549

Drops PE files

Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	File created: C:\ProgramData\mozglue.dll	Jump to dropped file
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	File created: C:\ProgramData\nss3.dll	Jump to dropped file
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\mozglue[1].dll	Jump to dropped file
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\nss3[1].dll	Jump to dropped file
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	File created: C:\ProgramData\msvcp140.dll	Jump to dropped file
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\msvcp140[1].dll	Jump to dropped file
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\vcruntime140[1].dll	Jump to dropped file
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	File created: C:\ProgramData\freebl3.dll	Jump to dropped file
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\freebl3[1].dll	Jump to dropped file
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	File created: C:\ProgramData\vcruntime140.dll	Jump to dropped file
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	File created: C:\ProgramData\softokn3.dll	Jump to dropped file
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\softokn3[1].dll	Jump to dropped file

Drops PE files to the application program directory (C:\ProgramData)

Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	File created: C:\ProgramData\mozglue.dll	Jump to dropped file
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	File created: C:\ProgramData\nss3.dll	Jump to dropped file
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	File created: C:\ProgramData\msvcp140.dll	Jump to dropped file
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	File created: C:\ProgramData\freebl3.dll	Jump to dropped file
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	File created: C:\ProgramData\vcruntime140.dll	Jump to dropped file
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	File created: C:\ProgramData\softokn3.dll	Jump to dropped file

Extensive use of GetProcAddress (often used to hide API calls)

Source: C:\Users\user\Desktop\pYJeC4VJbw.exe

0_2_00416240

Malware Analysis System Evasion

Found evasive API chain (may stop execution after checking locale)

Source: C:\Users\user\Desktop\pYJeC4VJbw.exe

Evasive API call chain: GetUserDefaultLangID, ExitProcess

Found dropped PE file which has not been started or loaded

Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Dropped PE file which has not been started: C:\ProgramData\nss3.dll	Jump to dropped file
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\mozglue[1].dll	Jump to dropped file
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\nss3[1].dll	Jump to dropped file
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\msvcp140[1].dll	Jump to dropped file
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\vcruntime140[1].dll	Jump to dropped file
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Dropped PE file which has not been started: C:\ProgramData\freebl3.dll	Jump to dropped file
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\freebl3[1].dll	Jump to dropped file
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\softokn3[1].dll	Jump to dropped file
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Dropped PE file which has not been started: C:\ProgramData\softokn3.dll	Jump to dropped file

Found large amount of non-executed APIs

Source: C:\Users\user\Desktop\pYJeC4VJbw.exe

API coverage: 4.8 %

Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Code function: 0_2_0040D1C0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,	0_2_0040D1C0
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Code function: 0_2_004015C0 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	0_2_004015C0
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Code function: 0_2_00411650 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose,	0_2_00411650
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Code function: 0_2_0040B610 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose,	0_2_0040B610
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Code function: 0_2_0040DB60 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA,	0_2_0040DB60
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Code function: 0_2_0040D540 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	0_2_0040D540
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Code function: 0_2_00412570 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	0_2_00412570
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Code function: 0_2_004121F0 GetProcessHeap,HeapAlloc,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen,	0_2_004121F0
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Code function: 0_2_00411B80 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose,	0_2_00411B80

Source: C:\Users\user\Desktop\pYJeC4VJbw.exe

Code function: 0_2_00401120 GetSystemInfo,ExitProcess,

0_2_00401120

Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\	Jump to behavior
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\	Jump to behavior
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\	Jump to behavior
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\	Jump to behavior
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\	Jump to behavior
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\	Jump to behavior

Source: pYJeC4VJbw.exe, 00000000.00000002.2884861560.0000000002DD5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWX
Source: pYJeC4VJbw.exe, 00000000.00000002.2884824643.0000000002DBB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMwareVMware
Source: pYJeC4VJbw.exe, 00000000.00000002.2884861560.0000000002E26000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW

Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	API call chain: ExitProcess graph end node

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Source: C:\Users\user\Desktop\pYJeC4VJbw.exe

Code function: 0_2_00417B4E IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

0_2_00417B4E

Contains functionality to dynamically determine API calls

Source: C:\Users\user\Desktop\pYJeC4VJbw.exe

0_2_00416240

Contains functionality to read the PEB

Source: C:\Users\user\Desktop\pYJeC4VJbw.exe

Code function: 0_2_00415DC0 mov eax, dword ptr fs:[00000030h]

0_2_00415DC0

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Source: C:\Users\user\Desktop\pYJeC4VJbw.exe

Code function: 0_2_00404C70 GetProcessHeap,RtlAllocateHeap,InternetOpenA,InternetOpenUrlA,InternetReadFile,InternetCloseHandle,InternetCloseHandle,

0_2_00404C70

Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Code function: 0_2_00419DC7 SetUnhandledExceptionFilter,	0_2_00419DC7
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Code function: 0_2_00417B4E IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00417B4E
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Code function: 0_2_004173DD memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_004173DD
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Code function: 0_2_6CFCB66C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_6CFCB66C
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Code function: 0_2_6CFCB1F7 IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_6CFCB1F7
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Code function: 0_2_6D17AC62 IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_6D17AC62

HIPS / PFW / Operating System Protection Evasion

Searches for specific processes (likely to inject)

Source: C:\Users\user\Desktop\pYJeC4VJbw.exe

Code function: 0_2_00415D00 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle,

0_2_00415D00

Contains functionality to query CPU information (cpuid)

Source: C:\Users\user\Desktop\pYJeC4VJbw.exe

Code function: 0_2_6CFCB341 cpuid

0_2_6CFCB341

Contains functionality to query locales information (e.g. system language)

Source: C:\Users\user\Desktop\pYJeC4VJbw.exe

Code function: GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,

0_2_00414570

Queries information about the installed CPU (vendor, model number etc)

Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0			Jump to behavior
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0			Jump to behavior

Queries the volume information (name, serial number etc) of a device

Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior

Source: C:\Users\user\Desktop\pYJeC4VJbw.exe

Code function: 0_2_00414450 GetProcessHeap,HeapAlloc,GetLocalTime,wsprintfA,

0_2_00414450

Source: C:\Users\user\Desktop\pYJeC4VJbw.exe

Code function: 0_2_004143C0 GetProcessHeap,HeapAlloc,GetUserNameA,

0_2_004143C0

Source: C:\Users\user\Desktop\pYJeC4VJbw.exe

Code function: 0_2_004144B0 GetProcessHeap,HeapAlloc,GetTimeZoneInformation,wsprintfA,

0_2_004144B0

Stealing of Sensitive Information

Yara detected Mars stealer

Source: Yara match	File source: 0.2.pYJeC4VJbw.exe.2c80e67.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.pYJeC4VJbw.exe.2c80e67.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.pYJeC4VJbw.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.pYJeC4VJbw.exe.2cc0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.pYJeC4VJbw.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.pYJeC4VJbw.exe.2cc0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2884642591.0000000002C80000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2489810753.0000000002CC0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2882938021.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY

Yara detected Stealc

Source: Yara match	File source: 00000000.00000002.2884861560.0000000002DD5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: pYJeC4VJbw.exe PID: 6936, type: MEMORYSTR
Source: Yara match	File source: sslproxydump.pcap, type: PCAP

Yara detected Vidar stealer

Source: Yara match	File source: 0.2.pYJeC4VJbw.exe.2c80e67.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.pYJeC4VJbw.exe.2c80e67.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.pYJeC4VJbw.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.pYJeC4VJbw.exe.2cc0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.pYJeC4VJbw.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.pYJeC4VJbw.exe.2cc0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2884642591.0000000002C80000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2489810753.0000000002CC0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2882938021.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: pYJeC4VJbw.exe PID: 6936, type: MEMORYSTR

Found many strings related to Crypto-Wallets (likely being stolen)

Source: pYJeC4VJbw.exe, 00000000.00000002.2882938021.0000000000549000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: ite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: pYJeC4VJbw.exe, 00000000.00000002.2882938021.0000000000549000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: ite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: pYJeC4VJbw.exe, 00000000.00000002.2882938021.0000000000549000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: ite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: pYJeC4VJbw.exe, 00000000.00000002.2882938021.0000000000549000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: ite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: pYJeC4VJbw.exe, 00000000.00000002.2882938021.0000000000549000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: ite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: pYJeC4VJbw.exe, 00000000.00000002.2882938021.0000000000549000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: ite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: pYJeC4VJbw.exe, 00000000.00000002.2882938021.0000000000549000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: ite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: pYJeC4VJbw.exe, 00000000.00000002.2882938021.0000000000549000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: ite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: pYJeC4VJbw.exe, 00000000.00000002.2882938021.0000000000549000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: ite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: pYJeC4VJbw.exe, 00000000.00000002.2882938021.0000000000549000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: ite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: pYJeC4VJbw.exe, 00000000.00000002.2882938021.0000000000549000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: ite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: pYJeC4VJbw.exe, 00000000.00000002.2882938021.0000000000549000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: ite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: pYJeC4VJbw.exe, 00000000.00000002.2882938021.0000000000549000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: ite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: pYJeC4VJbw.exe, 00000000.00000002.2884861560.0000000002E26000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Binance\.finger-print.fp
Source: pYJeC4VJbw.exe, 00000000.00000002.2882938021.0000000000549000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: ite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: pYJeC4VJbw.exe, 00000000.00000002.2882938021.0000000000549000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: ite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: pYJeC4VJbw.exe, 00000000.00000002.2882938021.0000000000549000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: ite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: pYJeC4VJbw.exe, 00000000.00000002.2882938021.0000000000549000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: ite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: pYJeC4VJbw.exe, 00000000.00000002.2882938021.0000000000549000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: ite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: pYJeC4VJbw.exe, 00000000.00000002.2882938021.0000000000549000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: ite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: pYJeC4VJbw.exe, 00000000.00000002.2882938021.0000000000549000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: ite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: pYJeC4VJbw.exe, 00000000.00000002.2882938021.0000000000549000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: ite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: pYJeC4VJbw.exe, 00000000.00000002.2895207403.000000001D4F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Ledger Live\Local Storage\leveldb\.

Tries to harvest and steal Bitcoin Wallet information

Source: C:\Users\user\Desktop\pYJeC4VJbw.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\monero-project\monero-core

Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite-wal	Jump to behavior
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite-shm	Jump to behavior
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite-shm	Jump to behavior
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite-wal	Jump to behavior
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\Desktop\pYJeC4VJbw.exe

File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml

Jump to behavior

Tries to steal Crypto Currency Wallets

Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets\	Jump to behavior
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\	Jump to behavior
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\	Jump to behavior
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\	Jump to behavior
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\	Jump to behavior
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\	Jump to behavior
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\	Jump to behavior
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\	Jump to behavior
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	File opened: C:\Users\user\AppData\Roaming\ElectronCash\wallets\	Jump to behavior
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	File opened: C:\Users\user\AppData\Roaming\MultiDoge\	Jump to behavior
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	File opened: C:\Users\user\AppData\Roaming\jaxx\Local Storage\	Jump to behavior
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\	Jump to behavior
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb\	Jump to behavior
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	File opened: C:\Users\user\AppData\Roaming\Binance\	Jump to behavior
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	File opened: C:\Users\user\AppData\Roaming\Coinomi\Coinomi\wallets\	Jump to behavior
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live\Local Storage\leveldb\	Jump to behavior
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live\	Jump to behavior
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live\Session Storage\	Jump to behavior
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	File opened: C:\Users\user\AppData\Roaming\atomic_qt\config\	Jump to behavior
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	File opened: C:\Users\user\AppData\Roaming\atomic_qt\exports\	Jump to behavior
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\	Jump to behavior
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\Local Storage\leveldb\	Jump to behavior

Yara detected Credential Stealer

Source: Yara match

File source: Process Memory Space: pYJeC4VJbw.exe PID: 6936, type: MEMORYSTR

Remote Access Functionality

Yara detected Mars stealer

Source: Yara match	File source: 0.2.pYJeC4VJbw.exe.2c80e67.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.pYJeC4VJbw.exe.2c80e67.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.pYJeC4VJbw.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.pYJeC4VJbw.exe.2cc0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.pYJeC4VJbw.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.pYJeC4VJbw.exe.2cc0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2884642591.0000000002C80000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2489810753.0000000002CC0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2882938021.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY

Yara detected Stealc

Source: Yara match	File source: 00000000.00000002.2884861560.0000000002DD5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: pYJeC4VJbw.exe PID: 6936, type: MEMORYSTR
Source: Yara match	File source: sslproxydump.pcap, type: PCAP

Yara detected Vidar stealer

Source: Yara match	File source: 0.2.pYJeC4VJbw.exe.2c80e67.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.pYJeC4VJbw.exe.2c80e67.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.pYJeC4VJbw.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.pYJeC4VJbw.exe.2cc0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.pYJeC4VJbw.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.pYJeC4VJbw.exe.2cc0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2884642591.0000000002C80000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2489810753.0000000002CC0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2882938021.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: pYJeC4VJbw.exe PID: 6936, type: MEMORYSTR

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Code function: 0_2_6D180D60 sqlite3_bind_parameter_name,	0_2_6D180D60
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Code function: 0_2_6D180C40 sqlite3_bind_zeroblob,	0_2_6D180C40
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Code function: 0_2_6D0A8EA0 sqlite3_clear_bindings,	0_2_6D0A8EA0
Source: C:\Users\user\Desktop\pYJeC4VJbw.exe	Code function: 0_2_6D180B40 sqlite3_bind_value,sqlite3_bind_int64,sqlite3_bind_double,sqlite3_bind_zeroblob,	0_2_6D180B40

ID:	1435882
Product:	CloudBasic
Start time:	11:19:09
Start date:	03.05.2024
Sample:	pYJeC4VJbw.exe
Cookbook:	default.jbs
System description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Architecture:	WINDOWS
MD5:	14c3db1bdba407c23f0e80bbfdd6db0f
SHA1:	304c2d438d926f73f58f1ee9635b449b585dddce
SHA256:	596a9e9ed53dbeb50b69a93bfeef67855baf488f3638695b5485fd1c9633fad7
Filetype:	Win32 Executable (generic) a (10002005/4) 99.96%

Name	Type	MD5	SHA1	SHA256
C:\ProgramData\AAEGHJKJ	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2	780853CDDEAEE8DE70F28A4B255A600B	AD7A5DA33F7AD12946153C497E990720B09005ED	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
C:\ProgramData\AIXACVYBSB.docx	ASCII text, with very long lines (1024), with CRLF line terminators	4E32787C3D6F915D3CB360878174E142	57FF84FAEDF66015F2D79E1BE72A29D7B5643F47	2BCD2A46D2DCED38DE96701E6D3477D8C9F4456FFAE5135C0605C8434BA60269
C:\ProgramData\AIXACVYBSB.xlsx	ASCII text, with very long lines (1024), with CRLF line terminators	4E32787C3D6F915D3CB360878174E142	57FF84FAEDF66015F2D79E1BE72A29D7B5643F47	2BCD2A46D2DCED38DE96701E6D3477D8C9F4456FFAE5135C0605C8434BA60269
C:\ProgramData\CBKJEGCBKKJECBGCGDBAKJEBAA	SQLite 3.x database, last written using SQLite version 3042000, file counter 11, database pages 7, cookie 0x3, schema 4, UTF-8, version-valid-for 11	41EA9A4112F057AE6BA17E2838AEAC26	F2B389103BFD1A1A050C4857A995B09FEAFE8903	CE84656EAEFC842355D668E7141F84383D3A0C819AE01B26A04F9021EF0AC9DB
C:\ProgramData\DTBZGIOOSO.docx	ASCII text, with very long lines (1024), with CRLF line terminators	159C7BA9D193731A3AAE589183A63B3F	81FDFC9C96C5B4F9C7730127B166B778092F114A	1FD7067403DCC66C9C013C2F21001B91C2C6456762B05BDC5EDA2C9E7039F41D
C:\ProgramData\GIJKKKFC	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3	28591AA4E12D1C4FC761BE7C0A468622	BC4968A84C19377D05A8BB3F208FBFAC49F4820B	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
C:\ProgramData\HIIIDAKKJJJKKECAKKJE	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1	349E6EB110E34A08924D92F6B334801D	BDFB289DAFF51890CC71697B6322AA4B35EC9169	C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
C:\ProgramData\IDAKJKEHDBGHIDHIEHDBAAFHJK	SQLite 3.x database, user version 75, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 2, database pages 46, cookie 0x26, schema 4, UTF-8, version-valid-for 2	C0FDF21AE11A6D1FA1201D502614B622	11724034A1CC915B061316A96E79E9DA6A00ADE8	FD4EB46C81D27A9B3669C0D249DF5CE2B49E5F37B42F917CA38AB8831121ADAC
C:\ProgramData\JDBFIIEBGCAKKEBFBAAF	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1	28222628A3465C5F0D4B28F70F97F482	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
C:\ProgramData\JDGCGHCGHCBFHJJKKJEHJEHJEH	SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 3, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 3	369B6DD66F1CAD49D0952C40FEB9AD41	D05B2DE29433FB113EC4C558FF33087ED7481DD4	14150D582B5321D91BDE0841066312AB3E6673CA51C982922BC293B82527220D
C:\ProgramData\KATAXZVCPS.xlsx	ASCII text, with very long lines (1024), with CRLF line terminators	A0DC32426FC8BF469784A49B3D092ADC	0C0EEB9B226B1B19A509D9864F8ADC521BF18350	A381579322A3055F468E57EA1980A523CAF16ABFE5A09B46EC709E854E67AA01
C:\ProgramData\NHPKIZUUSG.docx	ASCII text, with very long lines (1024), with CRLF line terminators	8C1F71001ABC7FCE68B3F15299553CE7	382285FB69081EB79C936BC4E1BFFC9D4697D881	DCC1D5A624022EFCE4D4A919041C499622A1213FD62B848C36E6252EE29B5CAE
C:\ProgramData\VLZDGUKUTZ.xlsx	ASCII text, with very long lines (1024), with CRLF line terminators	520219000D5681B63804A2D138617B27	2C7827C354FD7A58FB662266B7E3008AFB42C567	C072675E83E91FC0F8D89A2AEC6E3BC1DB53ADF7601864DDC27B1866A8AEEF4D
C:\ProgramData\XZXHAVGRAG.docx	ASCII text, with very long lines (1024), with CRLF line terminators	A4E170A8033E4DAE501B5FD3D8AC2B74	589F92029C10058A7B281AA9F2BBFA8C822B5767	E3F62A514D12A3F7D0EB2FF2DA31113A72063AE2E96F816E9AD4185FF8B15C91
C:\ProgramData\XZXHAVGRAG.xlsx	ASCII text, with very long lines (1024), with CRLF line terminators	A4E170A8033E4DAE501B5FD3D8AC2B74	589F92029C10058A7B281AA9F2BBFA8C822B5767	E3F62A514D12A3F7D0EB2FF2DA31113A72063AE2E96F816E9AD4185FF8B15C91
C:\ProgramData\freebl3.dll	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	550686C0EE48C386DFCB40199BD076AC	EE5134DA4D3EFCB466081FB6197BE5E12A5B22AB	EDD043F2005DBD5902FC421EABB9472A7266950C5CBACA34E2D590B17D12F5FA
C:\ProgramData\mozglue.dll	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	C8FD9BE83BC728CC04BEFFAFC2907FE9	95AB9F701E0024CEDFBD312BCFE4E726744C4F2E	BA06A6EE0B15F5BE5C4E67782EEC8B521E36C107A329093EC400FE0404EB196A
C:\ProgramData\msvcp140.dll	PE32 executable (DLL) (console) Intel 80386, for MS Windows	5FF1FCA37C466D6723EC67BE93B51442	34CC4E158092083B13D67D6D2BC9E57B798A303B	5136A49A682AC8D7F1CE71B211DE8688FCE42ED57210AF087A8E2DBC8A934062
C:\ProgramData\nss3.dll	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	1CC453CDF74F31E4D913FF9C10ACDDE2	6E85EAE544D6E965F15FA5C39700FA7202F3AAFE	AC5C92FE6C51CFA742E475215B83B3E11A4379820043263BF50D4068686C6FA5
C:\ProgramData\softokn3.dll	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	4E52D739C324DB8225BD9AB2695F262F	71C3DA43DC5A0D2A1941E874A6D015A071783889	74EBBAC956E519E16923ABDC5AB8912098A4F64E38DDCB2EAE23969F306AFE5A
C:\ProgramData\vcruntime140.dll	PE32 executable (DLL) (console) Intel 80386, for MS Windows	A37EE36B536409056A86F50E67777DD7	1CAFA159292AA736FC595FC04E16325B27CD6750	8934AAEB65B6E6D253DFE72DEA5D65856BD871E989D5D3A2A35EDFE867BB4825
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\freebl3[1].dll	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	550686C0EE48C386DFCB40199BD076AC	EE5134DA4D3EFCB466081FB6197BE5E12A5B22AB	EDD043F2005DBD5902FC421EABB9472A7266950C5CBACA34E2D590B17D12F5FA
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\mozglue[1].dll	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	C8FD9BE83BC728CC04BEFFAFC2907FE9	95AB9F701E0024CEDFBD312BCFE4E726744C4F2E	BA06A6EE0B15F5BE5C4E67782EEC8B521E36C107A329093EC400FE0404EB196A
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\msvcp140[1].dll	PE32 executable (DLL) (console) Intel 80386, for MS Windows	5FF1FCA37C466D6723EC67BE93B51442	34CC4E158092083B13D67D6D2BC9E57B798A303B	5136A49A682AC8D7F1CE71B211DE8688FCE42ED57210AF087A8E2DBC8A934062
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\nss3[1].dll	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	1CC453CDF74F31E4D913FF9C10ACDDE2	6E85EAE544D6E965F15FA5C39700FA7202F3AAFE	AC5C92FE6C51CFA742E475215B83B3E11A4379820043263BF50D4068686C6FA5
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\softokn3[1].dll	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	4E52D739C324DB8225BD9AB2695F262F	71C3DA43DC5A0D2A1941E874A6D015A071783889	74EBBAC956E519E16923ABDC5AB8912098A4F64E38DDCB2EAE23969F306AFE5A
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\vcruntime140[1].dll	PE32 executable (DLL) (console) Intel 80386, for MS Windows	A37EE36B536409056A86F50E67777DD7	1CAFA159292AA736FC595FC04E16325B27CD6750	8934AAEB65B6E6D253DFE72DEA5D65856BD871E989D5D3A2A35EDFE867BB4825
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite-shm	data	B7C14EC6110FA820CA6B65F5AEC85911	608EEB7488042453C9CA40F7E1398FC1A270F3F4	FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite-shm	data	B7C14EC6110FA820CA6B65F5AEC85911	608EEB7488042453C9CA40F7E1398FC1A270F3F4	FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB

Windows Analysis Report
pYJeC4VJbw.exe

Overview

General Information

Detection

Signatures

Classification

Malware Threat Intel
Provided by

Signatures

AV Detection

Cryptography

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Contacted URLs

Windows Analysis Report pYJeC4VJbw.exe

Overview

General Information

Detection

Signatures

Classification

Malware Threat Intel Provided by

Signatures

AV Detection

Cryptography

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Contacted URLs

Windows Analysis Report
pYJeC4VJbw.exe

Malware Threat Intel
Provided by