analyze malware
- Huge database of samples and IOCs
- Custom VM setup
- Unlimited submissions
- Interactive approach
| File name: | gjnvlcxv.exe |
| Full analysis: | https://app.any.run/tasks/f2733975-cedb-4d18-a0e1-20ff9b8d653b |
| Verdict: | Malicious activity |
| Analysis date: | April 01, 2023, 19:22:55 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/x-dosexec |
| File info: | PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows |
| MD5: | 3ABACDBDDB7190C93D7F24561B201B48 |
| SHA1: | 751507B13DA515C2FC06E556EB7D5CA16BC54CD0 |
| SHA256: | 72779E29EB9099678AF9B0DAA7E376322A0C8FD2C9ACE68962249ED72930D9D2 |
| SSDEEP: | 49152:DX0T+Sk6BU7HIFd7+JJ1glw+W7SCFHT9kly8Pv6Uc:DX0T+Srpzmg2rz38X6Uc |
MALICIOUS
BLACKGUARD detected by memory dumps
- gjnvlcxv.exe (PID: 2824)
Actions looks like stealing of personal data
- gjnvlcxv.exe (PID: 2824)
SUSPICIOUS
Reads settings of System Certificates
- gjnvlcxv.exe (PID: 2824)
Reads the Internet Settings
- gjnvlcxv.exe (PID: 2824)
Connects to the server without a host name
- gjnvlcxv.exe (PID: 2824)
The COM object is verified by Verclsid
- verclsid.exe (PID: 3864)
INFO
Reads Environment values
- gjnvlcxv.exe (PID: 2824)
The process checks LSA protection
- gjnvlcxv.exe (PID: 2824)
Reads the machine GUID from the registry
- gjnvlcxv.exe (PID: 2824)
Checks supported languages
- gjnvlcxv.exe (PID: 2824)
Reads the computer name
- gjnvlcxv.exe (PID: 2824)
Manual execution by a user
- verclsid.exe (PID: 3864)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
BlackGuard
(PID) Process(2824) gjnvlcxv.exe
Strings (590)x64\\SQLite.Interop.dll
x86\\SQLite.Interop.dll
\\Browsers
\\Browsers\\cookie_chrome.txt
\\Browsers\\password_chrome.txt
\\Browsers\\cookies_Brave.txt
\\Browsers\\password_Brave.txt
\\Browsers\\cookies_Vivaldi.txt
\\Browsers\\password_Vivaldi.txt
\\Browsers\\cookies_Opera.txt
\\Browsers\\password_Opera.txt
\\Browsers\\cookies_Edge.txt
\\Browsers\\password_Edge.txt
\\Browsers\\cookies_EdgeBeta.txt
\\Browsers\\password_EdgeBeta.txt
\\Wallets
\\Browsers\\password_firefox.txt
\\Browsers\\cookies_firefox.txt
\\Messenger
\\Chrome_Wallet
\\Edge_Wallet
\\Edge Betta_Wallet
\UsAgent.txt
Browser :
{0} {1} {2} {3} {4} {5} {6} {7} {8} {9} {10}
Unspecified
Medium
Domain:
Domain:
Login:
Password:
Password:
{0} {1} {2} {3} {4} {5} {6} {7}
\\Information.txt
Upgrade.php
http analyzer stand-alone
fiddler
effetech http sniffer
firesheep
IEWatch Professional
dumpcap
wireshark
wireshark portable
sysinternals tcpview
NetworkMiner
NetworkTrafficView
HTTPNetworkSniffer
tcpdump
intercepter
Intercepter-NG
The Cookie database could not be found:
The Key for decryption (Local State) could not be found:
The Login database could not be found:
\\Roaming\\
\\FTP\\WinSCP
WinSCP.ini
\\FTP\\WinSCP\\WinSCP.ini
Hostname = '
' | DecryptedUsername = '
' | DecryptedPassword = '
Title = '
' | Url = '
\zaredin.jbbt
\UGFghfw.helt
MM/dd/yyyy h:mm
Software\\Microsoft\\Office\\15.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676
Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676
Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676
Software\\Microsoft\\Windows Messaging Subsystem\\Profiles\\9375CFF0413111d3B88A00104B2A6676
SMTP Email Address
SMTP Server
POP3 Server
POP3 User Name
SMTP User Name
NNTP Email Address
NNTP User Name
NNTP Server
IMAP Server
IMAP User Name
Email
HTTP User
HTTP Server URL
POP3 User
IMAP User
HTTPMail User Name
HTTPMail Server
SMTP User
POP3 Password2
IMAP Password2
NNTP Password2
HTTPMail Password2
SMTP Password2
POP3 Password
IMAP Password
NNTP Password
HTTPMail Password
SMTP Password
\\Outlook.txt
UGFzc3dvcmQ=
null
^([a-zA-Z0-9_\-\.]+)@([a-zA-Z0-9_\-\.]+)\.([a-zA-Z]{2,5})$
^(?!:\/\/)([a-zA-Z0-9-_]+\.)*[a-zA-Z0-9][a-zA-Z0-9-_]+\.[a-zA-Z]{2,11}?$
\\Temp\\dotnetbrowser-chromium\\64.0.3282.24.1.19.0.0.642\\32bit
\\Chromium\\User Data
\\Google\\Chrome\\User Data
\\Google(x86)\\Chrome\\User Data
\\MapleStudio\\ChromePlus\\User Data
\\Iridium\\User Data
\\7Star\\User Data
\\CentBrowser\\User Data
\\Chedot\\User Data
\\Vivaldi\\User Data
\\Kometa\\User Data
\\Elements Browser\\User Data
\\Epic Privacy Browser\\User Data
\\uCozMedia\\Uran\\User Data
\\Fenrir Inc\\Sleipnir5\\setting\\modules\\ChromiumViewer
\\CatalinaGroup\\Citrio\\User Data
\\Coowon\\Coowon\\User Data
\\liebao\\User Data
\\QIP Surf\\User Data
\\Orbitum\\User Data
\\Comodo\\Dragon\\User Data
\\Amigo\\User\\User Data
\\Torch\\User Data
\\Comodo\\User Data
\\360Browser\\Browser\\User Data
\\Maxthon3\\User Data
\\K-Melon\\User Data
\\Sputnik\\Sputnik\\User Data
\\Nichrome\\User Data
\\CocCoc\\Browser\\User Data
\\Uran\\User Data
\\Chromodo\\User Data
UNIQUE
.dat
Hostname:
BCrypt.BCryptDecrypt() (get size) failed with status code: {0}
BCrypt.BCryptDecrypt(): authentication tag mismatch
BCrypt.BCryptDecrypt() failed with status code:{0}
BCrypt.BCryptOpenAlgorithmProvider() failed with status code:{0}
BCrypt.BCryptSetAlgorithmProperty(BCrypt.BCRYPT_CHAINING_MODE, BCrypt.BCRYPT_CHAIN_MODE_GCM) failed with status code:{0}
BCrypt.BCryptImportKey() failed with status code:{0}
BCrypt.BCryptGetProperty() (get size) failed with status code:{0}
BCrypt.BCryptGetProperty() failed with status code:{0}
ObjectLength
ChainingModeGCM
AuthTagLength
ChainingMode
KeyDataBlob
Microsoft Primitive Provider
].rar
cp866
files/upgrade.php?user={0}&hwid={1}&antivirus={2}&os={3}&passCount={4}&coockieCount={5}&walletCount={6}&telegramCount={7}&vpnCount={8}&ftpCount={9}&country={10}&searche={11}&link={12}
POST
SystemDrive
SELECT * FROM CIM_OperatingSystem
Caption
Windows 8
Windows 8.1
Windows 10
Windows 11
Windows XP
Windows 7
Server
Unknown
Windows Server
SELECT * FROM Win32_OperatingSystem
Version
BIOS Maker: Unknown
\root\SecurityCenter2
SELECT * FROM AntivirusProduct
displayName
https://ipwhois.app/xml/
country
Armenia
Azerbaijan
Belarus
Kazakhstan
Kyrgyzstan
Moldova
Tajikistan
Uzbekistan
Ukraine
Russia
.txt
.config
.rdp
Worlds
SbieDll.dll
cmdvrt32.dll
jkvvd
SxIn.dll
uryu65
l5y546546t3tl
25454
cuckoomon.dll
\\Discord
\\Tokens.txt
.log
.ldb
[a-zA-Z0-9]{24}\.[a-zA-Z0-9]{6}\.[a-zA-Z0-9_\-]{27}|mfa\.[a-zA-Z0-9_\-]{84}
Discord\\Local Storage\\leveldb
Discord PTB\\Local Storage\\leveldb
Discord Canary\\leveldb
\\Files
\\source
\\FileZilla
\\FileZilla.log
RecentServers
SG9zdA==
UG9ydA==
Rǫ
UGFzcw==
link:
Port:
Uname:
pws:
FileZilla\recentservers.xml
\\GHISLER\\
\\FTP\\Total Commander
wcx_ftp.ini
\\FTP\\Total Commander\\wcx_ftp.ini
Protocol:
Login:
pSWrd:
\\Pidgin_INFo.txt
.purple\\accounts.xml
\\Steam
ssfn*
\\config\\config.vdf
\\config.vdf
\\config\\loginusers.vdf
\\loginusers.vdf
\\config\\SteamAppData.vdf
\\SteamAppData.vdf
Software\\Wow6432Node\\Valve\\Steam
InstallPath
Software\\Valve\\Steam
VGVsZWdyYW0=
%appdata%
\Telegram Desktop\tdata
\\Telegram
Telegram.exe
\tdata
\\Telegram\\
NordVPN
NordVpn.exe*
user.config
\\VPN\\NordVPN\\
//setting[@name='Username']/value
//setting[@name='Password']/value
\\accounts.txt
OpenVPN Connect\\profiles
\\VPN\\OpenVPN
b3Zwbg==
ProtonVPN
ProtonVPN.exe
\\user.config
\\VPN\\ProtonVPN
U29mdHdhcmU=
strDataDir
\\wallets
Zcash
\\Zcash
Armory
\\Armory
SmF4eA==
\\com.liberty.jaxx\\IndexedDB\\file__0.indexeddb.leveldb
Exodus
\\Exodus\\exodus.wallet
RXRoZXJldW0=
\\Ethereum\\keystore
RWxlY3RydW0=
\\Electrum\\wallets
QXRvbWljV2FsbGV0
\\atomic\\Local Storage\\leveldb
Guarda
\\Guarda\\Local Storage\\leveldb
Zap
\\Zap\\Local Storage\\leveldb
Binance
\\Binance\\Local Storage\\leveldb
atomic_qt
\\atomic_qt\\config
Frame
\\Frame\\Local Storage\\leveldb
io.solarwallet.app
\\io.solarwallet.app\\Local Storage\\leveldb
TokenPocket
\\TokenPocket\\Local Storage\\leveldb
TGl0ZWNvaW4=
RGFzaA==
*.txt
\\Browsers\\search_link.txt
SELECT ExecutablePath, ProcessID FROM Win32_Process
ProcessID
ExecutablePath
Software\Microsoft\Windows\Shell\Associations\UrlAssociations\http\UserChoice
Progid
chromehtml
chrome
firefoxurl
firefox
operastable
opera
yandexhtml
browser
msedgehtm
msedge
iexplore
http://127.0.0.1:{0}
http://127.0.0.1:{0}/
User-Agent
https://google.com/
dictionary
ERROR
SELECT COUNT(*) AS CNTREC FROM pragma_table_info('
') WHERE name='
The current process is 32-bit! To decrypt firefox values it needs to be 64-bit
\mozglue.dll
MozGlue was not found:
\nss3.dll
NSS3 was not found:
\mozglue.dll could not be found:
\nss3.dll could not be found:
NSS_Init
PK11SDR_Decrypt
NSS_Shutdown
Process Address of NSS_Init was not found!
Process Address of PK11SDR_Decrypt was not found!
Process Address of NSS_Shutdown was not found!
Function 'NSS_Init()' was not found!
Function 'PK11SDR_Decrypt()' was not found!
Function 'NSS_Shutdown()' was not found!
Key length not 128/192/256 bits.
Should never get here
invalid parameter passed to AES init
AES engine not initialised
input buffer too short
output buffer too short
cipher required with a block size of
/GCM
Invalid value for MAC size:
invalid parameters passed to GCM
IV must be at least 1 byte
cannot reuse nonce for GCM encryption
Key must be specified in initial init
Output buffer too short
data too short
mac check in GCM failed
Attempt to process too many blocks
GCM cipher cannot be reused for encryption
GCM cipher needs to be initialised
keyOff
keyLen
YXV0b2ZpbGw=
Opera
\\Opera Stable\\Local State
\\Local State
"encrypted_key":"(.*?)"
Opera
Opera Software
\\Login Data
\\Web Data
\\History
\\Passwords.txt
\\AutoFill.txt
\\History.txt
\\Downloads.txt
downloads
dXJscw==
logins
kardannivall.Properties.Resources
upche
Gecko profile path was not found:
\cookies.sqlite
\logins.json
\places.sqlite
hostname
httpRealm
formSubmitURL
usernameField
passwordField
encryptedUsername
encryptedPassword
guid
encType
timeCreated
timeLastUsed
timePasswordChanged
timesUsed
ProgramW6432
\Mozilla Firefox
The Login File could not be found: \logins.json
Profile could not be set:
ConvertDynamicObjectsToLogins
logins
value
The History database could not be found:
Data Source=
;pooling=false
{0} WHERE {1} = '{2}'
SELECT id,url,title,rev_host,visit_count,hidden,typed,frecency,last_visit_date,guid,foreign_count,url_hash,description,preview_image_url,origin_id,site_name FROM moz_places
C:\Users\
\AppData\Local\Microsoft\Edge Beta\User Data\Default\Network\Cookies
\AppData\Local\Microsoft\Edge Beta\User Data\Local State
\AppData\Local\Microsoft\Edge Beta\User Data\Default\Login Data
\AppData\Local\BraveSoftware\Brave-Browser\User Data\Default\Network\Cookies
\AppData\Local\BraveSoftware\Brave-Browser\User Data\Local State
\AppData\Local\BraveSoftware\Brave-Browser\User Data\Default\Login Data
\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
\AppData\Local\Google\Chrome\User Data\Local State
\AppData\Local\Google\Chrome\User Data\Default\Login Data
SELECT creation_utc,top_frame_site_key,host_key,name,value,encrypted_value,path,expires_utc,is_secure,is_httponly,last_access_utc,has_expires,is_persistent,priority,samesite,source_scheme,source_port,is_same_party FROM cookies
SELECT origin_url,action_url,username_element,username_value,password_element,password_value,submit_element,signon_realm,date_created,blacklisted_by_user,scheme,password_type,times_used,form_data,display_name,icon_url,federation_url,skip_zero_click,generation_upload_status,possible_username_pairs,id...
encrypted_key
os_crypt
Key needs to be {0} bit!
Message required!
message
\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
\AppData\Local\Microsoft\Edge\User Data\Local State
\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
\AppData\Roaming\Mozilla\Firefox\Profiles
default-release
SELECT id,originAttributes,name,value,host,path,expiry,lastAccessed,creationTime,isSecure,isHttpOnly,inBrowserElement,sameSite,rawSameSite,schemeMap FROM moz_cookies
\AppData\Roaming\Opera Software\Opera Stable\Cookies
\AppData\Roaming\Opera Software\Opera Stable\Local State
\AppData\Roaming\Opera Software\Opera Stable\Login Data
\AppData\Roaming\Opera Software\Opera GX Stable\Cookies
\AppData\Roaming\Opera Software\Opera GX Stable\Local State
\AppData\Roaming\Opera Software\Opera GX Stable\Login Data
\AppData\Local\Vivaldi\User Data\Default\Network\Cookies
\AppData\Local\Vivaldi\User Data\Local State
\AppData\Local\Vivaldi\User Data\Default\Login Data
Tox
\\tox
Element
\\Element\\Local Storage\\leveldb
Signal
\\Signal\\Local Storage\\leveldb
Proxifier
\\Proxifier4\\Profiles
EdgeBETA_Auvitas
\Microsoft\Edge Beta\User Data\Default\Local Extension Settings\klfhbdnlcfcaccoakhceodhldjojboga\
EdgeBETA_Math
\Microsoft\Edge Beta\User Data\Default\Local Extension Settings\dfeccadlilpndjjohbjdblepmjeahlmm\
EdgeBETA_Metamask
\Microsoft\Edge Beta\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm\
EdgeBETA_MTV
\Microsoft\Edge Beta\User Data\Default\Local Extension Settings\oooiblbdpdlecigodndinbpfopomaegl\
EdgeBETA_Rabet
\Microsoft\Edge Beta\User Data\Default\Local Extension Settings\aanjhgiamnacdfnlfnmgehjikagdbafd\
EdgeBETA_Ronin
\Microsoft\Edge Beta\User Data\Default\Local Extension Settings\bblmcdckkhkhfhhpfcchlpalebmonecp\
EdgeBETA_Yoroi
\Microsoft\Edge Beta\User Data\Default\Local Extension Settings\akoiaibnepcedcplijmiamnaigbepmcb\
EdgeBETA_Zilpay
\Microsoft\Edge Beta\User Data\Default\Local Extension Settings\fbekallmnjoeggkefjkbebpineneilec\
EdgeBETA_Exodus
\Microsoft\Edge Beta\User Data\Default\Local Extension Settings\jdiccldimpdaibmpdkjnbmckianbfold\
EdgeBETA_Terra_Station
\Microsoft\Edge Beta\User Data\Default\Local Extension Settings\ajkhoeiiokighlmdnlakpjfoobnjinie\
EdgeBETA_Jaxx
Edge_Auvitas
\Microsoft\Edge\User Data\Default\Local Extension Settings\klfhbdnlcfcaccoakhceodhldjojboga\
Edge_Math
\Microsoft\Edge\User Data\Default\Local Extension Settings\dfeccadlilpndjjohbjdblepmjeahlmm\
Edge_Metamask
\Microsoft\Edge\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm\
Edge_MTV
\Microsoft\Edge\User Data\Default\Local Extension Settings\oooiblbdpdlecigodndinbpfopomaegl\
Edge_Rabet
\Microsoft\Edge\User Data\Default\Local Extension Settings\aanjhgiamnacdfnlfnmgehjikagdbafd\
Edge_Ronin
\Microsoft\Edge\User Data\Default\Local Extension Settings\bblmcdckkhkhfhhpfcchlpalebmonecp\
Edge_Yoroi
\Microsoft\Edge\User Data\Default\Local Extension Settings\akoiaibnepcedcplijmiamnaigbepmcb\
Edge_Zilpay
\Microsoft\Edge\User Data\Default\Local Extension Settings\fbekallmnjoeggkefjkbebpineneilec\
Edge_Exodus
\Microsoft\Edge\User Data\Default\Local Extension Settings\jdiccldimpdaibmpdkjnbmckianbfold\
Edge_Terra_Station
\Microsoft\Edge\User Data\Default\Local Extension Settings\ajkhoeiiokighlmdnlakpjfoobnjinie\
Edge_Jaxx
\Microsoft\Edge\User Data\Default\Local Extension Settings\dmdimapfghaakeibppbfeokhgoikeoci\
Chrome_Binance
\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp\
Chrome_Bitapp
\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi\
Chrome_Coin98
\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg\
Chrome_Equal
\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn\
Chrome_Guild
\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj\
Chrome_Iconex
\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfel\
Chrome_Math
\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc\
Chrome_Mobox
\Google\Chrome\User Data\Default\Local Extension Settings\fcckkdbjnoikooededlapcalpionmalo\
Chrome_Phantom
\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa\
Chrome_Tron
\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec\
Chrome_XinPay
\Google\Chrome\User Data\Default\Local Extension Settings\bocpokimicclpaiekenaeelehdjllofo\
Chrome_Ton
\Google\Chrome\User Data\Default\Local Extension Settings\nphplpgoakhhjchkkhmiggakijnkhfnd\
Chrome_Metamask
Chrome_Sollet
\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno\
Chrome_Slope
\Google\Chrome\User Data\Default\Local Extension Settings\pocmplpaccanhmnllbbkpgfliimjljgo\
Chrome_Starcoin
\Google\Chrome\User Data\Default\Local Extension Settings\mfhbebgoclkghebffdldpobeajmbecfk\
Chrome_Swash
\Google\Chrome\User Data\Default\Local Extension Settings\cmndjbecilbocjfkibfbifhngkdmjgog\
Chrome_Finnie
\Google\Chrome\User Data\Default\Local Extension Settings\cjmkndjhnagcfbpiemnkdpomccnjblmj\
Chrome_Keplr
\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap\
Chrome_Crocobit
\Google\Chrome\User Data\Default\Local Extension Settings\pnlfjmlcjdjgkddecgincndfgegkecke\
Chrome_Oxygen
\Google\Chrome\User Data\Default\Local Extension Settings\fhilaheimglignddkjgofkcbgekhenbh\
Chrome_Nifty
\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid\
Chrome_Liquality
\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn\
.compressed
bouncycastle.crypto
costura.bouncycastle.crypto.dll.compressed
costura
costura.costura.dll.compressed
costura.costura.pdb.compressed
dotnetzip
costura.dotnetzip.dll.compressed
microsoft.win32.primitives
costura.microsoft.win32.primitives.dll.compressed
newtonsoft.json
costura.newtonsoft.json.dll.compressed
system.appcontext
costura.system.appcontext.dll.compressed
system.console
costura.system.console.dll.compressed
system.data.sqlite
costura.system.data.sqlite.dll.compressed
system.diagnostics.diagnosticsource
costura.system.diagnostics.diagnosticsource.dll.compressed
system.diagnostics.tracing
costura.system.diagnostics.tracing.dll.compressed
system.globalization.calendars
costura.system.globalization.calendars.dll.compressed
system.io.compression
costura.system.io.compression.dll.compressed
system.io.compression.zipfile
costura.system.io.compression.zipfile.dll.compressed
system.io
costura.system.io.dll.compressed
system.io.filesystem
costura.system.io.filesystem.dll.compressed
system.io.filesystem.primitives
costura.system.io.filesystem.primitives.dll.compressed
system.net.http
costura.system.net.http.dll.compressed
system.net.sockets
costura.system.net.sockets.dll.compressed
system.reflection
costura.system.reflection.dll.compressed
system.runtime
costura.system.runtime.dll.compressed
system.runtime.extensions
costura.system.runtime.extensions.dll.compressed
system.runtime.interopservices
costura.system.runtime.interopservices.dll.compressed
system.runtime.interopservices.runtimeinformation
costura.system.runtime.interopservices.runtimeinformation.dll.compressed
system.security.cryptography.algorithms
costura.system.security.cryptography.algorithms.dll.compressed
system.security.cryptography.encoding
costura.system.security.cryptography.encoding.dll.compressed
system.security.cryptography.primitives
costura.system.security.cryptography.primitives.dll.compressed
system.security.cryptography.x509certificates
costura.system.security.cryptography.x509certificates.dll.compressed
system.xml.readerwriter
costura.system.xml.readerwriter.dll.compressed
C2 (1)http://45.67.230.199
TRiD
| .exe | | | Generic CIL Executable (.NET, Mono, etc.) (63.1) |
|---|---|---|
| .exe | | | Win64 Executable (generic) (23.8) |
| .dll | | | Win32 Dynamic Link Library (generic) (5.6) |
| .exe | | | Win32 Executable (generic) (3.8) |
| .exe | | | Generic Win/DOS Executable (1.7) |
EXIF
EXE
| AssemblyVersion: | 1.0.0.0 |
|---|---|
| ProductVersion: | 1.0.0.0 |
| ProductName: | - |
| OriginalFileName: | fogilcxv.exe |
| LegalTrademarks: | gdwhgeral |
| LegalCopyright: | - |
| InternalName: | fogilcxv.exe |
| FileVersion: | 1.0.0.0 |
| FileDescription: | tanos |
| CompanyName: | - |
| Comments: | fdgert opopchie |
| CharacterSet: | Unicode |
| LanguageCode: | Neutral |
| FileSubtype: | - |
| ObjectFileType: | Executable application |
| FileOS: | Win32 |
| FileFlags: | (none) |
| FileFlagsMask: | 0x003f |
| ProductVersionNumber: | 1.0.0.0 |
| FileVersionNumber: | 1.0.0.0 |
| Subsystem: | Windows GUI |
| SubsystemVersion: | 6 |
| ImageVersion: | - |
| OSVersion: | 4 |
| EntryPoint: | 0x22112e |
| UninitializedDataSize: | - |
| InitializedDataSize: | 182272 |
| CodeSize: | 2224640 |
| LinkerVersion: | 48 |
| PEType: | PE32 |
| ImageFileCharacteristics: | Executable, Large address aware, 32-bit |
| TimeStamp: | 2068:11:08 00:30:45+00:00 |
| MachineType: | Intel 386 or later, and compatibles |
Summary
| Architecture: | IMAGE_FILE_MACHINE_I386 |
|---|---|
| Subsystem: | IMAGE_SUBSYSTEM_WINDOWS_GUI |
| Compilation Date: | 08-Nov-2068 00:30:45 |
| Comments: | fdgert opopchie |
| CompanyName: | - |
| FileDescription: | tanos |
| FileVersion: | 1.0.0.0 |
| InternalName: | fogilcxv.exe |
| LegalCopyright: | - |
| LegalTrademarks: | gdwhgeral |
| OriginalFilename: | fogilcxv.exe |
| ProductName: | - |
| ProductVersion: | 1.0.0.0 |
| Assembly Version: | 1.0.0.0 |
DOS Header
| Magic number: | MZ |
|---|---|
| Bytes on last page of file: | 0x0090 |
| Pages in file: | 0x0003 |
| Relocations: | 0x0000 |
| Size of header: | 0x0004 |
| Min extra paragraphs: | 0x0000 |
| Max extra paragraphs: | 0xFFFF |
| Initial SS value: | 0x0000 |
| Initial SP value: | 0x00B8 |
| Checksum: | 0x0000 |
| Initial IP value: | 0x0000 |
| Initial CS value: | 0x0000 |
| Overlay number: | 0x0000 |
| OEM identifier: | 0x0000 |
| OEM information: | 0x0000 |
| Address of NE header: | 0x00000080 |
PE Headers
| Signature: | PE |
|---|---|
| Machine: | IMAGE_FILE_MACHINE_I386 |
| Number of sections: | 3 |
| Time date stamp: | 08-Nov-2068 00:30:45 |
| Pointer to Symbol Table: | 0x00000000 |
| Number of symbols: | 0 |
| Size of Optional Header: | 0x00E0 |
| Characteristics: |
|
Sections
Name | Virtual Address | Virtual Size | Raw Size | Charateristics | Entropy |
|---|---|---|---|---|---|
.text | 0x00002000 | 0x0021F134 | 0x0021F200 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 7.95157 |
.rsrc | 0x00222000 | 0x0002C57C | 0x0002C600 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 5.34164 |
.reloc | 0x00250000 | 0x0000000C | 0x00000200 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ | 0.10191 |
Resources
Title | Entropy | Size | Codepage | Language | Type |
|---|---|---|---|---|---|
1 | 5.00112 | 490 | UNKNOWN | UNKNOWN | RT_MANIFEST |
2 | 4.43469 | 67624 | UNKNOWN | UNKNOWN | RT_ICON |
3 | 4.78561 | 38056 | UNKNOWN | UNKNOWN | RT_ICON |
4 | 4.76922 | 21640 | UNKNOWN | UNKNOWN | RT_ICON |
5 | 4.66089 | 16936 | UNKNOWN | UNKNOWN | RT_ICON |
6 | 4.98162 | 9640 | UNKNOWN | UNKNOWN | RT_ICON |
7 | 5.05077 | 4264 | UNKNOWN | UNKNOWN | RT_ICON |
8 | 5.34627 | 2440 | UNKNOWN | UNKNOWN | RT_ICON |
9 | 5.41874 | 1128 | UNKNOWN | UNKNOWN | RT_ICON |
32512 | 3.03466 | 132 | UNKNOWN | UNKNOWN | RT_GROUP_ICON |
Imports
mscoree.dll |
Total processes
41
Monitored processes
2
Malicious processes
1
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 2824 | "C:\Users\admin\AppData\Local\Temp\gjnvlcxv.exe" | C:\Users\admin\AppData\Local\Temp\gjnvlcxv.exe | explorer.exe | ||||||||||||
User: admin Integrity Level: MEDIUM Description: tanos Exit code: 3762504530 Version: 1.0.0.0 Modules
BlackGuard(PID) Process(2824) gjnvlcxv.exe Strings (590)x64\\SQLite.Interop.dll x86\\SQLite.Interop.dll \\Browsers \\Browsers\\cookie_chrome.txt \\Browsers\\password_chrome.txt \\Browsers\\cookies_Brave.txt \\Browsers\\password_Brave.txt \\Browsers\\cookies_Vivaldi.txt \\Browsers\\password_Vivaldi.txt \\Browsers\\cookies_Opera.txt \\Browsers\\password_Opera.txt \\Browsers\\cookies_Edge.txt \\Browsers\\password_Edge.txt \\Browsers\\cookies_EdgeBeta.txt \\Browsers\\password_EdgeBeta.txt \\Wallets \\Browsers\\password_firefox.txt \\Browsers\\cookies_firefox.txt \\Messenger \\Chrome_Wallet \\Edge_Wallet \\Edge Betta_Wallet \UsAgent.txt Browser : {0} {1} {2} {3} {4} {5} {6} {7} {8} {9} {10} Unspecified Medium Domain: Domain: Login: Password: Password: {0} {1} {2} {3} {4} {5} {6} {7} \\Information.txt Upgrade.php http analyzer stand-alone fiddler effetech http sniffer firesheep IEWatch Professional dumpcap wireshark wireshark portable sysinternals tcpview NetworkMiner NetworkTrafficView HTTPNetworkSniffer tcpdump intercepter Intercepter-NG The Cookie database could not be found: The Key for decryption (Local State) could not be found: The Login database could not be found: \\Roaming\\ \\FTP\\WinSCP WinSCP.ini \\FTP\\WinSCP\\WinSCP.ini Hostname = ' ' | DecryptedUsername = ' ' | DecryptedPassword = ' Title = ' ' | Url = ' \zaredin.jbbt \UGFghfw.helt MM/dd/yyyy h:mm Software\\Microsoft\\Office\\15.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676 Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676 Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676 Software\\Microsoft\\Windows Messaging Subsystem\\Profiles\\9375CFF0413111d3B88A00104B2A6676 SMTP Email Address SMTP Server POP3 Server POP3 User Name SMTP User Name NNTP Email Address NNTP User Name NNTP Server IMAP Server IMAP User Name Email HTTP User HTTP Server URL POP3 User IMAP User HTTPMail User Name HTTPMail Server SMTP User POP3 Password2 IMAP Password2 NNTP Password2 HTTPMail Password2 SMTP Password2 POP3 Password IMAP Password NNTP Password HTTPMail Password SMTP Password \\Outlook.txt UGFzc3dvcmQ= null ^([a-zA-Z0-9_\-\.]+)@([a-zA-Z0-9_\-\.]+)\.([a-zA-Z]{2,5})$ ^(?!:\/\/)([a-zA-Z0-9-_]+\.)*[a-zA-Z0-9][a-zA-Z0-9-_]+\.[a-zA-Z]{2,11}?$ \\Temp\\dotnetbrowser-chromium\\64.0.3282.24.1.19.0.0.642\\32bit \\Chromium\\User Data \\Google\\Chrome\\User Data \\Google(x86)\\Chrome\\User Data \\MapleStudio\\ChromePlus\\User Data \\Iridium\\User Data \\7Star\\User Data \\CentBrowser\\User Data \\Chedot\\User Data \\Vivaldi\\User Data \\Kometa\\User Data \\Elements Browser\\User Data \\Epic Privacy Browser\\User Data \\uCozMedia\\Uran\\User Data \\Fenrir Inc\\Sleipnir5\\setting\\modules\\ChromiumViewer \\CatalinaGroup\\Citrio\\User Data \\Coowon\\Coowon\\User Data \\liebao\\User Data \\QIP Surf\\User Data \\Orbitum\\User Data \\Comodo\\Dragon\\User Data \\Amigo\\User\\User Data \\Torch\\User Data \\Comodo\\User Data \\360Browser\\Browser\\User Data \\Maxthon3\\User Data \\K-Melon\\User Data \\Sputnik\\Sputnik\\User Data \\Nichrome\\User Data \\CocCoc\\Browser\\User Data \\Uran\\User Data \\Chromodo\\User Data UNIQUE .dat Hostname: BCrypt.BCryptDecrypt() (get size) failed with status code: {0} BCrypt.BCryptDecrypt(): authentication tag mismatch BCrypt.BCryptDecrypt() failed with status code:{0} BCrypt.BCryptOpenAlgorithmProvider() failed with status code:{0} BCrypt.BCryptSetAlgorithmProperty(BCrypt.BCRYPT_CHAINING_MODE, BCrypt.BCRYPT_CHAIN_MODE_GCM) failed with status code:{0} BCrypt.BCryptImportKey() failed with status code:{0} BCrypt.BCryptGetProperty() (get size) failed with status code:{0} BCrypt.BCryptGetProperty() failed with status code:{0} ObjectLength ChainingModeGCM AuthTagLength ChainingMode KeyDataBlob Microsoft Primitive Provider ].rar cp866 files/upgrade.php?user={0}&hwid={1}&antivirus={2}&os={3}&passCount={4}&coockieCount={5}&walletCount={6}&telegramCount={7}&vpnCount={8}&ftpCount={9}&country={10}&searche={11}&link={12} POST SystemDrive SELECT * FROM CIM_OperatingSystem Caption Windows 8 Windows 8.1 Windows 10 Windows 11 Windows XP Windows 7 Server Unknown Windows Server SELECT * FROM Win32_OperatingSystem Version BIOS Maker: Unknown \root\SecurityCenter2 SELECT * FROM AntivirusProduct displayName https://ipwhois.app/xml/ country Armenia Azerbaijan Belarus Kazakhstan Kyrgyzstan Moldova Tajikistan Uzbekistan Ukraine Russia .txt .config .rdp Worlds SbieDll.dll cmdvrt32.dll jkvvd SxIn.dll uryu65 l5y546546t3tl 25454 cuckoomon.dll \\Discord \\Tokens.txt .log .ldb [a-zA-Z0-9]{24}\.[a-zA-Z0-9]{6}\.[a-zA-Z0-9_\-]{27}|mfa\.[a-zA-Z0-9_\-]{84} Discord\\Local Storage\\leveldb Discord PTB\\Local Storage\\leveldb Discord Canary\\leveldb \\Files \\source \\FileZilla \\FileZilla.log RecentServers SG9zdA== UG9ydA== Rǫ UGFzcw== link: Port: Uname: pws: FileZilla\recentservers.xml \\GHISLER\\ \\FTP\\Total Commander wcx_ftp.ini \\FTP\\Total Commander\\wcx_ftp.ini Protocol: Login: pSWrd: \\Pidgin_INFo.txt .purple\\accounts.xml \\Steam ssfn* \\config\\config.vdf \\config.vdf \\config\\loginusers.vdf \\loginusers.vdf \\config\\SteamAppData.vdf \\SteamAppData.vdf Software\\Wow6432Node\\Valve\\Steam InstallPath Software\\Valve\\Steam VGVsZWdyYW0= %appdata% \Telegram Desktop\tdata \\Telegram Telegram.exe \tdata \\Telegram\\ NordVPN NordVpn.exe* user.config \\VPN\\NordVPN\\ //setting[@name='Username']/value //setting[@name='Password']/value \\accounts.txt OpenVPN Connect\\profiles \\VPN\\OpenVPN b3Zwbg== ProtonVPN ProtonVPN.exe \\user.config \\VPN\\ProtonVPN U29mdHdhcmU= strDataDir \\wallets Zcash \\Zcash Armory \\Armory SmF4eA== \\com.liberty.jaxx\\IndexedDB\\file__0.indexeddb.leveldb Exodus \\Exodus\\exodus.wallet RXRoZXJldW0= \\Ethereum\\keystore RWxlY3RydW0= \\Electrum\\wallets QXRvbWljV2FsbGV0 \\atomic\\Local Storage\\leveldb Guarda \\Guarda\\Local Storage\\leveldb Zap \\Zap\\Local Storage\\leveldb Binance \\Binance\\Local Storage\\leveldb atomic_qt \\atomic_qt\\config Frame \\Frame\\Local Storage\\leveldb io.solarwallet.app \\io.solarwallet.app\\Local Storage\\leveldb TokenPocket \\TokenPocket\\Local Storage\\leveldb TGl0ZWNvaW4= RGFzaA== *.txt \\Browsers\\search_link.txt SELECT ExecutablePath, ProcessID FROM Win32_Process ProcessID ExecutablePath Software\Microsoft\Windows\Shell\Associations\UrlAssociations\http\UserChoice Progid chromehtml chrome firefoxurl firefox operastable opera yandexhtml browser msedgehtm msedge iexplore http://127.0.0.1:{0} http://127.0.0.1:{0}/ User-Agent https://google.com/ dictionary ERROR SELECT COUNT(*) AS CNTREC FROM pragma_table_info(' ') WHERE name=' The current process is 32-bit! To decrypt firefox values it needs to be 64-bit \mozglue.dll MozGlue was not found: \nss3.dll NSS3 was not found: \mozglue.dll could not be found: \nss3.dll could not be found: NSS_Init PK11SDR_Decrypt NSS_Shutdown Process Address of NSS_Init was not found! Process Address of PK11SDR_Decrypt was not found! Process Address of NSS_Shutdown was not found! Function 'NSS_Init()' was not found! Function 'PK11SDR_Decrypt()' was not found! Function 'NSS_Shutdown()' was not found! Key length not 128/192/256 bits. Should never get here invalid parameter passed to AES init AES engine not initialised input buffer too short output buffer too short cipher required with a block size of /GCM Invalid value for MAC size: invalid parameters passed to GCM IV must be at least 1 byte cannot reuse nonce for GCM encryption Key must be specified in initial init Output buffer too short data too short mac check in GCM failed Attempt to process too many blocks GCM cipher cannot be reused for encryption GCM cipher needs to be initialised keyOff keyLen YXV0b2ZpbGw= Opera \\Opera Stable\\Local State \\Local State "encrypted_key":"(.*?)" Opera Opera Software \\Login Data \\Web Data \\History \\Passwords.txt \\AutoFill.txt \\History.txt \\Downloads.txt downloads dXJscw== logins kardannivall.Properties.Resources upche Gecko profile path was not found: \cookies.sqlite \logins.json \places.sqlite hostname httpRealm formSubmitURL usernameField passwordField encryptedUsername encryptedPassword guid encType timeCreated timeLastUsed timePasswordChanged timesUsed ProgramW6432 \Mozilla Firefox The Login File could not be found: \logins.json Profile could not be set: ConvertDynamicObjectsToLogins logins value The History database could not be found: Data Source= ;pooling=false {0} WHERE {1} = '{2}' SELECT id,url,title,rev_host,visit_count,hidden,typed,frecency,last_visit_date,guid,foreign_count,url_hash,description,preview_image_url,origin_id,site_name FROM moz_places C:\Users\ \AppData\Local\Microsoft\Edge Beta\User Data\Default\Network\Cookies \AppData\Local\Microsoft\Edge Beta\User Data\Local State \AppData\Local\Microsoft\Edge Beta\User Data\Default\Login Data \AppData\Local\BraveSoftware\Brave-Browser\User Data\Default\Network\Cookies \AppData\Local\BraveSoftware\Brave-Browser\User Data\Local State \AppData\Local\BraveSoftware\Brave-Browser\User Data\Default\Login Data \AppData\Local\Google\Chrome\User Data\Default\Network\Cookies \AppData\Local\Google\Chrome\User Data\Local State \AppData\Local\Google\Chrome\User Data\Default\Login Data SELECT creation_utc,top_frame_site_key,host_key,name,value,encrypted_value,path,expires_utc,is_secure,is_httponly,last_access_utc,has_expires,is_persistent,priority,samesite,source_scheme,source_port,is_same_party FROM cookies SELECT origin_url,action_url,username_element,username_value,password_element,password_value,submit_element,signon_realm,date_created,blacklisted_by_user,scheme,password_type,times_used,form_data,display_name,icon_url,federation_url,skip_zero_click,generation_upload_status,possible_username_pairs,id... encrypted_key os_crypt Key needs to be {0} bit! Message required! message \AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies \AppData\Local\Microsoft\Edge\User Data\Local State \AppData\Local\Microsoft\Edge\User Data\Default\Login Data \AppData\Roaming\Mozilla\Firefox\Profiles default-release SELECT id,originAttributes,name,value,host,path,expiry,lastAccessed,creationTime,isSecure,isHttpOnly,inBrowserElement,sameSite,rawSameSite,schemeMap FROM moz_cookies \AppData\Roaming\Opera Software\Opera Stable\Cookies \AppData\Roaming\Opera Software\Opera Stable\Local State \AppData\Roaming\Opera Software\Opera Stable\Login Data \AppData\Roaming\Opera Software\Opera GX Stable\Cookies \AppData\Roaming\Opera Software\Opera GX Stable\Local State \AppData\Roaming\Opera Software\Opera GX Stable\Login Data \AppData\Local\Vivaldi\User Data\Default\Network\Cookies \AppData\Local\Vivaldi\User Data\Local State \AppData\Local\Vivaldi\User Data\Default\Login Data Tox \\tox Element \\Element\\Local Storage\\leveldb Signal \\Signal\\Local Storage\\leveldb Proxifier \\Proxifier4\\Profiles EdgeBETA_Auvitas \Microsoft\Edge Beta\User Data\Default\Local Extension Settings\klfhbdnlcfcaccoakhceodhldjojboga\ EdgeBETA_Math \Microsoft\Edge Beta\User Data\Default\Local Extension Settings\dfeccadlilpndjjohbjdblepmjeahlmm\ EdgeBETA_Metamask \Microsoft\Edge Beta\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm\ EdgeBETA_MTV \Microsoft\Edge Beta\User Data\Default\Local Extension Settings\oooiblbdpdlecigodndinbpfopomaegl\ EdgeBETA_Rabet \Microsoft\Edge Beta\User Data\Default\Local Extension Settings\aanjhgiamnacdfnlfnmgehjikagdbafd\ EdgeBETA_Ronin \Microsoft\Edge Beta\User Data\Default\Local Extension Settings\bblmcdckkhkhfhhpfcchlpalebmonecp\ EdgeBETA_Yoroi \Microsoft\Edge Beta\User Data\Default\Local Extension Settings\akoiaibnepcedcplijmiamnaigbepmcb\ EdgeBETA_Zilpay \Microsoft\Edge Beta\User Data\Default\Local Extension Settings\fbekallmnjoeggkefjkbebpineneilec\ EdgeBETA_Exodus \Microsoft\Edge Beta\User Data\Default\Local Extension Settings\jdiccldimpdaibmpdkjnbmckianbfold\ EdgeBETA_Terra_Station \Microsoft\Edge Beta\User Data\Default\Local Extension Settings\ajkhoeiiokighlmdnlakpjfoobnjinie\ EdgeBETA_Jaxx Edge_Auvitas \Microsoft\Edge\User Data\Default\Local Extension Settings\klfhbdnlcfcaccoakhceodhldjojboga\ Edge_Math \Microsoft\Edge\User Data\Default\Local Extension Settings\dfeccadlilpndjjohbjdblepmjeahlmm\ Edge_Metamask \Microsoft\Edge\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm\ Edge_MTV \Microsoft\Edge\User Data\Default\Local Extension Settings\oooiblbdpdlecigodndinbpfopomaegl\ Edge_Rabet \Microsoft\Edge\User Data\Default\Local Extension Settings\aanjhgiamnacdfnlfnmgehjikagdbafd\ Edge_Ronin \Microsoft\Edge\User Data\Default\Local Extension Settings\bblmcdckkhkhfhhpfcchlpalebmonecp\ Edge_Yoroi \Microsoft\Edge\User Data\Default\Local Extension Settings\akoiaibnepcedcplijmiamnaigbepmcb\ Edge_Zilpay \Microsoft\Edge\User Data\Default\Local Extension Settings\fbekallmnjoeggkefjkbebpineneilec\ Edge_Exodus \Microsoft\Edge\User Data\Default\Local Extension Settings\jdiccldimpdaibmpdkjnbmckianbfold\ Edge_Terra_Station \Microsoft\Edge\User Data\Default\Local Extension Settings\ajkhoeiiokighlmdnlakpjfoobnjinie\ Edge_Jaxx \Microsoft\Edge\User Data\Default\Local Extension Settings\dmdimapfghaakeibppbfeokhgoikeoci\ Chrome_Binance \Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp\ Chrome_Bitapp \Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi\ Chrome_Coin98 \Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg\ Chrome_Equal \Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn\ Chrome_Guild \Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj\ Chrome_Iconex \Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfel\ Chrome_Math \Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc\ Chrome_Mobox \Google\Chrome\User Data\Default\Local Extension Settings\fcckkdbjnoikooededlapcalpionmalo\ Chrome_Phantom \Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa\ Chrome_Tron \Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec\ Chrome_XinPay \Google\Chrome\User Data\Default\Local Extension Settings\bocpokimicclpaiekenaeelehdjllofo\ Chrome_Ton \Google\Chrome\User Data\Default\Local Extension Settings\nphplpgoakhhjchkkhmiggakijnkhfnd\ Chrome_Metamask Chrome_Sollet \Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno\ Chrome_Slope \Google\Chrome\User Data\Default\Local Extension Settings\pocmplpaccanhmnllbbkpgfliimjljgo\ Chrome_Starcoin \Google\Chrome\User Data\Default\Local Extension Settings\mfhbebgoclkghebffdldpobeajmbecfk\ Chrome_Swash \Google\Chrome\User Data\Default\Local Extension Settings\cmndjbecilbocjfkibfbifhngkdmjgog\ Chrome_Finnie \Google\Chrome\User Data\Default\Local Extension Settings\cjmkndjhnagcfbpiemnkdpomccnjblmj\ Chrome_Keplr \Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap\ Chrome_Crocobit \Google\Chrome\User Data\Default\Local Extension Settings\pnlfjmlcjdjgkddecgincndfgegkecke\ Chrome_Oxygen \Google\Chrome\User Data\Default\Local Extension Settings\fhilaheimglignddkjgofkcbgekhenbh\ Chrome_Nifty \Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid\ Chrome_Liquality \Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn\ .compressed bouncycastle.crypto costura.bouncycastle.crypto.dll.compressed costura costura.costura.dll.compressed costura.costura.pdb.compressed dotnetzip costura.dotnetzip.dll.compressed microsoft.win32.primitives costura.microsoft.win32.primitives.dll.compressed newtonsoft.json costura.newtonsoft.json.dll.compressed system.appcontext costura.system.appcontext.dll.compressed system.console costura.system.console.dll.compressed system.data.sqlite costura.system.data.sqlite.dll.compressed system.diagnostics.diagnosticsource costura.system.diagnostics.diagnosticsource.dll.compressed system.diagnostics.tracing costura.system.diagnostics.tracing.dll.compressed system.globalization.calendars costura.system.globalization.calendars.dll.compressed system.io.compression costura.system.io.compression.dll.compressed system.io.compression.zipfile costura.system.io.compression.zipfile.dll.compressed system.io costura.system.io.dll.compressed system.io.filesystem costura.system.io.filesystem.dll.compressed system.io.filesystem.primitives costura.system.io.filesystem.primitives.dll.compressed system.net.http costura.system.net.http.dll.compressed system.net.sockets costura.system.net.sockets.dll.compressed system.reflection costura.system.reflection.dll.compressed system.runtime costura.system.runtime.dll.compressed system.runtime.extensions costura.system.runtime.extensions.dll.compressed system.runtime.interopservices costura.system.runtime.interopservices.dll.compressed system.runtime.interopservices.runtimeinformation costura.system.runtime.interopservices.runtimeinformation.dll.compressed system.security.cryptography.algorithms costura.system.security.cryptography.algorithms.dll.compressed system.security.cryptography.encoding costura.system.security.cryptography.encoding.dll.compressed system.security.cryptography.primitives costura.system.security.cryptography.primitives.dll.compressed system.security.cryptography.x509certificates costura.system.security.cryptography.x509certificates.dll.compressed system.xml.readerwriter costura.system.xml.readerwriter.dll.compressed C2 (1)http://45.67.230.199 | |||||||||||||||
| 3864 | "C:\Windows\system32\verclsid.exe" /S /C {0B2C9183-C9FA-4C53-AE21-C900B0C39965} /I {0C733A8A-2A1C-11CE-ADE5-00AA0044773D} /X 0x401 | C:\Windows\System32\verclsid.exe | — | explorer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Extension CLSID Verification Host Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
Total events
6 210
Read events
6 182
Write events
28
Delete events
0
Modification events
| (PID) Process: | (2824) gjnvlcxv.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\MuiCache\16D\52C64B7E |
| Operation: | write | Name: | LanguageList |
Value: en-US | |||
Executable files
0
Suspicious files
0
Text files
0
Unknown types
0
Dropped files
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
2
TCP/UDP connections
3
DNS requests
1
Threats
0
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
2824 | gjnvlcxv.exe | GET | — | 45.67.230.199:80 | http://45.67.230.199/Upgrade.php | unknown | — | — | suspicious |
2824 | gjnvlcxv.exe | GET | — | 45.67.230.199:80 | http://45.67.230.199/Upgrade.php | unknown | — | — | suspicious |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
2824 | gjnvlcxv.exe | 45.67.230.199:80 | — | Webhost LLC | RU | suspicious |
2824 | gjnvlcxv.exe | 195.201.57.90:443 | ipwhois.app | Hetzner Online GmbH | DE | suspicious |
DNS requests
Domain | IP | Reputation |
|---|---|---|
ipwhois.app |
| suspicious |