Loading ...

Play interactive tourEdit tour

Analysis Report CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe

Overview

General Information

Sample Name:CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe
Analysis ID:378098
MD5:edeff76475b73d1ea8f9f8eb8afdb738
SHA1:0ec4cf852db313d8d6c7896f4a8fd10f73228749
SHA256:a214379d617efa77932adcbd90240cf0fb0ba443b50d4f93475edde4d53b1681
Tags:exe
Infos:

Most interesting Screenshot:

Detection

GuLoader Raccoon
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found malware configuration
Multi AV Scanner detection for domain / URL
Yara detected GuLoader
Yara detected Raccoon Stealer
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Hides threads from debuggers
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected VB6 Downloader Generic
Abnormal high CPU Usage
Checks if the current process is being debugged
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Downloads executable code via HTTP
Drops PE files
Found dropped PE file which has not been started or loaded
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
Is looking for software installed on the system
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

Startup

  • System is w10x64
  • CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe (PID: 6592 cmdline: 'C:\Users\user\Desktop\CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe' MD5: EDEFF76475B73D1EA8F9F8EB8AFDB738)
    • CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe (PID: 5668 cmdline: 'C:\Users\user\Desktop\CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe' MD5: EDEFF76475B73D1EA8F9F8EB8AFDB738)
      • cmd.exe (PID: 6744 cmdline: cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q 'C:\Users\user\Desktop\CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
        • conhost.exe (PID: 6824 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • timeout.exe (PID: 6716 cmdline: timeout /T 10 /NOBREAK MD5: 121A4EDAE60A7AF6F5DFA82F7BB95659)
  • cleanup

Malware Configuration

Threatname: Raccoon Stealer

{"Config: ": ["00000000 -> Raccoon | 1.7.3", "Build compile date: Sat Feb 27 21:25:06 2021", "Launched at: 2021.03.30 - 12:22:53 GMT", "Bot_ID: D06ED635-68F6-4E9A-955C-4899F5F57B9A_user", "Running on a desktop", "-------------", "- Cookies: 1", "- Passwords: 0", "- Files: 0", "System Information:", "- System Language: English", "- System TimeZone: +1 hrs", "- IP: 84.17.52.79", "- Location: 47.431702, 8.575900 | Zurich, Zurich, Switzerland (8152)", "- ComputerName: 980108", "- Username: user", "- Windows version: NT 10.0", "- Product name: Windows 10 Pro", "- System arch: x64", "- CPU: Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz (4 cores)", "- RAM: 8191 MB (5383 MB used)", "- Screen resolution: 1280x1024", "- Display devices:", "0) Microsoft Basic Display Adapter", "-------------", "Installed Apps:", "Adobe Acrobat Reader DC (19.012.20035)", "Adobe Refresh Manager (1.8.0)", "Google Chrome (85.0.4183.121)", "Google Update Helper (1.3.35.451)", "Java 8 Update 211 (8.0.2110.12)", "Java Auto Updater (2.8.211.12)", "Update for Skype for Business 2016 (KB4484286) 32-Bit Edition", "-------------"]}

Yara Overview

Memory Dumps

SourceRuleDescriptionAuthorStrings
Process Memory Space: CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe PID: 5668JoeSecurity_VB6DownloaderGenericYara detected VB6 Downloader GenericJoe Security
    Process Memory Space: CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe PID: 5668JoeSecurity_RaccoonYara detected Raccoon StealerJoe Security
      Process Memory Space: CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe PID: 5668JoeSecurity_GuLoaderYara detected GuLoaderJoe Security

        Sigma Overview

        No Sigma rule has matched

        Signature Overview

        Click to jump to signature section

        Show All Signature Results

        AV Detection:

        barindex
        Found malware configurationShow sources
        Source: machineinfo.txt.4.dr.binstrMalware Configuration Extractor: Raccoon Stealer {"Config: ": ["00000000 -> Raccoon | 1.7.3", "Build compile date: Sat Feb 27 21:25:06 2021", "Launched at: 2021.03.30 - 12:22:53 GMT", "Bot_ID: D06ED635-68F6-4E9A-955C-4899F5F57B9A_user", "Running on a desktop", "-------------", "- Cookies: 1", "- Passwords: 0", "- Files: 0", "System Information:", "- System Language: English", "- System TimeZone: +1 hrs", "- IP: 84.17.52.79", "- Location: 47.431702, 8.575900 | Zurich, Zurich, Switzerland (8152)", "- ComputerName: 980108", "- Username: user", "- Windows version: NT 10.0", "- Product name: Windows 10 Pro", "- System arch: x64", "- CPU: Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz (4 cores)", "- RAM: 8191 MB (5383 MB used)", "- Screen resolution: 1280x1024", "- Display devices:", "0) Microsoft Basic Display Adapter", "-------------", "Installed Apps:", "Adobe Acrobat Reader DC (19.012.20035)", "Adobe Refresh Manager (1.8.0)", "Google Chrome (85.0.4183.121)", "Google Update Helper (1.3.35.451)", "Java 8 Update 211 (8.0.2110.12)", "Java Auto Updater (2.8.211.12)", "Update for Skype for Business 2016 (KB4484286) 32-Bit Edition", "-------------"]}
        Multi AV Scanner detection for domain / URLShow sources
        Source: telete.inVirustotal: Detection: 9%Perma Link
        Yara detected Raccoon StealerShow sources
        Source: Yara matchFile source: Process Memory Space: CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe PID: 5668, type: MEMORY
        Source: CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exeStatic PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
        Source: unknownHTTPS traffic detected: 111.67.28.15:443 -> 192.168.2.4:49742 version: TLS 1.2
        Source: unknownHTTPS traffic detected: 195.201.225.248:443 -> 192.168.2.4:49743 version: TLS 1.2
        Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\security\nss\lib\freebl\freebl_freebl3\freebl3.pdbZZ source: freebl3.dll.4.dr
        Source: Binary string: api-ms-win-crt-locale-l1-1-0.pdb source: api-ms-win-crt-locale-l1-1-0.dll.4.dr
        Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\gfx\angle\targets\libEGL\libEGL.pdb source: libEGL.dll.4.dr
        Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\comm\ldap\c-sdk\libraries\libprldap\prldap60.pdb source: prldap60.dll.4.dr
        Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\accessible\interfaces\ia2\IA2Marshal.pdb source: IA2Marshal.dll.4.dr
        Source: Binary string: api-ms-win-crt-runtime-l1-1-0.pdb source: api-ms-win-crt-runtime-l1-1-0.dll.4.dr
        Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\security\nss3.pdb source: CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe, 00000004.00000002.854419635.000000006D280000.00000002.00020000.sdmp, nss3.dll.4.dr
        Source: Binary string: ucrtbase.pdb source: ucrtbase.dll.4.dr
        Source: Binary string: api-ms-win-core-file-l1-2-0.pdb source: api-ms-win-core-file-l1-2-0.dll.4.dr
        Source: Binary string: api-ms-win-core-memory-l1-1-0.pdb source: api-ms-win-core-memory-l1-1-0.dll.4.dr
        Source: Binary string: api-ms-win-core-sysinfo-l1-1-0.pdb source: api-ms-win-core-sysinfo-l1-1-0.dll.4.dr
        Source: Binary string: api-ms-win-crt-filesystem-l1-1-0.pdb source: api-ms-win-crt-filesystem-l1-1-0.dll.4.dr
        Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\comm\ldap\c-sdk\libraries\libldap\ldap60.pdb source: ldap60.dll.4.dr
        Source: Binary string: api-ms-win-crt-stdio-l1-1-0.pdb source: api-ms-win-crt-stdio-l1-1-0.dll.4.dr
        Source: Binary string: api-ms-win-core-heap-l1-1-0.pdb source: api-ms-win-core-heap-l1-1-0.dll.4.dr
        Source: Binary string: api-ms-win-core-util-l1-1-0.pdb source: api-ms-win-core-util-l1-1-0.dll.4.dr
        Source: Binary string: api-ms-win-core-synch-l1-1-0.pdb source: api-ms-win-core-synch-l1-1-0.dll.4.dr
        Source: Binary string: vcruntime140.i386.pdbGCTL source: vcruntime140.dll.4.dr
        Source: Binary string: api-ms-win-crt-environment-l1-1-0.pdb source: api-ms-win-crt-environment-l1-1-0.dll.4.dr
        Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\security\nss\lib\softoken\softoken_softokn3\softokn3.pdb source: softokn3.dll.4.dr
        Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\security\nss\lib\ckfw\builtins\builtins_nssckbi\nssckbi.pdb source: nssckbi.dll.4.dr
        Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\mozglue\build\mozglue.pdb22! source: CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe, 00000004.00000002.854118774.000000006D159000.00000002.00020000.sdmp, mozglue.dll.4.dr
        Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\security\nss\lib\freebl\freebl_freebl3\freebl3.pdb source: freebl3.dll.4.dr
        Source: Binary string: api-ms-win-core-processthreads-l1-1-0.pdb source: api-ms-win-core-processthreads-l1-1-0.dll.4.dr
        Source: Binary string: api-ms-win-crt-private-l1-1-0.pdb source: api-ms-win-crt-private-l1-1-0.dll.4.dr
        Source: Binary string: api-ms-win-crt-convert-l1-1-0.pdb source: api-ms-win-crt-convert-l1-1-0.dll.4.dr
        Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\accessible\ipc\win\handler\AccessibleHandler.pdb source: AccessibleHandler.dll.4.dr
        Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\security\nss\lib\softoken\legacydb\legacydb_nssdbm3\nssdbm3.pdb-- source: nssdbm3.dll.4.dr
        Source: Binary string: msvcp140.i386.pdb source: msvcp140.dll.4.dr
        Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\comm\mailnews\mapi\mapihook\build\MapiProxy.pdb source: MapiProxy.dll.4.dr
        Source: Binary string: api-ms-win-core-profile-l1-1-0.pdb source: api-ms-win-core-profile-l1-1-0.dll.4.dr
        Source: Binary string: ucrtbase.pdbUGP source: ucrtbase.dll.4.dr
        Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\comm\ldap\c-sdk\libraries\libldap\ldap60.pdbUU source: ldap60.dll.4.dr
        Source: Binary string: api-ms-win-crt-time-l1-1-0.pdb source: api-ms-win-crt-time-l1-1-0.dll.4.dr
        Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\security\nss\lib\ckfw\builtins\builtins_nssckbi\nssckbi.pdb66 source: nssckbi.dll.4.dr
        Source: Binary string: api-ms-win-core-handle-l1-1-0.pdb source: api-ms-win-core-handle-l1-1-0.dll.4.dr
        Source: Binary string: api-ms-win-core-synch-l1-2-0.pdb source: api-ms-win-core-synch-l1-2-0.dll.4.dr
        Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\security\nss\lib\softoken\softoken_softokn3\softokn3.pdb)) source: softokn3.dll.4.dr
        Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\accessible\interfaces\ia2\IA2Marshal.pdb<< source: IA2Marshal.dll.4.dr
        Source: Binary string: api-ms-win-core-processenvironment-l1-1-0.pdb source: api-ms-win-core-processenvironment-l1-1-0.dll.4.dr
        Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\mozglue\build\mozglue.pdb source: CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe, 00000004.00000002.854118774.000000006D159000.00000002.00020000.sdmp, mozglue.dll.4.dr
        Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\toolkit\library\dummydll\qipcap.pdb source: qipcap.dll.4.dr
        Source: Binary string: api-ms-win-crt-conio-l1-1-0.pdb source: api-ms-win-crt-conio-l1-1-0.dll.4.dr
        Source: Binary string: api-ms-win-core-localization-l1-2-0.pdb source: api-ms-win-core-localization-l1-2-0.dll.4.dr
        Source: Binary string: api-ms-win-crt-math-l1-1-0.pdb source: api-ms-win-crt-math-l1-1-0.dll.4.dr
        Source: Binary string: api-ms-win-core-processthreads-l1-1-1.pdb source: api-ms-win-core-processthreads-l1-1-1.dll.4.dr
        Source: Binary string: api-ms-win-core-namedpipe-l1-1-0.pdb source: api-ms-win-core-namedpipe-l1-1-0.dll.4.dr
        Source: Binary string: vcruntime140.i386.pdb source: vcruntime140.dll.4.dr
        Source: Binary string: api-ms-win-crt-multibyte-l1-1-0.pdb source: api-ms-win-crt-multibyte-l1-1-0.dll.4.dr
        Source: Binary string: api-ms-win-crt-utility-l1-1-0.pdb source: api-ms-win-crt-utility-l1-1-0.dll.4.dr
        Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\comm\mailnews\mapi\mapiDLL\mozMapi32.pdb source: mozMapi32.dll.4.dr
        Source: Binary string: api-ms-win-core-rtlsupport-l1-1-0.pdb source: api-ms-win-core-rtlsupport-l1-1-0.dll.4.dr
        Source: Binary string: api-ms-win-core-timezone-l1-1-0.pdb source: api-ms-win-core-timezone-l1-1-0.dll.4.dr
        Source: Binary string: api-ms-win-core-string-l1-1-0.pdb source: api-ms-win-core-string-l1-1-0.dll.4.dr
        Source: Binary string: msvcp140.i386.pdbGCTL source: msvcp140.dll.4.dr
        Source: Binary string: api-ms-win-core-file-l2-1-0.pdb source: api-ms-win-core-file-l2-1-0.dll.4.dr
        Source: Binary string: api-ms-win-crt-process-l1-1-0.pdb source: api-ms-win-crt-process-l1-1-0.dll.4.dr
        Source: Binary string: api-ms-win-core-libraryloader-l1-1-0.pdb source: api-ms-win-core-libraryloader-l1-1-0.dll.4.dr
        Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\comm\ldap\c-sdk\libraries\libldif\ldif60.pdb source: ldif60.dll.4.dr
        Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\config\external\lgpllibs\lgpllibs.pdb source: lgpllibs.dll.4.dr
        Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\accessible\interfaces\msaa\AccessibleMarshal.pdb source: AccessibleMarshal.dll.4.dr
        Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\security\nss\lib\softoken\legacydb\legacydb_nssdbm3\nssdbm3.pdb source: nssdbm3.dll.4.dr
        Source: Binary string: api-ms-win-core-interlocked-l1-1-0.pdb source: api-ms-win-core-interlocked-l1-1-0.dll.4.dr
        Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\toolkit\crashreporter\injector\breakpadinjector.pdb source: breakpadinjector.dll.4.dr
        Source: Binary string: api-ms-win-crt-heap-l1-1-0.pdb source: api-ms-win-crt-heap-l1-1-0.dll.4.dr
        Source: Binary string: api-ms-win-crt-string-l1-1-0.pdb source: api-ms-win-crt-string-l1-1-0.dll.4.dr
        Source: C:\Users\user\Desktop\CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\html\Jump to behavior
        Source: C:\Users\user\Desktop\CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\_locales\Jump to behavior
        Source: C:\Users\user\Desktop\CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\Jump to behavior
        Source: C:\Users\user\Desktop\CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\images\Jump to behavior
        Source: C:\Users\user\Desktop\CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\_locales\bg\Jump to behavior
        Source: C:\Users\user\Desktop\CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\css\Jump to behavior
        Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKServer: nginxDate: Tue, 30 Mar 2021 12:22:48 GMTContent-Type: application/octet-streamContent-Length: 916735Connection: keep-aliveLast-Modified: Thu, 11 Feb 2021 18:55:17 GMTETag: "60257d95-dfcff"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 12 00 17 19 74 5c 00 10 0c 00 12 10 00 00 e0 00 06 21 0b 01 02 19 00 5a 09 00 00 04 0b 00 00 0a 00 00 00 14 00 00 00 10 00 00 00 70 09 00 00 00 e0 61 00 10 00 00 00 02 00 00 04 00 00 00 01 00 00 00 04 00 00 00 00 00 00 00 00 b0 0c 00 00 06 00 00 1c 87 0e 00 03 00 00 00 00 00 20 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 c0 0a 00 9d 20 00 00 00 f0 0a 00 48 0c 00 00 00 20 0b 00 a8 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 30 0b 00 bc 33 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 10 0b 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f0 f1 0a 00 b4 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 58 58 09 00 00 10 00 00 00 5a 09 00 00 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 00 50 60 2e 64 61 74 61 00 00 00 fc 1b 00 00 00 70 09 00 00 1c 00 00 00 60 09 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 60 c0 2e 72 64 61 74 61 00 00 14 1f 01 00 00 90 09 00 00 20 01 00 00 7c 09 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 60 40 2e 62 73 73 00 00 00 00 28 08 00 00 00 b0 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 60 c0 2e 65 64 61 74 61 00 00 9d 20 00 00 00 c0 0a 00 00 22 00 00 00 9c 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 40 2e 69 64 61 74 61 00 00 48 0c 00 00 00 f0 0a 00 00 0e 00 00 00 be 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 43 52 54 00 00 00 00 2c 00 00 00 00 00 0b 00 00 02 00 00 00 cc 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 74 6c 73 00 00 00 00 20 00 00 00 00 10 0b 00 00 02 00 00 00 ce 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 72 73 72 63 00 00 00 a8 04 00 00 00 20 0b 00 00 06 00 00 00 d0 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 72 65 6c 6f 63 00 00 bc 33 00 00 00 30 0b 00 00 34 00 00 00 d6 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 42 2f 34 00 00 00 00 00 00 d8 02 00 00 00 70 0b 00 00 04 00 00 00 0a 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 40 42 2f 31 39 00 00 00 00 00 d8 98 00 00 00 80 0b 00 00 9a 00 00 00 0e 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 33 31 00 00 00 00 00 f5 1a 00 00 00 20 0c 00 00 1c 00 00 00 a8 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 34 35 00 00 00 00 00 80 1a 00 00 00 40 0c 00 00 1c
        Source: global trafficHTTP traffic detected: POST / HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheContent-Type: text/plain; charset=UTF-8Content-Length: 128Host: 45.139.236.6
        Source: global trafficHTTP traffic detected: GET //l/f/7y4Wg3gBuI_ccNKoGwkK/0a3546e5040ab5a4b3cac44b064a321d51adba4a HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: 45.139.236.6
        Source: global trafficHTTP traffic detected: GET //l/f/7y4Wg3gBuI_ccNKoGwkK/7a6d75ef6f646f4419fc28f58e62a7952e597921 HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: 45.139.236.6
        Source: global trafficHTTP traffic detected: POST / HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheContent-Type: multipart/form-data, boundary=fQ2iY0qI4sL4iB1dG6aM1wQ5vV6aContent-Length: 1401Host: 45.139.236.6
        Source: Joe Sandbox ViewIP Address: 195.201.225.248 195.201.225.248
        Source: Joe Sandbox ViewIP Address: 45.139.236.6 45.139.236.6
        Source: Joe Sandbox ViewASN Name: HETZNER-ASDE HETZNER-ASDE
        Source: Joe Sandbox ViewJA3 fingerprint: ce5f3254611a8c095a3d821d44539877
        Source: Joe Sandbox ViewJA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
        Source: unknownTCP traffic detected without corresponding DNS query: 45.139.236.6
        Source: unknownTCP traffic detected without corresponding DNS query: 45.139.236.6
        Source: unknownTCP traffic detected without corresponding DNS query: 45.139.236.6
        Source: unknownTCP traffic detected without corresponding DNS query: 45.139.236.6
        Source: unknownTCP traffic detected without corresponding DNS query: 45.139.236.6
        Source: unknownTCP traffic detected without corresponding DNS query: 45.139.236.6
        Source: unknownTCP traffic detected without corresponding DNS query: 45.139.236.6
        Source: unknownTCP traffic detected without corresponding DNS query: 45.139.236.6
        Source: unknownTCP traffic detected without corresponding DNS query: 45.139.236.6
        Source: unknownTCP traffic detected without corresponding DNS query: 45.139.236.6
        Source: unknownTCP traffic detected without corresponding DNS query: 45.139.236.6
        Source: unknownTCP traffic detected without corresponding DNS query: 45.139.236.6
        Source: unknownTCP traffic detected without corresponding DNS query: 45.139.236.6
        Source: unknownTCP traffic detected without corresponding DNS query: 45.139.236.6
        Source: unknownTCP traffic detected without corresponding DNS query: 45.139.236.6
        Source: unknownTCP traffic detected without corresponding DNS query: 45.139.236.6
        Source: unknownTCP traffic detected without corresponding DNS query: 45.139.236.6
        Source: unknownTCP traffic detected without corresponding DNS query: 45.139.236.6
        Source: unknownTCP traffic detected without corresponding DNS query: 45.139.236.6
        Source: unknownTCP traffic detected without corresponding DNS query: 45.139.236.6
        Source: unknownTCP traffic detected without corresponding DNS query: 45.139.236.6
        Source: unknownTCP traffic detected without corresponding DNS query: 45.139.236.6
        Source: unknownTCP traffic detected without corresponding DNS query: 45.139.236.6
        Source: unknownTCP traffic detected without corresponding DNS query: 45.139.236.6
        Source: unknownTCP traffic detected without corresponding DNS query: 45.139.236.6
        Source: unknownTCP traffic detected without corresponding DNS query: 45.139.236.6
        Source: unknownTCP traffic detected without corresponding DNS query: 45.139.236.6
        Source: unknownTCP traffic detected without corresponding DNS query: 45.139.236.6
        Source: unknownTCP traffic detected without corresponding DNS query: 45.139.236.6
        Source: unknownTCP traffic detected without corresponding DNS query: 45.139.236.6
        Source: unknownTCP traffic detected without corresponding DNS query: 45.139.236.6
        Source: unknownTCP traffic detected without corresponding DNS query: 45.139.236.6
        Source: unknownTCP traffic detected without corresponding DNS query: 45.139.236.6
        Source: unknownTCP traffic detected without corresponding DNS query: 45.139.236.6
        Source: unknownTCP traffic detected without corresponding DNS query: 45.139.236.6
        Source: unknownTCP traffic detected without corresponding DNS query: 45.139.236.6
        Source: unknownTCP traffic detected without corresponding DNS query: 45.139.236.6
        Source: unknownTCP traffic detected without corresponding DNS query: 45.139.236.6
        Source: unknownTCP traffic detected without corresponding DNS query: 45.139.236.6
        Source: unknownTCP traffic detected without corresponding DNS query: 45.139.236.6
        Source: unknownTCP traffic detected without corresponding DNS query: 45.139.236.6
        Source: unknownTCP traffic detected without corresponding DNS query: 45.139.236.6
        Source: unknownTCP traffic detected without corresponding DNS query: 45.139.236.6
        Source: unknownTCP traffic detected without corresponding DNS query: 45.139.236.6
        Source: unknownTCP traffic detected without corresponding DNS query: 45.139.236.6
        Source: unknownTCP traffic detected without corresponding DNS query: 45.139.236.6
        Source: unknownTCP traffic detected without corresponding DNS query: 45.139.236.6
        Source: unknownTCP traffic detected without corresponding DNS query: 45.139.236.6
        Source: unknownTCP traffic detected without corresponding DNS query: 45.139.236.6
        Source: unknownTCP traffic detected without corresponding DNS query: 45.139.236.6
        Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKServer: nginxDate: Tue, 30 Mar 2021 12:22:51 GMTContent-Type: application/octet-streamContent-Length: 2828315Connection: keep-aliveLast-Modified: Thu, 11 Feb 2021 18:55:16 GMTETag: "60257d94-2b281b"Accept-Ranges: bytesData Raw: 50 4b 03 04 14 00 00 00 08 00 9a 7a 6e 4e 3c 09 f8 7b 72 d2 00 00 d0 69 01 00 0b 00 00 00 6e 73 73 64 62 6d 33 2e 64 6c 6c ec fd 7f 7c 14 d5 d5 38 00 cf ee 4e 92 0d 59 d8 05 36 18 24 4a 90 a0 d1 a0 06 16 24 31 80 d9 84 dd 44 20 b0 61 c9 2e 11 13 b4 6a 4c b7 56 f9 b1 43 b0 12 08 4e 02 3b 19 b7 f5 e9 a3 7d ec 2f ab f5 f1 e9 0f db a7 b6 b5 80 d5 ea 86 d8 24 f8 13 81 5a 2c 54 a3 52 bd 71 63 8d 92 86 45 63 e6 3d e7 dc 99 dd 0d da ef f7 fb be 7f bf f0 c9 ec cc dc 3b f7 9e 7b ee b9 e7 9e 73 ee b9 e7 d6 de 70 bf 60 11 04 41 84 3f 4d 13 84 83 02 ff 57 21 fc df ff e5 99 04 61 ca ec 3f 4e 11 9e ca 7e 65 ce 41 d3 ea 57 e6 ac 6f f9 fa b6 82 cd 5b ef ba 7d eb cd df 2c b8 e5 e6 3b ef bc 2b 5c f0 b5 db 0a b6 4a 77 16 7c fd ce 82 15 6b fd 05 df bc eb d6 db ae 9a 3c 79 52 a1 5e c6 45 07 6f 18 6e 78 73 d1 63 c6 9f ef d1 9f 3d 56 0f bf ed cf 2c fe e9 46 f8 ed bb fb cc 63 75 f4 bc e4 a7 1b e8 77 c1 4f fd f4 5b f2 d3 75 f0 7b cf d3 3c df 77 ff b8 f8 a7 37 50 19 8b 1f 7b 91 9e 4b 7e ea a6 df 45 f4 dd 77 ff f8 d2 63 fc f7 1a 7a 5e f7 f5 5b 5a b0 be 7f d7 36 9f 47 10 56 9b 32 84 e7 2b ba 6e 34 de 0d 08 97 cc c9 31 4d c9 11 2e 84 86 97 f0 77 7b 66 c3 bd 03 6e 4a 4c f8 e8 a0 7b b3 20 64 0a f4 9c fc 15 da 4d 84 e4 2b b6 98 20 b9 82 7f e4 10 84 d4 2f ff 29 b8 ce 24 58 21 b5 08 b2 f4 e3 cb 9b 4c c2 0e 4b 1a 60 ab 4d c2 91 8b e0 77 b3 49 f8 ef 4c 41 38 72 ad 49 58 ff 7f e8 a3 a2 72 d3 c4 be 04 38 37 98 ff 7d fe ab c2 b7 ed 08 c3 ef e9 3c bd 5d 17 72 b8 d3 ff 15 00 54 57 6d bd f5 e6 f0 cd 82 b0 62 36 2f 13 5f 0a 17 9b d2 b3 61 bd 15 57 f1 6c 42 02 db e0 33 11 6e 84 e5 5f ca 17 bb 6a eb b6 ad b7 08 02 6f eb 4d 7a 9d 15 5f 51 de d6 db ee b8 eb 16 81 da 8e 38 10 ac f0 bb e2 4b f9 2a 85 ff ff bf ff a7 7f f5 ea 90 bc ac c8 67 72 08 e1 4c b9 cd 2a 48 2e b5 d6 76 b6 fb 8b 84 36 5b 2a 92 bf e9 34 49 97 a8 dd 7b de 31 67 09 c2 3c 1c 02 3e 4d ca d3 24 47 9d 26 59 d9 8b d0 f7 f2 0b ce c6 1e 2d f7 a1 12 93 a3 4f 98 01 39 5c b1 c6 1e 2c 74 c8 e1 57 1b 6d ae 58 20 a8 b6 59 d5 33 ea 2a 87 e2 19 53 3c 23 7d 1e 22 85 3e cf 30 52 42 67 2c 9c 1d b2 6c 68 2e 73 8b e1 6f d8 0f b8 c5 e6 72 cf 70 38 13 ae 09 29 bf cf 33 82 1d 4b 0f 76 fb 01 93 eb 64 73 d9 8d 6e 33 14 2b 5d 07 8f f6 03 2b dc e3 ae c3 ed 6b 72 4d 75 01 5f 90 59 5c 82 a0 0e cb 2f 38 54 cf 18 96 0b af 06 26 0b 42 43 83 22 8d 75 8e da 3b be 0f 65 a9 6b 20 75 24 1e 81 cf 15 8f cd 7e 60 bd 7b 1c 21 ab 4d c8 09 f3 ae 5c 57 ac 59 a9 33 37 2b 6e 51 f5 5a 95 2a ab ea b1 c5 33 5c 47 15 bf 35 64 be a1 f8 90 5a 9f 68 56 4c cd ea 5a 1b 7c 6b 89 35 17 f7 ab 58 46 ac 59 1e cc 6c 56 56 57 9a d5 43 98 d8 7c bd fd 80 80 cf 62 fb aa 5c 93 5a 0f 95 87 6d 81 20 f3 03 30 f0 d4 d0 50 fe 46 38 7b 5d 90 55 11 70 da da 52 57 2c 6e 91 fb b5 4d 4d 1b d5 7f e8 c8 73 aa 1e c2 5f 40 b5 aa 3e 51 dd 08 20 8e a8
        Source: global trafficHTTP traffic detected: GET //l/f/7y4Wg3gBuI_ccNKoGwkK/0a3546e5040ab5a4b3cac44b064a321d51adba4a HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: 45.139.236.6
        Source: global trafficHTTP traffic detected: GET //l/f/7y4Wg3gBuI_ccNKoGwkK/7a6d75ef6f646f4419fc28f58e62a7952e597921 HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: 45.139.236.6
        Source: CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe, 00000004.00000003.837471226.00000000009E7000.00000004.00000001.sdmpString found in binary or memory: rence":"http://support.apple.com/kb/HT203092","status":"requires_authorization","version":"7.7.6"}]},"chromium-pdf":{"group_name_matcher":"*Chromium PDF Viewer*","mime_types":[],"name":"Chromium PDF Viewer","versions":[{"comment":"Chromium PDF Viewer has no version information.","status":"fully_trusted","version":"0"}]},"chromium-pdf-plugin":{"group_name_matcher":"*Chromium PDF Plugin*","mime_types":[],"name":"Chromium PDF Plugin","versions":[{"comment":"Chromium PDF Plugin has no version information.","status":"fully_trusted","version":"0"}]},"divx-player":{"group_name_matcher":"*DivX Web Player*","help_url":"https://support.google.com/chrome/?p=plugin_divx","lang":"en-US","mime_types":["video/divx","video/x-matroska"],"name":"DivX Web Player","url":"http://download.divx.com/player/divxdotcom/DivXWebPlayerInstaller.exe","versions":[{"status":"requires_authorization","version":"1.4.3.4"}]},"facebook-video-calling":{"group_name_matcher":"*Facebook Video*","lang":"en-US","mime_types":["application/skypesdk-plugin"],"name":"Facebook Video Calling","url":"https://www.facebook.com/chat/video/videocalldownload.php","versions":[{"comment":"We do not track version information for the Facebook Video Calling Plugin.","status":"requires_authorization","version":"0"}]},"google-chrome-pdf":{"group_name_matcher":"*Chrome PDF Viewer*","mime_types":[],"name":"Chrome PDF Viewer","versions":[{"comment":"Google Chrome PDF Viewer has no version information.","status":"fully_trusted","version":"0"}]},"google-chrome-pdf-plugin":{"group_name_matcher":"*Chrome PDF Plugin*","mime_types":[],"name":"Chrome PDF Plugin","versions":[{"comment":"Google Chrome PDF Plugin has no version information.","status":"fully_trusted","version":"0"}]},"google-earth":{"group_name_matcher":"*Google Earth*","lang":"en-US","mime_types":["application/geplugin"],"name":"Google Earth","url":"http://www.google.com/earth/explore/products/plugin.html","versions":[{"comment":"We do not track version information for the Google Earth Plugin.","status":"requires_authorization","version":"0"}]},"google-talk":{"group_name_matcher":"*Google Talk*","mime_types":[],"name":"Google Talk","versions":[{"comment":"'Google Talk Plugin' and 'Google Talk Plugin Video Accelerator' use two completely different versioning schemes, so we can't define a minimum version.","status":"requires_authorization","version":"0"}]},"google-update":{"group_name_matcher":"Google Update","mime-types":[],"name":"Google Update","versions":[{"comment":"Google Update plugin is versioned but kept automatically up to date","status":"requires_authorization","version":"0"}]},"ibm-java-runtime-environment":{"group_name_matcher":"*IBM*Java*","mime_types":["application/x-java-applet","application/x-java-applet;jpi-version=1.7.0_05","application/x-java-applet;version=1.1","application/x-java-applet;version=1.1.1","application/x-java-applet;version=1.1.2","application/x-java-applet;version=1.1.3","application/x-java-applet;version=1.2","applicati
        Source: CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe, 00000004.00000003.837471226.00000000009E7000.00000004.00000001.sdmpString found in binary or memory: rence":"http://support.apple.com/kb/HT203092","status":"requires_authorization","version":"7.7.6"}]},"chromium-pdf":{"group_name_matcher":"*Chromium PDF Viewer*","mime_types":[],"name":"Chromium PDF Viewer","versions":[{"comment":"Chromium PDF Viewer has no version information.","status":"fully_trusted","version":"0"}]},"chromium-pdf-plugin":{"group_name_matcher":"*Chromium PDF Plugin*","mime_types":[],"name":"Chromium PDF Plugin","versions":[{"comment":"Chromium PDF Plugin has no version information.","status":"fully_trusted","version":"0"}]},"divx-player":{"group_name_matcher":"*DivX Web Player*","help_url":"https://support.google.com/chrome/?p=plugin_divx","lang":"en-US","mime_types":["video/divx","video/x-matroska"],"name":"DivX Web Player","url":"http://download.divx.com/player/divxdotcom/DivXWebPlayerInstaller.exe","versions":[{"status":"requires_authorization","version":"1.4.3.4"}]},"facebook-video-calling":{"group_name_matcher":"*Facebook Video*","lang":"en-US","mime_types":["application/skypesdk-plugin"],"name":"Facebook Video Calling","url":"https://www.facebook.com/chat/video/videocalldownload.php","versions":[{"comment":"We do not track version information for the Facebook Video Calling Plugin.","status":"requires_authorization","version":"0"}]},"google-chrome-pdf":{"group_name_matcher":"*Chrome PDF Viewer*","mime_types":[],"name":"Chrome PDF Viewer","versions":[{"comment":"Google Chrome PDF Viewer has no version information.","status":"fully_trusted","version":"0"}]},"google-chrome-pdf-plugin":{"group_name_matcher":"*Chrome PDF Plugin*","mime_types":[],"name":"Chrome PDF Plugin","versions":[{"comment":"Google Chrome PDF Plugin has no version information.","status":"fully_trusted","version":"0"}]},"google-earth":{"group_name_matcher":"*Google Earth*","lang":"en-US","mime_types":["application/geplugin"],"name":"Google Earth","url":"http://www.google.com/earth/explore/products/plugin.html","versions":[{"comment":"We do not track version information for the Google Earth Plugin.","status":"requires_authorization","version":"0"}]},"google-talk":{"group_name_matcher":"*Google Talk*","mime_types":[],"name":"Google Talk","versions":[{"comment":"'Google Talk Plugin' and 'Google Talk Plugin Video Accelerator' use two completely different versioning schemes, so we can't define a minimum version.","status":"requires_authorization","version":"0"}]},"google-update":{"group_name_matcher":"Google Update","mime-types":[],"name":"Google Update","versions":[{"comment":"Google Update plugin is versioned but kept automatically up to date","status":"requires_authorization","version":"0"}]},"ibm-java-runtime-environment":{"group_name_matcher":"*IBM*Java*","mime_types":["application/x-java-applet","application/x-java-applet;jpi-version=1.7.0_05","application/x-java-applet;version=1.1","application/x-java-applet;version=1.1.1","application/x-java-applet;version=1.1.2","application/x-java-applet;version=1.1.3","application/x-java-applet;version=1.2","applicati
        Source: unknownDNS traffic detected: queries for: ekocafebali.com
        Source: unknownHTTP traffic detected: POST / HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheContent-Type: text/plain; charset=UTF-8Content-Length: 128Host: 45.139.236.6
        Source: CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe, 00000004.00000002.849907601.00000000009A8000.00000004.00000020.sdmpString found in binary or memory: http://45.139.236.6
        Source: CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exeString found in binary or memory: http://45.139.236.6/
        Source: CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe, 00000004.00000002.849907601.00000000009A8000.00000004.00000020.sdmpString found in binary or memory: http://45.139.236.6//l/f/7y4Wg3gBuI_ccNKoGwkK/0a3546e5040ab5a4b3cac44b064a321d51adba4a
        Source: CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe, 00000004.00000002.849907601.00000000009A8000.00000004.00000020.sdmpString found in binary or memory: http://45.139.236.6//l/f/7y4Wg3gBuI_ccNKoGwkK/7a6d75ef6f646f4419fc28f58e62a7952e597921
        Source: CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe, 00000004.00000002.849907601.00000000009A8000.00000004.00000020.sdmpString found in binary or memory: http://45.139.236.6//l/f/7y4Wg3gBuI_ccNKoGwkK/7a6d75ef6f646f4419fc28f58e62a7952e597921er
        Source: CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe, 00000004.00000002.849907601.00000000009A8000.00000004.00000020.sdmpString found in binary or memory: http://45.139.236.6/E
        Source: CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe, 00000004.00000003.839118709.0000000000A12000.00000004.00000001.sdmpString found in binary or memory: http://45.139.236.6/OINT
        Source: CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe, 00000004.00000003.830914273.00000000009F9000.00000004.00000001.sdmpString found in binary or memory: http://45.139.236.6/q_
        Source: CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe, 00000004.00000002.849907601.00000000009A8000.00000004.00000020.sdmpString found in binary or memory: http://45.139.236.6ne
        Source: CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe, 00000004.00000003.830914273.00000000009F9000.00000004.00000001.sdmpString found in binary or memory: http://apps.identrust.com/roots/dst
        Source: CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe, 00000004.00000003.839106229.00000000009FA000.00000004.00000001.sdmpString found in binary or memory: http://apps.identrust.com/roots/dstrootcax3.p7c0
        Source: CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe, 00000004.00000003.845882655.0000000000A42000.00000004.00000001.sdmp, AccessibleHandler.dll.4.drString found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
        Source: CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe, 00000004.00000003.845882655.0000000000A42000.00000004.00000001.sdmp, AccessibleHandler.dll.4.drString found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
        Source: nssckbi.dll.4.drString found in binary or memory: http://cps.chambersign.org/cps/chambersignroot.html0
        Source: nssckbi.dll.4.drString found in binary or memory: http://cps.chambersign.org/cps/chambersroot.html0
        Source: CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe, 00000004.00000003.830914273.00000000009F9000.00000004.00000001.sdmpString found in binary or memory: http://cps.letseh
        Source: CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe, 00000004.00000003.839106229.00000000009FA000.00000004.00000001.sdmpString found in binary or memory: http://cps.letsencrypt.org0
        Source: CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe, 00000004.00000003.839106229.00000000009FA000.00000004.00000001.sdmpString found in binary or memory: http://cps.root-x1.letsencrypt.org0
        Source: nssckbi.dll.4.drString found in binary or memory: http://crl.chambersign.org/chambersignroot.crl0
        Source: nssckbi.dll.4.drString found in binary or memory: http://crl.chambersign.org/chambersroot.crl0
        Source: nssckbi.dll.4.drString found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
        Source: nssckbi.dll.4.drString found in binary or memory: http://crl.comodoca.com/COMODOCertificationAuthority.crl0
        Source: nssckbi.dll.4.drString found in binary or memory: http://crl.globalsign.net/root-r2.crl0
        Source: CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe, 00000004.00000003.839106229.00000000009FA000.00000004.00000001.sdmpString found in binary or memory: http://crl.identrust.com/DSTROOTCAX3CRL.crl0
        Source: nssckbi.dll.4.drString found in binary or memory: http://crl.netsolssl.com/NetworkSolutionsCertificateAuthority.crl0
        Source: nssckbi.dll.4.drString found in binary or memory: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
        Source: nssckbi.dll.4.drString found in binary or memory: http://crl.securetrust.com/SGCA.crl0
        Source: nssckbi.dll.4.drString found in binary or memory: http://crl.securetrust.com/STCA.crl0
        Source: CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe, 00000004.00000003.845882655.0000000000A42000.00000004.00000001.sdmp, AccessibleHandler.dll.4.drString found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
        Source: nssckbi.dll.4.drString found in binary or memory: http://crl.xrampsecurity.com/XGCA.crl0
        Source: CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe, 00000004.00000003.845882655.0000000000A42000.00000004.00000001.sdmp, AccessibleHandler.dll.4.drString found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
        Source: CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe, 00000004.00000003.845882655.0000000000A42000.00000004.00000001.sdmp, AccessibleHandler.dll.4.drString found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
        Source: CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe, 00000004.00000003.845882655.0000000000A42000.00000004.00000001.sdmp, AccessibleHandler.dll.4.drString found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
        Source: CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe, 00000004.00000003.845882655.0000000000A42000.00000004.00000001.sdmp, AccessibleHandler.dll.4.drString found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0L
        Source: CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe, 00000004.00000003.837471226.00000000009E7000.00000004.00000001.sdmpString found in binary or memory: http://download.divx.com/player/divxdotcom/DivXWebPlayerInstaller.exe
        Source: nssckbi.dll.4.drString found in binary or memory: http://fedir.comsign.co.il/crl/ComSignCA.crl0
        Source: nssckbi.dll.4.drString found in binary or memory: http://ocsp.accv.es0
        Source: CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe, 00000004.00000003.845882655.0000000000A42000.00000004.00000001.sdmp, AccessibleHandler.dll.4.drString found in binary or memory: http://ocsp.digicert.com0C
        Source: CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe, 00000004.00000003.845882655.0000000000A42000.00000004.00000001.sdmp, AccessibleHandler.dll.4.drString found in binary or memory: http://ocsp.digicert.com0N
        Source: CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe, 00000004.00000003.845882655.0000000000A42000.00000004.00000001.sdmp, AccessibleHandler.dll.4.drString found in binary or memory: http://ocsp.thawte.com0
        Source: nssckbi.dll.4.drString found in binary or memory: http://policy.camerfirma.com0
        Source: CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe, 00000004.00000002.849907601.00000000009A8000.00000004.00000020.sdmpString found in binary or memory: http://r3.i.lencr.org/0-
        Source: CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe, 00000004.00000003.839106229.00000000009FA000.00000004.00000001.sdmpString found in binary or memory: http://r3.i.lencr.org/0Y
        Source: CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe, 00000004.00000003.839106229.00000000009FA000.00000004.00000001.sdmpString found in binary or memory: http://r3.o.lencr.org0
        Source: nssckbi.dll.4.drString found in binary or memory: http://repository.swisssign.com/0
        Source: CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe, CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe, 00000004.00000003.839087627.0000000000A34000.00000004.00000001.sdmpString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/2b/a5ea21.ico
        Source: CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe, 00000004.00000003.837471226.00000000009E7000.00000004.00000001.sdmpString found in binary or memory: http://support.apple.com/kb/HT203092
        Source: CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe, 00000004.00000003.845882655.0000000000A42000.00000004.00000001.sdmp, AccessibleHandler.dll.4.drString found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
        Source: CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe, 00000004.00000003.845882655.0000000000A42000.00000004.00000001.sdmp, AccessibleHandler.dll.4.drString found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
        Source: CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe, 00000004.00000003.845882655.0000000000A42000.00000004.00000001.sdmp, AccessibleHandler.dll.4.drString found in binary or memory: http://ts-ocsp.ws.symantec.com07
        Source: nssckbi.dll.4.drString found in binary or memory: http://www.accv.es/fileadmin/Archivos/certificados/raizaccv1.crt0
        Source: nssckbi.dll.4.drString found in binary or memory: http://www.accv.es/fileadmin/Archivos/certificados/raizaccv1_der.crl0
        Source: nssckbi.dll.4.drString found in binary or memory: http://www.accv.es/legislacion_c.htm0U
        Source: nssckbi.dll.4.drString found in binary or memory: http://www.accv.es00
        Source: nssckbi.dll.4.drString found in binary or memory: http://www.cert.fnmt.es/dpcs/0
        Source: nssckbi.dll.4.drString found in binary or memory: http://www.certicamara.com/dpc/0Z
        Source: nssckbi.dll.4.drString found in binary or memory: http://www.certplus.com/CRL/class2.crl0
        Source: nssckbi.dll.4.drString found in binary or memory: http://www.chambersign.org1
        Source: nssckbi.dll.4.drString found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
        Source: nssckbi.dll.4.drString found in binary or memory: http://www.firmaprofesional.com/cps0
        Source: mozglue.dll.4.drString found in binary or memory: http://www.mozilla.com/en-US/blocklist/
        Source: CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe, 00000004.00000003.845882655.0000000000A42000.00000004.00000001.sdmp, AccessibleHandler.dll.4.drString found in binary or memory: http://www.mozilla.com0
        Source: nssckbi.dll.4.drString found in binary or memory: http://www.pkioverheid.nl/policies/root-policy-G20
        Source: nssckbi.dll.4.drString found in binary or memory: http://www.quovadis.bm0
        Source: nssckbi.dll.4.drString found in binary or memory: http://www.quovadisglobal.com/cps0
        Source: sqlite3.dll.4.drString found in binary or memory: http://www.sqlite.org/copyright.html.
        Source: nssckbi.dll.4.drString found in binary or memory: http://www.trustcenter.de/crl/v2/tc_class_3_ca_II.crl
        Source: CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe, CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe, 00000004.00000003.839087627.0000000000A34000.00000004.00000001.sdmpString found in binary or memory: https://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=8072167097284;g
        Source: CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe, CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe, 00000004.00000002.849907601.00000000009A8000.00000004.00000020.sdmp, CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe, 00000004.00000003.839087627.0000000000A34000.00000004.00000001.sdmpString found in binary or memory: https://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=4510094
        Source: RYwTiizs2t.4.drString found in binary or memory: https://ac.ecosia.org/autocomplete?q=
        Source: CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe, CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe, 00000004.00000003.839087627.0000000000A34000.00000004.00000001.sdmpString found in binary or memory: https://adservice.google.com/ddm/fls/i/src=2542116;type=2542116;cat=chom0;ord=8072167097284;gtm=2wg9
        Source: RYwTiizs2t.4.drString found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
        Source: CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe, 00000004.00000003.839128579.0000000000A18000.00000004.00000001.sdmpString found in binary or memory: https://consent.google.com/?hl=en-GB&origin=https://www.google.com&continue=https://www.google.com/?
        Source: CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe, CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe, 00000004.00000003.846081146.00000000009EC000.00000004.00000001.sdmp, CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe, 00000004.00000003.839087627.0000000000A34000.00000004.00000001.sdmpString found in binary or memory: https://consent.google.com/done8?continue=https://www.google.com/?gws_rd%3Dssl&origin=https://www.go
        Source: CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exeString found in binary or memory: https://consent.google.com/set?pc=s&uxe=4421591
        Source: CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe, 00000004.00000003.839087627.0000000000A34000.00000004.00000001.sdmpString found in binary or memory: https://consent.google.com/set?pc=s&uxe=4421591LMEM
        Source: CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe, 00000004.00000003.839087627.0000000000A34000.00000004.00000001.sdmpString found in binary or memory: https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2
        Source: CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exeString found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1
        Source: CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe, 00000004.00000003.846017240.0000000000A22000.00000004.00000001.sdmpString found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1xdLMEM
        Source: CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe, CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe, 00000004.00000003.839118709.0000000000A12000.00000004.00000001.sdmpString found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&https=1
        Source: CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe, 00000004.00000003.846017240.0000000000A22000.00000004.00000001.sdmpString found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&https=1e-LMEM
        Source: RYwTiizs2t.4.drString found in binary or memory: https://duckduckgo.com/ac/?q=
        Source: RYwTiizs2t.4.drString found in binary or memory: https://duckduckgo.com/chrome_newtab
        Source: RYwTiizs2t.4.drString found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
        Source: CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe, 00000004.00000002.849718672.0000000000561000.00000040.00000001.sdmpString found in binary or memory: https://ekocafebali.com/wp-content/plugins/vmaxyvefms/back/78893c675eddafbfbda146801a998645182ce2c3_
        Source: CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe, 00000004.00000002.849718672.0000000000561000.00000040.00000001.sdmpString found in binary or memory: https://ekocafebali.com/wp-content/plugins/vmaxyvefms/main/78893c675eddafbfbda146801a998645182ce2c3_
        Source: CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe, CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe, 00000004.00000003.839106229.00000000009FA000.00000004.00000001.sdmpString found in binary or memory: https://fonts.googleapis.com/css?family=Roboto:400
        Source: CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe, 00000004.00000003.839118709.0000000000A12000.00000004.00000001.sdmpString found in binary or memory: https://helpx.a
        Source: nssckbi.dll.4.drString found in binary or memory: https://ocsp.quovadisoffshore.com0
        Source: nssckbi.dll.4.drString found in binary or memory: https://repository.luxtrust.lu0
        Source: RYwTiizs2t.4.drString found in binary or memory: https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search
        Source: RYwTiizs2t.4.drString found in binary or memory: https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
        Source: CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe, 00000004.00000003.839118709.0000000000A12000.00000004.00000001.sdmpString found in binary or memory: https://support.google.c
        Source: CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe, 00000004.00000003.837471226.00000000009E7000.00000004.00000001.sdmpString found in binary or memory: https://support.google.com/chrome/?p=plugin_divx
        Source: CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe, 00000004.00000003.837414207.0000000000A22000.00000004.00000001.sdmp, CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe, 00000004.00000003.837391480.0000000000A12000.00000004.00000001.sdmpString found in binary or memory: https://support.google.com/chrome/?p=plugin_flash
        Source: CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe, 00000004.00000003.837414207.0000000000A22000.00000004.00000001.sdmp, CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe, 00000004.00000003.837391480.0000000000A12000.00000004.00000001.sdmpString found in binary or memory: https://support.google.com/chrome/answer/6258784
        Source: CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe, 00000004.00000003.839106229.00000000009FA000.00000004.00000001.sdmpString found in binary or memory: https://telete.in/org/img/t_logo.png
        Source: CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe, 00000004.00000003.839106229.00000000009FA000.00000004.00000001.sdmpString found in binary or memory: https://telete.in/yoyodcabane
        Source: nssckbi.dll.4.drString found in binary or memory: https://www.catcert.net/verarrel
        Source: nssckbi.dll.4.drString found in binary or memory: https://www.catcert.net/verarrel05
        Source: CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe, 00000004.00000003.845882655.0000000000A42000.00000004.00000001.sdmp, AccessibleHandler.dll.4.drString found in binary or memory: https://www.digicert.com/CPS0
        Source: CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe, CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe, 00000004.00000003.839106229.00000000009FA000.00000004.00000001.sdmpString found in binary or memory: https://www.google.com/chrome/static/images/favicons/favicon-16x16.png
        Source: CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe, 00000004.00000003.839087627.0000000000A34000.00000004.00000001.sdmpString found in binary or memory: https://www.google.com/chrome/static/images/favicons/favicon-16x16.pngx%
        Source: CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe, CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe, 00000004.00000003.839087627.0000000000A34000.00000004.00000001.sdmpString found in binary or memory: https://www.google.com/favicon.ico
        Source: RYwTiizs2t.4.drString found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
        Source: CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe, CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe, 00000004.00000003.839106229.00000000009FA000.00000004.00000001.sdmpString found in binary or memory: https://www.google.com/intl/en_uk/chrome/thank-you.html?statcb=0&installdataindex=empty&defaultbrows
        Source: CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe, CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe, 00000004.00000003.839106229.00000000009FA000.00000004.00000001.sdmpString found in binary or memory: https://www.google.com/search?source=hp&ei=djJ0X6TKCL6IjLsPqriogAY&q=chrome&oq=chrome&gs_lcp=CgZwc3k
        Source: CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe, CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe, 00000004.00000003.839087627.0000000000A34000.00000004.00000001.sdmpString found in binary or memory: https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=&ved=2ahUKEwj8k7G9rJDsAhWNTxUIHZZGDCQQ
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49743
        Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49742
        Source: unknownNetwork traffic detected: HTTP traffic on port 49742 -> 443
        Source: unknownNetwork traffic detected: HTTP traffic on port 49743 -> 443
        Source: unknownHTTPS traffic detected: 111.67.28.15:443 -> 192.168.2.4:49742 version: TLS 1.2
        Source: unknownHTTPS traffic detected: 195.201.225.248:443 -> 192.168.2.4:49743 version: TLS 1.2
        Source: CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe, 00000000.00000002.798629979.000000000076A000.00000004.00000020.sdmpBinary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

        E-Banking Fraud:

        barindex
        Yara detected Raccoon StealerShow sources
        Source: Yara matchFile source: Process Memory Space: CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe PID: 5668, type: MEMORY
        Source: C:\Users\user\Desktop\CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exeProcess Stats: CPU usage > 98%
        Source: sqlite3.dll.4.drStatic PE information: Number of sections : 18 > 10
        Source: CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe, 00000000.00000002.798617531.0000000000740000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameuser32j% vs CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe
        Source: CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe, 00000000.00000002.798978298.0000000002AD0000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameindsetknopw.exeFE2XBoshiyuki TasuiBoshiyuki Tasui@ vs CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe
        Source: CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe, 00000000.00000002.798978298.0000000002AD0000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameindsetknopw.exeFE2XBoshiyuki TasuiK vs CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe
        Source: CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe, 00000000.00000002.798978298.0000000002AD0000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameindsetknopw.exeFE2X vs CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe
        Source: CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe, 00000000.00000002.798978298.0000000002AD0000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameindsetknopw.exeFE2XBoshiyuki Tasui vs CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe
        Source: CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe, 00000000.00000002.798978298.0000000002AD0000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameindsetknopw.exeFE2XBoshiyuki Tasui. vs CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe
        Source: CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe, 00000000.00000002.798978298.0000000002AD0000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameindsetknopw.exeFE2XBoshiyuki Tasuiw vs CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe
        Source: CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe, 00000000.00000000.651225218.000000000041C000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameindsetknopw.exe vs CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe
        Source: CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe, 00000004.00000002.854463696.000000006D2BB000.00000002.00020000.sdmpBinary or memory string: OriginalFilenamenss3.dll8 vs CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe
        Source: CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe, 00000004.00000003.845882655.0000000000A42000.00000004.00000001.sdmpBinary or memory string: OriginalFilenamenssdbm3.dll8 vs CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe
        Source: CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe, 00000004.00000003.845882655.0000000000A42000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameapisetstubj% vs CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe
        Source: CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe, 00000004.00000002.854151367.000000006D162000.00000002.00020000.sdmpBinary or memory string: OriginalFilenamemozglue.dll8 vs CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe
        Source: CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe, 00000004.00000002.853350592.000000001E180000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamenlsbres.dll.muij% vs CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe
        Source: CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe, 00000004.00000000.797569198.000000000041C000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameindsetknopw.exe vs CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe
        Source: CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe, 00000004.00000002.853428201.0000000066C40000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameKernelbase.dll.muij% vs CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe
        Source: CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe, 00000004.00000002.853312694.000000001E010000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameCRYPT32.DLL.MUIj% vs CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe
        Source: CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe, 00000004.00000002.853293961.000000001DEC0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamemswsock.dll.muij% vs CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe
        Source: CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe, 00000004.00000002.853337212.000000001E160000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamenlsbres.dllj% vs CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe
        Source: CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exeBinary or memory string: OriginalFilenameindsetknopw.exe vs CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe
        Source: CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exeStatic PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
        Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@7/67@2/3
        Source: C:\Users\user\Desktop\CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exeFile created: C:\Users\user\AppData\LocalLow\sqlite3.dllJump to behavior
        Source: C:\Users\user\Desktop\CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exeMutant created: \Sessions\1\BaseNamedObjects\uiabfqwfuuser
        Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6824:120:WilError_01
        Source: C:\Users\user\Desktop\CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exeFile created: C:\Users\user\AppData\Local\Temp\~DF4AE595A1013A60B4.TMPJump to behavior
        Source: CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
        Source: C:\Users\user\Desktop\CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exeSection loaded: C:\Windows\SysWOW64\msvbvm60.dllJump to behavior
        Source: C:\Users\user\Desktop\CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
        Source: C:\Users\user\Desktop\CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
        Source: C:\Users\user\Desktop\CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
        Source: C:\Users\user\Desktop\CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
        Source: softokn3.dll.4.drBinary or memory string: CREATE TABLE metaData (id PRIMARY KEY UNIQUE ON CONFLICT REPLACE, item1, item2);
        Source: CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe, 00000004.00000002.854419635.000000006D280000.00000002.00020000.sdmp, nss3.dll.4.drBinary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
        Source: softokn3.dll.4.drBinary or memory string: SELECT ALL %s FROM %s WHERE id=$ID;
        Source: softokn3.dll.4.drBinary or memory string: SELECT ALL * FROM %s LIMIT 0;
        Source: CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe, 00000004.00000002.854419635.000000006D280000.00000002.00020000.sdmp, nss3.dll.4.drBinary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
        Source: CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe, 00000004.00000002.854419635.000000006D280000.00000002.00020000.sdmp, nss3.dll.4.drBinary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);docid INTEGER PRIMARY KEY%z, 'c%d%q'%z, langidCREATE TABLE %Q.'%q_content'(%s)CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);<
        Source: CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe, 00000004.00000002.854419635.000000006D280000.00000002.00020000.sdmp, nss3.dll.4.drBinary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
        Source: CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe, 00000004.00000002.854419635.000000006D280000.00000002.00020000.sdmp, nss3.dll.4.drBinary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
        Source: softokn3.dll.4.drBinary or memory string: UPDATE %s SET %s WHERE id=$ID;
        Source: softokn3.dll.4.drBinary or memory string: SELECT ALL * FROM metaData WHERE id=$ID;
        Source: softokn3.dll.4.drBinary or memory string: SELECT ALL id FROM %s WHERE %s;
        Source: softokn3.dll.4.drBinary or memory string: SELECT ALL id FROM %s;
        Source: softokn3.dll.4.drBinary or memory string: INSERT INTO metaData (id,item1) VALUES($ID,$ITEM1);
        Source: sqlite3.dll.4.drBinary or memory string: UPDATE %Q.%s SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
        Source: softokn3.dll.4.drBinary or memory string: INSERT INTO %s (id%s) VALUES($ID%s);
        Source: CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe, 00000004.00000002.854419635.000000006D280000.00000002.00020000.sdmp, nss3.dll.4.drBinary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
        Source: CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe, 00000004.00000002.854419635.000000006D280000.00000002.00020000.sdmp, nss3.dll.4.drBinary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
        Source: CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe, 00000004.00000002.854419635.000000006D280000.00000002.00020000.sdmp, nss3.dll.4.drBinary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
        Source: CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe, 00000004.00000002.854419635.000000006D280000.00000002.00020000.sdmp, nss3.dll.4.drBinary or memory string: CREATE TABLE xx( name TEXT, /* Name of table or index */ path TEXT, /* Path to page from root */ pageno INTEGER, /* Page number */ pagetype TEXT, /* 'internal', 'leaf' or 'overflow' */ ncell INTEGER, /* Cells on page (0 for overflow) */ payload INTEGER, /* Bytes of payload on this page */ unused INTEGER, /* Bytes of unused space on this page */ mx_payload INTEGER, /* Largest payload size of all cells */ pgoffset INTEGER, /* Offset of page in file */ pgsize INTEGER, /* Size of the page */ schema TEXT HIDDEN /* Database schema being analyzed */);
        Source: CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe, 00000004.00000002.854419635.000000006D280000.00000002.00020000.sdmp, nss3.dll.4.drBinary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
        Source: softokn3.dll.4.drBinary or memory string: INSERT INTO metaData (id,item1,item2) VALUES($ID,$ITEM1,$ITEM2);
        Source: CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe, 00000004.00000002.854419635.000000006D280000.00000002.00020000.sdmp, nss3.dll.4.drBinary or memory string: CREATE TABLE xx( name TEXT, /* Name of table or index */ path TEXT, /* Path to page from root */ pageno INTEGER, /* Page number */ pagetype TEXT, /* 'internal', 'leaf' or 'overflow' */ ncell INTEGER, /* Cells on page (0 for overflow) */ payload INTEGER, /* Bytes of payload on this page */ unused INTEGER, /* Bytes of unused space on this page */ mx_payload INTEGER, /* Largest payload size of all cells */ pgoffset INTEGER, /* Offset of page in file */ pgsize INTEGER, /* Size of the page */ schema TEXT HIDDEN /* Database schema being analyzed */);/overflow%s%.3x+%.6x%s%.3x/internalleafcorruptedno such schema: %sSELECT 'sqlite_master' AS name, 1 AS rootpage, 'table' AS type UNION ALL SELECT name, rootpage, type FROM "%w".%s WHERE rootpage!=0 ORDER BY namedbstat2018-01-22 18:45:57 0c55d179733b46d8d0ba4d88e01a25e10677046ee3da1d5b1581e86726f2171d:
        Source: sqlite3.dll.4.drBinary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
        Source: unknownProcess created: C:\Users\user\Desktop\CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe 'C:\Users\user\Desktop\CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe'
        Source: C:\Users\user\Desktop\CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exeProcess created: C:\Users\user\Desktop\CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe 'C:\Users\user\Desktop\CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe'
        Source: C:\Users\user\Desktop\CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q 'C:\Users\user\Desktop\CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe'
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\timeout.exe timeout /T 10 /NOBREAK
        Source: C:\Users\user\Desktop\CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q 'C:\Users\user\Desktop\CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe'Jump to behavior
        Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\timeout.exe timeout /T 10 /NOBREAK Jump to behavior
        Source: C:\Users\user\Desktop\CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account ManagerJump to behavior
        Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\security\nss\lib\freebl\freebl_freebl3\freebl3.pdbZZ source: freebl3.dll.4.dr
        Source: Binary string: api-ms-win-crt-locale-l1-1-0.pdb source: api-ms-win-crt-locale-l1-1-0.dll.4.dr
        Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\gfx\angle\targets\libEGL\libEGL.pdb source: libEGL.dll.4.dr
        Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\comm\ldap\c-sdk\libraries\libprldap\prldap60.pdb source: prldap60.dll.4.dr
        Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\accessible\interfaces\ia2\IA2Marshal.pdb source: IA2Marshal.dll.4.dr
        Source: Binary string: api-ms-win-crt-runtime-l1-1-0.pdb source: api-ms-win-crt-runtime-l1-1-0.dll.4.dr
        Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\security\nss3.pdb source: CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe, 00000004.00000002.854419635.000000006D280000.00000002.00020000.sdmp, nss3.dll.4.dr
        Source: Binary string: ucrtbase.pdb source: ucrtbase.dll.4.dr
        Source: Binary string: api-ms-win-core-file-l1-2-0.pdb source: api-ms-win-core-file-l1-2-0.dll.4.dr
        Source: Binary string: api-ms-win-core-memory-l1-1-0.pdb source: api-ms-win-core-memory-l1-1-0.dll.4.dr
        Source: Binary string: api-ms-win-core-sysinfo-l1-1-0.pdb source: api-ms-win-core-sysinfo-l1-1-0.dll.4.dr
        Source: Binary string: api-ms-win-crt-filesystem-l1-1-0.pdb source: api-ms-win-crt-filesystem-l1-1-0.dll.4.dr
        Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\comm\ldap\c-sdk\libraries\libldap\ldap60.pdb source: ldap60.dll.4.dr
        Source: Binary string: api-ms-win-crt-stdio-l1-1-0.pdb source: api-ms-win-crt-stdio-l1-1-0.dll.4.dr
        Source: Binary string: api-ms-win-core-heap-l1-1-0.pdb source: api-ms-win-core-heap-l1-1-0.dll.4.dr
        Source: Binary string: api-ms-win-core-util-l1-1-0.pdb source: api-ms-win-core-util-l1-1-0.dll.4.dr
        Source: Binary string: api-ms-win-core-synch-l1-1-0.pdb source: api-ms-win-core-synch-l1-1-0.dll.4.dr
        Source: Binary string: vcruntime140.i386.pdbGCTL source: vcruntime140.dll.4.dr
        Source: Binary string: api-ms-win-crt-environment-l1-1-0.pdb source: api-ms-win-crt-environment-l1-1-0.dll.4.dr
        Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\security\nss\lib\softoken\softoken_softokn3\softokn3.pdb source: softokn3.dll.4.dr
        Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\security\nss\lib\ckfw\builtins\builtins_nssckbi\nssckbi.pdb source: nssckbi.dll.4.dr
        Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\mozglue\build\mozglue.pdb22! source: CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe, 00000004.00000002.854118774.000000006D159000.00000002.00020000.sdmp, mozglue.dll.4.dr
        Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\security\nss\lib\freebl\freebl_freebl3\freebl3.pdb source: freebl3.dll.4.dr
        Source: Binary string: api-ms-win-core-processthreads-l1-1-0.pdb source: api-ms-win-core-processthreads-l1-1-0.dll.4.dr
        Source: Binary string: api-ms-win-crt-private-l1-1-0.pdb source: api-ms-win-crt-private-l1-1-0.dll.4.dr
        Source: Binary string: api-ms-win-crt-convert-l1-1-0.pdb source: api-ms-win-crt-convert-l1-1-0.dll.4.dr
        Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\accessible\ipc\win\handler\AccessibleHandler.pdb source: AccessibleHandler.dll.4.dr
        Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\security\nss\lib\softoken\legacydb\legacydb_nssdbm3\nssdbm3.pdb-- source: nssdbm3.dll.4.dr
        Source: Binary string: msvcp140.i386.pdb source: msvcp140.dll.4.dr
        Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\comm\mailnews\mapi\mapihook\build\MapiProxy.pdb source: MapiProxy.dll.4.dr
        Source: Binary string: api-ms-win-core-profile-l1-1-0.pdb source: api-ms-win-core-profile-l1-1-0.dll.4.dr
        Source: Binary string: ucrtbase.pdbUGP source: ucrtbase.dll.4.dr
        Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\comm\ldap\c-sdk\libraries\libldap\ldap60.pdbUU source: ldap60.dll.4.dr
        Source: Binary string: api-ms-win-crt-time-l1-1-0.pdb source: api-ms-win-crt-time-l1-1-0.dll.4.dr
        Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\security\nss\lib\ckfw\builtins\builtins_nssckbi\nssckbi.pdb66 source: nssckbi.dll.4.dr
        Source: Binary string: api-ms-win-core-handle-l1-1-0.pdb source: api-ms-win-core-handle-l1-1-0.dll.4.dr
        Source: Binary string: api-ms-win-core-synch-l1-2-0.pdb source: api-ms-win-core-synch-l1-2-0.dll.4.dr
        Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\security\nss\lib\softoken\softoken_softokn3\softokn3.pdb)) source: softokn3.dll.4.dr
        Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\accessible\interfaces\ia2\IA2Marshal.pdb<< source: IA2Marshal.dll.4.dr
        Source: Binary string: api-ms-win-core-processenvironment-l1-1-0.pdb source: api-ms-win-core-processenvironment-l1-1-0.dll.4.dr
        Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\mozglue\build\mozglue.pdb source: CopyDocs-BUSINESS-CONFIRMATION_NO-MGFT560_0w9wMGT500383RRTF.exe, 00000004.00000002.854118774.000000006D159000.00000002.00020000.sdmp, mozglue.dll.4.dr
        Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\toolkit\library\dummydll\qipcap.pdb source: qipcap.dll.4.dr
        Source: Binary string: api-ms-win-crt-conio-l1-1-0.pdb source: api-ms-win-crt-conio-l1-1-0.dll.4.dr
        Source: Binary string: api-ms-win-core-localization-l1-2-0.pdb source: api-ms-win-core-localization-l1-2-0.dll.4.dr
        Source: Binary string: api-ms-win-crt-math-l1-1-0.pdb source: api-ms-win-crt-math-l1-1-0.dll.4.dr
        Source: Binary string: api-ms-win-core-processthreads-l1-1-1.pdb source: api-ms-win-core-processthreads-l1-1-1.dll.4.dr
        Source: Binary string: api-ms-win-core-namedpipe-l1-1-0.pdb source: api-ms-win-core-namedpipe-l1-1-0.dll.4.dr
        Source: Binary string: vcruntime140.i386.pdb source: vcruntime140.dll.4.dr
        Source: Binary string: api-ms-win-crt-multibyte-l1-1-0.pdb source: api-ms-win-crt-multibyte-l1-1-0.dll.4.dr
        Source: Binary string: api-ms-win-crt-utility-l1-1-0.pdb source: api-ms-win-crt-utility-l1-1-0.dll.4.dr
        Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\comm\mailnews\mapi\mapiDLL\mozMapi32.pdb source: mozMapi32.dll.4.dr
        Source: Binary string: api-ms-win-core-rtlsupport-l1-1-0.pdb source: api-ms-win-core-rtlsupport-l1-1-0.dll.4.dr
        Source: Binary string: api-ms-win-core-timezone-l1-1-0.pdb source: api-ms-win-core-timezone-l1-1-0.dll.4.dr
        Source: Binary string: api-ms-win-core-string-l1-1-0.pdb source: api-ms-win-core-string-l1-1-0.dll.4.dr
        Source: Binary string: msvcp140.i386.pdbGCTL source: msvcp140.dll.4.dr
        Source: Binary string: api-ms-win-core-file-l2-1-0.pdb source: api-ms-win-core-file-l2-1-0.dll.4.dr
        Source: Binary string: api-ms-win-crt-process-l1-1-0.pdb source: api-ms-win-crt-process-l1-1-0.dll.4.dr
        Source: Binary string: api-ms-win-core-libraryloader-l1-1-0.pdb source: api-ms-win-core-libraryloader-l1-1-0.dll.4.dr
        Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\comm\ldap\c-sdk\libraries\libldif\ldif60.pdb source: ldif60.dll.4.dr
        Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\config\external\lgpllibs\lgpllibs.pdb source: lgpllibs.dll.4.dr
        Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\accessible\interfaces\msaa\AccessibleMarshal.pdb source: AccessibleMarshal.dll.4.dr
        Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\security\nss\lib\softoken\legacydb\legacydb_nssdbm3\nssdbm3.pdb source: nssdbm3.dll.4.dr
        Source: Binary string: api-ms-win-core-interlocked-l1-1-0.pdb source: api-ms-win-core-interlocked-l1-1-0.dll.4.dr
        Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\toolkit\crashreporter\injector\breakpadinjector.pdb source: breakpadinjector.dll.4.dr
        Source: Binary string: api-ms-win-crt-heap-l1-1-0.pdb source: api-ms-win-crt-heap-l1-1-0.dll.4.dr
        Source: Binary string: api-ms-win-crt-string-l1-1-0.pdb source: api-ms-win-crt-string-l1-1-0.dll.4.dr

        Data Obfuscation:

        bar