Analysis Report Anmodning om tilbud 12-04-2021#U00b7pdf.exe

Overview

General Information

Sample Name: Anmodning om tilbud 12-04-2021#U00b7pdf.exe
Analysis ID: 385424
MD5: ff684bf547b6f692c53f80779dc5ee7b
SHA1: fe4116a2cfa9cadde500c900f605742d5ddabf10
SHA256: 5cc3fcd6bc68db6107493ae5a1d9adfaa4cc210195c2c5f05d3059cd35ba2e09
Tags: GuLoader

Detection

GuLoader Raccoon
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for domain / URL
Yara detected GuLoader
Yara detected Raccoon Stealer
C2 URLs / IPs found in malware configuration
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Contains functionality to hide a thread from the debugger
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Hides threads from debuggers
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected VB6 Downloader Generic
Abnormal high CPU Usage
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Found dropped PE file which has not been started or loaded
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
Is looking for software installed on the system
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains more sections than normal
PE file contains sections with non-standard names
PE file contains strange resources
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

AV Detection:

Found malware configuration
Source: 0000000C.00000002.877495152.0000000000561000.00000040.00000001.sdmp Malware Configuration Extractor: GuLoader {"Payload URL": "https://drive.google.com/uc?export=download&id=1EVgv79jm2Kha80e4t5kPPRtQGH8glBYc"}
Source: machineinfo.txt.12.dr.binstr Malware Configuration Extractor: Raccoon Stealer {"Config: ": ["00000000 -> Raccoon | 1.7.3", "Build compile date: Sat Feb 27 21:25:06 2021", "Launched at: 2021.04.12 - 11:46:46 GMT", "Bot_ID: D06ED635-68F6-4E9A-955C-4899F5F57B9A_user", "Running on a desktop", "-------------", "- Cookies: 1", "- Passwords: 0", "- Files: 0", "System Information:", "- System Language: English", "- System TimeZone: +1 hrs", "- IP: 84.17.52.3", "- Location: 47.431702, 8.575900 | Zurich, Zurich, Switzerland (8152)", "- ComputerName: 128757", "- Username: user", "- Windows version: NT 10.0", "- Product name: Windows 10 Pro", "- System arch: x64", "- CPU: Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz (4 cores)", "- RAM: 8191 MB (5413 MB used)", "- Screen resolution: 1280x1024", "- Display devices:", "0) Microsoft Basic Display Adapter", "-------------", "Installed Apps:", "Adobe Acrobat Reader DC (19.012.20035)", "Adobe Refresh Manager (1.8.0)", "Google Chrome (85.0.4183.121)", "Google Update Helper (1.3.35.451)", "Java 8 Update 211 (8.0.2110.12)", "Java Auto Updater (2.8.211.12)", "Update for Skype for Business 2016 (KB4484286) 32-Bit Edition", "-------------"]}
Multi AV Scanner detection for domain / URL
Source: telete.in Virustotal: Detection: 11%
Yara detected Raccoon Stealer
Source: Yara match File source: Process Memory Space: Anmodning om tilbud 12-04-2021#U00b7pdf.exe PID: 4552, type: MEMORY

Compliance:

Uses 32bit PE files
Source: Anmodning om tilbud 12-04-2021#U00b7pdf.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: unknown HTTPS traffic detected: 216.58.215.225:443 -> 192.168.2.4:49760 version: TLS 1.2
Source: unknown HTTPS traffic detected: 195.201.225.248:443 -> 192.168.2.4:49761 version: TLS 1.2
Source: unknown HTTPS traffic detected: 195.123.215.115:443 -> 192.168.2.4:49762 version: TLS 1.2
Source: C:\Users\user\Desktop\Anmodning om tilbud 12-04-2021#U00b7pdf.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\html\
Source: C:\Users\user\Desktop\Anmodning om tilbud 12-04-2021#U00b7pdf.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\_locales\
Source: C:\Users\user\Desktop\Anmodning om tilbud 12-04-2021#U00b7pdf.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\
Source: C:\Users\user\Desktop\Anmodning om tilbud 12-04-2021#U00b7pdf.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\images\
Source: C:\Users\user\Desktop\Anmodning om tilbud 12-04-2021#U00b7pdf.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\_locales\bg\
Source: C:\Users\user\Desktop\Anmodning om tilbud 12-04-2021#U00b7pdf.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\css\

Software Vulnerabilities:

Found inlined nop instructions (likely shell or obfuscated code)

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: https://drive.google.com/uc?export=download&id=1EVgv79jm2Kha80e4t5kPPRtQGH8glBYc
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 195.201.225.248
Source: Joe Sandbox View IP Address: 195.123.215.115
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: HETZNER-ASDE
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: ce5f3254611a8c095a3d821d44539877
Source: Joe Sandbox View JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: unknown DNS traffic detected: queries for: doc-00-7g-docs.googleusercontent.com
Source: nssckbi.dll.12.dr String found in binary or memory: https://www.catcert.net/verarrel
Source: nssckbi.dll.12.dr String found in binary or memory: https://www.catcert.net/verarrel05
Source: mozglue.dll.12.dr String found in binary or memory: https://www.digicert.com/CPS0
Source: Anmodning om tilbud 12-04-2021#U00b7pdf.exe, 0000000C.00000003.862159056.0000000066921000.00000004.00000001.sdmp, 1xVPfvJcrg.12.dr String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49762
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49761
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49760
Source: unknown Network traffic detected: HTTP traffic on port 49761 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49760 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49762 -> 443
Source: unknown HTTPS traffic detected: 216.58.215.225:443 -> 192.168.2.4:49760 version: TLS 1.2
Source: unknown HTTPS traffic detected: 195.201.225.248:443 -> 192.168.2.4:49761 version: TLS 1.2
Source: unknown HTTPS traffic detected: 195.123.215.115:443 -> 192.168.2.4:49762 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Contains functionality to read data from the clipboard
Source: C:\Users\user\Desktop\Anmodning om tilbud 12-04-2021#U00b7pdf.exe Code function: 0_2_0040D548 OpenClipboard, 0_2_0040D548

E-Banking Fraud:

Yara detected Raccoon Stealer
Source: Yara match File source: Process Memory Space: Anmodning om tilbud 12-04-2021#U00b7pdf.exe PID: 4552, type: MEMORY

System Summary:

Abnormal high CPU Usage
Source: C:\Users\user\Desktop\Anmodning om tilbud 12-04-2021#U00b7pdf.exe Process Stats: CPU usage > 98%
Contains functionality to call native functions
Source: C:\Users\user\Desktop\Anmodning om tilbud 12-04-2021#U00b7pdf.exe Code function: 0_2_022A4E08 NtProtectVirtualMemory, 0_2_022A4E08
Source: C:\Users\user\Desktop\Anmodning om tilbud 12-04-2021#U00b7pdf.exe Code function: 0_2_022A528C NtResumeThread, 0_2_022A528C
Source: C:\Users\user\Desktop\Anmodning om tilbud 12-04-2021#U00b7pdf.exe Code function: 0_2_022A1F10 NtSetInformationThread,NtWriteVirtualMemory, 0_2_022A1F10
Source: C:\Users\user\Desktop\Anmodning om tilbud 12-04-2021#U00b7pdf.exe Code function: 0_2_022A03F5 EnumWindows,NtSetInformationThread, 0_2_022A03F5
Source: C:\Users\user\Desktop\Anmodning om tilbud 12-04-2021#U00b7pdf.exe Code function: 0_2_022A300B NtSetInformationThread, 0_2_022A300B
Source: C:\Users\user\Desktop\Anmodning om tilbud 12-04-2021#U00b7pdf.exe Code function: 0_2_022A2018 NtWriteVirtualMemory, 0_2_022A2018
Source: C:\Users\user\Desktop\Anmodning om tilbud 12-04-2021#U00b7pdf.exe Code function: 0_2_022A22BC NtWriteVirtualMemory, 0_2_022A22BC
Source: C:\Users\user\Desktop\Anmodning om tilbud 12-04-2021#U00b7pdf.exe Code function: 0_2_022A5295 NtResumeThread, 0_2_022A5295
Source: C:\Users\user\Desktop\Anmodning om tilbud 12-04-2021#U00b7pdf.exe Code function: 0_2_022A10FF NtSetInformationThread, 0_2_022A10FF
Source: C:\Users\user\Desktop\Anmodning om tilbud 12-04-2021#U00b7pdf.exe Code function: 0_2_022A0EF7 NtSetInformationThread, 0_2_022A0EF7
Source: C:\Users\user\Desktop\Anmodning om tilbud 12-04-2021#U00b7pdf.exe Code function: 0_2_022A04C9 NtSetInformationThread, 0_2_022A04C9
Source: C:\Users\user\Desktop\Anmodning om tilbud 12-04-2021#U00b7pdf.exe Code function: 0_2_022A5336 NtResumeThread, 0_2_022A5336
Source: C:\Users\user\Desktop\Anmodning om tilbud 12-04-2021#U00b7pdf.exe Code function: 0_2_022A5501 NtResumeThread, 0_2_022A5501
Source: C:\Users\user\Desktop\Anmodning om tilbud 12-04-2021#U00b7pdf.exe Code function: 0_2_022A0D5E NtSetInformationThread, 0_2_022A0D5E
Source: C:\Users\user\Desktop\Anmodning om tilbud 12-04-2021#U00b7pdf.exe Code function: 0_2_022A51EB NtProtectVirtualMemory, 0_2_022A51EB
Source: C:\Users\user\Desktop\Anmodning om tilbud 12-04-2021#U00b7pdf.exe Code function: 0_2_022A53F2 NtResumeThread, 0_2_022A53F2
Source: C:\Users\user\Desktop\Anmodning om tilbud 12-04-2021#U00b7pdf.exe Code function: 0_2_022A11CB NtSetInformationThread, 0_2_022A11CB
Detected potential crypto function
Source: C:\Users\user\Desktop\Anmodning om tilbud 12-04-2021#U00b7pdf.exe Code function: 0_2_00403E7A 0_2_00403E7A
Source: C:\Users\user\Desktop\Anmodning om tilbud 12-04-2021#U00b7pdf.exe Code function: 0_2_0040445A 0_2_0040445A
Source: C:\Users\user\Desktop\Anmodning om tilbud 12-04-2021#U00b7pdf.exe Code function: 0_2_00404C77 0_2_00404C77
Source: C:\Users\user\Desktop\Anmodning om tilbud 12-04-2021#U00b7pdf.exe Code function: 0_2_00404015 0_2_00404015
Source: C:\Users\user\Desktop\Anmodning om tilbud 12-04-2021#U00b7pdf.exe Code function: 0_2_00404839 0_2_00404839
Source: C:\Users\user\Desktop\Anmodning om tilbud 12-04-2021#U00b7pdf.exe Code function: 0_2_004044C9 0_2_004044C9
Source: C:\Users\user\Desktop\Anmodning om tilbud 12-04-2021#U00b7pdf.exe Code function: 0_2_004040F0 0_2_004040F0
Source: C:\Users\user\Desktop\Anmodning om tilbud 12-04-2021#U00b7pdf.exe Code function: 0_2_00404081 0_2_00404081
Source: C:\Users\user\Desktop\Anmodning om tilbud 12-04-2021#U00b7pdf.exe Code function: 0_2_004048AA 0_2_004048AA
Source: C:\Users\user\Desktop\Anmodning om tilbud 12-04-2021#U00b7pdf.exe Code function: 0_2_0040415D 0_2_0040415D
Source: C:\Users\user\Desktop\Anmodning om tilbud 12-04-2021#U00b7pdf.exe Code function: 0_2_00404915 0_2_00404915
Source: C:\Users\user\Desktop\Anmodning om tilbud 12-04-2021#U00b7pdf.exe Code function: 0_2_00404538 0_2_00404538
Source: C:\Users\user\Desktop\Anmodning om tilbud 12-04-2021#U00b7pdf.exe Code function: 0_2_004041C0 0_2_004041C0
Source: C:\Users\user\Desktop\Anmodning om tilbud 12-04-2021#U00b7pdf.exe Code function: 0_2_004049F8 0_2_004049F8
Source: C:\Users\user\Desktop\Anmodning om tilbud 12-04-2021#U00b7pdf.exe Code function: 0_2_00404987 0_2_00404987
Source: C:\Users\user\Desktop\Anmodning om tilbud 12-04-2021#U00b7pdf.exe Code function: 0_2_004045B2 0_2_004045B2
Source: C:\Users\user\Desktop\Anmodning om tilbud 12-04-2021#U00b7pdf.exe Code function: 0_2_00404A65 0_2_00404A65
Source: C:\Users\user\Desktop\Anmodning om tilbud 12-04-2021#U00b7pdf.exe Code function: 0_2_0040461C 0_2_0040461C
Source: C:\Users\user\Desktop\Anmodning om tilbud 12-04-2021#U00b7pdf.exe Code function: 0_2_00404230 0_2_00404230
Source: C:\Users\user\Desktop\Anmodning om tilbud 12-04-2021#U00b7pdf.exe Code function: 0_2_00403EC3 0_2_00403EC3
Source: C:\Users\user\Desktop\Anmodning om tilbud 12-04-2021#U00b7pdf.exe Code function: 0_2_00404AC5 0_2_00404AC5
Source: C:\Users\user\Desktop\Anmodning om tilbud 12-04-2021#U00b7pdf.exe Code function: 0_2_004046EA 0_2_004046EA
Source: C:\Users\user\Desktop\Anmodning om tilbud 12-04-2021#U00b7pdf.exe Code function: 0_2_0040468B 0_2_0040468B
Source: C:\Users\user\Desktop\Anmodning om tilbud 12-04-2021#U00b7pdf.exe Code function: 0_2_004042A4 0_2_004042A4
Source: C:\Users\user\Desktop\Anmodning om tilbud 12-04-2021#U00b7pdf.exe Code function: 0_2_00404753 0_2_00404753
Source: C:\Users\user\Desktop\Anmodning om tilbud 12-04-2021#U00b7pdf.exe Code function: 0_2_0040430C 0_2_0040430C
Source: C:\Users\user\Desktop\Anmodning om tilbud 12-04-2021#U00b7pdf.exe Code function: 0_2_00404B27 0_2_00404B27
Source: C:\Users\user\Desktop\Anmodning om tilbud 12-04-2021#U00b7pdf.exe Code function: 0_2_004047C4 0_2_004047C4
Source: C:\Users\user\Desktop\Anmodning om tilbud 12-04-2021#U00b7pdf.exe Code function: 0_2_004043E8 0_2_004043E8
Source: C:\Users\user\Desktop\Anmodning om tilbud 12-04-2021#U00b7pdf.exe Code function: 0_2_00404380 0_2_00404380
Source: C:\Users\user\Desktop\Anmodning om tilbud 12-04-2021#U00b7pdf.exe Code function: 0_2_00403FA7 0_2_00403FA7
Source: C:\Users\user\Desktop\Anmodning om tilbud 12-04-2021#U00b7pdf.exe Code function: 12_2_6D0EBD8F 12_2_6D0EBD8F
Source: C:\Users\user\Desktop\Anmodning om tilbud 12-04-2021#U00b7pdf.exe Code function: 12_2_6D0F5F1F 12_2_6D0F5F1F
Source: C:\Users\user\Desktop\Anmodning om tilbud 12-04-2021#U00b7pdf.exe Code function: 12_2_6D0F0229 12_2_6D0F0229
Found potential string decryption / allocating functions
Source: C:\Users\user\Desktop\Anmodning om tilbud 12-04-2021#U00b7pdf.exe Code function: String function: 6D0E90E5 appears 41 times
PE file contains more sections than normal
Source: sqlite3.dll.12.dr Static PE information: Number of sections : 18 > 10
PE file contains strange resources
Source: Anmodning om tilbud 12-04-2021#U00b7pdf.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Anmodning om tilbud 12-04-2021#U00b7pdf.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Sample file name differs from the original file name recorded in the version info
Source: Anmodning om tilbud 12-04-2021#U00b7pdf.exe, 00000000.00000002.782935706.0000000000414000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameEleciv.exe vs Anmodning om tilbud 12-04-2021#U00b7pdf.exe
Source: Anmodning om tilbud 12-04-2021#U00b7pdf.exe, 0000000C.00000002.880896126.0000000066A10000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs Anmodning om tilbud 12-04-2021#U00b7pdf.exe
Source: Anmodning om tilbud 12-04-2021#U00b7pdf.exe, 0000000C.00000000.778555254.0000000000414000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameEleciv.exe vs Anmodning om tilbud 12-04-2021#U00b7pdf.exe
Source: Anmodning om tilbud 12-04-2021#U00b7pdf.exe, 0000000C.00000002.880816092.000000001E040000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamenlsbres.dllj% vs Anmodning om tilbud 12-04-2021#U00b7pdf.exe
Source: Anmodning om tilbud 12-04-2021#U00b7pdf.exe, 0000000C.00000002.880785480.000000001DDB0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameCRYPT32.DLL.MUIj% vs Anmodning om tilbud 12-04-2021#U00b7pdf.exe
Source: Anmodning om tilbud 12-04-2021#U00b7pdf.exe, 0000000C.00000002.881189819.000000006D23B000.00000002.00020000.sdmp Binary or memory string: OriginalFilenamenss3.dll8 vs Anmodning om tilbud 12-04-2021#U00b7pdf.exe
Source: Anmodning om tilbud 12-04-2021#U00b7pdf.exe, 0000000C.00000002.880770161.000000001DC60000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamemswsock.dll.muij% vs Anmodning om tilbud 12-04-2021#U00b7pdf.exe
Source: Anmodning om tilbud 12-04-2021#U00b7pdf.exe, 0000000C.00000002.881060024.000000006D102000.00000002.00020000.sdmp Binary or memory string: OriginalFilenamemozglue.dll8 vs Anmodning om tilbud 12-04-2021#U00b7pdf.exe
Source: Anmodning om tilbud 12-04-2021#U00b7pdf.exe, 0000000C.00000002.880822923.000000001E050000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamenlsbres.dll.muij% vs Anmodning om tilbud 12-04-2021#U00b7pdf.exe
Source: Anmodning om tilbud 12-04-2021#U00b7pdf.exe Binary or memory string: OriginalFilenameEleciv.exe vs Anmodning om tilbud 12-04-2021#U00b7pdf.exe
Uses 32bit PE files
Source: Anmodning om tilbud 12-04-2021#U00b7pdf.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@8/67@3/3
Source: C:\Users\user\Desktop\Anmodning om tilbud 12-04-2021#U00b7pdf.exe Code function: 12_2_6D0EADB0 GetLastError,FormatMessageA,__acrt_iob_func,__acrt_iob_func,fflush,LocalFree, 12_2_6D0EADB0
Source: C:\Users\user\Desktop\Anmodning om tilbud 12-04-2021#U00b7pdf.exe File created: C:\Users\user\AppData\LocalLow\sqlite3.dll Jump to behavior
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6500:120:WilError_01
Source: C:\Users\user\Desktop\Anmodning om tilbud 12-04-2021#U00b7pdf.exe Mutant created: \Sessions\1\BaseNamedObjects\uiabfqwfuuser
Source: C:\Users\user\Desktop\Anmodning om tilbud 12-04-2021#U00b7pdf.exe File created: C:\Users\user\AppData\Local\Temp\~DF57257DC25578F538.TMP Jump to behavior
Source: Anmodning om tilbud 12-04-2021#U00b7pdf.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Anmodning om tilbud 12-04-2021#U00b7pdf.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll Jump to behavior
Source: C:\Users\user\Desktop\Anmodning om tilbud 12-04-2021#U00b7pdf.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: C:\Users\user\Desktop\Anmodning om tilbud 12-04-2021#U00b7pdf.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\Desktop\Anmodning om tilbud 12-04-2021#U00b7pdf.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\Desktop\Anmodning om tilbud 12-04-2021#U00b7pdf.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\Desktop\Anmodning om tilbud 12-04-2021#U00b7pdf.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: softokn3.dll.12.dr Binary or memory string: CREATE TABLE metaData (id PRIMARY KEY UNIQUE ON CONFLICT REPLACE, item1, item2);
Source: Anmodning om tilbud 12-04-2021#U00b7pdf.exe, 0000000C.00000002.881153656.000000006D200000.00000002.00020000.sdmp, sqlite3.dll.12.dr Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: softokn3.dll.12.dr Binary or memory string: SELECT ALL %s FROM %s WHERE id=$ID;
Source: softokn3.dll.12.dr Binary or memory string: SELECT ALL * FROM %s LIMIT 0;
Source: Anmodning om tilbud 12-04-2021#U00b7pdf.exe, 0000000C.00000002.881153656.000000006D200000.00000002.00020000.sdmp, sqlite3.dll.12.dr Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: Anmodning om tilbud 12-04-2021#U00b7pdf.exe, 0000000C.00000002.881153656.000000006D200000.00000002.00020000.sdmp, nss3.dll.12.dr Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);docid INTEGER PRIMARY KEY%z, 'c%d%q'%z, langidCREATE TABLE %Q.'%q_content'(%s)CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);<
Source: Anmodning om tilbud 12-04-2021#U00b7pdf.exe, 0000000C.00000002.881153656.000000006D200000.00000002.00020000.sdmp, sqlite3.dll.12.dr Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: Anmodning om tilbud 12-04-2021#U00b7pdf.exe, 0000000C.00000002.881153656.000000006D200000.00000002.00020000.sdmp, sqlite3.dll.12.dr Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: softokn3.dll.12.dr Binary or memory string: UPDATE %s SET %s WHERE id=$ID;
Source: softokn3.dll.12.dr Binary or memory string: SELECT ALL * FROM metaData WHERE id=$ID;
Source: softokn3.dll.12.dr Binary or memory string: SELECT ALL id FROM %s WHERE %s;
Source: softokn3.dll.12.dr Binary or memory string: SELECT ALL id FROM %s;
Source: softokn3.dll.12.dr Binary or memory string: INSERT INTO metaData (id,item1) VALUES($ID,$ITEM1);
Source: sqlite3.dll.12.dr Binary or memory string: UPDATE %Q.%s SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: softokn3.dll.12.dr Binary or memory string: INSERT INTO %s (id%s) VALUES($ID%s);
Source: Anmodning om tilbud 12-04-2021#U00b7pdf.exe, 0000000C.00000002.881153656.000000006D200000.00000002.00020000.sdmp, nss3.dll.12.dr Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: Anmodning om tilbud 12-04-2021#U00b7pdf.exe, 0000000C.00000002.881153656.000000006D200000.00000002.00020000.sdmp, nss3.dll.12.dr Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: Anmodning om tilbud 12-04-2021#U00b7pdf.exe, 0000000C.00000002.881153656.000000006D200000.00000002.00020000.sdmp, sqlite3.dll.12.dr Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: Anmodning om tilbud 12-04-2021#U00b7pdf.exe, 0000000C.00000002.881153656.000000006D200000.00000002.00020000.sdmp, nss3.dll.12.dr Binary or memory string: CREATE TABLE xx( name TEXT, /* Name of table or index */ path TEXT, /* Path to page from root */ pageno INTEGER, /* Page number */ pagetype TEXT, /* 'internal', 'leaf' or 'overflow' */ ncell INTEGER, /* Cells on page (0 for overflow) */ payload INTEGER, /* Bytes of payload on this page */ unused INTEGER, /* Bytes of unused space on this page */ mx_payload INTEGER, /* Largest payload size of all cells */ pgoffset INTEGER, /* Offset of page in file */ pgsize INTEGER, /* Size of the page */ schema TEXT HIDDEN /* Database schema being analyzed */);
Source: Anmodning om tilbud 12-04-2021#U00b7pdf.exe, 0000000C.00000002.881153656.000000006D200000.00000002.00020000.sdmp, nss3.dll.12.dr Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: softokn3.dll.12.dr Binary or memory string: INSERT INTO metaData (id,item1,item2) VALUES($ID,$ITEM1,$ITEM2);
Source: Anmodning om tilbud 12-04-2021#U00b7pdf.exe, 0000000C.00000002.881153656.000000006D200000.00000002.00020000.sdmp, nss3.dll.12.dr Binary or memory string: CREATE TABLE xx( name TEXT, /* Name of table or index */ path TEXT, /* Path to page from root */ pageno INTEGER, /* Page number */ pagetype TEXT, /* 'internal', 'leaf' or 'overflow' */ ncell INTEGER, /* Cells on page (0 for overflow) */ payload INTEGER, /* Bytes of payload on this page */ unused INTEGER, /* Bytes of unused space on this page */ mx_payload INTEGER, /* Largest payload size of all cells */ pgoffset INTEGER, /* Offset of page in file */ pgsize INTEGER, /* Size of the page */ schema TEXT HIDDEN /* Database schema being analyzed */);/overflow%s%.3x+%.6x%s%.3x/internalleafcorruptedno such schema: %sSELECT 'sqlite_master' AS name, 1 AS rootpage, 'table' AS type UNION ALL SELECT name, rootpage, type FROM "%w".%s WHERE rootpage!=0 ORDER BY namedbstat2018-01-22 18:45:57 0c55d179733b46d8d0ba4d88e01a25e10677046ee3da1d5b1581e86726f2171d:
Source: sqlite3.dll.12.dr Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
Source: unknown Process created: C:\Users\user\Desktop\Anmodning om tilbud 12-04-2021#U00b7pdf.exe 'C:\Users\user\Desktop\Anmodning om tilbud 12-04-2021#U00b7pdf.exe'
Source: C:\Users\user\Desktop\Anmodning om tilbud 12-04-2021#U00b7pdf.exe Process created: C:\Users\user\Desktop\Anmodning om tilbud 12-04-2021#U00b7pdf.exe 'C:\Users\user\Desktop\Anmodning om tilbud 12-04-2021#U00b7pdf.exe'
Source: C:\Users\user\Desktop\Anmodning om tilbud 12-04-2021#U00b7pdf.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q 'C:\Users\user\Desktop\Anmodning om tilbud 12-04-2021#U00b7pdf.exe'
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout /T 10 /NOBREAK
Source: C:\Users\user\Desktop\Anmodning om tilbud 12-04-2021#U00b7pdf.exe Process created: C:\Users\user\Desktop\Anmodning om tilbud 12-04-2021#U00b7pdf.exe 'C:\Users\user\Desktop\Anmodning om tilbud 12-04-2021#U00b7pdf.exe' Jump to behavior
Source: C:\Users\user\Desktop\Anmodning om tilbud 12-04-2021#U00b7pdf.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q 'C:\Users\user\Desktop\Anmodning om tilbud 12-04-2021#U00b7pdf.exe' Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout /T 10 /NOBREAK Jump to behavior
Source: C:\Users\user\Desktop\Anmodning om tilbud 12-04-2021#U00b7pdf.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager Jump to behavior
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\security\nss\lib\freebl\freebl_freebl3\freebl3.pdbZZ source: freebl3.dll.12.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\gfx\angle\targets\libEGL\libEGL.pdb source: libEGL.dll.12.dr
Source: Binary string: api-ms-win-crt-locale-l1-1-0.pdb source: api-ms-win-crt-locale-l1-1-0.dll.12.dr
Source: Binary string: api-ms-win-crt-runtime-l1-1-0.pdb source: api-ms-win-crt-runtime-l1-1-0.dll.12.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\comm\ldap\c-sdk\libraries\libprldap\prldap60.pdb source: prldap60.dll.12.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\accessible\interfaces\ia2\IA2Marshal.pdb source: IA2Marshal.dll.12.dr
Source: Binary string: api-ms-win-core-file-l1-2-0.pdb source: api-ms-win-core-file-l1-2-0.dll.12.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\security\nss3.pdb source: Anmodning om tilbud 12-04-2021#U00b7pdf.exe, 0000000C.00000002.881153656.000000006D200000.00000002.00020000.sdmp, nss3.dll.12.dr
Source: Binary string: ucrtbase.pdb source: ucrtbase.dll.12.dr
Source: Binary string: api-ms-win-core-memory-l1-1-0.pdb source: api-ms-win-core-memory-l1-1-0.dll.12.dr
Source: Binary string: api-ms-win-core-sysinfo-l1-1-0.pdb source: api-ms-win-core-sysinfo-l1-1-0.dll.12.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\comm\ldap\c-sdk\libraries\libldap\ldap60.pdb source: ldap60.dll.12.dr
Source: Binary string: api-ms-win-crt-filesystem-l1-1-0.pdb source: api-ms-win-crt-filesystem-l1-1-0.dll.12.dr
Source: Binary string: api-ms-win-crt-stdio-l1-1-0.pdb source: api-ms-win-crt-stdio-l1-1-0.dll.12.dr
Source: Binary string: api-ms-win-core-heap-l1-1-0.pdb source: api-ms-win-core-heap-l1-1-0.dll.12.dr
Source: Binary string: api-ms-win-core-util-l1-1-0.pdb source: api-ms-win-core-util-l1-1-0.dll.12.dr
Source: Binary string: api-ms-win-core-synch-l1-1-0.pdb source: api-ms-win-core-synch-l1-1-0.dll.12.dr
Source: Binary string: api-ms-win-crt-environment-l1-1-0.pdb source: api-ms-win-crt-environment-l1-1-0.dll.12.dr
Source: Binary string: vcruntime140.i386.pdbGCTL source: vcruntime140.dll.12.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\security\nss\lib\softoken\softoken_softokn3\softokn3.pdb source: softokn3.dll.12.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\security\nss\lib\ckfw\builtins\builtins_nssckbi\nssckbi.pdb source: nssckbi.dll.12.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\mozglue\build\mozglue.pdb22! source: Anmodning om tilbud 12-04-2021#U00b7pdf.exe, 0000000C.00000002.881046456.000000006D0F9000.00000002.00020000.sdmp, mozglue.dll.12.dr
Source: Binary string: api-ms-win-core-processthreads-l1-1-0.pdb source: api-ms-win-core-processthreads-l1-1-0.dll.12.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\security\nss\lib\freebl\freebl_freebl3\freebl3.pdb source: freebl3.dll.12.dr
Source: Binary string: api-ms-win-crt-private-l1-1-0.pdb source: api-ms-win-crt-private-l1-1-0.dll.12.dr
Source: Binary string: api-ms-win-crt-convert-l1-1-0.pdb source: api-ms-win-crt-convert-l1-1-0.dll.12.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\accessible\ipc\win\handler\AccessibleHandler.pdb source: AccessibleHandler.dll.12.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\security\nss\lib\softoken\legacydb\legacydb_nssdbm3\nssdbm3.pdb-- source: nssdbm3.dll.12.dr
Source: Binary string: msvcp140.i386.pdb source: msvcp140.dll.12.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\comm\mailnews\mapi\mapihook\build\MapiProxy.pdb source: MapiProxy_InUse.dll.12.dr
Source: Binary string: api-ms-win-core-profile-l1-1-0.pdb source: api-ms-win-core-profile-l1-1-0.dll.12.dr
Source: Binary string: ucrtbase.pdbUGP source: ucrtbase.dll.12.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\comm\ldap\c-sdk\libraries\libldap\ldap60.pdbUU source: ldap60.dll.12.dr
Source: Binary string: api-ms-win-crt-time-l1-1-0.pdb source: api-ms-win-crt-time-l1-1-0.dll.12.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\security\nss\lib\ckfw\builtins\builtins_nssckbi\nssckbi.pdb66 source: nssckbi.dll.12.dr
Source: Binary string: api-ms-win-core-handle-l1-1-0.pdb source: api-ms-win-core-handle-l1-1-0.dll.12.dr
Source: Binary string: api-ms-win-core-synch-l1-2-0.pdb source: api-ms-win-core-synch-l1-2-0.dll.12.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\security\nss\lib\softoken\softoken_softokn3\softokn3.pdb)) source: softokn3.dll.12.dr
Source: Binary string: api-ms-win-core-processenvironment-l1-1-0.pdb source: api-ms-win-core-processenvironment-l1-1-0.dll.12.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\accessible\interfaces\ia2\IA2Marshal.pdb<< source: IA2Marshal.dll.12.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\mozglue\build\mozglue.pdb source: Anmodning om tilbud 12-04-2021#U00b7pdf.exe, 0000000C.00000002.881046456.000000006D0F9000.00000002.00020000.sdmp, mozglue.dll.12.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\toolkit\library\dummydll\qipcap.pdb source: qipcap.dll.12.dr
Source: Binary string: api-ms-win-crt-conio-l1-1-0.pdb source: api-ms-win-crt-conio-l1-1-0.dll.12.dr
Source: Binary string: ms-win-core-memory-l1-1-0.pdb source: Anmodning om tilbud 12-04-2021#U00b7pdf.exe, 0000000C.00000002.880884389.000000006698B000.00000004.00000001.sdmp
Source: Binary string: api-ms-win-crt-math-l1-1-0.pdb source: api-ms-win-crt-math-l1-1-0.dll.12.dr
Source: Binary string: api-ms-win-core-localization-l1-2-0.pdb source: api-ms-win-core-localization-l1-2-0.dll.12.dr
Source: Binary string: api-ms-win-core-processthreads-l1-1-1.pdb source: api-ms-win-core-processthreads-l1-1-1.dll.12.dr
Source: Binary string: api-ms-win-core-namedpipe-l1-1-0.pdb source: api-ms-win-core-namedpipe-l1-1-0.dll.12.dr
Source: Binary string: api-ms-win-crt-multibyte-l1-1-0.pdb source: api-ms-win-crt-multibyte-l1-1-0.dll.12.dr
Source: Binary string: vcruntime140.i386.pdb source: vcruntime140.dll.12.dr
Source: Binary string: api-ms-win-crt-utility-l1-1-0.pdb source: api-ms-win-crt-utility-l1-1-0.dll.12.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\comm\mailnews\mapi\mapiDLL\mozMapi32.pdb source: mozMapi32.dll.12.dr
Source: Binary string: api-ms-win-core-rtlsupport-l1-1-0.pdb source: api-ms-win-core-rtlsupport-l1-1-0.dll.12.dr
Source: Binary string: api-ms-win-core-timezone-l1-1-0.pdb source: api-ms-win-core-timezone-l1-1-0.dll.12.dr
Source: Binary string: api-ms-win-core-string-l1-1-0.pdb source: api-ms-win-core-string-l1-1-0.dll.12.dr
Source: Binary string: msvcp140.i386.pdbGCTL source: msvcp140.dll.12.dr
Source: Binary string: api-ms-win-core-file-l2-1-0.pdb source: api-ms-win-core-file-l2-1-0.dll.12.dr
Source: Binary string: api-ms-win-crt-process-l1-1-0.pdb source: api-ms-win-crt-process-l1-1-0.dll.12.dr
Source: Binary string: api-ms-win-core-libraryloader-l1-1-0.pdb source: api-ms-win-core-libraryloader-l1-1-0.dll.12.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\config\external\lgpllibs\lgpllibs.pdb source: lgpllibs.dll.12.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\comm\ldap\c-sdk\libraries\libldif\ldif60.pdb source: ldif60.dll.12.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\accessible\interfaces\msaa\AccessibleMarshal.pdb source: AccessibleMarshal.dll.12.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\security\nss\lib\softoken\legacydb\legacydb_nssdbm3\nssdbm3.pdb source: nssdbm3.dll.12.dr
Source: Binary string: api-ms-win-core-interlocked-l1-1-0.pdb source: api-ms-win-core-interlocked-l1-1-0.dll.12.dr
Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\toolkit\crashreporter\injector\breakpadinjector.pdb source: breakpadinjector.dll.12.dr
Source: Binary string: api-ms-win-crt-heap-l1-1-0.pdb source: api-ms-win-crt-heap-l1-1-0.dll.12.dr
Source: Binary string: api-ms-win-crt-string-l1-1-0.pdb source: api-ms-win-crt-string-l1-1-0.dll.12.dr

Data Obfuscation:

Yara detected GuLoader
Source: Yara match File source: 0000000C.00000002.877495152.0000000000561000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Anmodning om tilbud 12-04-2021#U00b7pdf.exe PID: 4552, type: MEMORY
Source: Yara match File source: Process Memory Space: Anmodning om tilbud 12-04-2021#U00b7pdf.exe PID: 6976, type: MEMORY
Yara detected VB6 Downloader Generic
Source: Yara match File source: Process Memory Space: Anmodning om tilbud 12-04-2021#U00b7pdf.exe PID: 4552, type: MEMORY
Source: Yara match File source: Process Memory Space: Anmodning om tilbud 12-04-2021#U00b7pdf.exe PID: 6976, type: MEMORY
PE file contains sections with non-standard names
Source: sqlite3.dll.12.dr Static PE information: section name: /4
Source: sqlite3.dll.12.dr Static PE information: section name: /19
Source: sqlite3.dll.12.dr Static PE information: section name: /31
Source: sqlite3.dll.12.dr Static PE information: section name: /45
Source: sqlite3.dll.12.dr Static PE information: section name: /57
Source: sqlite3.dll.12.dr Static PE information: section name: /70
Source: sqlite3.dll.12.dr Static PE information: section name: /81
Source: sqlite3.dll.12.dr Static PE information: section name: /92
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\Anmodning om tilbud 12-04-2021#U00b7pdf.exe Code function: 0_2_0040F534 push dword ptr [ebp-08h]; ret 0_2_00410D60
Source: C:\Users\user\Desktop\Anmodning om tilbud 12-04-2021#U00b7pdf.exe Code function: 0_2_00404012 push esp; iretd 0_2_00404013
Source: C:\Users\user\Desktop\Anmodning om tilbud 12-04-2021#U00b7pdf.exe Code function: 0_2_0040A680 push ds; iretd 0_2_0040A681
Source: C:\Users\user\Desktop\Anmodning om tilbud 12-04-2021#U00b7pdf.exe Code function: 0_2_022A34E1 push 8B792066h; iretd 0_2_022A34E7
Source: C:\Users\user\Desktop\Anmodning om tilbud 12-04-2021#U00b7pdf.exe Code function: 0_2_022A55C0 pushad ; retf 0_2_022A55C1
Source: C:\Users\user\Desktop\Anmodning om tilbud 12-04-2021#U00b7pdf.exe Code function: 0_2_022A55C5 pushad ; retf 0_2_022A55E7
Source: C:\Users\user\Desktop\Anmodning om tilbud 12-04-2021#U00b7pdf.exe Code function: 0_2_022A55C5 push F7668EB2h; retn 2878h 0_2_022A560E
Source: C:\Users\user\Desktop\Anmodning om tilbud 12-04-2021#U00b7pdf.exe Code function: 12_2_6D0F8646 push ecx; ret 12_2_6D0F8659

Persistence and Installation Behavior:

Drops PE files
Source: C:\Users\user\Desktop\Anmodning om tilbud 12-04-2021#U00b7pdf.exe File created: C:\Users\user\AppData\LocalLow\gC9tT2iQ3s\api-ms-win-core-rtlsupport-l1-1-0.dll
Source: C:\Users\user\Desktop\Anmodning om tilbud 12-04-2021#U00b7pdf.exe File created: C:\Users\user\AppData\LocalLow\gC9tT2iQ3s\nssdbm3.dll
Source: C:\Users\user\Desktop\Anmodning om tilbud 12-04-2021#U00b7pdf.exe File created: C:\Users\user\AppData\LocalLow\gC9tT2iQ3s\api-ms-win-core-synch-l1-2-0.dll
Source: C:\Users\user\Desktop\Anmodning om tilbud 12-04-2021#U00b7pdf.exe File created: C:\Users\user\AppData\LocalLow\gC9tT2iQ3s\api-ms-win-crt-environment-l1-1-0.dll
Source: C:\Users\user\Desktop\Anmodning om tilbud 12-04-2021#U00b7pdf.exe File created: C:\Users\user\AppData\LocalLow\gC9tT2iQ3s\api-ms-win-crt-utility-l1-1-0.dll
Source: C:\Users\user\Desktop\Anmodning om tilbud 12-04-2021#U00b7pdf.exe File created: C:\Users\user\AppData\LocalLow\gC9tT2iQ3s\MapiProxy_InUse.dll
Source: C:\Users\user\Desktop\Anmodning om tilbud 12-04-2021#U00b7pdf.exe File created: C:\Users\user\AppData\LocalLow\gC9tT2iQ3s\freebl3.dll
Source: C:\Users\user\Desktop\Anmodning om tilbud 12-04-2021#U00b7pdf.exe File created: C:\Users\user\AppData\LocalLow\sqlite3.dll
Source: C:\Users\user\Desktop\Anmodning om tilbud 12-04-2021#U00b7pdf.exe File created: C:\Users\user\AppData\LocalLow\gC9tT2iQ3s\api-ms-win-core-processthreads-l1-1-1.dll
Source: C:\Users\user\Desktop\Anmodning om tilbud 12-04-2021#U00b7pdf.exe File created: C:\Users\user\AppData\LocalLow\gC9tT2iQ3s\softokn3.dll
Source: C:\Users\user\Desktop\Anmodning om tilbud 12-04-2021#U00b7pdf.exe File created: C:\Users\user\AppData\LocalLow\gC9tT2iQ3s\api-ms-win-crt-string-l1-1-0.dll
Source: C:\Users\user\Desktop\Anmodning om tilbud 12-04-2021#U00b7pdf.exe File created: C:\Users\user\AppData\LocalLow\gC9tT2iQ3s\AccessibleMarshal.dll
Source: C:\Users\user\Desktop\Anmodning om tilbud 12-04-2021#U00b7pdf.exe File created: C:\Users\user\AppData\LocalLow\gC9tT2iQ3s\api-ms-win-core-processenvironment-l1-1-0.dll
Source: C:\Users\user\Desktop\Anmodning om tilbud 12-04-2021#U00b7pdf.exe File created: C:\Users\user\AppData\LocalLow\gC9tT2iQ3s\ldap60.dll
Source: C:\Users\user\Desktop\Anmodning om tilbud 12-04-2021#U00b7pdf.exe File created: C:\Users\user\AppData\LocalLow\gC9tT2iQ3s\api-ms-win-core-file-l2-1-0.dll
Source: C:\Users\user\Desktop\Anmodning om tilbud 12-04-2021#U00b7pdf.exe File created: C:\Users\user\AppData\LocalLow\gC9tT2iQ3s\api-ms-win-core-memory-l1-1-0.dll
Source: C:\Users\user\Desktop\Anmodning om tilbud 12-04-2021#U00b7pdf.exe File created: C:\Users\user\AppData\LocalLow\gC9tT2iQ3s\api-ms-win-core-synch-l1-1-0.dll
Source: C:\Users\user\Desktop\Anmodning om tilbud 12-04-2021#U00b7pdf.exe File created: C:\Users\user\AppData\LocalLow\gC9tT2iQ3s\api-ms-win-crt-stdio-l1-1-0.dll
Source: C:\Users\user\Desktop\Anmodning om tilbud 12-04-2021#U00b7pdf.exe File created: C:\Users\user\AppData\LocalLow\gC9tT2iQ3s\api-ms-win-core-profile-l1-1-0.dll
Source: C:\Users\user\Desktop\Anmodning om tilbud 12-04-2021#U00b7pdf.exe File created: C:\Users\user\AppData\LocalLow\gC9tT2iQ3s\api-ms-win-crt-time-l1-1-0.dll
Source: C:\Users\user\Desktop\Anmodning om tilbud 12-04-2021#U00b7pdf.exe File created: C:\Users\user\AppData\LocalLow\gC9tT2iQ3s\vcruntime140.dll
Source: C:\Users\user\Desktop\Anmodning om tilbud 12-04-2021#U00b7pdf.exe File created: C:\Users\user\AppData\LocalLow\gC9tT2iQ3s\api-ms-win-crt-private-l1-1-0.dll
Source: C:\Users\user\Desktop\Anmodning om tilbud 12-04-2021#U00b7pdf.exe File created: C:\Users\user\AppData\LocalLow\gC9tT2iQ3s\api-ms-win-core-timezone-l1-1-0.dll
Source: C:\Users\user\Desktop\Anmodning om tilbud 12-04-2021#U00b7pdf.exe File created: C:\Users\user\AppData\LocalLow\gC9tT2iQ3s\ucrtbase.dll
Source: C:\Users\user\Desktop\Anmodning om tilbud 12-04-2021#U00b7pdf.exe File created: C:\Users\user\AppData\LocalLow\gC9tT2iQ3s\api-ms-win-crt-multibyte-l1-1-0.dll
Source: C:\Users\user\Desktop\Anmodning om tilbud 12-04-2021#U00b7pdf.exe File created: C:\Users\user\AppData\LocalLow\gC9tT2iQ3s\api-ms-win-core-heap-l1-1-0.dll
Source: C:\Users\user\Desktop\Anmodning om tilbud 12-04-2021#U00b7pdf.exe File created: C:\Users\user\AppData\LocalLow\gC9tT2iQ3s\api-ms-win-crt-process-l1-1-0.dll
Source: C:\Users\user\Desktop\Anmodning om tilbud 12-04-2021#U00b7pdf.exe File created: C:\Users\user\AppData\LocalLow\gC9tT2iQ3s\api-ms-win-core-interlocked-l1-1-0.dll
Source: C:\Users\user\Desktop\Anmodning om tilbud 12-04-2021#U00b7pdf.exe File created: C:\Users\user\AppData\LocalLow\gC9tT2iQ3s\qipcap.dll
Source: C:\Users\user\Desktop\Anmodning om tilbud 12-04-2021#U00b7pdf.exe File created: C:\Users\user\AppData\LocalLow\gC9tT2iQ3s\lgpllibs.dll
Source: C:\Users\user\Desktop\Anmodning om tilbud 12-04-2021#U00b7pdf.exe File created: C:\Users\user\AppData\LocalLow\gC9tT2iQ3s\api-ms-win-crt-filesystem-l1-1-0.dll
Source: C:\Users\user\Desktop\Anmodning om tilbud 12-04-2021#U00b7pdf.exe File created: C:\Users\user\AppData\LocalLow\gC9tT2iQ3s\mozMapi32_InUse.dll
Source: C:\Users\user\Desktop\Anmodning om tilbud 12-04-2021#U00b7pdf.exe File created: C:\Users\user\AppData\LocalLow\gC9tT2iQ3s\ldif60.dll
Source: C:\Users\user\Desktop\Anmodning om tilbud 12-04-2021#U00b7pdf.exe File created: C:\Users\user\AppData\LocalLow\gC9tT2iQ3s\prldap60.dll
Source: C:\Users\user\Desktop\Anmodning om tilbud 12-04-2021#U00b7pdf.exe File created: C:\Users\user\AppData\LocalLow\gC9tT2iQ3s\api-ms-win-core-namedpipe-l1-1-0.dll
Source: C:\Users\user\Desktop\Anmodning om tilbud 12-04-2021#U00b7pdf.exe File created: C:\Users\user\AppData\LocalLow\gC9tT2iQ3s\api-ms-win-core-file-l1-2-0.dll
Source: C:\Users\user\Desktop\Anmodning om tilbud 12-04-2021#U00b7pdf.exe File created: C:\Users\user\AppData\LocalLow\gC9tT2iQ3s\api-ms-win-core-string-l1-1-0.dll
Source: C:\Users\user\Desktop\Anmodning om tilbud 12-04-2021#U00b7pdf.exe File created: C:\Users\user\AppData\LocalLow\gC9tT2iQ3s\api-ms-win-crt-math-l1-1-0.dll
Source: C:\Users\user\Desktop\Anmodning om tilbud 12-04-2021#U00b7pdf.exe File created: C:\Users\user\AppData\LocalLow\gC9tT2iQ3s\api-ms-win-crt-locale-l1-1-0.dll
Source: C:\Users\user\Desktop\Anmodning om tilbud 12-04-2021#U00b7pdf.exe File created: C:\Users\user\AppData\LocalLow\gC9tT2iQ3s\mozMapi32.dll
Source: C:\Users\user\Desktop\Anmodning om tilbud 12-04-2021#U00b7pdf.exe File created: C:\Users\user\AppData\LocalLow\gC9tT2iQ3s\mozglue.dll
Source: C:\Users\user\Desktop\Anmodning om tilbud 12-04-2021#U00b7pdf.exe File created: C:\Users\user\AppData\LocalLow\gC9tT2iQ3s\nss3.dll
Source: C:\Users\user\Desktop\Anmodning om tilbud 12-04-2021#U00b7pdf.exe File created: C:\Users\user\AppData\LocalLow\gC9tT2iQ3s\api-ms-win-core-libraryloader-l1-1-0.dll
Source: C:\Users\user\Desktop\Anmodning om tilbud 12-04-2021#U00b7pdf.exe File created: C:\Users\user\AppData\LocalLow\gC9tT2iQ3s\breakpadinjector.dll
Source: C:\Users\user\Desktop\Anmodning om tilbud 12-04-2021#U00b7pdf.exe File created: C:\Users\user\AppData\LocalLow\gC9tT2iQ3s\api-ms-win-crt-heap-l1-1-0.dll
Source: C:\Users\user\Desktop\Anmodning om tilbud 12-04-2021#U00b7pdf.exe File created: C:\Users\user\AppData\LocalLow\gC9tT2iQ3s\MapiProxy.dll
Source: C:\Users\user\Desktop\Anmodning om tilbud 12-04-2021#U00b7pdf.exe File created: C:\Users\user\AppData\LocalLow\gC9tT2iQ3s\api-ms-win-crt-conio-l1-1-0.dll
Source: C:\Users\user\Desktop\Anmodning om tilbud 12-04-2021#U00b7pdf.exe File created: C:\Users\user\AppData\LocalLow\gC9tT2iQ3s\api-ms-win-core-processthreads-l1-1-0.dll
Source: C:\Users\user\Desktop\Anmodning om tilbud 12-04-2021#U00b7pdf.exe File created: C:\Users\user\AppData\LocalLow\gC9tT2iQ3s\api-ms-win-core-util-l1-1-0.dll
Source: C:\Users\user\Desktop\Anmodning om tilbud 12-04-2021#U00b7pdf.exe File created: C:\Users\user\AppData\LocalLow\gC9tT2iQ3s\nssckbi.dll
Source: C:\Users\user\Desktop\Anmodning om tilbud 12-04-2021#U00b7pdf.exe File created: C:\Users\user\AppData\LocalLow\gC9tT2iQ3s\api-ms-win-core-sysinfo-l1-1-0.dll
Source: C:\Users\user\Desktop\Anmodning om tilbud 12-04-2021#U00b7pdf.exe File created: C:\Users\user\AppData\LocalLow\gC9tT2iQ3s\api-ms-win-crt-convert-l1-1-0.dll
Source: C:\Users\user\Desktop\Anmodning om tilbud 12-04-2021#U00b7pdf.exe File created: C:\Users\user\AppData\LocalLow\gC9tT2iQ3s\AccessibleHandler.dll
Source: C:\Users\user\Desktop\Anmodning om tilbud 12-04-2021#U00b7pdf.exe File created: C:\Users\user\AppData\LocalLow\gC9tT2iQ3s\api-ms-win-core-handle-l1-1-0.dll
Source: C:\Users\user\Desktop\Anmodning om tilbud 12-04-2021#U00b7pdf.exe File created: C:\Users\user\AppData\LocalLow\gC9tT2iQ3s\msvcp140.dll
Source: C:\Users\user\Desktop\Anmodning om tilbud 12-04-2021#U00b7pdf.exe File created: C:\Users\user\AppData\LocalLow\gC9tT2iQ3s\IA2Marshal.dll
Source: C:\Users\user\Desktop\Anmodning om tilbud 12-04-2021#U00b7pdf.exe File created: C:\Users\user\AppData\LocalLow\gC9tT2iQ3s\api-ms-win-core-localization-l1-2-0.dll
Source: C:\Users\user\Desktop\Anmodning om tilbud 12-04-2021#U00b7pdf.exe File created: C:\Users\user\AppData\LocalLow\gC9tT2iQ3s\api-ms-win-crt-runtime-l1-1-0.dll
Source: C:\Users\user\Desktop\Anmodning om tilbud 12-04-2021#U00b7pdf.exe File created: C:\Users\user\AppData\LocalLow\gC9tT2iQ3s\libEGL.dll
Source: C:\Users\user\Desktop\Anmodning om tilbud 12-04-2021#U00b7pdf.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Anmodning om tilbud 12-04-2021#U00b7pdf.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Anmodning om tilbud 12-04-2021#U00b7pdf.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Anmodning om tilbud 12-04-2021#U00b7pdf.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Anmodning om tilbud 12-04-2021#U00b7pdf.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Anmodning om tilbud 12-04-2021#U00b7pdf.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Anmodning om tilbud 12-04-2021#U00b7pdf.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Anmodning om tilbud 12-04-2021#U00b7pdf.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Anmodning om tilbud 12-04-2021#U00b7pdf.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\timeout.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\timeout.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Contains functionality to detect hardware virtualization (CPUID execution measurement)
Source: C:\Users\user\Desktop\Anmodning om tilbud 12-04-2021#U00b7pdf.exe Code function: 0_2_022A1490 0_2_022A1490
Source: C:\Users\user\Desktop\Anmodning om tilbud 12-04-2021#U00b7pdf.exe Code function: 0_2_022A1A95 LoadLibraryA, 0_2_022A1A95
Source: C:\Users\user\Desktop\Anmodning om tilbud 12-04-2021#U00b7pdf.exe Code function: 0_2_022A1375 0_2_022A1375
Source: C:\Users\user\Desktop\Anmodning om tilbud 12-04-2021#U00b7pdf.exe Code function: 0_2_022A13B6 LoadLibraryA, 0_2_022A13B6
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Source: C:\Users\user\Desktop\Anmodning om tilbud 12-04-2021#U00b7pdf.exe RDTSC instruction interceptor: First address: 00000000022A453B second address: 00000000022A453B instructions: 0x00000000 rdtsc 0x00000002 xor eax, eax 0x00000004 inc eax 0x00000005 cpuid 0x00000007 popad 0x00000008 call 00007F0BED037528h 0x0000000d lfence 0x00000010 mov edx, dword ptr [7FFE0014h] 0x00000016 lfence 0x00000019 ret 0x0000001a sub edx, esi 0x0000001c ret 0x0000001d test bl, bl 0x0000001f test ch, bh 0x00000021 add edi, edx 0x00000023 test dh, 00000019h 0x00000026 dec dword ptr [ebp+000000F8h] 0x0000002c cmp dword ptr [ebp+000000F8h], 00000000h 0x00000033 jne 00007F0BED037503h 0x00000035 test bl, cl 0x00000037 call 00007F0BED037548h 0x0000003c call 00007F0BED037538h 0x00000041 lfence 0x00000044 mov edx, dword ptr [7FFE0014h] 0x0000004a lfence 0x0000004d ret 0x0000004e mov esi, edx 0x00000050 pushad 0x00000051 rdtsc
Source: C:\Users\user\Desktop\Anmodning om tilbud 12-04-2021#U00b7pdf.exe RDTSC instruction interceptor: First address: 00000000022A4B5A second address: 00000000022A4B5A instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a inc ebx 0x0000000b cmp ebx, eax 0x0000000d je 00007F0BED03762Fh 0x00000013 cmp byte ptr [ebx], FFFFFFB8h 0x00000016 jne 00007F0BED037509h 0x00000018 pushad 0x00000019 rdtsc
Source: C:\Users\user\Desktop\Anmodning om tilbud 12-04-2021#U00b7pdf.exe RDTSC instruction interceptor: First address: 00000000022A4BFD second address: 00000000022A4BFD instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a inc ebx 0x0000000b cmp byte ptr [ebx], FFFFFFC2h 0x0000000e jne 00007F0BED03A931h 0x00000010 pushad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\Anmodning om tilbud 12-04-2021#U00b7pdf.exe RDTSC instruction interceptor: First address: 00000000022A295B second address: 00000000022A2998 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a pop dword ptr [ebp+0000012Ch] 0x00000010 cmp al, 21h 0x00000012 mov dword ptr [ebp+68h], 00000000h 0x00000019 jmp 00007F0BED038045h 0x0000001e call 00007F0BED036A02h 0x00000023 pop dword ptr [ebp+64h] 0x00000026 cmp dh, bh 0x00000028 jmp 00007F0BED037DB2h 0x0000002d call 00007F0BED036C93h 0x00000032 cmp cl, 00000003h 0x00000035 pop dword ptr [ebp+6Ch] 0x00000038 mov dword ptr [ebp+70h], 00000000h 0x0000003f pushad 0x00000040 mov edi, 00000003h 0x00000045 rdtsc
Source: C:\Users\user\Desktop\Anmodning om tilbud 12-04-2021#U00b7pdf.exe RDTSC instruction interceptor: First address: 00000000022A29B4 second address: 00000000022A29B4 instructions:
Source: C:\Users\user\Desktop\Anmodning om tilbud 12-04-2021#U00b7pdf.exe RDTSC instruction interceptor: First address: 0000000000561805 second address: 0000000000561805 instructions:
Source: C:\Users\user\Desktop\Anmodning om tilbud 12-04-2021#U00b7pdf.exe RDTSC instruction interceptor: First address: 00000000005618F8 second address: 00000000005618F8 instructions:
Source: C:\Users\user\Desktop\Anmodning om tilbud 12-04-2021#U00b7pdf.exe RDTSC instruction interceptor: First address: 0000000000561A99 second address: 0000000000561A99 instructions:
Tries to detect Any.run
Source: C:\Users\user\Desktop\Anmodning om tilbud 12-04-2021#U00b7pdf.exe File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: C:\Users\user\Desktop\Anmodning om tilbud 12-04-2021#U00b7pdf.exe File opened: C:\Program Files\qga\qga.exe
Source: C:\Users\user\Desktop\Anmodning om tilbud 12-04-2021#U00b7pdf.exe File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: C:\Users\user\Desktop\Anmodning om tilbud 12-04-2021#U00b7pdf.exe File opened: C:\Program Files\qga\qga.exe
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: Anmodning om tilbud 12-04-2021#U00b7pdf.exe, Anmodning om tilbud 12-04-2021#U00b7pdf.exe, 0000000C.00000002.877495152.0000000000561000.00000040.00000001.sdmp Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\Anmodning om tilbud 12-04-2021#U00b7pdf.exe RDTSC instruction interceptor: First address: 00000000022A453B second address: 00000000022A453B instructions: 0x00000000 rdtsc 0x00000002 xor eax, eax 0x00000004 inc eax 0x00000005 cpuid 0x00000007 popad 0x00000008 call 00007F0BED037528h 0x0000000d lfence 0x00000010 mov edx, dword ptr [7FFE0014h] 0x00000016 lfence 0x00000019 ret 0x0000001a sub edx, esi 0x0000001c ret 0x0000001d test bl, bl 0x0000001f test ch, bh 0x00000021 add edi, edx 0x00000023 test dh, 00000019h 0x00000026 dec dword ptr [ebp+000000F8h] 0x0000002c cmp dword ptr [ebp+000000F8h], 00000000h 0x00000033 jne 00007F0BED037503h 0x00000035 test bl, cl 0x00000037 call 00007F0BED037548h 0x0000003c call 00007F0BED037538h 0x00000041 lfence 0x00000044 mov edx, dword ptr [7FFE0014h] 0x0000004a lfence 0x0000004d ret 0x0000004e mov esi, edx 0x00000050 pushad 0x00000051 rdtsc
Source: C:\Users\user\Desktop\Anmodning om tilbud 12-04-2021#U00b7pdf.exe RDTSC instruction interceptor: First address: 00000000022A455B second address: 00000000022A455B instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a ret 0x0000000b mov esi, edx 0x0000000d pushad 0x0000000e xor eax, eax 0x00000010 inc eax 0x00000011 cpuid 0x00000013 bt ecx, 1Fh 0x00000017 jc 00007F0BED03AD3Ah 0x0000001d popad 0x0000001e call 00007F0BED03AA51h 0x00000023 lfence 0x00000026 rdtsc
Source: C:\Users\user\Desktop\Anmodning om tilbud 12-04-2021#U00b7pdf.exe RDTSC instruction interceptor: First address: 00000000022A4B5A second address: 00000000022A4B5A instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a inc ebx 0x0000000b cmp ebx, eax 0x0000000d je 00007F0BED03762Fh 0x00000013 cmp byte ptr [ebx], FFFFFFB8h 0x00000016 jne 00007F0BED037509h 0x00000018 pushad 0x00000019 rdtsc
Source: C:\Users\user\Desktop\Anmodning om tilbud 12-04-2021#U00b7pdf.exe RDTSC instruction interceptor: First address: 00000000022A4BFD second address: 00000000022A4BFD instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a inc ebx 0x0000000b cmp byte ptr [ebx], FFFFFFC2h 0x0000000e jne 00007F0BED03A931h 0x00000010 pushad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\Anmodning om tilbud 12-04-2021#U00b7pdf.exe RDTSC instruction interceptor: First address: 00000000022A295B second address: 00000000022A2998 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a pop dword ptr [ebp+0000012Ch] 0x00000010 cmp al, 21h 0x00000012 mov dword ptr [ebp+68h], 00000000h 0x00000019 jmp 00007F0BED038045h 0x0000001e call 00007F0BED036A02h 0x00000023 pop dword ptr [ebp+64h] 0x00000026 cmp dh, bh 0x00000028 jmp 00007F0BED037DB2h 0x0000002d call 00007F0BED036C93h 0x00000032 cmp cl, 00000003h 0x00000035 pop dword ptr [ebp+6Ch] 0x00000038 mov dword ptr [ebp+70h], 00000000h 0x0000003f pushad 0x00000040 mov edi, 00000003h 0x00000045 rdtsc
Source: C:\Users\user\Desktop\Anmodning om tilbud 12-04-2021#U00b7pdf.exe RDTSC instruction interceptor: First address: 00000000022A2998 second address: 00000000022A29B4 instructions: 0x00000000 rdtsc 0x00000002 popad 0x00000003 mov dword ptr [ebp+74h], 00000000h 0x0000000a mov dword ptr [ebp+000000ACh], 0008F400h 0x00000014 mov dword ptr [ebp+7Ch], 00000000h 0x0000001b pushad 0x0000001c rdtsc
Source: C:\Users\user\Desktop\Anmodning om tilbud 12-04-2021#U00b7pdf.exe RDTSC instruction interceptor: First address: 00000000022A29B4 second address: 00000000022A29B4 instructions:
Source: C:\Users\user\Desktop\Anmodning om tilbud 12-04-2021#U00b7pdf.exe RDTSC instruction interceptor: First address: 000000000056455B second address: 000000000056455B instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a ret 0x0000000b mov esi, edx 0x0000000d pushad 0x0000000e xor eax, eax 0x00000010 inc eax 0x00000011 cpuid 0x00000013 bt ecx, 1Fh 0x00000017 jc 00007F0BED03AD3Ah 0x0000001d popad 0x0000001e call 00007F0BED03AA51h 0x00000023 lfence 0x00000026 rdtsc
Source: C:\Users\user\Desktop\Anmodning om tilbud 12-04-2021#U00b7pdf.exe RDTSC instruction interceptor: First address: 0000000000561805 second address: 0000000000561805 instructions:
Source: C:\Users\user\Desktop\Anmodning om tilbud 12-04-2021#U00b7pdf.exe RDTSC instruction interceptor: First address: 00000000005618F8 second address: 00000000005618F8 instructions:
Source: C:\Users\user\Desktop\Anmodning om tilbud 12-04-2021#U00b7pdf.exe RDTSC instruction interceptor: First address: 0000000000561A99 second address: 0000000000561A99 instructions:
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\Anmodning om tilbud 12-04-2021#U00b7pdf.exe Code function: 0_2_022A3F21 rdtsc 0_2_022A3F21
Found dropped PE file which has not been started or loaded
Source: C:\Users\user\Desktop\Anmodning om tilbud 12-04-2021#U00b7pdf.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\gC9tT2iQ3s\api-ms-win-core-rtlsupport-l1-1-0.dll
Source: C:\Users\user\Desktop\Anmodning om tilbud 12-04-2021#U00b7pdf.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\gC9tT2iQ3s\nssdbm3.dll
Source: C:\Users\user\Desktop\Anmodning om tilbud 12-04-2021#U00b7pdf.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\gC9tT2iQ3s\api-ms-win-core-synch-l1-2-0.dll
Source: C:\Users\user\Desktop\Anmodning om tilbud 12-04-2021#U00b7pdf.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\gC9tT2iQ3s\api-ms-win-crt-environment-l1-1-0.dll
Source: C:\Users\user\Desktop\Anmodning om tilbud 12-04-2021#U00b7pdf.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\gC9tT2iQ3s\api-ms-win-crt-utility-l1-1-0.dll
Source: C:\Users\user\Desktop\Anmodning om tilbud 12-04-2021#U00b7pdf.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\gC9tT2iQ3s\MapiProxy_InUse.dll
Source: C:\Users\user\Desktop\Anmodning om tilbud 12-04-2021#U00b7pdf.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\gC9tT2iQ3s\freebl3.dll
Source: C:\Users\user\Desktop\Anmodning om tilbud 12-04-2021#U00b7pdf.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\gC9tT2iQ3s\api-ms-win-core-processthreads-l1-1-1.dll
Source: C:\Users\user\Desktop\Anmodning om tilbud 12-04-2021#U00b7pdf.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\gC9tT2iQ3s\softokn3.dll
Source: C:\Users\user\Desktop\Anmodning om tilbud 12-04-2021#U00b7pdf.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\gC9tT2iQ3s\api-ms-win-crt-string-l1-1-0.dll
Source: C:\Users\user\Desktop\Anmodning om tilbud 12-04-2021#U00b7pdf.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\gC9tT2iQ3s\AccessibleMarshal.dll
Source: C:\Users\user\Desktop\Anmodning om tilbud 12-04-2021#U00b7pdf.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\gC9tT2iQ3s\api-ms-win-core-processenvironment-l1-1-0.dll
Source: C:\Users\user\Desktop\Anmodning om tilbud 12-04-2021#U00b7pdf.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\gC9tT2iQ3s\ldap60.dll
Source: C:\Users\user\Desktop\Anmodning om tilbud 12-04-2021#U00b7pdf.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\gC9tT2iQ3s\api-ms-win-core-file-l2-1-0.dll
Source: C:\Users\user\Desktop\Anmodning om tilbud 12-04-2021#U00b7pdf.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\gC9tT2iQ3s\api-ms-win-core-memory-l1-1-0.dll
Source: C:\Users\user\Desktop\Anmodning om tilbud 12-04-2021#U00b7pdf.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\gC9tT2iQ3s\api-ms-win-core-synch-l1-1-0.dll
Source: C:\Users\user\Desktop\Anmodning om tilbud 12-04-2021#U00b7pdf.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\gC9tT2iQ3s\api-ms-win-crt-stdio-l1-1-0.dll
Source: C:\Users\user\Desktop\Anmodning om tilbud 12-04-2021#U00b7pdf.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\gC9tT2iQ3s\api-ms-win-core-profile-l1-1-0.dll
Source: C:\Users\user\Desktop\Anmodning om tilbud 12-04-2021#U00b7pdf.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\gC9tT2iQ3s\api-ms-win-crt-time-l1-1-0.dll
Source: C:\Users\user\Desktop\Anmodning om tilbud 12-04-2021#U00b7pdf.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\gC9tT2iQ3s\api-ms-win-crt-private-l1-1-0.dll
Source: C:\Users\user\Desktop\Anmodning om tilbud 12-04-2021#U00b7pdf.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\gC9tT2iQ3s\api-ms-win-core-timezone-l1-1-0.dll
Source: C:\Users\user\Desktop\Anmodning om tilbud 12-04-2021#U00b7pdf.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\gC9tT2iQ3s\api-ms-win-core-heap-l1-1-0.dll
Source: C:\Users\user\Desktop\Anmodning om tilbud 12-04-2021#U00b7pdf.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\gC9tT2iQ3s\api-ms-win-crt-multibyte-l1-1-0.dll
Source: C:\Users\user\Desktop\Anmodning om tilbud 12-04-2021#U00b7pdf.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\gC9tT2iQ3s\api-ms-win-crt-process-l1-1-0.dll
Source: C:\Users\user\Desktop\Anmodning om tilbud 12-04-2021#U00b7pdf.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\gC9tT2iQ3s\api-ms-win-core-interlocked-l1-1-0.dll
Source: C:\Users\user\Desktop\Anmodning om tilbud 12-04-2021#U00b7pdf.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\gC9tT2iQ3s\qipcap.dll
Source: C:\Users\user\Desktop\Anmodning om tilbud 12-04-2021#U00b7pdf.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\gC9tT2iQ3s\lgpllibs.dll
Source: C:\Users\user\Desktop\Anmodning om tilbud 12-04-2021#U00b7pdf.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\gC9tT2iQ3s\api-ms-win-crt-filesystem-l1-1-0.dll
Source: C:\Users\user\Desktop\Anmodning om tilbud 12-04-2021#U00b7pdf.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\gC9tT2iQ3s\mozMapi32_InUse.dll
Source: C:\Users\user\Desktop\Anmodning om tilbud 12-04-2021#U00b7pdf.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\gC9tT2iQ3s\ldif60.dll
Source: C:\Users\user\Desktop\Anmodning om tilbud 12-04-2021#U00b7pdf.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\gC9tT2iQ3s\prldap60.dll
Source: C:\Users\user\Desktop\Anmodning om tilbud 12-04-2021#U00b7pdf.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\gC9tT2iQ3s\api-ms-win-core-namedpipe-l1-1-0.dll
Source: C:\Users\user\Desktop\Anmodning om tilbud 12-04-2021#U00b7pdf.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\gC9tT2iQ3s\api-ms-win-core-file-l1-2-0.dll
Source: C:\Users\user\Desktop\Anmodning om tilbud 12-04-2021#U00b7pdf.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\gC9tT2iQ3s\api-ms-win-core-string-l1-1-0.dll
Source: C:\Users\user\Desktop\Anmodning om tilbud 12-04-2021#U00b7pdf.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\gC9tT2iQ3s\api-ms-win-crt-math-l1-1-0.dll
Source: C:\Users\user\Desktop\Anmodning om tilbud 12-04-2021#U00b7pdf.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\gC9tT2iQ3s\api-ms-win-crt-locale-l1-1-0.dll
Source: C:\Users\user\Desktop\Anmodning om tilbud 12-04-2021#U00b7pdf.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\gC9tT2iQ3s\mozMapi32.dll
Source: C:\Users\user\Desktop\Anmodning om tilbud 12-04-2021#U00b7pdf.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\gC9tT2iQ3s\api-ms-win-core-libraryloader-l1-1-0.dll
Source: C:\Users\user\Desktop\Anmodning om tilbud 12-04-2021#U00b7pdf.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\gC9tT2iQ3s\breakpadinjector.dll
Source: C:\Users\user\Desktop\Anmodning om tilbud 12-04-2021#U00b7pdf.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\gC9tT2iQ3s\MapiProxy.dll
Source: C:\Users\user\Desktop\Anmodning om tilbud 12-04-2021#U00b7pdf.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\gC9tT2iQ3s\api-ms-win-crt-heap-l1-1-0.dll
Source: C:\Users\user\Desktop\Anmodning om tilbud 12-04-2021#U00b7pdf.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\gC9tT2iQ3s\api-ms-win-crt-conio-l1-1-0.dll
Source: C:\Users\user\Desktop\Anmodning om tilbud 12-04-2021#U00b7pdf.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\gC9tT2iQ3s\api-ms-win-core-processthreads-l1-1-0.dll
Source: C:\Users\user\Desktop\Anmodning om tilbud 12-04-2021#U00b7pdf.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\gC9tT2iQ3s\api-ms-win-core-util-l1-1-0.dll
Source: C:\Users\user\Desktop\Anmodning om tilbud 12-04-2021#U00b7pdf.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\gC9tT2iQ3s\api-ms-win-core-sysinfo-l1-1-0.dll
Source: C:\Users\user\Desktop\Anmodning om tilbud 12-04-2021#U00b7pdf.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\gC9tT2iQ3s\nssckbi.dll
Source: C:\Users\user\Desktop\Anmodning om tilbud 12-04-2021#U00b7pdf.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\gC9tT2iQ3s\api-ms-win-crt-convert-l1-1-0.dll
Source: C:\Users\user\Desktop\Anmodning om tilbud 12-04-2021#U00b7pdf.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\gC9tT2iQ3s\AccessibleHandler.dll
Source: C:\Users\user\Desktop\Anmodning om tilbud 12-04-2021#U00b7pdf.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\gC9tT2iQ3s\api-ms-win-core-handle-l1-1-0.dll
Source: C:\Users\user\Desktop\Anmodning om tilbud 12-04-2021#U00b7pdf.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\gC9tT2iQ3s\IA2Marshal.dll
Source: C:\Users\user\Desktop\Anmodning om tilbud 12-04-2021#U00b7pdf.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\gC9tT2iQ3s\api-ms-win-core-localization-l1-2-0.dll
Source: C:\Users\user\Desktop\Anmodning om tilbud 12-04-2021#U00b7pdf.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\gC9tT2iQ3s\api-ms-win-crt-runtime-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Desktop\Anmodning om tilbud 12-04-2021#U00b7pdf.exe Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\gC9tT2iQ3s\libEGL.dll Jump to dropped file
Is looking for software installed on the system
Source: C:\Users\user\Desktop\Anmodning om tilbud 12-04-2021#U00b7pdf.exe Registry key enumerated: More than 152 enums for key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\SysWOW64\timeout.exe TID: 2460 Thread sleep count: 77 > 30
Source: C:\Users\user\Desktop\Anmodning om tilbud 12-04-2021#U00b7pdf.exe Code function: 12_2_6D0E199C GetSystemInfo,MapViewOfFile, 12_2_6D0E199C
Enumerates the Chrome extensions directory (extension id nmmhkkegccagdldgiimedpiccmgmieda, version 1.0.0.5_0):
Source: C:\Users\user\Desktop\Anmodning om tilbud 12-04-2021#U00b7pdf.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\html\
Source: C:\Users\user\Desktop\Anmodning om tilbud 12-04-2021#U00b7pdf.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\_locales\
Source: C:\Users\user\Desktop\Anmodning om tilbud 12-04-2021#U00b7pdf.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\
Source: C:\Users\user\Desktop\Anmodning om tilbud 12-04-2021#U00b7pdf.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\images\
Source: C:\Users\user\Desktop\Anmodning om tilbud 12-04-2021#U00b7pdf.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\_locales\bg\
Source: C:\Users\user\Desktop\Anmodning om tilbud 12-04-2021#U00b7pdf.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\css\
Virtualization-related strings in memory:
Source: Anmodning om tilbud 12-04-2021#U00b7pdf.exe, 0000000C.00000002.880896126.0000000066A10000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: Anmodning om tilbud 12-04-2021#U00b7pdf.exe, 0000000C.00000002.880896126.0000000066A10000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: Anmodning om tilbud 12-04-2021#U00b7pdf.exe, 0000000C.00000002.877495152.0000000000561000.00000040.00000001.sdmp Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: Anmodning om tilbud 12-04-2021#U00b7pdf.exe, 0000000C.00000002.880896126.0000000066A10000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: Anmodning om tilbud 12-04-2021#U00b7pdf.exe, 0000000C.00000002.880896126.0000000066A10000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
The four Hyper-V messages sit in a read-only image-backed region (0x66A10000, protection 0x02) and read like ordinary Windows message-table text, so they are weak evidence on their own. The qemu-ga.exe path is the actionable string: it sits in an execute/write region of the main module (0x561000, protection 0x40), consistent with an unpacked GuLoader check for the QEMU guest agent.

Anti Debugging:

barindex
Contains functionality to hide a thread from the debugger
Source: C:\Users\user\Desktop\Anmodning om tilbud 12-04-2021#U00b7pdf.exe Code function: 0_2_022A1F10 NtSetInformationThread 000000FE,00000011,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000 0_2_022A1F10
The second argument, 0x11, is THREAD_INFORMATION_CLASS ThreadHideFromDebugger (17): once set, the thread no longer delivers debug events, so an attached debugger silently loses it. The call comes from a dynamically allocated region (0x022Axxxx) outside the VB6 host image (0x0040xxxx), consistent with GuLoader's decrypted shellcode.
Hides threads from debuggers
Source: C:\Users\user\Desktop\Anmodning om tilbud 12-04-2021#U00b7pdf.exe Thread information set: HideFromDebugger (observed three times)
Checks if the current process is being debugged
Source: C:\Users\user\Desktop\Anmodning om tilbud 12-04-2021#U00b7pdf.exe Process queried: DebugPort (observed twice)
DebugPort is the ProcessDebugPort class (7) of NtQueryInformationProcess; a non-zero value means a debugger is attached to the process.
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\Anmodning om tilbud 12-04-2021#U00b7pdf.exe Code function: 0_2_022A3F21 rdtsc 0_2_022A3F21
Two rdtsc reads bracketing a short instruction sequence give a cycle delta; an unusually large delta indicates single-stepping, breakpoints or a hypervisor trapping the instruction.
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\user\Desktop\Anmodning om tilbud 12-04-2021#U00b7pdf.exe Code function: 0_2_022A29E9 LdrInitializeThunk, 0_2_022A29E9
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\Desktop\Anmodning om tilbud 12-04-2021#U00b7pdf.exe Code function: 12_2_6D0E308C IsDebuggerPresent,OutputDebugStringA,_dup,_fdopen,__vfprintf_l,fclose, 12_2_6D0E308C
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\Anmodning om tilbud 12-04-2021#U00b7pdf.exe Code function: 0_2_00403E7A mov ebx, dword ptr fs:[00000030h] 0_2_00403E7A
Source: C:\Users\user\Desktop\Anmodning om tilbud 12-04-2021#U00b7pdf.exe Code function: 0_2_00404015 mov ebx, dword ptr fs:[00000030h] 0_2_00404015
Source: C:\Users\user\Desktop\Anmodning om tilbud 12-04-2021#U00b7pdf.exe Code function: 0_2_004040F0 mov ebx, dword ptr fs:[00000030h] 0_2_004040F0
Source: C:\Users\user\Desktop\Anmodning om tilbud 12-04-2021#U00b7pdf.exe Code function: 0_2_00404081 mov ebx, dword ptr fs:[00000030h] 0_2_00404081
Source: C:\Users\user\Desktop\Anmodning om tilbud 12-04-2021#U00b7pdf.exe Code function: 0_2_0040415D mov ebx, dword ptr fs:[00000030h] 0_2_0040415D
Source: C:\Users\user\Desktop\Anmodning om tilbud 12-04-2021#U00b7pdf.exe Code function: 0_2_004041C0 mov ebx, dword ptr fs:[00000030h] 0_2_004041C0
Source: C:\Users\user\Desktop\Anmodning om tilbud 12-04-2021#U00b7pdf.exe Code function: 0_2_00404230 mov ebx, dword ptr fs:[00000030h] 0_2_00404230
Source: C:\Users\user\Desktop\Anmodning om tilbud 12-04-2021#U00b7pdf.exe Code function: 0_2_00403EC3 mov ebx, dword ptr fs:[00000030h] 0_2_00403EC3
Source: C:\Users\user\Desktop\Anmodning om tilbud 12-04-2021#U00b7pdf.exe Code function: 0_2_00403FA7 mov ebx, dword ptr fs:[00000030h] 0_2_00403FA7
Source: C:\Users\user\Desktop\Anmodning om tilbud 12-04-2021#U00b7pdf.exe Code function: 0_2_022A1A42 mov eax, dword ptr fs:[00000030h] 0_2_022A1A42
Source: C:\Users\user\Desktop\Anmodning om tilbud 12-04-2021#U00b7pdf.exe Code function: 0_2_022A1A95 mov eax, dword ptr fs:[00000030h] 0_2_022A1A95
Source: C:\Users\user\Desktop\Anmodning om tilbud 12-04-2021#U00b7pdf.exe Code function: 0_2_022A3EFE mov eax, dword ptr fs:[00000030h] 0_2_022A3EFE
Source: C:\Users\user\Desktop\Anmodning om tilbud 12-04-2021#U00b7pdf.exe Code function: 0_2_022A4350 mov eax, dword ptr fs:[00000030h] 0_2_022A4350
Source: C:\Users\user\Desktop\Anmodning om tilbud 12-04-2021#U00b7pdf.exe Code function: 0_2_022A13B6 mov eax, dword ptr fs:[00000030h] 0_2_022A13B6
Source: C:\Users\user\Desktop\Anmodning om tilbud 12-04-2021#U00b7pdf.exe Code function: 0_2_022A2582 mov eax, dword ptr fs:[00000030h] 0_2_022A2582
Source: C:\Users\user\Desktop\Anmodning om tilbud 12-04-2021#U00b7pdf.exe Code function: 0_2_022A49C2 mov eax, dword ptr fs:[00000030h] 0_2_022A49C2
On 32-bit Windows fs:[30h] is the PEB pointer in the TEB. The fields usually read from it for debugger detection are BeingDebugged (offset 2) and NtGlobalFlag (offset 0x68); the PEB's loader module lists are also what a manual import resolver walks, so reads from the 0x022Axxxx shellcode region may serve either purpose.
Source: C:\Users\user\Desktop\Anmodning om tilbud 12-04-2021#U00b7pdf.exe Code function: 12_2_6D0F7414 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 12_2_6D0F7414
Source: C:\Users\user\Desktop\Anmodning om tilbud 12-04-2021#U00b7pdf.exe Code function: 12_2_6D0F84D6 IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 12_2_6D0F84D6
Caveat: the 12_2_6D0Exxxx and 12_2_6D0Fxxxx functions live in a module loaded at 0x6D0E0000, not in the main image, and the IsProcessorFeaturePresent/IsDebuggerPresent/UnhandledExceptionFilter sequences are the shape of MSVC CRT fail-fast and error-reporting helpers. Treat the IsDebuggerPresent hits from process 12 as likely runtime boilerplate; the NtSetInformationThread, DebugPort and rdtsc evidence from the 0x022Axxxx region is the deliberate anti-analysis logic.

HIPS / PFW / Operating System Protection Evasion:

barindex
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\Anmodning om tilbud 12-04-2021#U00b7pdf.exe Process created: C:\Users\user\Desktop\Anmodning om tilbud 12-04-2021#U00b7pdf.exe 'C:\Users\user\Desktop\Anmodning om tilbud 12-04-2021#U00b7pdf.exe'
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout /T 10 /NOBREAK
The first entry is the loader re-launching its own image as a suspended child, which is where the decrypted payload is written and resumed; a same-image parent/child pair from a user-writable path is itself a useful hunting signal. The second is a ten-second delay outsourced to a Windows-signed binary via cmd.exe, which matches the 77 sleep calls recorded for timeout.exe above.

Language, Device and Operating System Detection:

barindex
Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\Desktop\Anmodning om tilbud 12-04-2021#U00b7pdf.exe Code function: 12_2_6D0E149E cpuid 12_2_6D0E149E
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\Anmodning om tilbud 12-04-2021#U00b7pdf.exe Queries volume information: C:\ VolumeInformation (observed three times)
Source: C:\Users\user\Desktop\Anmodning om tilbud 12-04-2021#U00b7pdf.exe Code function: 12_2_6D0EB95E GetSystemTimeAdjustment,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z, 12_2_6D0EB95E
Source: C:\Users\user\Desktop\Anmodning om tilbud 12-04-2021#U00b7pdf.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
MachineGuid and the C: volume serial are stable per-installation values; stealers commonly combine them into the victim identifier reported to the C2, so a non-system process reading MachineGuid shortly before its first outbound TLS connection is worth correlating.

Stealing of Sensitive Information:

barindex
Yara detected Raccoon Stealer
Source: Yara match File source: Process Memory Space: Anmodning om tilbud 12-04-2021#U00b7pdf.exe PID: 4552, type: MEMORY
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\Desktop\Anmodning om tilbud 12-04-2021#U00b7pdf.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
Source: C:\Users\user\Desktop\Anmodning om tilbud 12-04-2021#U00b7pdf.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\Anmodning om tilbud 12-04-2021#U00b7pdf.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Login Data (saved passwords), Cookies and Web Data (autofill and payment data) are Chrome's SQLite stores; the sqlite3.dll shown as dropped in the behavior graph is what the stealer needs to read them. Any process other than the browser opening these three files is a high-confidence stealer indicator.
Tries to steal Mail credentials (via file access)
Source: C:\Users\user\Desktop\Anmodning om tilbud 12-04-2021#U00b7pdf.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
Source: C:\Users\user\Desktop\Anmodning om tilbud 12-04-2021#U00b7pdf.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Microsoft Outlook Internet Settings
Source: C:\Users\user\Desktop\Anmodning om tilbud 12-04-2021#U00b7pdf.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
These profile keys hold Outlook account settings, including stored mail server passwords, which is why they are the standard target for mail credential theft.
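Detection logic for the behaviours documented in this section and in the dropped-file and anti-debug sections above, as an added example that is not part of the Joe Sandbox report. It scores constructed host events per process; the events are modelled on the report's evidence lines and are not real telemetry. The event schema, the rule names, the BROWSER_IMAGES allow-list and the verdict threshold are assumptions made for the example.

```python
"""Score per-process host events for the stealer/loader behaviours documented in
this report. Added example; event schema, rule names and threshold are assumptions."""
import ntpath
import re
from collections import defaultdict

# Constructed sample events modelled on the report's evidence lines (not real telemetry).
LOADER = r"C:\Users\user\Desktop\Anmodning om tilbud 12-04-2021#U00b7pdf.exe"
CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"
SAMPLE_EVENTS = [
    {"pid": 4552, "image": LOADER, "op": "thread_info", "target": "HideFromDebugger"},
    {"pid": 4552, "image": LOADER, "op": "file_write",
     "target": r"C:\Users\user\AppData\LocalLow\gC9tT2iQ3s\nssckbi.dll"},
    {"pid": 4552, "image": LOADER, "op": "file_write",
     "target": r"C:\Users\user\AppData\LocalLow\gC9tT2iQ3s\api-ms-win-crt-heap-l1-1-0.dll"},
    {"pid": 4552, "image": LOADER, "op": "file_open",
     "target": r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"pid": 4552, "image": LOADER, "op": "file_open",
     "target": r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies"},
    {"pid": 4552, "image": LOADER, "op": "reg_open",
     "target": r"HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion"
               r"\Windows Messaging Subsystem\Profiles\Outlook"},
    {"pid": 4552, "image": LOADER, "op": "reg_query",
     "target": r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid"},
    # Benign control: the browser reading its own database must not fire anything.
    {"pid": 7001, "image": CHROME, "op": "file_open",
     "target": r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
]

BROWSER_SECRET_DBS = {"login data", "cookies", "web data"}
BROWSER_IMAGES = {"chrome.exe", "msedge.exe", "firefox.exe"}   # assumed allow-list
OUTLOOK_KEY_MARKERS = ("\\windows messaging subsystem\\profiles\\",
                       "\\office\\outlook\\omi account manager\\accounts")
# Random-looking folder directly under AppData\LocalLow, like gC9tT2iQ3s in this report.
STAGING_DIR = re.compile(r"\\appdata\\locallow\\[a-z0-9]{8,16}\\", re.I)
STAGED_DLLS = {"nssckbi.dll", "sqlite3.dll", "mozmapi32.dll", "vcruntime140.dll", "ucrtbase.dll"}


def _base(path):
    # ntpath handles Windows separators regardless of the host the analysis runs on.
    return ntpath.basename(path).lower()


def rule_browser_secret_store_read(ev):
    return (ev["op"] == "file_open" and _base(ev["target"]) in BROWSER_SECRET_DBS
            and _base(ev["image"]) not in BROWSER_IMAGES)


def rule_outlook_credential_key_access(ev):
    target = ev["target"].lower()
    return ev["op"] in ("reg_open", "reg_query") and any(m in target for m in OUTLOOK_KEY_MARKERS)


def rule_dll_staging_in_locallow(ev):
    name = _base(ev["target"])
    return (ev["op"] == "file_write" and STAGING_DIR.search(ev["target"]) is not None
            and (name in STAGED_DLLS or name.startswith("api-ms-win-")))


def rule_thread_hidden_from_debugger(ev):
    return ev["op"] == "thread_info" and ev["target"] == "HideFromDebugger"


def rule_machine_guid_query(ev):
    return ev["op"] == "reg_query" and _base(ev["target"]) == "machineguid"


RULES = [rule_browser_secret_store_read, rule_outlook_credential_key_access,
         rule_dll_staging_in_locallow, rule_thread_hidden_from_debugger, rule_machine_guid_query]


def score_events(events, threshold=3):
    """Return {pid: {"image", "hits", "verdict"}} for every process that fired a rule.
    Distinct rules are counted, not events, so a burst of one behaviour stays one hit."""
    per_pid = defaultdict(lambda: {"image": None, "hits": set()})
    for ev in events:
        for rule in RULES:
            if rule(ev):
                per_pid[ev["pid"]]["image"] = ev["image"]
                per_pid[ev["pid"]]["hits"].add(rule.__name__[len("rule_"):])
    return {pid: {"image": rec["image"], "hits": sorted(rec["hits"]),
                  "verdict": "stealer-like" if len(rec["hits"]) >= threshold else "suspicious"}
            for pid, rec in per_pid.items()}


if __name__ == "__main__":
    for pid, rec in score_events(SAMPLE_EVENTS).items():
        print(pid, rec["verdict"], ", ".join(rec["hits"]))
```

Counting distinct behaviours rather than raw events keeps the score stable whether the stealer touches three Chrome files or thirty, and the allow-list on the browser image is what separates the stealer from Chrome reading its own Login Data. On real telemetry the same five predicates map directly onto Sysmon file, registry and process events.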

Remote Access Functionality:

barindex
Yara detected Raccoon Stealer
Source: Yara match File source: Process Memory Space: Anmodning om tilbud 12-04-2021#U00b7pdf.exe PID: 4552, type: MEMORY
Behavior Graph ID: 385424, sample Anmodning om tilbud 12-04-2021#U00b7pdf.exe, start date 12/04/2021, architecture WINDOWS, score 100
Top-level signatures: Multi AV Scanner detection for domain / URL; Found malware configuration; Yara detected GuLoader; 8 other signatures
Process tree (counts in parentheses are the graph's per-process created file/registry value figures):
  Anmodning om tilbud 12-04-2021#U00b7pdf.exe (1): Tries to detect Any.run; Hides threads from debuggers
    Anmodning om tilbud 12-04-2021#U00b7pdf.exe (80): Tries to steal Mail credentials (via file access); Tries to harvest and steal browser information (history, passwords, etc); Tries to detect Any.run; Hides threads from debuggers
      Network: telete.in 195.201.225.248 TCP 443 from local port 49761 (HETZNER-ASDE, Germany); belochkaneprihoditodna.top 195.123.215.115 TCP 443 from local port 49762 (ITL-LV, Bulgaria); 2 other IPs or domains
      Dropped: C:\Users\user\AppData\LocalLow\sqlite3.dll (PE32); C:\Users\user\AppData\...\vcruntime140.dll (PE32); C:\Users\user\AppData\...\ucrtbase.dll (PE32); 56 other files (none is malicious)
      cmd.exe (1)
        conhost.exe
        timeout.exe (1)

Contacted Public IPs

IP               Domain                                Country        ASN    ASN Name      Malicious
195.201.225.248  telete.in                             Germany        24940  HETZNER-ASDE  true
216.58.215.225   googlehosted.l.googleusercontent.com  United States  15169  GOOGLEUS      false
195.123.215.115  belochkaneprihoditodna.top            Bulgaria       50979  ITL-LV        false

Contacted Domains

Name                                  IP               Active
telete.in                             195.201.225.248  true
googlehosted.l.googleusercontent.com  216.58.215.225   true
belochkaneprihoditodna.top            195.123.215.115  true
doc-00-7g-docs.googleusercontent.com  unknown          unknown

Reading the network evidence: the googleusercontent.com hosts are Google Drive/Docs download endpoints, the usual place GuLoader of this period fetched its encrypted second stage. telete.in is a Telegram web front end that Raccoon builds of this era queried to obtain their current C2 address, and belochkaneprihoditodna.top, contacted over TLS right after it, is therefore the likely actual C2 despite the automated Malicious column marking it false. Block or alert on both non-Google domains; the Google hosts are shared infrastructure and should be handled by URL rather than by IP.