

Analysis Report 7SlKt2Puui.exe

Overview

General Information

Sample Name: 7SlKt2Puui.exe
Analysis ID: 397893
MD5: 9013a8b3f9a8adecf2ff25377f525748
SHA1: b066eb77a5000579f3836291bfb2c2c334c8a84e
SHA256: a21b6b2e6336efdfe470806c0d615ede9acacd44ab317ce7e4c59cfb8de1619f
Tags: exe, RaccoonStealer

Detection

Raccoon
Score: 100 (range 0 - 100)
Whitelisted: false
Confidence: 100%

Signatures

Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Yara detected Raccoon Stealer
C2 URLs / IPs found in malware configuration
Contains functionality to steal Internet Explorer form passwords
Machine Learning detection for sample
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Extensive use of GetProcAddress (often used to hide API calls)
Found dropped PE file which has not been started or loaded
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
Is looking for software installed on the system
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains more sections than normal
PE file contains sections with non-standard names
PE file contains strange resources
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)


Startup

  • System is w10x64
  • 7SlKt2Puui.exe (PID: 6912 cmdline: 'C:\Users\user\Desktop\7SlKt2Puui.exe' MD5: 9013A8B3F9A8ADECF2FF25377F525748)
    • cmd.exe (PID: 6652 cmdline: cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q 'C:\Users\user\Desktop\7SlKt2Puui.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 5952 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • timeout.exe (PID: 5624 cmdline: timeout /T 10 /NOBREAK MD5: 121A4EDAE60A7AF6F5DFA82F7BB95659)
  • cleanup
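The process tree above shows the sample delegating its own removal to cmd.exe (a timeout, then a del of the parent's image path), and later sections of this report list legitimate Mozilla NSS libraries and sqlite3.dll being written under AppData\LocalLow. The report also records that no Sigma rule matched. The following is an added example, not part of the report or of Joe Sandbox, of detection logic for both behaviours, run over constructed events in the shape of Sysmon event ID 1 (process create) and event ID 11 (file create). The first two records mirror the report's process tree and the sqlite3.dll drop; the benign control records, the cmd.exe image paths and the Mozilla-directory exclusion are assumptions made for the example.

```python
# Added example (not from the report): detections for the self-delete chain
# and the dropped NSS/sqlite libraries. Telemetry below is constructed in the
# shape of Sysmon EID 1 and EID 11 fields; only the first two records mirror
# what the report shows, the rest are benign controls.

import ntpath
import re
from typing import Dict, List, Optional

Event = Dict[str, object]

# "del/erase ... <path>": path optionally quoted, ends at the next & / | or end of line.
DEL_RE = re.compile(r"\b(?:del|erase)\b[^&|]*?['\"]?([A-Za-z]:\\[^'\"&|]+?)['\"]?\s*(?:[&|]|$)", re.I)
DELAY_RE = re.compile(r"\b(?:timeout|ping|sleep)\b", re.I)

# Legitimate Mozilla NSS/support libraries the report lists as dropped files
# (nss3.dll.1.dr, softokn3.dll.1.dr, ...). Seeing them written by a non-Mozilla
# process is the hunting signal; the vendor-directory exclusion is an assumption.
NSS_LIBS = {"nss3.dll", "softokn3.dll", "freebl3.dll", "mozglue.dll", "nssckbi.dll",
            "nssdbm3.dll", "sqlite3.dll", "msvcp140.dll", "vcruntime140.dll"}
VENDOR_DIRS = (r"c:\program files\mozilla", r"c:\program files (x86)\mozilla")


def detect_self_delete(ev: Event) -> Optional[Dict[str, object]]:
    """cmd.exe deleting the image of the very process that spawned it."""
    if ev.get("EventID") != 1 or ntpath.basename(str(ev.get("Image", ""))).lower() != "cmd.exe":
        return None
    cmdline = str(ev.get("CommandLine", ""))
    m = DEL_RE.search(cmdline)
    if not m:
        return None
    target, parent = m.group(1), str(ev.get("ParentImage", ""))
    if ntpath.normcase(target) != ntpath.normcase(parent):
        return None                      # deleting something else: not self-removal
    delayed = bool(DELAY_RE.search(cmdline))   # delay lets the parent exit first
    return {"rule": "self_delete", "pid": ev.get("ProcessId"),
            "parent_pid": ev.get("ParentProcessId"), "deleted": target,
            "delayed": delayed, "severity": "high" if delayed else "medium"}


def detect_nss_drop(ev: Event) -> Optional[Dict[str, object]]:
    """NSS/sqlite libraries written outside a Mozilla product directory."""
    if ev.get("EventID") != 11:
        return None
    target = str(ev.get("TargetFilename", ""))
    name = ntpath.basename(target).lower()
    if name not in NSS_LIBS or ntpath.normcase(target).startswith(VENDOR_DIRS):
        return None
    return {"rule": "nss_drop", "pid": ev.get("ProcessId"), "writer": ev.get("Image"),
            "library": name, "path": target, "severity": "medium"}


def scan(events: List[Event]) -> List[Dict[str, object]]:
    """Run every rule over every event and collect the hits."""
    alerts = []
    for ev in events:
        for rule in (detect_self_delete, detect_nss_drop):
            hit = rule(ev)
            if hit:
                alerts.append(hit)
    return alerts


# Constructed telemetry. Records 1 and 2 mirror the report (PIDs 6912/6652,
# the cmd.exe command line, the sqlite3.dll drop); records 3 and 4 are benign.
EVENTS: List[Event] = [
    {"EventID": 1, "ProcessId": 6652, "Image": r"C:\Windows\SysWOW64\cmd.exe",
     "CommandLine": r"cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q 'C:\Users\user\Desktop\7SlKt2Puui.exe'",
     "ParentImage": r"C:\Users\user\Desktop\7SlKt2Puui.exe", "ParentProcessId": 6912},
    {"EventID": 11, "ProcessId": 6912, "Image": r"C:\Users\user\Desktop\7SlKt2Puui.exe",
     "TargetFilename": r"C:\Users\user\AppData\LocalLow\sqlite3.dll"},
    {"EventID": 1, "ProcessId": 4100, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /C del /q C:\Users\user\AppData\Local\Temp\build.log",
     "ParentImage": r"C:\Program Files\Build\make.exe", "ParentProcessId": 4000},
    {"EventID": 11, "ProcessId": 5000, "Image": r"C:\Program Files\Mozilla Thunderbird\updater.exe",
     "TargetFilename": r"C:\Program Files\Mozilla Thunderbird\nss3.dll"},
]

if __name__ == "__main__":
    for alert in scan(EVENTS):
        print(alert)
```

The self-delete rule keys on the deleted path being the parent's own image, which is what separates this chain from the many installers and build scripts that delete temporary files through cmd.exe; the timeout in front of the del raises severity because it is there to let the parent exit before the file is unlinked.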

Malware Configuration

Threatname: Raccoon Stealer

{"RC4_key2": "d2190a1675e0673d0823ae5c7f64e90c", "C2 url": "https://telete.in/tomarsjsmith3", "Bot ID": "0edc595f7019893efa9faa3afd9ed6df6023e92c", "RC4_key1": "$Z2s`ten\\@bE9vzR"}
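The extractor reports two RC4 keys, a bot ID and a URL on telete.in; that URL is the first hop, and the Networking section of this same report records a further https host (birdmilk.top) in process memory and a second TLS connection, so the configured URL should not be treated as the only network indicator. What follows is an added example, not code from the report or from the Raccoon family, of how an analyst applies such extracted keys: a plain RC4 routine plus a helper that tries each key in both the ASCII and the hex-decoded interpretation, keeping whichever decryption yields printable text. The page does not state which interpretation the malware uses for the hex-looking RC4_key2, so trying both is an assumption; the ciphertext the example decrypts is constructed here by encrypting the report's own C2 URL, not carved from the sample.

```python
# Added example (not part of the report): applying the extracted RC4 keys.
# Only RC4_key1, RC4_key2, the bot ID and the C2 URL come from the report;
# SAMPLE_BLOB is constructed here, not taken from the sample's memory.

from typing import Dict, List, Tuple

# Keys exactly as printed in the configuration JSON. In JSON, \\ is a single
# backslash; the Python byte literal below encodes that same single backslash.
RC4_KEY1 = b"$Z2s`ten\\@bE9vzR"
RC4_KEY2 = "d2190a1675e0673d0823ae5c7f64e90c"   # 32 hex digits: ASCII key or 16 raw bytes?
C2_URL = "https://telete.in/tomarsjsmith3"


def rc4_crypt(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). RC4 is symmetric: the same call encrypts and decrypts."""
    if not key:
        raise ValueError("RC4 key must not be empty")
    s = list(range(256))
    j = 0
    for i in range(256):                        # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:                           # pseudo-random generation algorithm
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def key_variants(name: str, value: str) -> Dict[str, bytes]:
    """Extractors print keys as text; a hex-looking key may be used as the ASCII
    string or as the decoded bytes. Return every interpretation that parses."""
    variants = {f"{name}:ascii": value.encode("latin-1")}
    try:
        variants[f"{name}:hex"] = bytes.fromhex(value)
    except ValueError:                          # not hex (e.g. RC4_key1): ASCII only
        pass
    return variants


def looks_printable(data: bytes) -> bool:
    """URLs, bot IDs and config strings decrypt to plain printable ASCII."""
    return bool(data) and all(0x20 <= b < 0x7F for b in data)


def try_config_keys(blob: bytes, config: Dict[str, str]) -> List[Tuple[str, bytes]]:
    """Decrypt a carved blob under every RC4 key interpretation in the config
    and keep the (label, plaintext) pairs that come out printable."""
    hits = []
    for name, value in config.items():
        if not name.lower().startswith("rc4_key"):
            continue
        for label, key in key_variants(name, value).items():
            plain = rc4_crypt(key, blob)
            if looks_printable(plain):
                hits.append((label, plain))
    return hits


REPORT_CONFIG = {
    "RC4_key2": RC4_KEY2,
    "C2 url": C2_URL,
    "Bot ID": "0edc595f7019893efa9faa3afd9ed6df6023e92c",
    "RC4_key1": RC4_KEY1.decode("latin-1"),
}

# Constructed stand-in for a blob carved from process memory: the report's
# C2 URL encrypted under RC4_key1.
SAMPLE_BLOB = rc4_crypt(RC4_KEY1, C2_URL.encode())

if __name__ == "__main__":
    for label, plain in try_config_keys(SAMPLE_BLOB, REPORT_CONFIG):
        print(f"{label}: {plain.decode()}")
```

When a key contains characters that are special in JSON or in a shell (this sample's RC4_key1 has a backtick and a backslash), re-check the byte-for-byte key against the extractor's raw output before concluding that a blob does not decrypt; a single escaped character changes every keystream byte.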

Yara Overview

Memory Dumps

Source: Process Memory Space: 7SlKt2Puui.exe PID: 6912 | Rule: JoeSecurity_Raccoon | Description: Yara detected Raccoon Stealer | Author: Joe Security | Strings: (none listed)

    Sigma Overview

    No Sigma rule has matched

    Signature Overview


    AV Detection:

    Found malware configuration
    Source: 1.2.7SlKt2Puui.exe.400000.0.unpack | Malware Configuration Extractor: Raccoon Stealer {"RC4_key2": "d2190a1675e0673d0823ae5c7f64e90c", "C2 url": "https://telete.in/tomarsjsmith3", "Bot ID": "0edc595f7019893efa9faa3afd9ed6df6023e92c", "RC4_key1": "$Z2s`ten\\@bE9vzR"}
    Multi AV Scanner detection for domain / URL
    Source: telete.in | Virustotal: Detection: 12%
    Multi AV Scanner detection for submitted file
    Source: 7SlKt2Puui.exe | Virustotal: Detection: 33%
    Yara detected Raccoon Stealer
    Source: Yara match | File source: Process Memory Space: 7SlKt2Puui.exe PID: 6912, type: MEMORY
    Machine Learning detection for sample
    Source: 7SlKt2Puui.exe | Joe Sandbox ML: detected

    Source: C:\Users\user\Desktop\7SlKt2Puui.exe | Code function: 1_2_0040CC56 __EH_prolog,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,wsprintfA,CryptUnprotectData
    Source: C:\Users\user\Desktop\7SlKt2Puui.exe | Code function: 1_2_0040ED62 __EH_prolog,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,wsprintfA,CryptUnprotectData,LocalFree,CryptUnprotectData,LocalFree
    Source: C:\Users\user\Desktop\7SlKt2Puui.exe | Code function: 1_2_0040D35A __EH_prolog,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,wsprintfA,CryptUnprotectData,LocalFree
    Source: C:\Users\user\Desktop\7SlKt2Puui.exe | Code function: 1_2_00427411 CryptAcquireContextA,CryptCreateHash,lstrlenW,CryptHashData,CryptGetHashParam,wsprintfW,lstrcatW,wsprintfW,lstrcatW,CryptDestroyHash,CryptReleaseContext,lstrlenW,CryptUnprotectData,LocalFree
    Source: C:\Users\user\Desktop\7SlKt2Puui.exe | Code function: 1_2_004275E4 lstrlenW,lstrlenW,lstrlenW,CredEnumerateW,CryptUnprotectData,LocalFree,CredFree
    Source: C:\Users\user\Desktop\7SlKt2Puui.exe | Code function: 1_2_0040DDA5 __EH_prolog,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,wsprintfA,CryptUnprotectData,LocalFree,CryptUnprotectData
    Source: C:\Users\user\Desktop\7SlKt2Puui.exe | Code function: 1_2_0040C07D __EH_prolog,BCryptOpenAlgorithmProvider,BCryptSetProperty,BCryptGenerateSymmetricKey,LocalAlloc,BCryptDecrypt,BCryptCloseAlgorithmProvider,BCryptDestroyKey
    Source: C:\Users\user\Desktop\7SlKt2Puui.exe | Code function: 1_2_0041E578 __EH_prolog,_strlen,CryptStringToBinaryA,PK11_GetInternalKeySlot,PK11_Authenticate,PK11SDR_Decrypt,PK11_FreeSlot

    Compliance:

    Detected unpacking (overwrites its own PE header)
    Source: C:\Users\user\Desktop\7SlKt2Puui.exe | Unpacked PE file: 1.2.7SlKt2Puui.exe.400000.0.unpack
    Source: 7SlKt2Puui.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED
    Source: C:\Users\user\Desktop\7SlKt2Puui.exe | File opened: C:\Windows\SysWOW64\msvcr100.dll
    Source: unknown | HTTPS traffic detected: 195.201.225.248:443 -> 192.168.2.4:49736 version: TLS 1.2
    Source: unknown | HTTPS traffic detected: 34.105.210.195:443 -> 192.168.2.4:49738 version: TLS 1.2
    Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\security\nss\lib\freebl\freebl_freebl3\freebl3.pdbZZ source: freebl3.dll.1.dr
    Source: Binary string: api-ms-win-crt-locale-l1-1-0.pdb source: api-ms-win-crt-locale-l1-1-0.dll.1.dr
    Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\gfx\angle\targets\libEGL\libEGL.pdb source: libEGL.dll.1.dr
    Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\comm\ldap\c-sdk\libraries\libprldap\prldap60.pdb source: prldap60.dll.1.dr
    Source: Binary string: api-ms-win-crt-runtime-l1-1-0.pdb source: api-ms-win-crt-runtime-l1-1-0.dll.1.dr
    Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\accessible\interfaces\ia2\IA2Marshal.pdb source: IA2Marshal.dll.1.dr
    Source: Binary string: C:\coselu88\cez-yizuyine80_zesudu_peyihubitigufajuzad doseka.pdbpo.pdb source: 7SlKt2Puui.exe
    Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\security\nss3.pdb source: 7SlKt2Puui.exe, 00000001.00000002.698512852.000000006D570000.00000002.00020000.sdmp, nss3.dll.1.dr
    Source: Binary string: api-ms-win-core-file-l1-2-0.pdb source: api-ms-win-core-file-l1-2-0.dll.1.dr
    Source: Binary string: ucrtbase.pdb source: ucrtbase.dll.1.dr
    Source: Binary string: api-ms-win-core-memory-l1-1-0.pdb source: api-ms-win-core-memory-l1-1-0.dll.1.dr
    Source: Binary string: api-ms-win-core-sysinfo-l1-1-0.pdb source: api-ms-win-core-sysinfo-l1-1-0.dll.1.dr
    Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\comm\ldap\c-sdk\libraries\libldap\ldap60.pdb source: ldap60.dll.1.dr
    Source: Binary string: api-ms-win-crt-filesystem-l1-1-0.pdb source: api-ms-win-crt-filesystem-l1-1-0.dll.1.dr
    Source: Binary string: api-ms-win-crt-stdio-l1-1-0.pdb source: api-ms-win-crt-stdio-l1-1-0.dll.1.dr
    Source: Binary string: api-ms-win-core-heap-l1-1-0.pdb source: api-ms-win-core-heap-l1-1-0.dll.1.dr
    Source: Binary string: api-ms-win-core-util-l1-1-0.pdb source: api-ms-win-core-util-l1-1-0.dll.1.dr
    Source: Binary string: api-ms-win-core-synch-l1-1-0.pdb source: api-ms-win-core-synch-l1-1-0.dll.1.dr
    Source: Binary string: vcruntime140.i386.pdbGCTL source: vcruntime140.dll.1.dr
    Source: Binary string: api-ms-win-crt-environment-l1-1-0.pdb source: api-ms-win-crt-environment-l1-1-0.dll.1.dr
    Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\security\nss\lib\softoken\softoken_softokn3\softokn3.pdb source: softokn3.dll.1.dr
    Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\security\nss\lib\ckfw\builtins\builtins_nssckbi\nssckbi.pdb source: nssckbi.dll.1.dr
    Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\mozglue\build\mozglue.pdb22! source: 7SlKt2Puui.exe, 00000001.00000002.698110075.000000006D469000.00000002.00020000.sdmp, mozglue.dll.1.dr
    Source: Binary string: api-ms-win-core-processthreads-l1-1-0.pdb source: api-ms-win-core-processthreads-l1-1-0.dll.1.dr
    Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\security\nss\lib\freebl\freebl_freebl3\freebl3.pdb source: freebl3.dll.1.dr
    Source: Binary string: C:\coselu88\cez-yizuyine80_zesudu_peyihubitigufajuzad doseka.pdb source: 7SlKt2Puui.exe
    Source: Binary string: api-ms-win-crt-private-l1-1-0.pdb source: api-ms-win-crt-private-l1-1-0.dll.1.dr
    Source: Binary string: po.pdb source: 7SlKt2Puui.exe
    Source: Binary string: api-ms-win-crt-convert-l1-1-0.pdb source: api-ms-win-crt-convert-l1-1-0.dll.1.dr
    Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\accessible\ipc\win\handler\AccessibleHandler.pdb source: AccessibleHandler.dll.1.dr
    Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\security\nss\lib\softoken\legacydb\legacydb_nssdbm3\nssdbm3.pdb-- source: nssdbm3.dll.1.dr
    Source: Binary string: msvcp140.i386.pdb source: msvcp140.dll.1.dr
    Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\comm\mailnews\mapi\mapihook\build\MapiProxy.pdb source: MapiProxy_InUse.dll.1.dr
    Source: Binary string: ucrtbase.pdbUGP source: ucrtbase.dll.1.dr
    Source: Binary string: api-ms-win-core-profile-l1-1-0.pdb source: api-ms-win-core-profile-l1-1-0.dll.1.dr
    Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\comm\ldap\c-sdk\libraries\libldap\ldap60.pdbUU source: ldap60.dll.1.dr
    Source: Binary string: api-ms-win-crt-time-l1-1-0.pdb source: api-ms-win-crt-time-l1-1-0.dll.1.dr
    Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\security\nss\lib\ckfw\builtins\builtins_nssckbi\nssckbi.pdb66 source: nssckbi.dll.1.dr
    Source: Binary string: api-ms-win-core-handle-l1-1-0.pdb source: api-ms-win-core-handle-l1-1-0.dll.1.dr
    Source: Binary string: api-ms-win-core-synch-l1-2-0.pdb source: api-ms-win-core-synch-l1-2-0.dll.1.dr
    Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\security\nss\lib\softoken\softoken_softokn3\softokn3.pdb)) source: softokn3.dll.1.dr
    Source: Binary string: api-ms-win-core-processenvironment-l1-1-0.pdb source: api-ms-win-core-processenvironment-l1-1-0.dll.1.dr
    Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\accessible\interfaces\ia2\IA2Marshal.pdb<< source: IA2Marshal.dll.1.dr
    Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\mozglue\build\mozglue.pdb source: 7SlKt2Puui.exe, 00000001.00000002.698110075.000000006D469000.00000002.00020000.sdmp, mozglue.dll.1.dr
    Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\toolkit\library\dummydll\qipcap.pdb source: qipcap.dll.1.dr
    Source: Binary string: api-ms-win-crt-conio-l1-1-0.pdb source: api-ms-win-crt-conio-l1-1-0.dll.1.dr
    Source: Binary string: api-ms-win-core-localization-l1-2-0.pdb source: api-ms-win-core-localization-l1-2-0.dll.1.dr
    Source: Binary string: api-ms-win-crt-math-l1-1-0.pdb source: api-ms-win-crt-math-l1-1-0.dll.1.dr
    Source: Binary string: api-ms-win-core-processthreads-l1-1-1.pdb source: api-ms-win-core-processthreads-l1-1-1.dll.1.dr
    Source: Binary string: api-ms-win-core-namedpipe-l1-1-0.pdb source: api-ms-win-core-namedpipe-l1-1-0.dll.1.dr
    Source: Binary string: vcruntime140.i386.pdb source: vcruntime140.dll.1.dr
    Source: Binary string: api-ms-win-crt-multibyte-l1-1-0.pdb source: api-ms-win-crt-multibyte-l1-1-0.dll.1.dr
    Source: Binary string: api-ms-win-crt-utility-l1-1-0.pdb source: api-ms-win-crt-utility-l1-1-0.dll.1.dr
    Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\comm\mailnews\mapi\mapiDLL\mozMapi32.pdb source: mozMapi32.dll.1.dr
    Source: Binary string: api-ms-win-core-rtlsupport-l1-1-0.pdb source: api-ms-win-core-rtlsupport-l1-1-0.dll.1.dr
    Source: Binary string: api-ms-win-core-timezone-l1-1-0.pdb source: api-ms-win-core-timezone-l1-1-0.dll.1.dr
    Source: Binary string: api-ms-win-core-string-l1-1-0.pdb source: api-ms-win-core-string-l1-1-0.dll.1.dr
    Source: Binary string: msvcp140.i386.pdbGCTL source: msvcp140.dll.1.dr
    Source: Binary string: api-ms-win-core-file-l2-1-0.pdb source: api-ms-win-core-file-l2-1-0.dll.1.dr
    Source: Binary string: api-ms-win-crt-process-l1-1-0.pdb source: api-ms-win-crt-process-l1-1-0.dll.1.dr
    Source: Binary string: api-ms-win-core-libraryloader-l1-1-0.pdb source: api-ms-win-core-libraryloader-l1-1-0.dll.1.dr
    Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\comm\ldap\c-sdk\libraries\libldif\ldif60.pdb source: ldif60.dll.1.dr
    Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\config\external\lgpllibs\lgpllibs.pdb source: lgpllibs.dll.1.dr
    Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\accessible\interfaces\msaa\AccessibleMarshal.pdb source: AccessibleMarshal.dll.1.dr
    Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\security\nss\lib\softoken\legacydb\legacydb_nssdbm3\nssdbm3.pdb source: nssdbm3.dll.1.dr
    Source: Binary string: api-ms-win-core-interlocked-l1-1-0.pdb source: api-ms-win-core-interlocked-l1-1-0.dll.1.dr
    Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\toolkit\crashreporter\injector\breakpadinjector.pdb source: breakpadinjector.dll.1.dr
    Source: Binary string: api-ms-win-crt-heap-l1-1-0.pdb source: api-ms-win-crt-heap-l1-1-0.dll.1.dr
    Source: Binary string: api-ms-win-crt-string-l1-1-0.pdb source: api-ms-win-crt-string-l1-1-0.dll.1.dr
    Source: C:\Users\user\Desktop\7SlKt2Puui.exe | Code function: 1_2_0043BD9C FindClose,FindFirstFileExW,GetLastError,FindFirstFileExW,GetLastError
    Source: C:\Users\user\Desktop\7SlKt2Puui.exe | Code function: 1_2_004329EE __EH_prolog,GetLogicalDriveStringsA
    Source: C:\Users\user\Desktop\7SlKt2Puui.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\html\
    Source: C:\Users\user\Desktop\7SlKt2Puui.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\_locales\
    Source: C:\Users\user\Desktop\7SlKt2Puui.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\
    Source: C:\Users\user\Desktop\7SlKt2Puui.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\images\
    Source: C:\Users\user\Desktop\7SlKt2Puui.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\_locales\bg\
    Source: C:\Users\user\Desktop\7SlKt2Puui.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\css\

    Networking:

    C2 URLs / IPs found in malware configuration
    Source: Malware configuration extractor | URLs: https://telete.in/tomarsjsmith3
    IP address seen in connection with other malware
    Source: Joe Sandbox View | IP Address: 195.201.225.248
    Internet Provider seen in connection with other malware
    Source: Joe Sandbox View | ASN Name: HETZNER-ASDE
    JA3 SSL client fingerprint seen in connection with other malware
    Source: Joe Sandbox View | JA3 fingerprint: ce5f3254611a8c095a3d821d44539877
    Source: unknown | DNS traffic detected: queries for: telete.in
    Source: softokn3.dll.1.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
    Source: softokn3.dll.1.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
    Source: nssckbi.dll.1.dr | String found in binary or memory: http://cps.chambersign.org/cps/chambersignroot.html0
    Source: nssckbi.dll.1.dr | String found in binary or memory: http://cps.chambersign.org/cps/chambersroot.html0
    Source: nssckbi.dll.1.dr | String found in binary or memory: http://crl.chambersign.org/chambersignroot.crl0
    Source: nssckbi.dll.1.dr | String found in binary or memory: http://crl.chambersign.org/chambersroot.crl0
    Source: nssckbi.dll.1.dr | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
    Source: nssckbi.dll.1.dr | String found in binary or memory: http://crl.comodoca.com/COMODOCertificationAuthority.crl0
    Source: nssckbi.dll.1.dr | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
    Source: nssckbi.dll.1.dr | String found in binary or memory: http://crl.netsolssl.com/NetworkSolutionsCertificateAuthority.crl0
    Source: nssckbi.dll.1.dr | String found in binary or memory: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
    Source: nssckbi.dll.1.dr | String found in binary or memory: http://crl.securetrust.com/SGCA.crl0
    Source: nssckbi.dll.1.dr | String found in binary or memory: http://crl.securetrust.com/STCA.crl0
    Source: softokn3.dll.1.dr | String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
    Source: nssckbi.dll.1.dr | String found in binary or memory: http://crl.xrampsecurity.com/XGCA.crl0
    Source: softokn3.dll.1.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
    Source: softokn3.dll.1.dr | String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
    Source: softokn3.dll.1.dr | String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
    Source: softokn3.dll.1.dr | String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0L
    Source: nssckbi.dll.1.dr | String found in binary or memory: http://fedir.comsign.co.il/crl/ComSignCA.crl0
    Source: nssckbi.dll.1.dr | String found in binary or memory: http://ocsp.accv.es0
    Source: softokn3.dll.1.dr | String found in binary or memory: http://ocsp.digicert.com0C
    Source: softokn3.dll.1.dr | String found in binary or memory: http://ocsp.digicert.com0N
    Source: softokn3.dll.1.dr | String found in binary or memory: http://ocsp.thawte.com0
    Source: nssckbi.dll.1.dr | String found in binary or memory: http://policy.camerfirma.com0
    Source: nssckbi.dll.1.dr | String found in binary or memory: http://repository.swisssign.com/0
    Source: softokn3.dll.1.dr | String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
    Source: softokn3.dll.1.dr | String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
    Source: softokn3.dll.1.dr | String found in binary or memory: http://ts-ocsp.ws.symantec.com07
    Source: nssckbi.dll.1.dr | String found in binary or memory: http://www.accv.es/fileadmin/Archivos/certificados/raizaccv1.crt0
    Source: nssckbi.dll.1.dr | String found in binary or memory: http://www.accv.es/fileadmin/Archivos/certificados/raizaccv1_der.crl0
    Source: nssckbi.dll.1.dr | String found in binary or memory: http://www.accv.es/legislacion_c.htm0U
    Source: nssckbi.dll.1.dr | String found in binary or memory: http://www.accv.es00
    Source: nssckbi.dll.1.dr | String found in binary or memory: http://www.cert.fnmt.es/dpcs/0
    Source: nssckbi.dll.1.dr | String found in binary or memory: http://www.certicamara.com/dpc/0Z
    Source: nssckbi.dll.1.dr | String found in binary or memory: http://www.certplus.com/CRL/class2.crl0
    Source: nssckbi.dll.1.dr | String found in binary or memory: http://www.chambersign.org1
    Source: nssckbi.dll.1.dr | String found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
    Source: nssckbi.dll.1.dr | String found in binary or memory: http://www.firmaprofesional.com/cps0
    Source: mozglue.dll.1.dr | String found in binary or memory: http://www.mozilla.com/en-US/blocklist/
    Source: softokn3.dll.1.dr | String found in binary or memory: http://www.mozilla.com0
    Source: nssckbi.dll.1.dr | String found in binary or memory: http://www.pkioverheid.nl/policies/root-policy-G20
    Source: nssckbi.dll.1.dr | String found in binary or memory: http://www.quovadis.bm0
    Source: nssckbi.dll.1.dr | String found in binary or memory: http://www.quovadisglobal.com/cps0
    Source: sqlite3.dll.1.dr | String found in binary or memory: http://www.sqlite.org/copyright.html.
    Source: nssckbi.dll.1.dr | String found in binary or memory: http://www.trustcenter.de/crl/v2/tc_class_3_ca_II.crl
    Source: 1xVPfvJcrg.1.dr | String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
    Source: 7SlKt2Puui.exe, 00000001.00000003.686368240.0000000000AAC000.00000004.00000001.sdmp | String found in binary or memory: https://birdmilk.top//l/f/uDxHDnkBuI_ccNKogidJ/b0a4288ab8cefd834adcc7f60dc85cae472bc38cusM
    Source: 1xVPfvJcrg.1.dr | String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
    Source: 1xVPfvJcrg.1.dr | String found in binary or memory: https://duckduckgo.com/ac/?q=
    Source: 1xVPfvJcrg.1.dr | String found in binary or memory: https://duckduckgo.com/chrome_newtab
    Source: 1xVPfvJcrg.1.dr | String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
    Source: nssckbi.dll.1.dr | String found in binary or memory: https://ocsp.quovadisoffshore.com0
    Source: nssckbi.dll.1.dr | String found in binary or memory: https://repository.luxtrust.lu0
    Source: 1xVPfvJcrg.1.dr | String found in binary or memory: https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search
    Source: 1xVPfvJcrg.1.dr | String found in binary or memory: https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
    Source: 7SlKt2Puui.exe, 00000001.00000003.680986715.0000000000AA8000.00000004.00000001.sdmp, 7SlKt2Puui.exe, 00000001.00000003.681029690.000000004C88D000.00000004.00000001.sdmp | String found in binary or memory: https://support.google.com/chrome/?p=plugin_flash
    Source: 7SlKt2Puui.exe, 00000001.00000003.680986715.0000000000AA8000.00000004.00000001.sdmp, 7SlKt2Puui.exe, 00000001.00000003.681029690.000000004C88D000.00000004.00000001.sdmp | String found in binary or memory: https://support.google.com/chrome/answer/6258784
    Source: nssckbi.dll.1.dr | String found in binary or memory: https://www.catcert.net/verarrel
    Source: nssckbi.dll.1.dr | String found in binary or memory: https://www.catcert.net/verarrel05
    Source: softokn3.dll.1.dr | String found in binary or memory: https://www.digicert.com/CPS0
    Source: 1xVPfvJcrg.1.dr | String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49738
    Source: unknown | Network traffic detected: HTTP traffic on port 49736 -> 443
    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49736
    Source: unknown | Network traffic detected: HTTP traffic on port 49738 -> 443
    Source: unknown | HTTPS traffic detected: 195.201.225.248:443 -> 192.168.2.4:49736 version: TLS 1.2
    Source: unknown | HTTPS traffic detected: 34.105.210.195:443 -> 192.168.2.4:49738 version: TLS 1.2

    E-Banking Fraud:

    Yara detected Raccoon Stealer
    Source: Yara match | File source: Process Memory Space: 7SlKt2Puui.exe PID: 6912, type: MEMORY

    Contains functionality to communicate with device drivers
    Source: C:\Users\user\Desktop\7SlKt2Puui.exe | Code function: 1_2_0043C37D: DeviceIoControl,GetLastError
    Detected potential crypto function
    Source: C:\Users\user\Desktop\7SlKt2Puui.exe | Code functions: 1_2_004340EE, 1_2_0043454A, 1_2_0040C67C, 1_2_0041E71E, 1_2_0040CC56, 1_2_0040ED62, 1_2_00432F99, 1_2_0043AFB9, 1_2_0040D35A, 1_2_0041D384, 1_2_00429796, 1_2_004277AD, 1_2_0041DD64, 1_2_0040DDA5, 1_2_004400A5, 1_2_0044614A, 1_2_00458109, 1_2_00448112, 1_2_0041C274, 1_2_00458229, 1_2_004282DB, 1_2_00420358, 1_2_00440360, 1_2_0043A467, 1_2_004164BE, 1_2_004149DE, 1_2_004869E8, 1_2_00440A90
    Found potential string decryption / allocating functions
    Source: C:\Users\user\Desktop\7SlKt2Puui.exe | Code function: String function: 004656A0 appears 102 times
    Source: C:\Users\user\Desktop\7SlKt2Puui.exe | Code function: String function: 0043DE20 appears 32 times
    PE file contains more sections than normal
    Source: sqlite3.dll.1.dr | Static PE information: Number of sections : 18 > 10
    PE file contains strange resources
    Source: 7SlKt2Puui.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST (reported for six RT_ICON resources)
    Sample file is different than original file name gathered from version info
    Source: 7SlKt2Puui.exe, 00000001.00000002.693335306.00000000008E0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamenlsbres.dllj% vs 7SlKt2Puui.exe
    Source: 7SlKt2Puui.exe, 00000001.00000002.697270839.000000004BAB0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs 7SlKt2Puui.exe
    Source: 7SlKt2Puui.exe, 00000001.00000002.698063835.000000004C905000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameapisetstubj% vs 7SlKt2Puui.exe
    Source: 7SlKt2Puui.exe, 00000001.00000002.698132773.000000006D472000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenamemozglue.dll8 vs 7SlKt2Puui.exe
    Source: 7SlKt2Puui.exe, 00000001.00000002.698642427.000000006D5AB000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenamenss3.dll8 vs 7SlKt2Puui.exe
    Source: 7SlKt2Puui.exe, 00000001.00000002.693372133.00000000008F0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamenlsbres.dll.muij% vs 7SlKt2Puui.exe
    Uses 32bit PE files
    Source: 7SlKt2Puui.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED

    Source: 7SlKt2Puui.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
    Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@6/67@2/3
    Source: C:\Users\user\Desktop\7SlKt2Puui.exe | Code function: 1_2_004276D8 CoCreateInstance,StrStrIW,CoTaskMemFree,CoTaskMemFree
    Drops PE files
    Source: C:\Users\user\Desktop\7SlKt2Puui.exe | File created: C:\Users\user\AppData\LocalLow\sqlite3.dll
    Source: C:\Users\user\Desktop\7SlKt2Puui.exe | Mutant created: \Sessions\1\BaseNamedObjects\uiabfqwfuuser
    Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5952:120:WilError_01
    Source: C:\Users\user\Desktop\7SlKt2Puui.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
    Source: C:\Users\user\Desktop\7SlKt2Puui.exe | File read: C:\Windows\System32\drivers\etc\hosts
    Source: softokn3.dll.1.dr | Binary or memory string: CREATE TABLE metaData (id PRIMARY KEY UNIQUE ON CONFLICT REPLACE, item1, item2);
    Source: 7SlKt2Puui.exe, 00000001.00000002.698512852.000000006D570000.00000002.00020000.sdmp, sqlite3.dll.1.dr | Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
    Source: softokn3.dll.1.dr | Binary or memory string: SELECT ALL %s FROM %s WHERE id=$ID;
    Source: softokn3.dll.1.dr | Binary or memory string: SELECT ALL * FROM %s LIMIT 0;
    Source: 7SlKt2Puui.exe, 00000001.00000002.698512852.000000006D570000.00000002.00020000.sdmp, sqlite3.dll.1.dr | Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
    Source: 7SlKt2Puui.exe, 00000001.00000002.698512852.000000006D570000.00000002.00020000.sdmp, nss3.dll.1.dr | Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);docid INTEGER PRIMARY KEY%z, 'c%d%q'%z, langidCREATE TABLE %Q.'%q_content'(%s)CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);<
    Source: 7SlKt2Puui.exe, 00000001.00000002.698512852.000000006D570000.00000002.00020000.sdmp, sqlite3.dll.1.dr | Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
    Source: 7SlKt2Puui.exe, 00000001.00000002.698512852.000000006D570000.00000002.00020000.sdmp, sqlite3.dll.1.dr | Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
    Source: softokn3.dll.1.dr | Binary or memory string: UPDATE %s SET %s WHERE id=$ID;
    Source: softokn3.dll.1.dr | Binary or memory string: SELECT ALL * FROM metaData WHERE id=$ID;
    Source: softokn3.dll.1.dr | Binary or memory string: SELECT ALL id FROM %s WHERE %s;
    Source: softokn3.dll.1.dr | Binary or memory string: SELECT ALL id FROM %s;
    Source: softokn3.dll.1.dr | Binary or memory string: INSERT INTO metaData (id,item1) VALUES($ID,$ITEM1);
    Source: sqlite3.dll.1.dr | Binary or memory string: UPDATE %Q.%s SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
    Source: softokn3.dll.1.dr | Binary or memory string: INSERT INTO %s (id%s) VALUES($ID%s);
    Source: 7SlKt2Puui.exe, 00000001.00000002.698512852.000000006D570000.00000002.00020000.sdmp, nss3.dll.1.dr | Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
    Source: 7SlKt2Puui.exe, 00000001.00000002.698512852.000000006D570000.00000002.00020000.sdmp, nss3.dll.1.dr | Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
    Source: 7SlKt2Puui.exe, 00000001.00000002.698512852.000000006D570000.00000002.00020000.sdmp, sqlite3.dll.1.dr | Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
    Source: 7SlKt2Puui.exe, 00000001.00000002.698512852.000000006D570000.00000002.00020000.sdmp, nss3.dll.1.dr | Binary or memory string: CREATE TABLE xx( name TEXT, /* Name of table or index */ path TEXT, /* Path to page from root */ pageno INTEGER, /* Page number */ pagetype TEXT, /* 'internal', 'leaf' or 'overflow' */ ncell INTEGER, /* Cells on page (0 for overflow) */ payload INTEGER, /* Bytes of payload on this page */ unused INTEGER, /* Bytes of unused space on this page */ mx_payload INTEGER, /* Largest payload size of all cells */ pgoffset INTEGER, /* Offset of page in file */ pgsize INTEGER, /* Size of the page */ schema TEXT HIDDEN /* Database schema being analyzed */);
    Source: 7SlKt2Puui.exe, 00000001.00000002.698512852.000000006D570000.00000002.00020000.sdmp, nss3.dll.1.dr | Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
    Source: softokn3.dll.1.dr | Binary or memory string: INSERT INTO metaData (id,item1,item2) VALUES($ID,$ITEM1,$ITEM2);
    Source: 7SlKt2Puui.exe, 00000001.00000002.698512852.000000006D570000.00000002.00020000.sdmp, nss3.dll.1.dr | Binary or memory string: CREATE TABLE xx( name TEXT, /* Name of table or index */ path TEXT, /* Path to page from root */ pageno INTEGER, /* Page number */ pagetype TEXT, /* 'internal', 'leaf' or 'overflow' */ ncell INTEGER, /* Cells on page (0 for overflow) */ payload INTEGER, /* Bytes of payload on this page */ unused INTEGER, /* Bytes of unused space on this page */ mx_payload INTEGER, /* Largest payload size of all cells */ pgoffset INTEGER, /* Offset of page in file */ pgsize INTEGER, /* Size of the page */ schema TEXT HIDDEN /* Database schema being analyzed */);/overflow%s%.3x+%.6x%s%.3x/internalleafcorruptedno such schema: %sSELECT 'sqlite_master' AS name, 1 AS rootpage, 'table' AS type UNION ALL SELECT name, rootpage, type FROM "%w".%s WHERE rootpage!=0 ORDER BY namedbstat2018-01-22 18:45:57 0c55d179733b46d8d0ba4d88e01a25e10677046ee3da1d5b1581e86726f2171d:
    Source: sqlite3.dll.1.dr | Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
    Source: 7SlKt2Puui.exe | Virustotal: Detection: 33%
    Source: unknown | Process created: C:\Users\user\Desktop\7SlKt2Puui.exe 'C:\Users\user\Desktop\7SlKt2Puui.exe'
    Source: C:\Users\user\Desktop\7SlKt2Puui.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q 'C:\Users\user\Desktop\7SlKt2Puui.exe'
    Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\timeout.exe timeout /T 10 /NOBREAK
    Source: C:\Users\user\Desktop\7SlKt2Puui.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q 'C:\Users\user\Desktop\7SlKt2Puui.exe'
    Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\timeout.exe timeout /T 10 /NOBREAK
    Source: C:\Users\user\Desktop\7SlKt2Puui.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager
    Source: C:\Users\user\Desktop\7SlKt2Puui.exe | File opened: C:\Windows\SysWOW64\msvcr100.dll
    Source: 7SlKt2Puui.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
    Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\security\nss\lib\freebl\freebl_freebl3\freebl3.pdbZZ source: freebl3.dll.1.dr
    Source: Binary string: api-ms-win-crt-locale-l1-1-0.pdb source: api-ms-win-crt-locale-l1-1-0.dll.1.dr
    Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\gfx\angle\targets\libEGL\libEGL.pdb source: libEGL.dll.1.dr
    Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\comm\ldap\c-sdk\libraries\libprldap\prldap60.pdb source: prldap60.dll.1.dr
    Source: Binary string: api-ms-win-crt-runtime-l1-1-0.pdb source: api-ms-win-crt-runtime-l1-1-0.dll.1.dr
    Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\accessible\interfaces\ia2\IA2Marshal.pdb source: IA2Marshal.dll.1.dr
    Source: Binary string: C:\coselu88\cez-yizuyine80_zesudu_peyihubitigufajuzad doseka.pdbpo.pdb source: 7SlKt2Puui.exe
    Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\security\nss3.pdb source: 7SlKt2Puui.exe, 00000001.00000002.698512852.000000006D570000.00000002.00020000.sdmp, nss3.dll.1.dr
    Source: Binary string: api-ms-win-core-file-l1-2-0.pdb source: api-ms-win-core-file-l1-2-0.dll.1.dr
    Source: Binary string: ucrtbase.pdb source: ucrtbase.dll.1.dr
    Source: Binary string: api-ms-win-core-memory-l1-1-0.pdb source: api-ms-win-core-memory-l1-1-0.dll.1.dr
    Source: Binary string: api-ms-win-core-sysinfo-l1-1-0.pdb source: api-ms-win-core-sysinfo-l1-1-0.dll.1.dr
    Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\comm\ldap\c-sdk\libraries\libldap\ldap60.pdb source: ldap60.dll.1.dr
    Source: Binary string: api-ms-win-crt-filesystem-l1-1-0.pdb source: api-ms-win-crt-filesystem-l1-1-0.dll.1.dr
    Source: Binary string: api-ms-win-crt-stdio-l1-1-0.pdb source: api-ms-win-crt-stdio-l1-1-0.dll.1.dr
    Source: Binary string: api-ms-win-core-heap-l1-1-0.pdb source: api-ms-win-core-heap-l1-1-0.dll.1.dr
    Source: Binary string: api-ms-win-core-util-l1-1-0.pdb source: api-ms-win-core-util-l1-1-0.dll.1.dr
    Source: Binary string: api-ms-win-core-synch-l1-1-0.pdb source: api-ms-win-core-synch-l1-1-0.dll.1.dr
    Source: Binary string: vcruntime140.i386.pdbGCTL source: vcruntime140.dll.1.dr
    Source: Binary string: api-ms-win-crt-environment-l1-1-0.pdb source: api-ms-win-crt-environment-l1-1-0.dll.1.dr
    Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\security\nss\lib\softoken\softoken_softokn3\softokn3.pdb source: softokn3.dll.1.dr
    Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\security\nss\lib\ckfw\builtins\builtins_nssckbi\nssckbi.pdb source: nssckbi.dll.1.dr
    Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\mozglue\build\mozglue.pdb22! source: 7SlKt2Puui.exe, 00000001.00000002.698110075.000000006D469000.00000002.00020000.sdmp, mozglue.dll.1.dr
    Source: Binary string: api-ms-win-core-processthreads-l1-1-0.pdb source: api-ms-win-core-processthreads-l1-1-0.dll.1.dr
    Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\security\nss\lib\freebl\freebl_freebl3\freebl3.pdb source: freebl3.dll.1.dr
    Source: Binary string: C:\coselu88\cez-yizuyine80_zesudu_peyihubitigufajuzad doseka.pdb source: 7SlKt2Puui.exe
    Source: Binary string: api-ms-win-crt-private-l1-1-0.pdb source: api-ms-win-crt-private-l1-1-0.dll.1.dr
    Source: Binary string: po.pdb source: 7SlKt2Puui.exe
    Source: Binary string: api-ms-win-crt-convert-l1-1-0.pdb source: api-ms-win-crt-convert-l1-1-0.dll.1.dr
    Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\accessible\ipc\win\handler\AccessibleHandler.pdb source: AccessibleHandler.dll.1.dr
    Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\security\nss\lib\softoken\legacydb\legacydb_nssdbm3\nssdbm3.pdb-- source: nssdbm3.dll.1.dr
    Source: Binary string: msvcp140.i386.pdb source: msvcp140.dll.1.dr
    Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\comm\mailnews\mapi\mapihook\build\MapiProxy.pdb source: MapiProxy_InUse.dll.1.dr
    Source: Binary string: ucrtbase.pdbUGP source: ucrtbase.dll.1.dr
    Source: Binary string: api-ms-win-core-profile-l1-1-0.pdb source: api-ms-win-core-profile-l1-1-0.dll.1.dr
    Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\comm\ldap\c-sdk\libraries\libldap\ldap60.pdbUU source: ldap60.dll.1.dr
    Source: Binary string: api-ms-win-crt-time-l1-1-0.pdb source: api-ms-win-crt-time-l1-1-0.dll.1.dr
    Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\security\nss\lib\ckfw\builtins\builtins_nssckbi\nssckbi.pdb66 source: nssckbi.dll.1.dr
    Source: Binary string: api-ms-win-core-handle-l1-1-0.pdb source: api-ms-win-core-handle-l1-1-0.dll.1.dr
    Source: Binary string: api-ms-win-core-synch-l1-2-0.pdb source: api-ms-win-core-synch-l1-2-0.dll.1.dr
    Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\security\nss\lib\softoken\softoken_softokn3\softokn3.pdb)) source: softokn3.dll.1.dr
    Source: Binary string: api-ms-win-core-processenvironment-l1-1-0.pdb source: api-ms-win-core-processenvironment-l1-1-0.dll.1.dr
    Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\accessible\interfaces\ia2\IA2Marshal.pdb<< source: IA2Marshal.dll.1.dr
    Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\mozglue\build\mozglue.pdb source: 7SlKt2Puui.exe, 00000001.00000002.698110075.000000006D469000.00000002.00020000.sdmp, mozglue.dll.1.dr
    Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\toolkit\library\dummydll\qipcap.pdb source: qipcap.dll.1.dr
    Source: Binary string: api-ms-win-crt-conio-l1-1-0.pdb source: api-ms-win-crt-conio-l1-1-0.dll.1.dr
    Source: Binary string: api-ms-win-core-localization-l1-2-0.pdb source: api-ms-win-core-localization-l1-2-0.dll.1.dr
    Source: Binary string: api-ms-win-crt-math-l1-1-0.pdb source: api-ms-win-crt-math-l1-1-0.dll.1.dr
    Source: Binary string: api-ms-win-core-processthreads-l1-1-1.pdb source: api-ms-win-core-processthreads-l1-1-1.dll.1.dr
    Source: Binary string: api-ms-win-core-namedpipe-l1-1-0.pdb source: api-ms-win-core-namedpipe-l1-1-0.dll.1.dr
    Source: Binary string: vcruntime140.i386.pdb source: vcruntime140.dll.1.dr
    Source: Binary string: api-ms-win-crt-multibyte-l1-1-0.pdb source: api-ms-win-crt-multibyte-l1-1-0.dll.1.dr
    Source: Binary string: api-ms-win-crt-utility-l1-1-0.pdb source: api-ms-win-crt-utility-l1-1-0.dll.1.dr
    Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\comm\mailnews\mapi\mapiDLL\mozMapi32.pdb source: mozMapi32.dll.1.dr
    Source: Binary string: api-ms-win-core-rtlsupport-l1-1-0.pdb source: api-ms-win-core-rtlsupport-l1-1-0.dll.1.dr
    Source: Binary string: api-ms-win-core-timezone-l1-1-0.pdb source: api-ms-win-core-timezone-l1-1-0.dll.1.dr
    Source: Binary string: api-ms-win-core-string-l1-1-0.pdb source: api-ms-win-core-string-l1-1-0.dll.1.dr
    Source: Binary string: msvcp140.i386.pdbGCTL source: msvcp140.dll.1.dr
    Source: Binary string: api-ms-win-core-file-l2-1-0.pdb source: api-ms-win-core-file-l2-1-0.dll.1.dr
    Source: Binary string: api-ms-win-crt-process-l1-1-0.pdb source: api-ms-win-crt-process-l1-1-0.dll.1.dr
    Source: Binary string: api-ms-win-core-libraryloader-l1-1-0.pdb source: api-ms-win-core-libraryloader-l1-1-0.dll.1.dr
    Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\comm\ldap\c-sdk\libraries\libldif\ldif60.pdb source: ldif60.dll.1.dr
    Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\config\external\lgpllibs\lgpllibs.pdb source: lgpllibs.dll.1.dr
    Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\accessible\interfaces\msaa\AccessibleMarshal.pdb source: AccessibleMarshal.dll.1.dr
    Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\security\nss\lib\softoken\legacydb\legacydb_nssdbm3\nssdbm3.pdb source: nssdbm3.dll.1.dr
    Source: Binary string: api-ms-win-core-interlocked-l1-1-0.pdb source: api-ms-win-core-interlocked-l1-1-0.dll.1.dr
    Source: Binary string: z:\task_1552562425\build\src\obj-thunderbird\toolkit\crashreporter\injector\breakpadinjector.pdb source: breakpadinjector.dll.1.dr
    Source: Binary string: api-ms-win-crt-heap-l1-1-0.pdb source: api-ms-win-crt-heap-l1-1-0.dll.1.dr
    Source: Binary string: api-ms-win-crt-string-l1-1-0.pdb source: api-ms-win-crt-string-l1-1-0.dll.1.dr

    Data Obfuscation:

    Detected unpacking (changes PE section rights)
    Source: C:\Users\user\Desktop\7SlKt2Puui.exe | Unpacked PE file: 1.2.7SlKt2Puui.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.xozoxew:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.reloc:R;
    Detected unpacking (overwrites its own PE header)
    Source: C:\Users\user\Desktop\7SlKt2Puui.exe | Unpacked PE file: 1.2.7SlKt2Puui.exe.400000.0.unpack
    Source: C:\Users\user\Desktop\7SlKt2Puui.exe | Code function: 1_2_004317EB LoadLibraryA,GetProcAddress,FreeLibrary, | 1_2_004317EB
    Source: 7SlKt2Puui.exe | Static PE information: section name: .xozoxew
    Source: sqlite3.dll.1.dr | Static PE information: section name: /4
    Source: sqlite3.dll.1.dr | Static PE information: section name: /19
    Source: sqlite3.dll.1.dr | Static PE information: section name: /31
    Source: sqlite3.dll.1.dr | Static PE information: section name: /45
    Source: sqlite3.dll.1.dr | Static PE information: section name: /57
    Source: sqlite3.dll.1.dr | Static PE information: section name: /70
    Source: sqlite3.dll.1.dr | Static PE information: section name: /81
    Source: sqlite3.dll.1.dr | Static PE information: section name: /92
    Source: C:\Users\user\Desktop\7SlKt2Puui.exe | Code function: 1_2_0046C54A pushad ; retf | 1_2_0046C701
    Source: C:\Users\user\Desktop\7SlKt2Puui.exe | Code function: 1_2_0046C702 pushad ; retf | 1_2_0046C701
    Source: initial sample | Static PE information: section name: .text entropy: 7.80824497107
    Source: C:\Users\user\Desktop\7SlKt2Puui.exe | File created: C:\Users\user\AppData\LocalLow\gC9tT2iQ3s\api-ms-win-core-rtlsupport-l1-1-0.dll
    Source: C:\Users\user\Desktop\7SlKt2Puui.exe | File created: C:\Users\user\AppData\LocalLow\gC9tT2iQ3s\nssdbm3.dll
    Source: C:\Users\user\Desktop\7SlKt2Puui.exe | File created: C:\Users\user\AppData\LocalLow\gC9tT2iQ3s\api-ms-win-core-synch-l1-2-0.dll
    Source: C:\Users\user\Desktop\7SlKt2Puui.exe | File created: C:\Users\user\AppData\LocalLow\gC9tT2iQ3s\api-ms-win-crt-environment-l1-1-0.dll
    Source: C:\Users\user\Desktop\7SlKt2Puui.exe | File created: C:\Users\user\AppData\LocalLow\gC9tT2iQ3s\api-ms-win-crt-utility-l1-1-0.dll
    Source: C:\Users\user\Desktop\7SlKt2Puui.exe | File created: C:\Users\user\AppData\LocalLow\gC9tT2iQ3s\MapiProxy_InUse.dll
    Source: C:\Users\user\Desktop\7SlKt2Puui.exe | File created: C:\Users\user\AppData\LocalLow\gC9tT2iQ3s\freebl3.dll
    Source: C:\Users\user\Desktop\7SlKt2Puui.exe | File created: C:\Users\user\AppData\LocalLow\sqlite3.dll
    Source: C:\Users\user\Desktop\7SlKt2Puui.exe | File created: C:\Users\user\AppData\LocalLow\gC9tT2iQ3s\api-ms-win-core-processthreads-l1-1-1.dll
    Source: C:\Users\user\Desktop\7SlKt2Puui.exe | File created: C:\Users\user\AppData\LocalLow\gC9tT2iQ3s\softokn3.dll
    Source: C:\Users\user\Desktop\7SlKt2Puui.exe | File created: C:\Users\user\AppData\LocalLow\gC9tT2iQ3s\api-ms-win-crt-string-l1-1-0.dll
    Source: C:\Users\user\Desktop\7SlKt2Puui.exe | File created: C:\Users\user\AppData\LocalLow\gC9tT2iQ3s\AccessibleMarshal.dll
    Source: C:\Users\user\Desktop\7SlKt2Puui.exe | File created: C:\Users\user\AppData\LocalLow\gC9tT2iQ3s\api-ms-win-core-processenvironment-l1-1-0.dll
    Source: C:\Users\user\Desktop\7SlKt2Puui.exe | File created: C:\Users\user\AppData\LocalLow\gC9tT2iQ3s\ldap60.dll
    Source: C:\Users\user\Desktop\7SlKt2Puui.exe | File created: C:\Users\user\AppData\LocalLow\gC9tT2iQ3s\api-ms-win-core-file-l2-1-0.dll
    Source: C:\Users\user\Desktop\7SlKt2Puui.exe | File created: C:\Users\user\AppData\LocalLow\gC9tT2iQ3s\api-ms-win-core-memory-l1-1-0.dll
    Source: C:\Users\user\Desktop\7SlKt2Puui.exe | File created: C:\Users\user\AppData\LocalLow\gC9tT2iQ3s\api-ms-win-core-synch-l1-1-0.dll
    Source: C:\Users\user\Desktop\7SlKt2Puui.exe | File created: C:\Users\user\AppData\LocalLow\gC9tT2iQ3s\api-ms-win-crt-stdio-l1-1-0.dll
    Source: C:\Users\user\Desktop\7SlKt2Puui.exe | File created: C:\Users\user\AppData\LocalLow\gC9tT2iQ3s\api-ms-win-core-profile-l1-1-0.dll
    Source: C:\Users\user\Desktop\7SlKt2Puui.exe | File created: C:\Users\user\AppData\LocalLow\gC9tT2iQ3s\api-ms-win-crt-time-l1-1-0.dll
    Source: C:\Users\user\Desktop\7SlKt2Puui.exe | File created: C:\Users\user\AppData\LocalLow\gC9tT2iQ3s\vcruntime140.dll
    Source: C:\Users\user\Desktop\7SlKt2Puui.exe | File created: C:\Users\user\AppData\LocalLow\gC9tT2iQ3s\api-ms-win-crt-private-l1-1-0.dll
    Source: C:\Users\user\Desktop\7SlKt2Puui.exe | File created: C:\Users\user\AppData\LocalLow\gC9tT2iQ3s\api-ms-win-core-timezone-l1-1-0.dll
    Source: C:\Users\user\Desktop\7SlKt2Puui.exe | File created: C:\Users\user\AppData\LocalLow\gC9tT2iQ3s\ucrtbase.dll
    Source: C:\Users\user\Desktop\7SlKt2Puui.exe | File created: C:\Users\user\AppData\LocalLow\gC9tT2iQ3s\api-ms-win-crt-multibyte-l1-1-0.dll
    Source: C:\Users\user\Desktop\7SlKt2Puui.exe | File created: C:\Users\user\AppData\LocalLow\gC9tT2iQ3s\api-ms-win-core-heap-l1-1-0.dll
    Source: C:\Users\user\Desktop\7SlKt2Puui.exe | File created: C:\Users\user\AppData\LocalLow\gC9tT2iQ3s\api-ms-win-crt-process-l1-1-0.dll
    Source: C:\Users\user\Desktop\7SlKt2Puui.exe | File created: C:\Users\user\AppData\LocalLow\gC9tT2iQ3s\api-ms-win-core-interlocked-l1-1-0.dll
    Source: C:\Users\user\Desktop\7SlKt2Puui.exe | File created: C:\Users\user\AppData\LocalLow\gC9tT2iQ3s\qipcap.dll
    Source: C:\Users\user\Desktop\7SlKt2Puui.exe | File created: C:\Users\user\AppData\LocalLow\gC9tT2iQ3s\lgpllibs.dll
    Source: C:\Users\user\Desktop\7SlKt2Puui.exe | File created: C:\Users\user\AppData\LocalLow\gC9tT2iQ3s\api-ms-win-crt-filesystem-l1-1-0.dll
    Source: C:\Users\user\Desktop\7SlKt2Puui.exe | File created: C:\Users\user\AppData\LocalLow\gC9tT2iQ3s\mozMapi32_InUse.dll
    Source: C:\Users\user\Desktop\7SlKt2Puui.exe | File created: C:\Users\user\AppData\LocalLow\gC9tT2iQ3s\ldif60.dll
    Source: C:\Users\user\Desktop\7SlKt2Puui.exe | File created: C:\Users\user\AppData\LocalLow\gC9tT2iQ3s\prldap60.dll
    Source: C:\Users\user\Desktop\7SlKt2Puui.exe | File created: C:\Users\user\AppData\LocalLow\gC9tT2iQ3s\api-ms-win-core-namedpipe-l1-1-0.dll
    Source: C:\Users\user\Desktop\7SlKt2Puui.exe | File created: C:\Users\user\AppData\LocalLow\gC9tT2iQ3s\api-ms-win-core-file-l1-2-0.dll
    Source: C:\Users\user\Desktop\7SlKt2Puui.exe | File created: C:\Users\user\AppData\LocalLow\gC9tT2iQ3s\api-ms-win-core-string-l1-1-0.dll
    Source: C:\Users\user\Desktop\7SlKt2Puui.exe | File created: C:\Users\user\AppData\LocalLow\gC9tT2iQ3s\api-ms-win-crt-math-l1-1-0.dll
    Source: C:\Users\user\Desktop\7SlKt2Puui.exe | File created: C:\Users\user\AppData\LocalLow\gC9tT2iQ3s\api-ms-win-crt-locale-l1-1-0.dll
    Source: C:\Users\user\Desktop\7SlKt2Puui.exe | File created: C:\Users\user\AppData\LocalLow\gC9tT2iQ3s\mozMapi32.dll
    Source: C:\Users\user\Desktop\7SlKt2Puui.exe | File created: C:\Users\user\AppData\LocalLow\gC9tT2iQ3s\mozglue.dll
    Source: C:\Users\user\Desktop\7SlKt2Puui.exe | File created: C:\Users\user\AppData\LocalLow\gC9tT2iQ3s\nss3.dll
    Source: C:\Users\user\Desktop\7SlKt2Puui.exe | File created: C:\Users\user\AppData\LocalLow\gC9tT2iQ3s\api-ms-win-core-libraryloader-l1-1-0.dll
    Source: C:\Users\user\Desktop\7SlKt2Puui.exe | File created: C:\Users\user\AppData\LocalLow\gC9tT2iQ3s\breakpadinjector.dll
    Source: C:\Users\user\Desktop\7SlKt2Puui.exe | File created: C:\Users\user\AppData\LocalLow\gC9tT2iQ3s\api-ms-win-crt-heap-l1-1-0.dll
    Source: C:\Users\user\Desktop\7SlKt2Puui.exe | File created: C:\Users\user\AppData\LocalLow\gC9tT2iQ3s\MapiProxy.dll
    Source: C:\Users\user\Desktop\7SlKt2Puui.exe | File created: C:\Users\user\AppData\LocalLow\gC9tT2iQ3s\api-ms-win-crt-conio-l1-1-0.dll
    Source: C:\Users\user\Desktop\7SlKt2Puui.exe | File created: C:\Users\user\AppData\LocalLow\gC9tT2iQ3s\api-ms-win-core-processthreads-l1-1-0.dll
    Source: C:\Users\user\Desktop\7SlKt2Puui.exe | File created: C:\Users\user\AppData\LocalLow\gC9tT2iQ3s\api-ms-win-core-util-l1-1-0.dll
    Source: C:\Users\user\Desktop\7SlKt2Puui.exe | File created: C:\Users\user\AppData\LocalLow\gC9tT2iQ3s\nssckbi.dll
    Source: C:\Users\user\Desktop\7SlKt2Puui.exe | File created: C:\Users\user\AppData\LocalLow\gC9tT2iQ3s\api-ms-win-core-sysinfo-l1-1-0.dll
    Source: C:\Users\user\Desktop\7SlKt2Puui.exe | File created: C:\Users\user\AppData\LocalLow\gC9tT2iQ3s\api-ms-win-crt-convert-l1-1-0.dll
    Source: C:\Users\user\Desktop\7SlKt2Puui.exe | File created: C:\Users\user\AppData\LocalLow\gC9tT2iQ3s\AccessibleHandler.dll
    Source: C:\Users\user\Desktop\7SlKt2Puui.exe | File created: C:\Users\user\AppData\LocalLow\gC9tT2iQ3s\api-ms-win-core-handle-l1-1-0.dll
    Source: C:\Users\user\Desktop\7SlKt2Puui.exe | File created: C:\Users\user\AppData\LocalLow\gC9tT2iQ3s\msvcp140.dll
    Source: C:\Users\user\Desktop\7SlKt2Puui.exe | File created: C:\Users\user\AppData\LocalLow\gC9tT2iQ3s\IA2Marshal.dll
    Source: C:\Users\user\Desktop\7SlKt2Puui.exe | File created: C:\Users\user\AppData\LocalLow\gC9tT2iQ3s\api-ms-win-core-localization-l1-2-0.dll
    Source: C:\Users\user\Desktop\7SlKt2Puui.exe | File created: C:\Users\user\AppData\LocalLow\gC9tT2iQ3s\api-ms-win-crt-runtime-l1-1-0.dll
    Source: C:\Users\user\Desktop\7SlKt2Puui.exe | File created: C:\Users\user\AppData\LocalLow\gC9tT2iQ3s\libEGL.dll
    Source: C:\Users\user\Desktop\7SlKt2Puui.exe | Code function: 1_2_0041DD64 __EH_prolog,SetCurrentDirectoryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, | 1_2_0041DD64
    Source: C:\Users\user\Desktop\7SlKt2Puui.exe | Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\gC9tT2iQ3s\api-ms-win-core-rtlsupport-l1-1-0.dll
    Source: C:\Users\user\Desktop\7SlKt2Puui.exe | Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\gC9tT2iQ3s\nssdbm3.dll
    Source: C:\Users\user\Desktop\7SlKt2Puui.exe | Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\gC9tT2iQ3s\api-ms-win-core-synch-l1-2-0.dll
    Source: C:\Users\user\Desktop\7SlKt2Puui.exe | Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\gC9tT2iQ3s\api-ms-win-crt-environment-l1-1-0.dll
    Source: C:\Users\user\Desktop\7SlKt2Puui.exe | Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\gC9tT2iQ3s\api-ms-win-crt-utility-l1-1-0.dll
    Source: C:\Users\user\Desktop\7SlKt2Puui.exe | Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\gC9tT2iQ3s\MapiProxy_InUse.dll
    Source: C:\Users\user\Desktop\7SlKt2Puui.exe | Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\gC9tT2iQ3s\freebl3.dll
    Source: C:\Users\user\Desktop\7SlKt2Puui.exe | Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\gC9tT2iQ3s\api-ms-win-core-processthreads-l1-1-1.dll
    Source: C:\Users\user\Desktop\7SlKt2Puui.exe | Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\gC9tT2iQ3s\softokn3.dll
    Source: C:\Users\user\Desktop\7SlKt2Puui.exe | Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\gC9tT2iQ3s\api-ms-win-crt-string-l1-1-0.dll
    Source: C:\Users\user\Desktop\7SlKt2Puui.exe | Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\gC9tT2iQ3s\AccessibleMarshal.dll
    Source: C:\Users\user\Desktop\7SlKt2Puui.exe | Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\gC9tT2iQ3s\api-ms-win-core-processenvironment-l1-1-0.dll
    Source: C:\Users\user\Desktop\7SlKt2Puui.exe | Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\gC9tT2iQ3s\ldap60.dll
    Source: C:\Users\user\Desktop\7SlKt2Puui.exe | Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\gC9tT2iQ3s\api-ms-win-core-file-l2-1-0.dll
    Source: C:\Users\user\Desktop\7SlKt2Puui.exe | Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\gC9tT2iQ3s\api-ms-win-core-memory-l1-1-0.dll
    Source: C:\Users\user\Desktop\7SlKt2Puui.exe | Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\gC9tT2iQ3s\api-ms-win-core-synch-l1-1-0.dll
    Source: C:\Users\user\Desktop\7SlKt2Puui.exe | Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\gC9tT2iQ3s\api-ms-win-crt-stdio-l1-1-0.dll
    Source: C:\Users\user\Desktop\7SlKt2Puui.exe | Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\gC9tT2iQ3s\api-ms-win-core-profile-l1-1-0.dll
    Source: C:\Users\user\Desktop\7SlKt2Puui.exe | Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\gC9tT2iQ3s\api-ms-win-crt-time-l1-1-0.dll
    Source: C:\Users\user\Desktop\7SlKt2Puui.exe | Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\gC9tT2iQ3s\api-ms-win-crt-private-l1-1-0.dll
    Source: C:\Users\user\Desktop\7SlKt2Puui.exe | Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\gC9tT2iQ3s\api-ms-win-core-timezone-l1-1-0.dll
    Source: C:\Users\user\Desktop\7SlKt2Puui.exe | Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\gC9tT2iQ3s\api-ms-win-core-heap-l1-1-0.dll
    Source: C:\Users\user\Desktop\7SlKt2Puui.exe | Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\gC9tT2iQ3s\api-ms-win-crt-multibyte-l1-1-0.dll
    Source: C:\Users\user\Desktop\7SlKt2Puui.exe | Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\gC9tT2iQ3s\api-ms-win-crt-process-l1-1-0.dll
    Source: C:\Users\user\Desktop\7SlKt2Puui.exe | Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\gC9tT2iQ3s\api-ms-win-core-interlocked-l1-1-0.dll
    Source: C:\Users\user\Desktop\7SlKt2Puui.exe | Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\gC9tT2iQ3s\qipcap.dll
    Source: C:\Users\user\Desktop\7SlKt2Puui.exe | Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\gC9tT2iQ3s\lgpllibs.dll
    Source: C:\Users\user\Desktop\7SlKt2Puui.exe | Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\gC9tT2iQ3s\api-ms-win-crt-filesystem-l1-1-0.dll
    Source: C:\Users\user\Desktop\7SlKt2Puui.exe | Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\gC9tT2iQ3s\mozMapi32_InUse.dll
    Source: C:\Users\user\Desktop\7SlKt2Puui.exe | Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\gC9tT2iQ3s\ldif60.dll
    Source: C:\Users\user\Desktop\7SlKt2Puui.exe | Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\gC9tT2iQ3s\prldap60.dll
    Source: C:\Users\user\Desktop\7SlKt2Puui.exe | Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\gC9tT2iQ3s\api-ms-win-core-namedpipe-l1-1-0.dll
    Source: C:\Users\user\Desktop\7SlKt2Puui.exe | Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\gC9tT2iQ3s\api-ms-win-core-file-l1-2-0.dll
    Source: C:\Users\user\Desktop\7SlKt2Puui.exe | Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\gC9tT2iQ3s\api-ms-win-core-string-l1-1-0.dll
    Source: C:\Users\user\Desktop\7SlKt2Puui.exe | Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\gC9tT2iQ3s\api-ms-win-crt-math-l1-1-0.dll
    Source: C:\Users\user\Desktop\7SlKt2Puui.exe | Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\gC9tT2iQ3s\api-ms-win-crt-locale-l1-1-0.dll
    Source: C:\Users\user\Desktop\7SlKt2Puui.exe | Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\gC9tT2iQ3s\mozMapi32.dll
    Source: C:\Users\user\Desktop\7SlKt2Puui